Story
Resolution: Done-Errata
OCPSTRAT-292 - Support cluster-wide proxy on Windows Containers
WINC - Sprint 242, WINC - Sprint 243
Description
This story covers undoing changes the operator made to Windows nodes’ local CA trust stores. Any certs imported as part of proxy configuration should be deleted during node deconfiguration. This includes during node upgrades and when a BYOH node is removed from the windows-instances ConfigMap. Only the certs present in the trusted CA ConfigMap should be removed.
Acceptance Criteria
- Delete all user-provided certs, and only these, from the Windows instance’s local trust store when a node is deconfigured
QE testing:
- Case 1: removing a customer user certificate from the `openshift-config/user-ca-bundle` ConfigMap should result in that certificate being removed from all Windows nodes' local trust stores
- Case 2: removing a BYOH node from the cluster should result in all certificates from the `openshift-windows-machine-config-operator/trusted-ca` ConfigMap being removed from the instance's local trust store
- Case 3: removing the cluster-wide proxy entirely (including trustedCA and env vars) should result in all certificates from the `openshift-windows-machine-config-operator/trusted-ca` ConfigMap being removed from all Windows nodes' local trust stores
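One way to compute which certificates a deconfiguration step is allowed to delete, so that only operator-imported certs are touched (an added example, not the operator's own code). It assumes the CA bundles are PEM and that certificates are matched by the SHA-1 thumbprint the Windows certificate store reports; `thumbprints`, `certsToRemove` and `sampleCA` are hypothetical names.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// thumbprints (hypothetical helper): SHA-1 thumbprint, uppercase hex, of each cert in a PEM bundle.
func thumbprints(bundle []byte) (map[string]bool, error) {
	set := map[string]bool{}
	for blk, rest := pem.Decode(bundle); blk != nil; blk, rest = pem.Decode(rest) {
		if _, err := x509.ParseCertificate(blk.Bytes); err != nil {
			return nil, fmt.Errorf("bad certificate in bundle: %w", err)
		}
		set[fmt.Sprintf("%X", sha1.Sum(blk.Bytes))] = true
	}
	return set, nil
}

// certsToRemove: certs imported from previous that current no longer lists; a parse error removes nothing.
func certsToRemove(previous, current []byte) (map[string]bool, error) {
	remove, errPrev := thumbprints(previous)
	keep, errCur := thumbprints(current)
	if err := errors.Join(errPrev, errCur); err != nil {
		return nil, err
	}
	for tp := range keep {
		delete(remove, tp)
	}
	return remove, nil
}

// sampleCA builds a throwaway self-signed certificate (constructed sample input).
func sampleCA(name string) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{name}, NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, pub, priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	a, b := sampleCA("ca-a.example"), sampleCA("ca-b.example")
	fmt.Println(certsToRemove(append(a, b...), b)) // Case 1: only a's thumbprint is returned
}
```

Passing an empty current bundle models Cases 2 and 3, where every certificate from the previous bundle is returned. Certificates that were never in the bundle can never appear in the result.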
- is blocked by
  - OCPBUGS-19716 Enable proxy cert test run in CI (Closed)
  - WINC-1090 Import custom CA certificates into Windows node system store (Closed)
- is related to
  - WINC-687 Update node certs on the Windows nodes when they are rotated (Closed)
- links to
  - RHBA-2023:120235 Red Hat OpenShift support for Windows Containers 10.15.0 product release
  - RHSA-2023:110725 Red Hat OpenShift support for Windows Containers 9.0.0 security update