[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: 4.3 must-gather



On Mon, Dec 2, 2019 at 3:32 AM Ben Parees <bparees redhat com> wrote:

> 1) If you define a proxy config with additional CAs, those CAs will be used during imagestream import (as well as consumed by many other components).  This is true even if you don't have a proxy, so you so can define a dummy proxy config that has no "http/httpsProxy" values but just has a reference to your additional CA bundle.  If you are doing it at install time, I think you have to provide a dummy "noProxy" value, this will trick the installer into setting up a proxyconfig that references the additionalTrustBundle you provided in the install-config.

Wouldn't it make sense  to do this if there's an additionalTrustBundle
to be found in the install-config? From a usability perspective, I
probably want that CA bundle to be used throughout the installed
system as well without having to define a non-existent proxy.

Moreover, thinking of $DAYJOB - we very well may (haven't decided yet)
allow that proxy configuration to point to a real proxy that can
access the Internet (however doesn't mangle certs - our app proxy is
not a MITM proxy), but our registries and such internally are signed
by an internal CA. Would the noProxy list also allow those CA's that
are in the proxy config?


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]