
Re: 4.3 must-gather

On Sun, Dec 1, 2019 at 11:04 PM Jon Stanley <jonstanley gmail com> wrote:
On Mon, Dec 2, 2019 at 3:32 AM Ben Parees <bparees redhat com> wrote:

> 1) If you define a proxy config with additional CAs, those CAs will be used during imagestream import (as well as consumed by many other components).  This is true even if you don't have a proxy, so you can define a dummy proxy config that has no "http/httpsProxy" values but just has a reference to your additional CA bundle.  If you are doing it at install time, I think you have to provide a dummy "noProxy" value; this will trick the installer into setting up a proxyconfig that references the additionalTrustBundle you provided in the install-config.

Wouldn't it make sense to do this if there's an additionalTrustBundle
to be found in the install-config? From a usability perspective, I
probably want that CA bundle to be used throughout the installed
system as well without having to define a non-existent proxy.

It's being discussed.  The challenge is that the mechanism was originally introduced for proxy usage only, so we need to evolve the behavior to be a mechanism that provides CAs in general, not just CAs for proxies.  Today you can effectively use it for that, but it's not documented that way and not all parts of the system treat it that way (hence why the installer does not).

You can follow this bug to see some discussion of it:

and also this enhancement proposal:


Moreover, thinking of $DAYJOB - we very well may (haven't decided yet)
allow that proxy configuration to point to a real proxy that can
access the Internet (however doesn't mangle certs - our app proxy is
not a MITM proxy), but our registries and such internally are signed
by an internal CA. Would the noProxy list also allow those CAs that
are in the proxy config?

If I understand your question...  The noproxy list only serves to determine whether the connection request goes through the proxy or not.  It has no bearing on whether the CAs provided are loaded into the trust store used by the transport, regardless of where the connection is being made (at least for all the components that consume the proxy+CAs that I am aware of).

Ben Parees | OpenShift
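
The configuration described in this message, sketched as an added example that is not part of the original post and not taken from the OpenShift project: an install-config fragment with a dummy noProxy plus additionalTrustBundle, and the post-install equivalent as a proxy config with no proxy URLs. The ConfigMap name `user-ca-bundle`, the `openshift-config` namespace, the `ca-bundle.crt` key and the `trustedCA` field are assumptions based on the OpenShift 4 proxy API rather than on this thread; the noProxy value and the certificate bodies are placeholders.

```yaml
# --- install-config.yaml (fragment; other required fields omitted) ---
# Install-time variant: no httpProxy/httpsProxy, only a dummy noProxy so the
# installer sets up a proxy config that references the trust bundle.
proxy:
  noProxy: dummy.example.invalid      # constructed placeholder value
additionalTrustBundle: |
  -----BEGIN CERTIFICATE-----
  <PEM body of the internal CA, placeholder>
  -----END CERTIFICATE-----
---
# --- Post-install variant, part 1: ConfigMap holding the CA bundle ---
apiVersion: v1
kind: ConfigMap
metadata:
  name: user-ca-bundle                # assumed name, referenced below
  namespace: openshift-config         # assumed namespace
data:
  ca-bundle.crt: |
    -----BEGIN CERTIFICATE-----
    <PEM body of the internal CA, placeholder>
    -----END CERTIFICATE-----
---
# --- Post-install variant, part 2: "dummy" cluster proxy config ---
# No httpProxy/httpsProxy set: nothing is routed through a proxy, but the
# referenced CAs are still picked up by the components that consume this config.
apiVersion: config.openshift.io/v1
kind: Proxy
metadata:
  name: cluster
spec:
  trustedCA:
    name: user-ca-bundle
```

If a real proxy is configured later, noProxy entries change only which connections bypass it; the referenced CA bundle is unaffected by that list.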
