Can I use the “trustedCA” part of the proxy configuration without actually specifying an explicit proxy?
You should be able to. Daneyon, can you confirm? (If you can't, I'd consider it a bug.)
It does work! Thanks for that. user-ca-bundle already existed and had my certificate in there, I just needed to reference user-ca-bundle in the proxy config.
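For reference, this is the shape of the configuration the exchange above describes: a cluster Proxy resource that sets only `trustedCA` and leaves `httpProxy`, `httpsProxy` and `noProxy` unset, pointing at the `user-ca-bundle` ConfigMap in `openshift-config`. This is an added illustration, not something posted in the thread; the ConfigMap key `ca-bundle.crt` and the resource names are the standard OpenShift 4 ones, and the certificate body is a placeholder.

```yaml
# Added example: trust an additional CA without configuring a proxy host.
# The ConfigMap holding the PEM bundle lives in openshift-config and is
# normally created by the installer when additionalTrustBundle is supplied.
apiVersion: v1
kind: ConfigMap
metadata:
  name: user-ca-bundle
  namespace: openshift-config
data:
  ca-bundle.crt: |
    -----BEGIN CERTIFICATE-----
    ...placeholder: paste your internal CA certificate(s) here...
    -----END CERTIFICATE-----
---
# The cluster-scoped Proxy object is always named "cluster".
# No httpProxy/httpsProxy/noProxy: only the trusted CA reference is set,
# so the merged CA bundle is distributed to operators that consume it
# even though no explicit proxy is in use.
apiVersion: config.openshift.io/v1
kind: Proxy
metadata:
  name: cluster
spec:
  trustedCA:
    name: user-ca-bundle
```

Applying the Proxy object is the only step needed when, as in this case, the ConfigMap already exists; operators that honour `trustedCA` then pick up the merged system-plus-user bundle without any proxy endpoint being configured.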
Cool. Given that you supplied the CAs during install and the user-ca-bundle CM was created, I'm a little surprised the install didn't automatically set up the reference in the proxyconfig resource for you. I'm guessing it did not because there was no actual proxy hostname configured. I think that's a gap we should close. Would you mind filing a bug (bugzilla.redhat.com)? You can submit it against the install component.
FYI, I've filed a bug for this aspect of the issues you ran into:
Thanks for raising this, reading through the related github tickets it looks like I've opened a can of worms to some degree.
Yes there's some difference of opinion on what the out of box desired behavior is, but at a minimum you've exposed a gap in our documentation that we will get fixed.
I also just discovered that the OpenShift Cluster Version Operator (CVO) isn't quite configured correctly out of the box to use the correct trusted CA certs (which means it can't download cluster updates).
It correctly mounts /etc/ssl/certs from the host (the masters), but it fails to also mount /etc/pki, because the certs are a symlink /etc/ssl/certs/ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
I couldn't find where the installer sets up the CVO but an example of what is missing is here.
Is there an existing bug for this? Or should I raise a bugzilla for this? Would it be part of the installer?
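To make the mount problem from the previous message concrete, here is an illustrative pod spec fragment (an added example, not the real CVO manifest, whose location the thread says could not be found) that mounts both host directories. On RHCOS hosts `/etc/ssl/certs/ca-bundle.crt` is a symlink into `/etc/pki/ca-trust/extracted/pem/`, so a container that mounts only `/etc/ssl/certs` sees a dangling link and has no usable trust store; mounting `/etc/pki` alongside it makes the link resolve. The container name and image are placeholders.

```yaml
# Added example: host CA trust store mounted into a pod.
# Both hostPath volumes are needed because the bundle under /etc/ssl/certs
# is only a symlink whose target lives under /etc/pki:
#   /etc/ssl/certs/ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
spec:
  containers:
  - name: example                      # placeholder container
    image: registry.example.com/example:latest   # placeholder image
    volumeMounts:
    - name: etc-ssl-certs
      mountPath: /etc/ssl/certs
      readOnly: true
    - name: etc-pki                     # the piece described as missing from the CVO pod
      mountPath: /etc/pki
      readOnly: true
  volumes:
  - name: etc-ssl-certs
    hostPath:
      path: /etc/ssl/certs
  - name: etc-pki
    hostPath:
      path: /etc/pki
```

A quick way to confirm the fix from inside the running pod is `readlink -f /etc/ssl/certs/ca-bundle.crt` followed by a check that the resolved path exists; with only the first mount present the resolved path is absent, with both mounts it points at the host's extracted bundle.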