
Re: How to use extra trusted CA certs when pulling images for a builder



On Mon, 18 Nov 2019 at 13:05, Clayton Coleman <ccoleman redhat com> wrote:
Raise a bug to the installer component, yes

Ok thanks, I raised a bug here: https://bugzilla.redhat.com/show_bug.cgi?id=1773419 


On Nov 17, 2019, at 6:03 PM, Joel Pearson <japearson agiledigital com au> wrote:

On Mon, 18 Nov 2019 at 12:37, Ben Parees <bparees redhat com> wrote:


On Sun, Nov 17, 2019 at 7:24 PM Joel Pearson <japearson agiledigital com au> wrote:


On Wed, 13 Nov 2019 at 02:43, Ben Parees <bparees redhat com> wrote:


On Mon, Nov 11, 2019 at 11:27 PM Ben Parees <bparees redhat com> wrote:


On Mon, Nov 11, 2019 at 10:47 PM Joel Pearson <japearson agiledigital com au> wrote:


On Tue, 12 Nov 2019 at 06:56, Ben Parees <bparees redhat com> wrote:
 

Can I use the “trustedCA” part of the proxy configuration without actually specifying an explicit proxy?

You should be able to. Daneyon, can you confirm? (If you can't, I'd consider it a bug.)

It does work! Thanks for that. user-ca-bundle already existed and had my certificate in there, I just needed to reference user-ca-bundle in the proxy config.

Cool. Given that you supplied the CAs during install, and the user-ca-bundle CM was created, I'm a little surprised the install didn't automatically set up the reference in the proxyconfig resource for you. I'm guessing it did not because there was no actual proxy hostname configured. I think that's a gap we should close. Would you mind filing a bug? (bugzilla.redhat.com). You can submit it against the install component.

fyi I've filed a bug for this aspect of the issues you ran into:


Thanks for raising this, reading through the related github tickets it looks like I've opened a can of worms to some degree.

Yes there's some difference of opinion on what the out of box desired behavior is, but at a minimum you've exposed a gap in our documentation that we will get fixed.
 

I also just discovered that the OpenShift cluster version operator (CVO) isn't quite configured correctly out of the box to use the correct trusted CA certs (which means it can't download cluster updates).

It correctly mounts /etc/ssl/certs from the host (the masters), but it fails to also mount /etc/pki, because the certs are a symlink /etc/ssl/certs/ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

I couldn't find where the installer sets up the CVO but an example of what is missing is here.

Is there an existing bug for this? Or should I raise a bugzilla for this? Would it be part of the installer?
_______________________________________________
users mailing list
users lists openshift redhat com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
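The CVO mount gap Joel describes above, reproduced offline as an added example that is not part of this thread or of any OpenShift component: it builds a constructed copy of the RHEL CA-trust layout (the ca-bundle.crt symlink pointing into /etc/pki) and reports whether the bundle is reachable through a given set of hostPath mounts. The helper names and the fake root directory are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Shows why mounting only /etc/ssl/certs
# from the node leaves the container with a dangling ca-bundle.crt symlink.

# make_fake_host ROOT: constructed sample of the node layout named in the thread.
make_fake_host() {
  root="$1"
  mkdir -p "$root/etc/ssl/certs" "$root/etc/pki/ca-trust/extracted/pem"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed-sample-not-a-real-cert' \
    '-----END CERTIFICATE-----' > "$root/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"
  # Absolute symlink, exactly as described: only resolves if /etc/pki is also mounted.
  ln -s /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem "$root/etc/ssl/certs/ca-bundle.crt"
}

# bundle_resolves ROOT MOUNT...: returns 0 if /etc/ssl/certs/ca-bundle.crt is readable
# inside a container that hostPath-mounts only the listed directories, 1 otherwise.
bundle_resolves() {
  hostroot="$1"; shift
  target=$(readlink "$hostroot/etc/ssl/certs/ca-bundle.crt") || return 1
  for m in "$@"; do
    case "$target" in
      "$m"/*) [ -r "$hostroot$target" ] && return 0 ;;
    esac
  done
  return 1
}

# Stand-alone run: first check mirrors the CVO as shipped, second adds /etc/pki.
tmp=$(mktemp -d)
make_fake_host "$tmp"
if bundle_resolves "$tmp" /etc/ssl/certs; then echo "unexpected: resolves"; fi
if bundle_resolves "$tmp" /etc/ssl/certs /etc/pki; then echo "resolves with /etc/pki"; fi
rm -rf "$tmp"
```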
