Raise a bug to the installer component, yes

On Nov 17, 2019, at 6:03 PM, Joel Pearson <japear...@agiledigital.com.au>
wrote:

On Mon, 18 Nov 2019 at 12:37, Ben Parees <bpar...@redhat.com> wrote:

>
>
> On Sun, Nov 17, 2019 at 7:24 PM Joel Pearson <
> japear...@agiledigital.com.au> wrote:
>
>>
>>
>> On Wed, 13 Nov 2019 at 02:43, Ben Parees <bpar...@redhat.com> wrote:
>>
>>>
>>>
>>> On Mon, Nov 11, 2019 at 11:27 PM Ben Parees <bpar...@redhat.com> wrote:
>>>
>>>>
>>>>
>>>> On Mon, Nov 11, 2019 at 10:47 PM Joel Pearson <
>>>> japear...@agiledigital.com.au> wrote:
>>>>
>>>>>
>>>>>
>>>>> On Tue, 12 Nov 2019 at 06:56, Ben Parees <bpar...@redhat.com> wrote:
>>>>>
>>>>>>
>>>>>>
>>>>>>>
>>>>>>> Can I use the “trustedCA” part of the proxy configuration without
>>>>>>> actually specifying an explicit proxy?
>>>>>>>
>>>>>>
>>>>>> you should be able to.  Daneyon can you confirm?  (if you can't i'd
>>>>>> consider it a bug).
>>>>>>
>>>>> It does work! Thanks for that. user-ca-bundle already existed and had
>>>>> my certificate in there, I just needed to reference user-ca-bundle in the
>>>>> proxy config.
>>>>>
>>>>
>>>> cool, given that you supplied the CAs during install, and the
>>>> user-ca-bundle CM was created, i'm a little surprised the install didn't
>>>> automatically setup the reference in the proxyconfig resource for you.  I'm
>>>> guessing it did not because there was no actual proxy hostname configured.
>>>> I think that's a gap we should close..would you mind filing a bug?  (
>>>> bugzilla.redhat.com).  You can submit it against the install component.
>>>>
>>>
>>> fyi I've filed a bug for this aspect of the issues you ran into:
>>> https://bugzilla.redhat.com/show_bug.cgi?id=1771564
>>>
>>>
>> Thanks for raising this, reading through the related github tickets it
>> looks like I've opened a can of worms to some degree.
>>
>
> Yes there's some difference of opinion on what the out of box desired
> behavior is, but at a minimum you've exposed a gap in our documentation
> that we will get fixed.
>
>
I also just discovered that the openshift cluster version operator (CVO)
isn't quite configured correctly out of the box to use the correct trusted
CA certs (which means it can't download cluster updates).

It correctly mounts /etc/ssl/certs from the host (the masters), but it
fails to also mount /etc/pki, because the certs are a symlink
/etc/ssl/certs/ca-bundle.crt ->
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

I couldn't find where the installer sets up the CVO but an example of what
is missing is here.
https://github.com/openshift/cluster-version-operator/blob/01a7825179246fa708ac64de96e6675c0bf9a930/bootstrap/bootstrap-pod.yaml#L44-L46


Is there an existing bug for this? Or should I raise a bugzilla for this?
Would it be part of the installer?

_______________________________________________
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
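The mount gap described in the message above can be checked mechanically. This is an added example, not part of the thread and not OpenShift code: it follows the CA bundle symlink chain and reports the first hop that falls outside the directories mounted into the pod. The function names and the temporary sample tree are constructed for illustration; the two paths are the ones quoted in the message.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# under_mount PATH MOUNT...: succeed if PATH lies inside one of the MOUNT dirs.
under_mount() {
    p=$1; shift
    for m in "$@"; do
        case "$p" in "$m"|"$m"/*) return 0 ;; esac
    done
    return 1
}

# check_bundle ROOT PATH MOUNT...
# ROOT holds a copy of the host tree ("" means the live /). Follows the symlink
# chain from PATH and fails on the first hop outside every MOUNT.
check_bundle() {
    root=$1; cur=$2; shift 2
    hops=0
    while :; do
        case "$cur" in */..|*/../*) echo "unresolved: $cur"; return 2 ;; esac
        under_mount "$cur" "$@" || { echo "not mounted: $cur"; return 1; }
        [ -L "$root$cur" ] || break
        [ "$hops" -lt 16 ] || { echo "link loop: $cur"; return 2; }
        target=$(readlink "$root$cur")
        case "$target" in
            /*) cur=$target ;;                      # absolute link target
            *)  cur=$(dirname "$cur")/$target ;;    # relative to the link's dir
        esac
        hops=$((hops + 1))
    done
    [ -e "$root$cur" ] || { echo "missing: $cur"; return 1; }
    echo "ok: $cur"
}

# Constructed sample tree reproducing the layout quoted in the message.
demo=$(mktemp -d)
mkdir -p "$demo/etc/ssl/certs" "$demo/etc/pki/ca-trust/extracted/pem"
echo "constructed placeholder bundle" > "$demo/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"
ln -s /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem "$demo/etc/ssl/certs/ca-bundle.crt"

# Only /etc/ssl/certs mounted, then both directories mounted.
check_bundle "$demo" /etc/ssl/certs/ca-bundle.crt /etc/ssl/certs || true
check_bundle "$demo" /etc/ssl/certs/ca-bundle.crt /etc/ssl/certs /etc/pki
```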