On Mon, 18 Nov 2019 at 13:05, Clayton Coleman <ccole...@redhat.com> wrote:
> Raise a bug to the installer component, yes

Ok thanks, I raised a bug here:
https://bugzilla.redhat.com/show_bug.cgi?id=1773419

> On Nov 17, 2019, at 6:03 PM, Joel Pearson <japear...@agiledigital.com.au> wrote:
>
> On Mon, 18 Nov 2019 at 12:37, Ben Parees <bpar...@redhat.com> wrote:
>
>> On Sun, Nov 17, 2019 at 7:24 PM Joel Pearson <japear...@agiledigital.com.au> wrote:
>>
>>> On Wed, 13 Nov 2019 at 02:43, Ben Parees <bpar...@redhat.com> wrote:
>>>
>>>> On Mon, Nov 11, 2019 at 11:27 PM Ben Parees <bpar...@redhat.com> wrote:
>>>>
>>>>> On Mon, Nov 11, 2019 at 10:47 PM Joel Pearson <japear...@agiledigital.com.au> wrote:
>>>>>
>>>>>> On Tue, 12 Nov 2019 at 06:56, Ben Parees <bpar...@redhat.com> wrote:
>>>>>>
>>>>>>>> Can I use the “trustedCA” part of the proxy configuration without
>>>>>>>> actually specifying an explicit proxy?
>>>>>>>
>>>>>>> you should be able to. Daneyon can you confirm? (if you can't i'd
>>>>>>> consider it a bug).
>>>>>>
>>>>>> It does work! Thanks for that. user-ca-bundle already existed and
>>>>>> had my certificate in there, I just needed to reference user-ca-bundle in
>>>>>> the proxy config.
>>>>>
>>>>> cool, given that you supplied the CAs during install, and the
>>>>> user-ca-bundle CM was created, i'm a little surprised the install didn't
>>>>> automatically setup the reference in the proxyconfig resource for you.
>>>>> I'm guessing it did not because there was no actual proxy hostname configured.
>>>>> I think that's a gap we should close..would you mind filing a bug?
>>>>> (bugzilla.redhat.com). You can submit it against the install
>>>>> component.
>>>>
>>>> fyi I've filed a bug for this aspect of the issues you ran into:
>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1771564
>>>
>>> Thanks for raising this, reading through the related github tickets it
>>> looks like I've opened a can of worms to some degree.
>>
>> Yes there's some difference of opinion on what the out of box desired
>> behavior is, but at a minimum you've exposed a gap in our documentation
>> that we will get fixed.
>
> I also just discovered that the openshift cluster version operator (CVO),
> isn't quite configured correctly out of the box to use the correct trusted
> CA certs (which means it can't download cluster updates).
>
> It correctly mounts /etc/ssl/certs from the host (the masters), but it
> fails to also mount /etc/pki, because the certs are a symlink
> /etc/ssl/certs/ca-bundle.crt ->
> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
>
> I couldn't find where the installer sets up the CVO but an example of what
> is missing is here.
>
> https://github.com/openshift/cluster-version-operator/blob/01a7825179246fa708ac64de96e6675c0bf9a930/bootstrap/bootstrap-pod.yaml#L44-L46
>
> Is there an existing bug for this? Or should I raise a bugzilla for this?
> Would it be part of the installer?
>
> _______________________________________________
> users mailing list
> users@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
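The failure described in the thread, a pod that mounts /etc/ssl/certs from the host but not /etc/pki and so ends up with a dangling ca-bundle.crt symlink, can be checked mechanically. The following is an added example, not part of the original messages or of any OpenShift code; the function names and the sample tree are constructed, and it assumes each host directory is mounted at the same path inside the container.

```python
import os
import posixpath
import tempfile


def links_escaping_mounts(host_root, mounts):
    """Map each symlink under the mounted host directories to its target
    when that target lies outside every mounted directory, i.e. the link
    dangles inside the container."""
    # Assumption: mounts keep their host paths; symlinked parent
    # directories are not resolved.
    mounts = [posixpath.normpath(m) for m in mounts]

    def covered(path):
        return any(path == m or path.startswith(m + "/") for m in mounts)

    broken = {}
    for mount in mounts:
        top = os.path.join(host_root, mount.lstrip("/"))
        for dirpath, dirnames, filenames in os.walk(top):
            for name in dirnames + filenames:
                full = os.path.join(dirpath, name)
                if not os.path.islink(full):
                    continue
                seen_as = "/" + os.path.relpath(full, host_root)
                # Relative targets resolve against the link's own directory.
                target = posixpath.normpath(posixpath.join(
                    posixpath.dirname(seen_as), os.readlink(full)))
                if not covered(target):
                    broken[seen_as] = target
    return broken


def build_sample_host(root):
    """Constructed tree mirroring the thread: the bundle under
    /etc/ssl/certs is a symlink into /etc/pki."""
    pem_dir = os.path.join(root, "etc/pki/ca-trust/extracted/pem")
    os.makedirs(pem_dir)
    with open(os.path.join(pem_dir, "tls-ca-bundle.pem"), "w") as fh:
        fh.write("# constructed placeholder, not a real certificate\n")
    certs = os.path.join(root, "etc/ssl/certs")
    os.makedirs(certs)
    os.symlink("/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem",
               os.path.join(certs, "ca-bundle.crt"))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_host(root)
        print(links_escaping_mounts(root, ["/etc/ssl/certs"]))
        print(links_escaping_mounts(root, ["/etc/ssl/certs", "/etc/pki"]))
```

To audit a real node, pass `/` as `host_root` together with the list of hostPath directories the pod spec mounts.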