additionalTrustedBundle not taking effect when kicking off installation #46

Closed
00Asgaroth00 opened this issue Sep 5, 2023 · 2 comments

00Asgaroth00 commented Sep 5, 2023

Hi,

When adding an additionalTrustBundle to the aicli parameters file and creating the cluster, the installation fails at the preparing phase with the following error message:

Container images availability: Failed to fetch container images needed for installation from quay.io/openshift-release-dev/ocp-release:4.13.9-x86_64,quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:6367174e22dca6a79d2aca3de974ed38499fb9cd10b7d845143cb82211b7bb02,quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:eba22f67551d60674a8c9550b9284f2a0540b2a69f5e3c12b7cb2d943684b2a3. This may be due to a network hiccup. Retry to install again. If this problem persists, check your network settings to make sure you’re not blocked.

This issue appears to be very similar to the Red Hat Bugzilla 2038013 referenced HERE

The parameters file I am using to create the cluster is as follows (temporary ca cert so I will show the full cert in the configuration):

openshift_version: "4.13"
base_dns_domain: "home.ie"
network_type: "OVNKubernetes"
cluster_network_cidr: "10.128.0.0/14"
service_network_cidr: "172.30.0.0/16"
cluster_network_host_prefix: 23
vip_dhcp_allocation: false
pull_secret: "/data/openshift/cluster_config/ocp/openshift_pull.json"
proxy:
  http_proxy: "http://172.16.17.3:3128/"
  https_proxy: "http://172.16.17.3:3128/"
  no_proxy: ".home.ie,172.16.17.0/24"
installconfig:
  additionalTrustBundle: |
    -----BEGIN CERTIFICATE-----
    MIIGCjCCA/KgAwIBAgIUTTqxlEyLu6n4T8H6rBvQNRwkVAgwDQYJKoZIhvcNAQEL
    BQAwgZwxCzAJBgNVBAYTAk5MMRYwFAYDVQQIDA1Ob29yZCBIb2xsYW5kMRIwEAYD
    VQQHDAlBbXN0ZXJkYW0xCzAJBgNVBAoMAk1FMQswCQYDVQQLDAJJVDFHMEUGA1UE
    Aww+RG9ja2VyTWlycm9yQm94IENBIFJvb3QgZG9ja2VyLXJlZ2lzdHJ5LXByb3h5
    IDIwMjMuMDguMzEgMDg6NDUwHhcNMjMwODMxMDg0NTE0WhcNMjcwMzIzMDg0NTE0
    WjCBnDELMAkGA1UEBhMCTkwxFjAUBgNVBAgMDU5vb3JkIEhvbGxhbmQxEjAQBgNV
    BAcMCUFtc3RlcmRhbTELMAkGA1UECgwCTUUxCzAJBgNVBAsMAklUMUcwRQYDVQQD
    DD5Eb2NrZXJNaXJyb3JCb3ggQ0EgUm9vdCBkb2NrZXItcmVnaXN0cnktcHJveHkg
    MjAyMy4wOC4zMSAwODo0NTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB
    AMYex0XOLcNnv0GDT5uUH4KmGMnYvzPq6T8kO7a735QnIdVaDJHVNe8tjUaF1yPU
    DP6pOYORAJJ6FGOgu0QSr2NHRlEQ+QcL8ZWQqVcQ+FnIN0w7nDrhk5iQu/2Wh4e5
    y1+Fy9Le4QkgTdJU7h8+9uLQ9Zf7+TQkC+5S2BjrP4vBoz4tj0dxt1hrrJJH+ksh
    B32TL17f1Fd2nireVbTgidrnl+CEThZIpfxEPDKF7ms2TfjAcYH8hLfXCSKsobvy
    Zk8lTnj6UN7bryuzgV2mdywB1CXq1mlRnU97JWfzcuaS1i5HnhmOY5mfMKAY6Z5a
    xXJrult93Bn8ExkqH5aikq/7hvAv5cu7rjPZgPEQwFECCZRwQgTn1OvVcvXLTrUt
    onkdEqanuPGyaMfKk5WknDnMpGVLMw0fptjz3f4bsctIC7zzqVaiIsUOcUNkDWzL
    /KkuV7+8cxd7cbBRUGMx/elyGDBH+Gd9UVytgl6DaGkXcsM5ExQ14osvf+F1sSpy
    evyp6Cn7VqdQtOAMCMXfJh33+eTL4pVc8HzxBRqNj2wjIEG0BcvJ6AAqglVWrTOM
    4n2YtG5qQZdjMU4rtwDaLPplHMu3Z06g9AkbbyME+ryltr5Zp70updXaeFWg1BCl
    t1Lf/58wBBdXgc+37mpKCSBr80FCvnkCIB5uqVN0j8PBAgMBAAGjQjBAMA8GA1Ud
    EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMB0GA1UdDgQWBBQuX2KcirLT5pS1
    R4lMYJvxBdPTaDANBgkqhkiG9w0BAQsFAAOCAgEAVyMQfM6LBIAVrH2Nb44B8P/X
    bebaVtTq7d8lpXlqLDApOxh31J24c4Ik/FZOZMmnTAS9EX5NejpaCX+RFWBTSrso
    LHUzIlB5j6a9kAMTl0HCnSIcVXuJEplaTxliSQwr0pxLvm9oa/SMcArVfs0kRsfc
    JOxIfc49skhXJMtT8aSn7m6mK6OTMdlxx4t1x7dYPYHl45LRUczqDiJQ1F7UpbTx
    YwzJeayeWOR67wOSvHCB/hdFman5nwZty3/kj2kCciC/R+Yke+1qDQmyXpmWzOKi
    EvzqZj3EoYI7Lr12mxy8bGBPKOFy2Yj57mALqlE9QupWzJNqmQZp7caNi4wMKm8z
    FWRi01esOgJF6RXUaiuXDbi1nRtgst0RKnWMJceGDytcVGEla9g/PmTezATinJgl
    RwPdvsDDQM3wOaebvxvyJqjFPSNRSjkppH/TQhoBt+TYOloFDuhaVpLwpojPy/SD
    cfM/nBFujkT9B+OTPT+lpb37BPc28labRKjkCCS81bu90hqD1BVhO6tgd5sbKh42
    pqSlktBbMeF/dEsBXHAF2zdv5qYPx5OluMAWqQ6+YPHhQcjPeZcF+hOfValZAGmM
    /mOzAO/3N6W187k58/cDDXE23yLAperR4yhvEmOaW/vT5cEMrA/tb5ZhJ7Qf+57/
    th16emzhfSSoucwqDFk=
    -----END CERTIFICATE-----
additional_ntp_source: "172.16.17.1"
minimal: true
ssh_public_key: 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFfwtJOvjAOZxAfAQ+hDI1DTDMqwzQ2qF1JeVV1H7h9X core@ocp.home.ie'
user_managed_networking: true
static_network_config:
  - interfaces:
    - name: eth0
      mac-address: 00:0c:29:c8:f9:d4
      ipv4:
        dhcp: true
        auto-dns: true
        auto-gateway: true
        auto-routes: true
        enabled: true
      ipv6:
        enabled: false
      state: up
      type: ethernet
  - interfaces:
    - name: eth0
      mac-address: 00:0c:29:a1:dc:08
      ipv4:
        dhcp: true
        auto-dns: true
        auto-gateway: true
        auto-routes: true
        enabled: true
      ipv6:
        enabled: false
      state: up
      type: ethernet
  - interfaces:
    - name: eth0
      mac-address: 00:0c:29:c4:bc:04
      ipv4:
        dhcp: true
        auto-dns: true
        auto-gateway: true
        auto-routes: true
        enabled: true
      ipv6:
        enabled: false
      state: up
      type: ethernet
  - interfaces:
    - name: eth0
      mac-address: 92:b6:91:2a:f1:31
      ipv4:
        dhcp: true
        auto-dns: true
        auto-gateway: true
        auto-routes: true
        enabled: true
      ipv6:
        enabled: false
      state: up
      type: ethernet
  - interfaces:
    - name: eth0
      mac-address: 92:b6:91:2a:f1:32
      ipv4:
        dhcp: true
        auto-dns: true
        auto-gateway: true
        auto-routes: true
        enabled: true
      ipv6:
        enabled: false
      state: up
      type: ethernet
  - interfaces:
    - name: eth0
      mac-address: 92:b6:91:2a:f1:33
      ipv4:
        dhcp: true
        auto-dns: true
        auto-gateway: true
        auto-routes: true
        enabled: true
      ipv6:
        enabled: false
      state: up
      type: ethernet

The installconfig for this parameters file, pulled down using 'aicli download installconfig ocp', pull-secret removed, is as follows:

apiVersion: v1
baseDomain: home.ie
proxy:
  httpProxy: http://172.16.17.3:3128/
  httpsProxy: http://172.16.17.3:3128/
  noProxy: .home.ie,172.16.17.0/24
networking:
  networkType: OVNKubernetes
  clusterNetwork:
  - cidr: 10.128.0.0/14
    hostPrefix: 23
  machineNetwork:
  - cidr: 172.16.17.0/24
  serviceNetwork:
  - 172.30.0.0/16
metadata:
  name: ocp
compute:
- hyperthreading: Enabled
  name: worker
  replicas: 3
controlPlane:
  hyperthreading: Enabled
  name: master
  replicas: 3
platform:
  none: {}
fips: false
pullSecret: ''
sshKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFfwtJOvjAOZxAfAQ+hDI1DTDMqwzQ2qF1JeVV1H7h9X
  core@ocp.home.ie
additionalTrustBundle: |-
  -----BEGIN CERTIFICATE-----
  MIIGCjCCA/KgAwIBAgIUTTqxlEyLu6n4T8H6rBvQNRwkVAgwDQYJKoZIhvcNAQEL
  BQAwgZwxCzAJBgNVBAYTAk5MMRYwFAYDVQQIDA1Ob29yZCBIb2xsYW5kMRIwEAYD
  VQQHDAlBbXN0ZXJkYW0xCzAJBgNVBAoMAk1FMQswCQYDVQQLDAJJVDFHMEUGA1UE
  Aww+RG9ja2VyTWlycm9yQm94IENBIFJvb3QgZG9ja2VyLXJlZ2lzdHJ5LXByb3h5
  IDIwMjMuMDguMzEgMDg6NDUwHhcNMjMwODMxMDg0NTE0WhcNMjcwMzIzMDg0NTE0
  WjCBnDELMAkGA1UEBhMCTkwxFjAUBgNVBAgMDU5vb3JkIEhvbGxhbmQxEjAQBgNV
  BAcMCUFtc3RlcmRhbTELMAkGA1UECgwCTUUxCzAJBgNVBAsMAklUMUcwRQYDVQQD
  DD5Eb2NrZXJNaXJyb3JCb3ggQ0EgUm9vdCBkb2NrZXItcmVnaXN0cnktcHJveHkg
  MjAyMy4wOC4zMSAwODo0NTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB
  AMYex0XOLcNnv0GDT5uUH4KmGMnYvzPq6T8kO7a735QnIdVaDJHVNe8tjUaF1yPU
  DP6pOYORAJJ6FGOgu0QSr2NHRlEQ+QcL8ZWQqVcQ+FnIN0w7nDrhk5iQu/2Wh4e5
  y1+Fy9Le4QkgTdJU7h8+9uLQ9Zf7+TQkC+5S2BjrP4vBoz4tj0dxt1hrrJJH+ksh
  B32TL17f1Fd2nireVbTgidrnl+CEThZIpfxEPDKF7ms2TfjAcYH8hLfXCSKsobvy
  Zk8lTnj6UN7bryuzgV2mdywB1CXq1mlRnU97JWfzcuaS1i5HnhmOY5mfMKAY6Z5a
  xXJrult93Bn8ExkqH5aikq/7hvAv5cu7rjPZgPEQwFECCZRwQgTn1OvVcvXLTrUt
  onkdEqanuPGyaMfKk5WknDnMpGVLMw0fptjz3f4bsctIC7zzqVaiIsUOcUNkDWzL
  /KkuV7+8cxd7cbBRUGMx/elyGDBH+Gd9UVytgl6DaGkXcsM5ExQ14osvf+F1sSpy
  evyp6Cn7VqdQtOAMCMXfJh33+eTL4pVc8HzxBRqNj2wjIEG0BcvJ6AAqglVWrTOM
  4n2YtG5qQZdjMU4rtwDaLPplHMu3Z06g9AkbbyME+ryltr5Zp70updXaeFWg1BCl
  t1Lf/58wBBdXgc+37mpKCSBr80FCvnkCIB5uqVN0j8PBAgMBAAGjQjBAMA8GA1Ud
  EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMB0GA1UdDgQWBBQuX2KcirLT5pS1
  R4lMYJvxBdPTaDANBgkqhkiG9w0BAQsFAAOCAgEAVyMQfM6LBIAVrH2Nb44B8P/X
  bebaVtTq7d8lpXlqLDApOxh31J24c4Ik/FZOZMmnTAS9EX5NejpaCX+RFWBTSrso
  LHUzIlB5j6a9kAMTl0HCnSIcVXuJEplaTxliSQwr0pxLvm9oa/SMcArVfs0kRsfc
  JOxIfc49skhXJMtT8aSn7m6mK6OTMdlxx4t1x7dYPYHl45LRUczqDiJQ1F7UpbTx
  YwzJeayeWOR67wOSvHCB/hdFman5nwZty3/kj2kCciC/R+Yke+1qDQmyXpmWzOKi
  EvzqZj3EoYI7Lr12mxy8bGBPKOFy2Yj57mALqlE9QupWzJNqmQZp7caNi4wMKm8z
  FWRi01esOgJF6RXUaiuXDbi1nRtgst0RKnWMJceGDytcVGEla9g/PmTezATinJgl
  RwPdvsDDQM3wOaebvxvyJqjFPSNRSjkppH/TQhoBt+TYOloFDuhaVpLwpojPy/SD
  cfM/nBFujkT9B+OTPT+lpb37BPc28labRKjkCCS81bu90hqD1BVhO6tgd5sbKh42
  pqSlktBbMeF/dEsBXHAF2zdv5qYPx5OluMAWqQ6+YPHhQcjPeZcF+hOfValZAGmM
  /mOzAO/3N6W187k58/cDDXE23yLAperR4yhvEmOaW/vT5cEMrA/tb5ZhJ7Qf+57/
  th16emzhfSSoucwqDFk=
  -----END CERTIFICATE-----

It looks like the additionalTrustBundle is applied to the installconfig, however, I'm wondering if there is something else that needs to be done for the discovery iso to trust this ca cert. Do we need to apply an ignition configuration to the discovery iso as well for this to apply properly?

One observation: if I manually add the CA cert via the "Host Discovery" -> "Add Host" -> "Configure cluster-wide trusted certificates" option in the cluster console, regenerate the ISO and boot off of it, then the installation proceeds properly. The installconfig with the above process then has two copies of the same certificate (duplicated) in the additionalTrustBundle section.

Is this a possible bug, or, is it something I may be doing wrong here?
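
The comparison described in the comment above (same CA in the parameters file and in the downloaded installconfig, plus the duplicated entry) can be checked by fingerprint rather than by eye. This is an added example, not part of the original issue or of aicli; the function names are hypothetical and the PEM blocks are constructed stand-ins, not real certificates.

```python
import base64
import hashlib
import re
import textwrap

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def bundle_fingerprints(bundle):
    """SHA-256 of each certificate's decoded bytes, in bundle order."""
    prints = []
    for body in PEM_RE.findall(bundle):
        # Drop line breaks and YAML indentation before decoding.
        der = base64.b64decode("".join(body.split()), validate=True)
        prints.append(hashlib.sha256(der).hexdigest())
    return prints


def compare_bundles(params_bundle, installconfig_bundle):
    """Report certificates lost, added or repeated between the two bundles."""
    src = bundle_fingerprints(params_bundle)
    dst = bundle_fingerprints(installconfig_bundle)
    return {
        "missing": sorted(set(src) - set(dst)),
        "extra": sorted(set(dst) - set(src)),
        "duplicated": sorted({fp for fp in dst if dst.count(fp) > 1}),
    }


def fake_pem(seed, indent):
    """Constructed stand-in for a PEM certificate (not a real X.509 cert)."""
    body = base64.encodebytes(hashlib.sha512(seed).digest() * 4).decode()
    pem = "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"
    return textwrap.indent(pem, " " * indent)


# Constructed sample: one CA at the parameters file's 4-space indent, and the
# same CA twice at the installconfig's 2-space indent (the duplicate case).
PARAMS_BUNDLE = fake_pem(b"proxy-ca", 4)
# A "|-" block scalar strips the final newline, so strip it here too.
INSTALLCONFIG_BUNDLE = (fake_pem(b"proxy-ca", 2) * 2).rstrip("\n")

if __name__ == "__main__":
    print(compare_bundles(PARAMS_BUNDLE, INSTALLCONFIG_BUNDLE))
```

Because the fingerprint is taken over the decoded bytes, the different indentation and the `|` versus `|-` block scalar styles in the two files do not affect the result.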

@00Asgaroth00
Author

Does the assisted installer web interface set the additionalTrustBundlePolicy to Proxyonly when manually adding in the cert through the interface, or does it set it to Always? I'm wondering if the API interface sets it to Proxyonly (default) when not specified. I cannot tell if this is an issue with the parameters file AdditionalTrustBundle YAML, or if this is a setting I'm missing (additionalTrustBundlePolicy) in the parameters file, or if this is a bug/enhancement for aicli.

Reference: Proxy settings for CA as mentioned HERE

Any thoughts would be appreciated.

@karmab
Owner

karmab commented Oct 10, 2023

Can you try with the extra keyword registry_url: testk-disconnecter.ipv6only:5000
This will take care of fetching the cert and putting it in the install config, along with setting image content source policies, which I believe are what's missing in your case.

karmab closed this as completed Mar 2, 2024