Bug 1900138: Removed support for insecure mode for oVirt/RHV installation #4404

Merged
merged 1 commit into from Dec 5, 2020
21 changes: 21 additions & 0 deletions docs/user/ovirt/install_ipi.md
Expand Up @@ -226,3 +226,24 @@ $ oc get nodes
```

[Bare Metal IPI Networking Infrastructure]: https://github.com/openshift/installer/blob/master/docs/design/baremetal/networking-infrastructure.md

#### Installing OpenShift on RHV/oVirt in *insecure* mode

<!-- Do not change this title as it is used in the code to point users to the right place -->

Starting OpenShift 4.7 we are sunsetting the “insecure” option from the OpenShift Installer. Starting with this version, the installer only supports installation methods from the user interface that lead to using verified certificates.

This change also means that setting up the CA certificate for RHV is no longer required before running the installer. The installer will ask you for confirmation about the certificate and store the CA certificate for use during the installation.

Should you, nevertheless, require an installation without certificate verification you can create a file named ovirt-config.yaml in the .ovirt directory in your home directory (~/.ovirt/ovirt-config.yaml) before running the installer with the following content:

```yaml
ovirt_url: https://ovirt.example.com/ovirt-engine/api
ovirt_fqdn: ovirt.example.com
ovirt_pem_url: ""
ovirt_username: admin@internal
ovirt_password: super-secret-password
ovirt_insecure: true
```

Please note that this option is **not recommended** as it will allow a potential attacker to perform a Man-in-the-Middle attack and capture sensitive credentials on the network.
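
Review bot: The man-in-the-middle warning is the last line of the new section, after the copy-ready `ovirt-config.yaml` sample, so a reader who pastes the sample has `ovirt_insecure: true` in place before reaching the reason it is not recommended; move the warning above the YAML block. The sample also keeps `ovirt_password` in plain text in `~/.ovirt/ovirt-config.yaml`, and the section gives no guidance on restricting access to that file; a sentence on that belongs next to the sample.
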
16 changes: 13 additions & 3 deletions pkg/asset/installconfig/ovirt/credentials.go
Expand Up @@ -366,9 +366,19 @@ func engineSetup() (Config, error) {
}

if engineConfig.Insecure {
logrus.Warning(
"cannot detect Engine CA cert imported in the system. ",
"Communication with the Engine will be insecure.")
logrus.Error(
"****************************************************************************\n",
"* Could not configure secure communication to the oVirt engine. *\n",
"* As of 4.7 insecure mode for oVirt is no longer supported in the *\n",
"* installer. Please see the help article titled \"Installing OpenShift on *\n",
"* RHV/oVirt in insecure mode\" for details how to configure insecure mode *\n",
"* manually. *\n",
"****************************************************************************",
)
return engineConfig,
errors.New(
"cannot detect engine ca cert imported in the system",
)
}
return askCredentials(engineConfig)
}
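
Review bot: The error returned from the `if engineConfig.Insecure` branch still reads only "cannot detect engine ca cert imported in the system", so the statement that insecure mode is no longer supported and the pointer to the help article exist only in the `logrus.Error` banner; a caller that surfaces just the returned error loses both. Put that guidance in the `errors.New` message and keep the log line short. The branch also returns the populated `engineConfig`, with `Insecure` set, alongside the error; returning `Config{}` would keep a caller that mishandles the error from using it. The quoted article title is tied to the heading in install_ipi.md only by an HTML comment on the docs side, so a code comment at this string naming that file would help keep the two in sync.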