Bug 2012173: Azure Stack: Add UPI Instructions for internal CA #5573
Conversation
Many Azure Stack environments use internal CAs. In these cases special steps are needed for a UPI install.
```sh
export BOOTSTRAP_URL=$(az storage blob url --account-name "${INFRA_ID}sa" --account-key "$ACCOUNT_KEY" -c "files" -n "bootstrap.ign" -o tsv)
export BOOTSTRAP_IGNITION=$(jq -rcnM --arg v "3.2.0" --arg url "$BOOTSTRAP_URL" '{ignition:{version:$v,config:{replace:{source:$url}}}}' | base64 | tr -d '\n')
```

### Create the Bootstrap Ignition Shim with an Internal Certificate Authority (Optional)
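Review bot: the jq filter in the `BOOTSTRAP_IGNITION` line builds `config:{replace:{source:$url}}` with no `verification` object, so the bootstrap node accepts whatever is served at `$BOOTSTRAP_URL`; since the Ignition spec quoted later in this thread advises the verification option for fetched content, consider computing `sha512sum bootstrap.ign` before uploading and passing it in as `--arg hash "sha512-<hex>"` with `replace:{source:$url,verification:{hash:$hash}}`. The `tr -d '\n'` after `base64` is load-bearing (base64 wraps output at 76 columns by default, and customData must be a single line); a short comment in the doc saying so would stop readers from dropping it. The new heading marks the internal-CA shim as "(Optional)" without saying when it is needed; a sentence stating the condition under which the plain shim fails would help readers decide.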
@patrickdillon Is this step specific to a UPI install? Given that users will not have to create ignition config files for the cluster, I wanted to verify creating the bootstrap ignition shim is not required for IPI.
This is indeed specific for UPI. For IPI, we do this in the installer's code.
@patrickdillon The ignition spec says the tls.certificateAuthorities[].source element is a URL. I trust that the example below works, but wondering if there is a chance this is not supported.

> source (string): the URL of the contents to append. Supported schemes are http, https, tftp, s3, gs, and data. When using http, it is advisable to use the verification option to ensure the contents haven't been modified.
It is valid and supported. The example uses a data url: https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/Data_URIs
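The exchange above settles that `tls.certificateAuthorities[].source` accepts a `data:` URL. The script below is an added example, not code from this PR or from the installer, that builds the complete internal-CA shim end to end: it base64-encodes a PEM CA into a data URL, points `config.replace.source` at the blob URL, and, going beyond the page's own snippet, adds the `verification.hash` the quoted spec recommends, so the node rejects a tampered bootstrap.ign even though the URL itself is https. It assumes a PEM CA file, the https URL returned by `az storage blob url`, the local bootstrap.ign that was uploaded, and GNU coreutils (`sha512sum`, `base64`). It uses `printf` rather than jq only because every interpolated value is base64, hex or an az-generated URL and needs no JSON escaping; the PR's jq approach is equally valid.

```shell
#!/bin/sh
# Added example (not from the PR): build an Ignition 3.2.0 shim that replaces
# itself with bootstrap.ign from blob storage and trusts an internal CA.
# Assumed inputs: a PEM CA file, the https blob URL from `az storage blob url`,
# and the local bootstrap.ign that was uploaded (used for the verification hash).
set -eu

# Encode a file as an RFC 2397 base64 data URL, the form Ignition accepts for
# tls.certificateAuthorities[].source. base64 wraps at 76 columns, hence tr.
pem_to_data_url() {
  printf 'data:text/plain;base64,%s' "$(base64 < "$1" | tr -d '\n')"
}

# Ignition's verification hash: "sha512-" followed by the hex digest.
# (sha512sum is GNU coreutils; on macOS use `shasum -a 512`.)
ignition_hash() {
  printf 'sha512-%s' "$(sha512sum "$1" | cut -d' ' -f1)"
}

# Emit the shim JSON on one line.
#   $1 = https URL of bootstrap.ign in the storage account
#   $2 = internal CA PEM file
#   $3 = local copy of the uploaded bootstrap.ign
# All interpolated values are base64, hex, or the az URL, none of which
# contain characters that need JSON escaping, so printf is sufficient here.
build_shim() {
  shim_url=$1
  shim_ca=$2
  shim_ign=$3
  printf '{"ignition":{"version":"3.2.0","config":{"replace":{"source":"%s","verification":{"hash":"%s"}}},"security":{"tls":{"certificateAuthorities":[{"source":"%s"}]}}}}' \
    "$shim_url" "$(ignition_hash "$shim_ign")" "$(pem_to_data_url "$shim_ca")"
}

# customData for the VM must be a single base64 line, as in the PR's snippet.
build_shim_b64() {
  build_shim "$@" | base64 | tr -d '\n'
}

# Usage (hypothetical paths; BOOTSTRAP_URL as exported in the PR's instructions):
#   BOOTSTRAP_IGNITION=$(build_shim_b64 "$BOOTSTRAP_URL" ./internal-ca.pem ./bootstrap.ign)
```

Because `verification.hash` is computed from the local file, rebuild the shim whenever bootstrap.ign is regenerated and re-uploaded; a stale hash makes Ignition refuse the blob, which is the intended failure mode rather than a silent one.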
/close
@patrickdillon: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Whoops. Closed the wrong PR.
@patrickdillon: The following tests failed, say
Full PR test history. Your PR dashboard.
@patrickdillon, I am following these instructions (thanks, by the way, they got me further than the product guide), using a private CA and installing OCP 4.9.15. I set the
Update on Jan/27: According to this technote, the cluster-wide proxy settings are not applied to user created application pods, and I guess the Azure CSI driver pods count as "user created". Unfortunately, the technote only talks about setting the URL of the proxy, but does not say anything about setting the user CA truststore for the proxy (if it is at all mapped to an environment variable.)
Full stretch of logs from that container:
Something else I noticed is that, of the 5 secrets manually created and added to the "openshift/manifests" directory before invoking

Note that I read through https://docs.openshift.com/container-platform/4.9/installing/installing_azure/manually-creating-iam-azure.html and did not have
@nastacio thank you for your thoughtful comments. The azure-csi-disk-driver issue was fixed in 4.9.17. If you switch to the newest release image and then do the same install as before, you should not hit this issue.
Any manifests that are in the dir should be applied "dumbly" on the bootstrap node. You would need to check the logs there to see if they were actually applied. The first bit of troubleshooting I would do is to actually make sure the secrets you are creating are unique (for example you might be creating multiple secrets with the same name, ask me how I know). Are you scripting this step? Hopefully we will get Azure support for the ccotool to make this step easier for users.
This should not make a difference/cause any problems. I believe we are choosing a sane default when Azure Stack is specified. I will admit we are working to improve the credentials usability.
Yes:
In fact, the fix for the problem was to run

I double-checked the
I came back to this. It turns out I had left incorrect copies of the secret files in the folder, along with the correct ones.
/lgtm
/approve
[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: staebler

The full list of commands accepted by this bot can be found here. The pull request process is described here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing
/retest-required

Please review the full test history for this PR and help us cut down flakes.
/retitle Bug 2012173: Azure Stack: Add UPI Instructions for internal CA
@patrickdillon: All pull requests linked via external trackers have merged: Bugzilla bug 2012173 has been moved to the MODIFIED state. In response to this: