Merge pull request openshift#3040 from iamemilio/ssc-known-issues

Bug 1769879: remove self signed certs from known issues
rna-afk · Feb 3, 2020 · 2651d44 · 2651d44
2 parents b0d828f + 8c55eae
commit 2651d44
Show file tree

Hide file tree

Showing 11 changed files with 1,736 additions and 4 deletions.
diff --git a/docs/user/azure/install_upi.md b/docs/user/azure/install_upi.md
diff --git a/docs/user/openstack/known-issues.md b/docs/user/openstack/known-issues.md
@@ -10,10 +10,6 @@ If the mDNS service name of a server is too long, it will exceed the character l
 
 Since the installer requires the *Name* of your external network and Red Hat Core OS image, if you have other networks or images with the same name, it will choose one randomly from the set. This is not a reliable way to run the installer. We highly recommend that you resolve this with your cluster administrator by creating unique names for your resources in openstack.
 
-## Self Signed Certificates
-
-A partial fix for Self Signed Certificates has been merged, enabling the bootstrap node to get its ignition configs. However, this revealed another bug with CA bundle distrubution within OpenShift that is being tracked here: https://bugzilla.redhat.com/show_bug.cgi?id=1769879. Unfortunately, we are not able to resolve this bug in the current release, so clusters with self signed certificates will remain unsupported. This bug is a top priority for the team, and the necessary trackers will be updated frequently with the latest information.
-
 ## External Network Overlap
 
 If your external network's CIDR range is the same as one of the default network ranges, then you will need to change the matching network range by running the installer with a custom `install-config.yaml`. If users are experiencing unusual networking problems, please contact your cluster administrator and validate that none of your network CIDRs are overlapping with the external network. We were unfortunately unable to support validation for this due to a lack of support in gophercloud, and even if we were, it is likely that the CIDR range of the floating ip would only be accessible cluster administrators. The default network CIDR are as follows:

diff --git a/pkg/asset/machines/baremetal/hosts.go b/pkg/asset/machines/baremetal/hosts.go
@@ -2,6 +2,7 @@ package baremetal
 
 import (
 	"fmt"
+	"github.com/metal3-io/baremetal-operator/pkg/hardware"
 
 	machineapi "github.com/openshift/cluster-api/pkg/apis/machine/v1beta1"
 	corev1 "k8s.io/api/core/v1"
@@ -52,6 +53,11 @@ func Hosts(config *types.InstallConfig, machines []machineapi.Machine) (*HostSet
 		}
 		settings.Secrets = append(settings.Secrets, secret)
 
+		// Map string 'default' to hardware.DefaultProfileName
+		if host.HardwareProfile == "default" {
+			host.HardwareProfile = hardware.DefaultProfileName
+		}
+
 		newHost := baremetalhost.BareMetalHost{
 			TypeMeta: metav1.TypeMeta{
 				APIVersion: baremetalhost.SchemeGroupVersion.String(),

diff --git a/upi/azure/01_vnet.json b/upi/azure/01_vnet.json
@@ -0,0 +1,102 @@
+{
+  "$schema" : "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+  "contentVersion" : "1.0.0.0",
+  "variables" : {
+    "location" : "[resourceGroup().location]",
+    "virtualNetworkName" : "[concat(resourceGroup().name, '-vnet')]",
+    "addressPrefix" : "10.0.0.0/16",
+    "masterSubnetName" : "[concat(resourceGroup().name, '-master-subnet')]",
+    "masterSubnetPrefix" : "10.0.0.0/24",
+    "nodeSubnetName" : "[concat(resourceGroup().name, '-node-subnet')]",
+    "nodeSubnetPrefix" : "10.0.1.0/24",
+    "controlPlaneNsgName" : "[concat(resourceGroup().name, '-controlplane-nsg')]",
+    "nodeNsgName" : "[concat(resourceGroup().name, '-node-nsg')]"
+  },
+  "resources" : [
+    {
+      "apiVersion" : "2018-12-01",
+      "type" : "Microsoft.Network/virtualNetworks",
+      "name" : "[variables('virtualNetworkName')]",
+      "location" : "[variables('location')]",
+      "dependsOn" : [
+        "[concat('Microsoft.Network/networkSecurityGroups/', variables('controlPlaneNsgName'))]",
+        "[concat('Microsoft.Network/networkSecurityGroups/', variables('nodeNsgName'))]"
+      ],
+      "properties" : {
+        "addressSpace" : {
+          "addressPrefixes" : [
+            "[variables('addressPrefix')]"
+          ]
+        },
+        "subnets" : [
+          {
+            "name" : "[variables('masterSubnetName')]",
+            "properties" : {
+              "addressPrefix" : "[variables('masterSubnetPrefix')]",
+              "serviceEndpoints": [],
+              "networkSecurityGroup" : {
+                "id" : "[resourceId('Microsoft.Network/networkSecurityGroups', variables('controlPlaneNsgName'))]"
+              }
+            }
+          },
+          {
+            "name" : "[variables('nodeSubnetName')]",
+            "properties" : {
+              "addressPrefix" : "[variables('nodeSubnetPrefix')]",
+              "serviceEndpoints": [],
+              "networkSecurityGroup" : {
+                "id" : "[resourceId('Microsoft.Network/networkSecurityGroups', variables('nodeNsgName'))]"
+              }
+            }
+          }
+        ]
+      }
+    },
+    {
+      "type" : "Microsoft.Network/networkSecurityGroups",
+      "name" : "[variables('controlPlaneNsgName')]",
+      "apiVersion" : "2018-10-01",
+      "location" : "[variables('location')]",
+      "properties" : {
+        "securityRules" : [
+          {
+            "name" : "apiserver_in",
+            "properties" : {
+              "protocol" : "Tcp",
+              "sourcePortRange" : "*",
+              "destinationPortRange" : "6443",
+              "sourceAddressPrefix" : "*",
+              "destinationAddressPrefix" : "*",
+              "access" : "Allow",
+              "priority" : 101,
+              "direction" : "Inbound"
+            }
+          }
+        ]
+      }
+    },
+    {
+      "type" : "Microsoft.Network/networkSecurityGroups",
+      "name" : "[variables('nodeNsgName')]",
+      "apiVersion" : "2018-10-01",
+      "location" : "[variables('location')]",
+      "properties" : {
+        "securityRules" : [
+          {
+            "name" : "apiserver_in",
+            "properties" : {
+              "protocol" : "Tcp",
+              "sourcePortRange" : "*",
+              "destinationPortRange" : "6443",
+              "sourceAddressPrefix" : "*",
+              "destinationAddressPrefix" : "*",
+              "access" : "Allow",
+              "priority" : 101,
+              "direction" : "Inbound"
+            }
+          }
+        ]
+      }
+    }
+  ]
+}
diff --git a/upi/azure/02_storage.json b/upi/azure/02_storage.json
@@ -0,0 +1,34 @@
+{
+  "$schema" : "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+  "contentVersion" : "1.0.0.0",
+  "parameters" : {
+    "vhdBlobURL" : {
+      "type" : "string",
+      "metadata" : {
+        "description" : "URL pointing to the blob where the VHD to be used to create master and worker machines is located"
+      }
+    }
+  },
+  "variables" : {
+    "location" : "[resourceGroup().location]",
+    "imageName" : "[concat(resourceGroup().name, '-image')]"
+  },
+  "resources" : [
+    {
+      "apiVersion" : "2018-06-01",
+      "type": "Microsoft.Compute/images",
+      "name": "[variables('imageName')]",
+      "location" : "[variables('location')]",
+      "properties": {
+        "storageProfile": {
+          "osDisk": {
+            "osType": "Linux",
+            "osState": "Generalized",
+            "blobUri": "[parameters('vhdBlobURL')]",
+            "storageAccountType": "Standard_LRS"
+          }
+        }
+      }
+    }
+  ]
+}