diff --git a/docs/user/azure/install_upi_azurestack.md b/docs/user/azure/install_upi_azurestack.md index b059eb343c7..25cdef3fd8f 100644 --- a/docs/user/azure/install_upi_azurestack.md +++ b/docs/user/azure/install_upi_azurestack.md @@ -47,6 +47,11 @@ We'll be providing the compute machines ourselves, so we set compute replicas to Azure Stack is not supported by the interactive wizard, but you can use public Azure credentials to create an install config with [the usual approach](install.md#create-configuration) and then edit according to the example above. +### Additional Trust Bundle for Internal Certificate Authorities (Optional) + +If your Azure Stack environment uses an internal CA, add the necessary certificate bundle in .pem format to the [`additionalTrustBundle`](../customization.md#additional-trust-bundle). You will also need to [update the cluster proxy +manifest][proxy-ca] and [add the CA to the ignition shim][ign-ca] in later steps. + ## Credentials Both Azure and Azure Stack credentials are stored by the installer at `~/.azure/osServicePrincipal.json`. The installer will request the required information if no credentials are found. @@ -224,6 +229,24 @@ stringData: azure_region: <$REGION> ``` +### Set Cluster to use the Internal Certificate Authority (Optional) + +If your Azure Stack environment uses an internal CA, update `.spec.trustedCA.name` to use `user-ca-bundle` in `./manifests/cluster-proxy-01-config.yaml`: + +```shell +$ cat manifests/cluster-proxy-01-config.yaml +apiVersion: config.openshift.io/v1 +kind: Proxy +metadata: + creationTimestamp: null + name: cluster +spec: + trustedCA: + name: user-ca-bundle +status: {} +``` + +You will also need to update the ignition shim to include the CA. ## Create ignition configs Now we can create the bootstrap ignition configs: 
@@ -389,9 +412,28 @@ Copy the [`04_bootstrap.json`](../../../upi/azurestack/04_bootstrap.json) ARM te Create the deployment using the `az` client: +### Create the Bootstrap Ignition Shim + +If your Azure Stack environment uses a public certificate authority, you can create the ignition shim like this: + ```sh export BOOTSTRAP_URL=$(az storage blob url --account-name "${INFRA_ID}sa" --account-key "$ACCOUNT_KEY" -c "files" -n "bootstrap.ign" -o tsv) export BOOTSTRAP_IGNITION=$(jq -rcnM --arg v "3.2.0" --arg url "$BOOTSTRAP_URL" '{ignition:{version:$v,config:{replace:{source:$url}}}}' | base64 | tr -d '\n') +``` + +### Create the Bootstrap Ignition Shim with an Internal Certificate Authority (Optional) + +If your Azure Stack environments uses an internal CA, you will need to add the PEM encoded bundle to the bootstrap ignition +shim so that your bootstrap VM will be able to pull the bootstrap ignition from the storage account. Assuming your CA +is in a file called `CA.pem` you can add the bundle to the shim like this: + +```sh +export CA="data:text/plain;charset=utf-8;base64,$(cat CA.pem |base64 |tr -d '\n')" +export BOOTSTRAP_URL=$(az storage blob url --account-name "${INFRA_ID}sa" --account-key "$ACCOUNT_KEY" -c "files" -n "bootstrap.ign" -o tsv) +export BOOTSTRAP_IGNITION=$(jq -rcnM --arg v "3.2.0" --arg url "$BOOTSTRAP_URL" --arg cert "$CA" '{ignition:{version:$v,security:{tls:{certificateAuthorities:[{source:$cert}]}},config:{replace:{source:$url}}}}' | base64 | tr -d '\n') +``` + +### Deploy the Bootstrap VM az deployment group create --verbose -g "$RESOURCE_GROUP" \ --template-file "04_bootstrap.json" \ 
@@ -607,3 +649,5 @@ INFO Login to the console with user: kubeadmin, password: REDACTED
 [kubernetes-service-load-balancers-exclude-masters]: https://github.com/kubernetes/kubernetes/issues/65618
 [manual-credentials]: https://docs.openshift.com/container-platform/4.8/installing/installing_azure/manually-creating-iam-azure.html
 [azure-vhd-utils]: https://github.com/microsoft/azure-vhd-utils
+[proxy-ca]: #set-cluster-to-use-the-internal-certificate-authority-optional
+[ign-ca]: #create-the-bootstrap-ignition-shim-with-an-internal-certificate-authority-optional
diff --git a/go.sum b/go.sum
index 15e7c90757e..e71e40eb958 100644
--- a/go.sum
+++ b/go.sum
@@ -1963,11 +1963,11 @@ github.com/yuin/goldmark v1.1.30/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9de
 github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
+github.com/yuin/goldmark v1.4.0/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 github.com/yussufsh/power-go-client v1.99.4 h1:+7Zz60BOBZCOlTkbU8LeNiwh2wRfZ+anNwcTG+X30eg=
 github.com/yussufsh/power-go-client v1.99.4/go.mod h1:I4r5tCrA8mV5GFqGAJG4/Tn+/JpR+XLnDCLLNVKJxuI=
 github.com/yussufsh/terraform-provider-ibm v1.89.0 h1:gjdIIr5DFPQg2ncFVQcM7sgouBCC4ZEtrTqmnezpVoU=
 github.com/yussufsh/terraform-provider-ibm v1.89.0/go.mod h1:iPP4zVJhZ0YsaPNVaWNTZHYmWLXFAoou4uE+kRkYF+M=
-github.com/yuin/goldmark v1.4.0/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 github.com/zclconf/go-cty v1.0.0/go.mod h1:xnAOWiHeOqg2nWS62VtQ7pbOu17FtxJNW8RLEih+O3s=
 github.com/zclconf/go-cty v1.1.0/go.mod h1:xnAOWiHeOqg2nWS62VtQ7pbOu17FtxJNW8RLEih+O3s=
 github.com/zclconf/go-cty v1.1.1/go.mod h1:xnAOWiHeOqg2nWS62VtQ7pbOu17FtxJNW8RLEih+O3s=
diff --git a/pkg/asset/installconfig/aws/regions.go b/pkg/asset/installconfig/aws/regions.go
index 1453e753d8d..878bb2e3082 100644
--- a/pkg/asset/installconfig/aws/regions.go
+++ b/pkg/asset/installconfig/aws/regions.go
@@ -14,12 +14,9 @@ func knownRegions(architecture types.Architecture) map[string]string {
 required := rhcos.AMIRegions(architecture)
 regions := make(map[string]string)
- for _, partition := range endpoints.DefaultPartitions() {
- for _, partitionRegion := range partition.Regions() {
- partitionRegion := partitionRegion
- if required.Has(partitionRegion.ID()) {
- regions[partitionRegion.ID()] = partitionRegion.Description()
- }
+ for _, region := range endpoints.AwsPartition().Regions() {
+ if required.Has(region.ID()) {
+ regions[region.ID()] = region.Description()
 }
 }
 return regions
diff --git a/pkg/asset/installconfig/openstack/validation/cloudinfo.go b/pkg/asset/installconfig/openstack/validation/cloudinfo.go
index 3c973868fed..e9b6a3493a8 100644
--- a/pkg/asset/installconfig/openstack/validation/cloudinfo.go
+++ b/pkg/asset/installconfig/openstack/validation/cloudinfo.go
@@ -211,13 +211,11 @@ func (ci *CloudInfo) collectInfo(ic *types.InstallConfig, opts *clientconfig.Cli
 if err != nil {
 if isUnauthorized(err) {
 logrus.Warnf("Missing permissions to fetch Quotas and therefore will skip checking them: %v", err)
- return nil
- }
- if isNotFoundError(err) {
+ } else if isNotFoundError(err) {
 logrus.Warnf("Quota API is not available and therefore will skip checking them: %v", err)
- return nil
+ } else {
+ return errors.Wrap(err, "failed to load Quota")
 }
- return errors.Wrap(err, "failed to load Quota")
 }
 ci.NetworkExtensions, err = networkextensions.Get(ci.clients.networkClient)
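Review bot: Iterating only `endpoints.AwsPartition().Regions()` means regions belonging to the other SDK partitions (aws-cn, aws-us-gov) can no longer appear in the map returned by `knownRegions`, even when `rhcos.AMIRegions(architecture)` lists them, and nothing in the hunk records whether that narrowing is intended or whether those partitions are covered elsewhere. If it is deliberate, a comment above the new loop such as `// Only the standard aws partition is enumerated here; aws-cn and aws-us-gov regions are intentionally not offered.` would keep a later reader from re-introducing `DefaultPartitions()`. Dropping the per-iteration copy `partitionRegion := partitionRegion` is fine, since the value is never captured by a closure in the loop body. The closing brace of `knownRegions` lies outside this hunk.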
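Review bot: The new `if` / `else if` / `else` chain inside `if err != nil` classifies one error three ways and reads more clearly as a bare `switch`, which also makes it explicit that the unauthorized and not-found cases now fall through to the rest of the collection instead of returning early. The rewrite below keeps the same three outcomes and the same log and error strings. `collectInfo` begins and ends outside this hunk, so the handling of the still-set `err` before the `networkextensions.Get` reassignment cannot be checked from here.
```go
if err != nil {
	switch {
	case isUnauthorized(err):
		logrus.Warnf("Missing permissions to fetch Quotas and therefore will skip checking them: %v", err)
	case isNotFoundError(err):
		logrus.Warnf("Quota API is not available and therefore will skip checking them: %v", err)
	default:
		return errors.Wrap(err, "failed to load Quota")
	}
}
// … unchanged: NetworkExtensions lookup …
```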