Merge 20220203

docs/user/azure/install_upi_azurestack.md

@@ -47,6 +47,11 @@ We'll be providing the compute machines ourselves, so we set compute replicas to
 
 Azure Stack is not supported by the interactive wizard, but you can use public Azure credentials to create an install config with [the usual approach](install.md#create-configuration) and then edit according to the example above.
 
+### Additional Trust Bundle for Internal Certificate Authorities (Optional)
+
+If your Azure Stack environment uses an internal CA, add the necessary certificate bundle in .pem format to the [`additionalTrustBundle`](../customization.md#additional-trust-bundle). You will also need to [update the cluster proxy
+manifest][proxy-ca] and [add the CA to the ignition shim][ign-ca] in later steps.
+
 ## Credentials
 
 Both Azure and Azure Stack credentials are stored by the installer at `~/.azure/osServicePrincipal.json`. The installer will request the required information if no credentials are found.
@@ -224,6 +229,24 @@ stringData:
   azure_region: <$REGION>
 ```
 
+### Set Cluster to use the Internal Certificate Authority (Optional)
+
+If your Azure Stack environment uses an internal CA, update `.spec.trustedCA.name` to use `user-ca-bundle` in `./manifests/cluster-proxy-01-config.yaml`:
+
+```shell
+$ cat manifests/cluster-proxy-01-config.yaml 
+apiVersion: config.openshift.io/v1
+kind: Proxy
+metadata:
+  creationTimestamp: null
+  name: cluster
+spec:
+  trustedCA:
+    name: user-ca-bundle
+status: {}
+```
+
+You will also need to update the ignition shim to include the CA.
 ## Create ignition configs
 
 Now we can create the bootstrap ignition configs:
@@ -389,9 +412,28 @@ Copy the [`04_bootstrap.json`](../../../upi/azurestack/04_bootstrap.json) ARM te
 
 Create the deployment using the `az` client:
 
+### Create the Bootstrap Ignition Shim
+
+If your Azure Stack environment uses a public certificate authority, you can create the ignition shim like this:
+
 ```sh
 export BOOTSTRAP_URL=$(az storage blob url --account-name "${INFRA_ID}sa" --account-key "$ACCOUNT_KEY" -c "files" -n "bootstrap.ign" -o tsv)
 export BOOTSTRAP_IGNITION=$(jq -rcnM --arg v "3.2.0" --arg url "$BOOTSTRAP_URL" '{ignition:{version:$v,config:{replace:{source:$url}}}}' | base64 | tr -d '\n')
+```
+
+### Create the Bootstrap Ignition Shim with an Internal Certificate Authority (Optional)
+
+If your Azure Stack environments uses an internal CA, you will need to add the PEM encoded bundle to the bootstrap ignition
+shim so that your bootstrap VM will be able to pull the bootstrap ignition from the storage account. Assuming your CA
+is in a file called `CA.pem` you can add the bundle to the shim like this:
+
+```sh
+export CA="data:text/plain;charset=utf-8;base64,$(cat CA.pem |base64 |tr -d '\n')"
+export BOOTSTRAP_URL=$(az storage blob url --account-name "${INFRA_ID}sa" --account-key "$ACCOUNT_KEY" -c "files" -n "bootstrap.ign" -o tsv)
+export BOOTSTRAP_IGNITION=$(jq -rcnM --arg v "3.2.0" --arg url "$BOOTSTRAP_URL" --arg cert "$CA" '{ignition:{version:$v,security:{tls:{certificateAuthorities:[{source:$cert}]}},config:{replace:{source:$url}}}}' | base64 | tr -d '\n')
+```
+
+### Deploy the Bootstrap VM
 
 az deployment group create --verbose -g "$RESOURCE_GROUP" \
   --template-file "04_bootstrap.json" \
@@ -607,3 +649,5 @@ INFO Login to the console with user: kubeadmin, password: REDACTED
 [kubernetes-service-load-balancers-exclude-masters]: https://github.com/kubernetes/kubernetes/issues/65618
 [manual-credentials]: https://docs.openshift.com/container-platform/4.8/installing/installing_azure/manually-creating-iam-azure.html
 [azure-vhd-utils]: https://github.com/microsoft/azure-vhd-utils
+[proxy-ca]: #set-cluster-to-use-the-internal-certificate-authority-optional
+[ign-ca]: #create-the-bootstrap-ignition-shim-with-an-internal-certificate-authority-optional

go.sum

@@ -1963,11 +1963,11 @@ github.com/yuin/goldmark v1.1.30/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9de
 github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
+github.com/yuin/goldmark v1.4.0/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 github.com/yussufsh/power-go-client v1.99.4 h1:+7Zz60BOBZCOlTkbU8LeNiwh2wRfZ+anNwcTG+X30eg=
 github.com/yussufsh/power-go-client v1.99.4/go.mod h1:I4r5tCrA8mV5GFqGAJG4/Tn+/JpR+XLnDCLLNVKJxuI=
 github.com/yussufsh/terraform-provider-ibm v1.89.0 h1:gjdIIr5DFPQg2ncFVQcM7sgouBCC4ZEtrTqmnezpVoU=
 github.com/yussufsh/terraform-provider-ibm v1.89.0/go.mod h1:iPP4zVJhZ0YsaPNVaWNTZHYmWLXFAoou4uE+kRkYF+M=
-github.com/yuin/goldmark v1.4.0/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 github.com/zclconf/go-cty v1.0.0/go.mod h1:xnAOWiHeOqg2nWS62VtQ7pbOu17FtxJNW8RLEih+O3s=
 github.com/zclconf/go-cty v1.1.0/go.mod h1:xnAOWiHeOqg2nWS62VtQ7pbOu17FtxJNW8RLEih+O3s=
 github.com/zclconf/go-cty v1.1.1/go.mod h1:xnAOWiHeOqg2nWS62VtQ7pbOu17FtxJNW8RLEih+O3s=

pkg/asset/installconfig/aws/regions.go

@@ -14,12 +14,9 @@ func knownRegions(architecture types.Architecture) map[string]string {
 	required := rhcos.AMIRegions(architecture)
 
 	regions := make(map[string]string)
-	for _, partition := range endpoints.DefaultPartitions() {
-		for _, partitionRegion := range partition.Regions() {
-			partitionRegion := partitionRegion
-			if required.Has(partitionRegion.ID()) {
-				regions[partitionRegion.ID()] = partitionRegion.Description()
-			}
+	for _, region := range endpoints.AwsPartition().Regions() {
+		if required.Has(region.ID()) {
+			regions[region.ID()] = region.Description()
 		}
 	}
 	return regions

pkg/asset/installconfig/openstack/validation/cloudinfo.go

@@ -211,13 +211,11 @@ func (ci *CloudInfo) collectInfo(ic *types.InstallConfig, opts *clientconfig.Cli
 	if err != nil {
 		if isUnauthorized(err) {
 			logrus.Warnf("Missing permissions to fetch Quotas and therefore will skip checking them: %v", err)
-			return nil
-		}
-		if isNotFoundError(err) {
+		} else if isNotFoundError(err) {
 			logrus.Warnf("Quota API is not available and therefore will skip checking them: %v", err)
-			return nil
+		} else {
+			return errors.Wrap(err, "failed to load Quota")
 		}
-		return errors.Wrap(err, "failed to load Quota")
 	}
 
 	ci.NetworkExtensions, err = networkextensions.Get(ci.clients.networkClient)