How to apply a certificate in a machineconfig for ROSA cluster


Environment

  • Red Hat OpenShift Services on AWS (ROSA)
    • 4

Issue

  • Unable to create a ROSA cluster by using machineconfig with the following spec:

    $oc create -f files/machineconfig_50-worker-ca-cert.yaml -n openshift-machine-api
    [...]
    name: Generate MachineConfig with Root Certificate Chain.
    [...]
        template:
          src: templates/machineconfig_50-worker-ca-cert.j2
          dest: files/machineconfig_50-worker-ca-cert.yaml
    
  • The following error is received when creating a machineconfig in ROSA:

    Error when creating "files/machineconfig_50-worker-ca-cert.yaml": admission webhook "regular-user-validation.managed.openshift.io" denied the request: Prevented from accessing Red Hat managed resources.
    

Resolution

The supported solution is to pass the --additional-trust-bundle-file flag when creating the cluster, or to add the bundle to an existing cluster afterwards, for example:

$ rosa create cluster <other_arguments_here> --additional-trust-bundle-file <path_to_ca_bundle_file>
$ rosa edit cluster --cluster=mycluster --additional-trust-bundle-file <path_to_ca_bundle_file>

IMPORTANT: If additional trust bundles are added to the ROSA cluster, please refer to Responsibilities for additional trust bundles.
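As an added example (not part of the Red Hat article), a small POSIX shell wrapper that sanity-checks the PEM bundle before handing it to the rosa CLI: it rejects files with unbalanced certificate markers or with private key material, so only public CA certificates reach the cluster. The cluster name, file path, sample certificate bodies and function names are assumptions.

```shell
#!/bin/sh
# Added example (not part of the Red Hat article): sanity-check a PEM CA bundle
# before passing it to the rosa CLI. Function and variable names are assumptions.

# count_pem_certs FILE: prints the number of certificates in FILE.
# Fails if the file is unreadable, the BEGIN/END markers are unbalanced,
# no certificate is present, or the file contains private key material
# (a trust bundle must carry public CA certificates only).
count_pem_certs() {
  file="$1"
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
  if grep -q 'PRIVATE KEY' "$file"; then
    echo "refusing bundle: contains private key material" >&2
    return 1
  fi
  # No trailing '$' anchor so CRLF-terminated bundles still count.
  begins=$(grep -c '^-----BEGIN CERTIFICATE-----' "$file" || true)
  ends=$(grep -c '^-----END CERTIFICATE-----' "$file" || true)
  if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
    echo "malformed bundle: $begins BEGIN / $ends END markers" >&2
    return 1
  fi
  echo "$begins"
}

# write_sample_bundle FILE: writes a constructed two-certificate bundle.
# The base64 bodies are placeholders, not real certificates.
write_sample_bundle() {
  printf '%s\n' \
    '-----BEGIN CERTIFICATE-----' 'MIIB...constructed-ca-1...' '-----END CERTIFICATE-----' \
    '-----BEGIN CERTIFICATE-----' 'MIIB...constructed-ca-2...' '-----END CERTIFICATE-----' \
    > "$1"
}

# apply_trust_bundle CLUSTER FILE: validate the bundle, then update the cluster
# with the supported rosa command instead of creating a MachineConfig directly.
apply_trust_bundle() {
  cluster="$1"; file="$2"
  n=$(count_pem_certs "$file") || return 1
  echo "bundle has $n certificate(s); updating cluster $cluster"
  rosa edit cluster --cluster="$cluster" --additional-trust-bundle-file "$file"
}
```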

Root Cause

In ROSA, MachineConfig resources are managed by Red Hat, so the regular-user-validation admission webhook rejects attempts to create them directly. Additional trust bundles are instead added to the cluster using the rosa CLI.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
