On Sun, Dec 1, 2019 at 11:04 PM Jon Stanley <jonstan...@gmail.com> wrote:
> On Mon, Dec 2, 2019 at 3:32 AM Ben Parees <bpar...@redhat.com> wrote:
> >
> > 1) If you define a proxy config with additional CAs, those CAs will be
> > used during imagestream import (as well as consumed by many other
> > components). This is true even if you don't have a proxy, so you can
> > define a dummy proxy config that has no "http/httpsProxy" values but just
> > has a reference to your additional CA bundle. If you are doing it at
> > install time, I think you have to provide a dummy "noProxy" value; this
> > will trick the installer into setting up a proxyconfig that references the
> > additionalTrustBundle you provided in the install-config.
>
> Wouldn't it make sense to do this if there's an additionalTrustBundle
> to be found in the install-config? From a usability perspective, I
> probably want that CA bundle to be used throughout the installed
> system as well without having to define a non-existent proxy.

It's being discussed. The challenge is that the mechanism was originally introduced for proxy usage only, so we need to evolve the behavior to be a mechanism that provides CAs in general, not just CAs for proxies. Today you can effectively use it for that, but it's not documented that way and not all parts of the system treat it that way (hence why the installer does not).

You can follow this bug to see some discussion of it:
https://bugzilla.redhat.com/show_bug.cgi?id=1771564

and also this enhancement proposal:
https://github.com/openshift/enhancements/pull/115

> Moreover, thinking of $DAYJOB - we very well may (haven't decided yet)
> allow that proxy configuration to point to a real proxy that can
> access the Internet (however doesn't mangle certs - our app proxy is
> not a MITM proxy), but our registries and such internally are signed
> by an internal CA. Would the noProxy list also allow those CAs that
> are in the proxy config?

If I understand your question...

The noProxy list only serves to determine whether the connection request goes through the proxy or not. It has no bearing on whether the CAs provided are loaded into the trust store used by the transport, regardless of where the connection is being made (at least for all the components that consume the proxy+CAs that I am aware of).

--
Ben Parees | OpenShift
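The two situations discussed in this thread (a "dummy" proxy stanza that exists only to carry the CA bundle, and a real egress proxy alongside an internal CA) as one added configuration example. This is not from the thread or from the OpenShift project; it assumes the install-config field names the thread already mentions (`proxy.noProxy`, `additionalTrustBundle`), and the cluster-scoped `Proxy` object with `spec.trustedCA` pointing at a `user-ca-bundle` ConfigMap in `openshift-config` is the installer's convention as I know it, not something the thread states. Hostnames, proxy address and certificate contents are placeholders.

```yaml
# install-config.yaml (fragment). Added example, not from the thread.
#
# Case A: no real proxy. The stanza carries only a noProxy value so the
# installer still emits a cluster Proxy object that references the bundle.
# Without any proxy stanza the bundle is not wired up (per the thread).
apiVersion: v1
baseDomain: example.com                 # placeholder
metadata:
  name: mycluster                       # placeholder
proxy:
  noProxy: .cluster.local,registry.internal.example.com   # placeholder; no httpProxy/httpsProxy
additionalTrustBundle: |
  -----BEGIN CERTIFICATE-----
  <placeholder: PEM of the internal CA that signed registry.internal.example.com>
  -----END CERTIFICATE-----
---
# Case B (same file, replacing the stanza above): a real egress proxy that
# does not terminate TLS, plus the same internal CA.
# noProxy only decides which destinations bypass the proxy; the additional
# CAs are loaded into the transport's trust store for every destination.
proxy:
  httpProxy: http://proxy.example.com:3128     # placeholder
  httpsProxy: http://proxy.example.com:3128    # placeholder
  noProxy: .cluster.local,registry.internal.example.com   # internal registry bypasses the proxy
additionalTrustBundle: |
  -----BEGIN CERTIFICATE-----
  <placeholder: PEM of the internal CA>
  -----END CERTIFICATE-----
---
# What the installer produces in either case (assumption: field and ConfigMap
# names follow the installer's conventions as I know them, not the thread).
apiVersion: config.openshift.io/v1
kind: Proxy
metadata:
  name: cluster
spec:
  noProxy: .cluster.local,registry.internal.example.com
  trustedCA:
    name: user-ca-bundle   # ConfigMap in openshift-config, key ca-bundle.crt
```

To confirm the bundle was actually wired up after install, check that `oc get proxy cluster -o yaml` shows `spec.trustedCA.name` populated and that the referenced ConfigMap exists in `openshift-config`; a cluster where only `additionalTrustBundle` was set with no `proxy` stanza will typically show an empty `trustedCA`, which is the usability gap Jon raised.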