From c942986e8d1208c7124dc1de42fb236cd353fcbf Mon Sep 17 00:00:00 2001
From: Aviel Yosef <ayosef@redhat.com>
Date: Tue, 17 Nov 2020 12:42:56 +0200
Subject: [PATCH 1/4] Adding the option to add certs to install-config.yaml

---
 ocp_install_env.sh | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/ocp_install_env.sh b/ocp_install_env.sh
index 03138fae6..8586dc0de 100644
--- a/ocp_install_env.sh
+++ b/ocp_install_env.sh
@@ -97,6 +97,15 @@ EOF
     fi
 }
 
+function additional_trust_bundle() {
+    if [ ! -z "$ADDITIONAL_TRUST_BUNDLE" ]; then
+cat <<EOF
+additionalTrustBundle: |
+  $(echo ${ADDITIONAL_TRUST_BUNDLE} | sed -e ':a;N;$!ba;s/\n/\n  /g')
+EOF
+    fi
+}
+
 function cluster_network() {
   if [[ "${IP_STACK}" == "v4" ]]; then
 cat <<EOF
@@ -191,6 +200,7 @@ $(baremetal_network_configuration)
 $(node_map_to_install_config_hosts $NUM_MASTERS 0 master)
 $(node_map_to_install_config_hosts $NUM_WORKERS $NUM_MASTERS worker)
 $(image_mirror_config)
+$(additional_trust_bundle)
 pullSecret: |
   $(jq -c . $install_config_pull_secret)
 sshKey: |

From 9f6d13273e47609272a88d9994e27b9e4b5a4ede Mon Sep 17 00:00:00 2001
From: Aviel Yosef <ayosef@redhat.com>
Date: Tue, 17 Nov 2020 12:46:28 +0200
Subject: [PATCH 2/4] Add ADDITIONAL_TRUST_BUNDLE to the config_example.sh

---
 config_example.sh | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/config_example.sh b/config_example.sh
index a792dc4f4..55687ad60 100755
--- a/config_example.sh
+++ b/config_example.sh
@@ -188,3 +188,8 @@ set -x
 
 # Image reference for installing hive. See hive_install.sh.
 #export HIVE_DEPLOY_IMAGE="registry.svc.ci.openshift.org/openshift/hive-v4.0:hive"
+
+# PEM-encoded X.509 certificate bundle that will be added to the nodes' trusted 
+# certificate store. This trust bundle may also be used when a proxy has 
+# been configured.
+# export ADDITIONAL_TRUST_BUNDLE=$(cat ca)

From 3bbe825f9eee90a3424db27c1b75894b49db2328 Mon Sep 17 00:00:00 2001
From: Aviel Yosef <ayosef@redhat.com>
Date: Tue, 17 Nov 2020 13:53:57 +0200
Subject: [PATCH 3/4] Avoid additionalTrustBundle duplication & move from sed
 to awk When MIRROR_IMAGES is set or when using ipv6 (this is always true for
 ipv6) additionalTrustBundle section gets created, so give precedence to
 MIRROR_IMAGES CA

---
 ocp_install_env.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ocp_install_env.sh b/ocp_install_env.sh
index 8586dc0de..e1a0a0751 100644
--- a/ocp_install_env.sh
+++ b/ocp_install_env.sh
@@ -98,10 +98,10 @@ EOF
 }
 
 function additional_trust_bundle() {
-    if [ ! -z "$ADDITIONAL_TRUST_BUNDLE" ]; then
+    if [ ! -z "$ADDITIONAL_TRUST_BUNDLE" ] && [ -z $MIRROR_IMAGES ]; then
 cat <<EOF
 additionalTrustBundle: |
-  $(echo ${ADDITIONAL_TRUST_BUNDLE} | sed -e ':a;N;$!ba;s/\n/\n  /g')
+$(echo ${ADDITIONAL_TRUST_BUNDLE} | awk '{ print " ", $0 }')
 EOF
     fi
 }

From 185f76cf06d81a774b41564ffeda7936c6945a8f Mon Sep 17 00:00:00 2001
From: Aviel Yosef <ayosef@redhat.com>
Date: Wed, 18 Nov 2020 12:57:42 +0200
Subject: [PATCH 4/4] In case MIRROR_IMAGES is set, concat
 ADDITIONAL_TRUST_BUNDLE

---
 ocp_install_env.sh | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/ocp_install_env.sh b/ocp_install_env.sh
index e1a0a0751..ddc59b035 100644
--- a/ocp_install_env.sh
+++ b/ocp_install_env.sh
@@ -102,6 +102,10 @@ function additional_trust_bundle() {
 cat <<EOF
 additionalTrustBundle: |
 $(echo ${ADDITIONAL_TRUST_BUNDLE} | awk '{ print " ", $0 }')
+EOF
+    elif [ ! -z "$ADDITIONAL_TRUST_BUNDLE" ] && [ ! -z "$MIRROR_IMAGES" ]; then
+cat <<EOF
+$(echo ${ADDITIONAL_TRUST_BUNDLE} | awk '{ print " ", $0 }')
 EOF
     fi
 }