
CA not trusted when installing a cluster through ACM with an SSL offloading loadbalancer in between client (ACM hub) and cluster being installed #2723

@NotABugItsAFeature

Description


Hi

What works:
When doing a cluster install using RHACM (which uses Hive) with SSL offloading disabled, all goes fine, both during the installation and afterwards. After the install I can enable SSL offloading and everything keeps functioning properly.

Just want to make clear that this issue only happens while SSL offloading is enabled on the loadbalancer during installation.
The loadbalancer in the network has a properly signed certificate and is trusted (has a full SSL chain up to the root which is in your standard trusted CAs).
However, during the openshift-install run I see messages in the container log that the certificate authority is not trusted.
This is not just some cosmetic issue. In the end the install fails from the hive point of view.
When I use the API endpoint in my browser I see it's available, even when I do it from within the ACM hub cluster. When curling the API endpoint from within the install pod on the hub itself, it's also trusted.

Trying to understand what is actually going on here and maybe there's something to work around this/solve this so we don't need to disable SSL offloading when reinstalling.

What seems to be happening: during the install process on the Hive side a kubeconfig is being generated. It has its own certificate-authority-data from an installer-generated signer for the API, and I also notice the client-cert-data.
These are the only CAs in there and the only ones that seem to be trusted, and I can't update this value using anything like additionalTrustBundle.

So it looks like the message about the certificate not being trusted is due to this certificate-authority-data in the auto-generated kubeconfig? I can't seem to override it to add our CA. On the other hand, I think that once our CA is added, the next issue would be that the client certificate data in that kubeconfig would not function properly because of the SSL offloading.

Is my understanding correct? Any workarounds/fixes for this?
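Added example, not part of the issue or of Hive: a shell script that builds constructed certificates to show both failure modes described above, the installer-pinned certificate-authority-data rejecting the load balancer's publicly signed certificate while the OS trust store accepts it, and the kubeconfig's client-certificate authentication that a TLS-terminating load balancer cannot forward. The hostname, CA names and kubeconfig are made up; it needs the openssl CLI.

```shell
# Constructed demo (not from the issue or Hive): one CA stands in for the installer's
# API signer, another for the public CA behind the load balancer's certificate.
set -eu
WORK=$(mktemp -d)
API_HOST="api.example.invalid"   # hypothetical cluster API hostname
printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/ca.ext"

make_ca() {  # $1 = file stem, $2 = CN; self-signed CA certificate plus key
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 2 \
    -extfile "$WORK/ca.ext" -out "$WORK/$1.pem" >/dev/null 2>&1
}
issue_leaf() {  # $1 = file stem, $2 = CN, $3 = stem of the signing CA
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
    -CAcreateserial -days 2 -out "$WORK/$1.pem" >/dev/null 2>&1
}
make_ca installer-ca "installer-generated api signer"
make_ca public-ca "public CA in the OS trust store"
issue_leaf lb "$API_HOST" public-ca            # what the offloading LB serves
issue_leaf admin "system:admin" installer-ca   # client cert inside the kubeconfig

b64() { base64 "$1" | tr -d '\n'; }
cat > "$WORK/kubeconfig" <<EOF
apiVersion: v1
clusters:
- name: demo
  cluster:
    server: https://$API_HOST:6443
    certificate-authority-data: $(b64 "$WORK/installer-ca.pem")
users:
- name: admin
  user:
    client-certificate-data: $(b64 "$WORK/admin.pem")
    client-key-data: $(b64 "$WORK/admin.key")
EOF
# CA pinned by the kubeconfig: the only thing the client checks the served cert against.
pinned_ca() { sed -n 's/^ *certificate-authority-data: *//p' "$1" | base64 -d; }
pinned_ca "$WORK/kubeconfig" > "$WORK/pinned-ca.pem"
# 0 if the certificate in $2 chains to the CA in $1 and nothing else (no system store).
verifies() { openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1; }
# mTLS via client-certificate-data cannot pass through a TLS-terminating LB.
uses_client_cert() { grep -q '^ *client-certificate-data:' "$1"; }

verifies "$WORK/pinned-ca.pem" "$WORK/lb.pem" && echo "pinned CA trusts LB cert" \
  || echo "pinned CA rejects LB cert: the 'not trusted' message in the install log"
verifies "$WORK/public-ca.pem" "$WORK/lb.pem" && echo "OS trust store accepts LB cert (curl/browser)"
uses_client_cert "$WORK/kubeconfig" && echo "kubeconfig relies on a client cert too"
```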
