Bug 1753156

Summary: [MSTR-829] kube-apiserver pod cannot access external https address after proxy CA is set
Product: OpenShift Container Platform Reporter: Xingxing Xia <xxia>
Component: kube-apiserverAssignee: Stefan Schimanski <sttts>
Status: CLOSED ERRATA QA Contact: Xingxing Xia <xxia>
Severity: high Docs Contact:
Priority: high    
Version: 4.2.0CC: aos-bugs, dhansen, mfojtik
Target Milestone: ---Keywords: TestBlocker
Target Release: 4.2.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-10-16 06:41:33 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Comment 1 Xingxing Xia 2019-09-18 10:59:54 UTC 
More result: testing the webhook case OCP-25161, it got:
cat > smooth-app.pod.yaml << EOF
apiVersion: v1
kind: Pod
metadata:
  name: smooth-app
spec:
  containers:
  - image: openshift/hello-openshift
    name: smooth-app
EOF

# This test got equivalent error result with above step 3 IMO.
oc create -f smooth-app.pod.yaml
Error from server (InternalError): error when creating "smooth-app.pod.yaml": Internal error occurred: failed calling webhook "xxia.admission.webhook": Post https://grumpy-default.apps.<masked>.qe.devcluster.openshift.com/validate?timeout=30s: x509: certificate signed by unknown authority

Commented PR BTW https://github.com/openshift/cluster-kube-apiserver-operator/pull/567#discussion_r325609997
Comment 3 Xingxing Xia 2019-09-19 07:56:16 UTC 
The issue of comment 0 is verified in 4.2.0-0.nightly-2019-09-19-014231. But the issue of comment 1 still exists. Still investigating and will report separate bug later if the issue is considered a bug.
Comment 4 Daneyon Hansen 2019-09-23 16:42:35 UTC 
Xingxing regarding comment #1, platform components request CA injection by 1) creating a configmap with label 'config.openshift.io/inject-trusted-cabundle=true' in the same namespace as the pod 2) mounting the configmap as the local trust store like so:

---
kind: Pod/Deployment/DaemonSet/etc..
<SNIP>
          volumeMounts:
            - name: trusted-ca
              mountPath: /etc/pki/ca-trust/extracted/pem/
<SNIP>
      volumes:
        - name: trusted-ca
          configMap:
            name: trusted-ca
            optional: true
            items:
            - key: ca-bundle.crt
              path: tls-ca-bundle.pem
Comment 5 Xingxing Xia 2019-09-24 02:42:13 UTC 
(In reply to Daneyon Hansen from comment #4)
> Xingxing regarding comment #1, platform components request CA injection by
Thanks Daneyon, yeah, for cluster components, that is correct. But comment 1 is not regarding cluster components, it is a step of the test case OCP-25161.
Comment 6 errata-xmlrpc 2019-10-16 06:41:33 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2922