Bug 1832803

Summary: Missing ca-bundle in reporter-operator and reporter-operator-auth-proxy pods. Fail when connecting to oauth-openshift
Product: OpenShift Container Platform
Reporter: Sergio G. <sgarciam>
Component: Metering Operator
Assignee: tflannag
Status: CLOSED WONTFIX
QA Contact: Peter Ruan <pruan>
Severity: high
Priority: medium
Version: 4.4
CC: sd-operator-metering
Target Milestone: ---
Target Release: 4.5.0
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2020-05-18 18:10:45 UTC
Type: Bug
Regression: ---
Bug Blocks: 1837043

Description Sergio G. 2020-05-07 10:10:45 UTC
Description of problem:
This is an issue which has affected the monitoring, logging and service mesh operators so far: when the certificate of the ingress controller is replaced with one signed by an unknown CA, the proxies fail to reach the oauth URL.

In all previous operators the solution has been to create a configmap with the CA bundle from the cluster (including the custom CA from the customer) and mount it at /etc/pki/ca-trust/extracted/pem in all the containers.


Version-Release number of selected component (if applicable):
4.4 and all previous releases


How reproducible:
Always


Steps to Reproduce:
1. Install OpenShift 4
2. Follow [1] and [2] to replace the ingress certificate and add the custom CA to the cluster-wide proxy
3. Install the Metering operator and deploy an instance
4. Reach the reporter URL


Actual results:
Error 500 when validating using the browser and/or sending a proper authentication token. 

2020/04/30 15:37:29 oauthproxy.go:645: error redeeming code (client:10.130.2.1:57722): Post https://oauth-openshift.apps.infra.ont.belastingdienst.nl/oauth/token: x509: certificate signed by unknown authority
2020/04/30 15:37:29 oauthproxy.go:438: ErrorPage 500 Internal Error Internal Error


Expected results:
No issues when reaching https://oauth-openshift.apps.infra.ont.belastingdienst.nl/oauth/token


Additional info:
The following steps fix the reporting-operator deployment:
- create the configmap and fill it with the cluster ca-bundle:
$ cat <<EOF | oc create -f -
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: openshift-metering
  labels:
    config.openshift.io/inject-trusted-cabundle: "true"
  name: trusted-ca
EOF

- edit deployment/reporting-operator to add:
  - a volume (under spec.template.spec) backed by the configmap:
     spec:
       template:
         spec:
           volumes:
           - configMap:
               defaultMode: 420
               items:
               - key: ca-bundle.crt
                 path: tls-ca-bundle.pem
               name: trusted-ca
             name: trusted-ca

  - a volumeMount in each of the two containers of the pod:
     spec:
       template:
         spec:
           containers:
           - name: reporting-operator
             volumeMounts:
             - name: trusted-ca
               mountPath: /etc/pki/ca-trust/extracted/pem
               readOnly: true
           - name: reporting-operator-auth-proxy
             volumeMounts:
             - name: trusted-ca
               mountPath: /etc/pki/ca-trust/extracted/pem
               readOnly: true
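The procedure above, as an added example that is not part of the bug report: a small Python helper that adds the trusted-ca volume and the per-container mount to a Deployment manifest (idempotently, so re-running it never duplicates entries), emits the equivalent strategic-merge patch body for `oc patch`, and reports which containers still lack the bundle mount. It uses the ConfigMap name `trusted-ca`, the key `ca-bundle.crt` and the mount path from the report; the sample Deployment, its image names and the `oc patch` invocation in the comments are assumptions for illustration.

```python
"""Add the cluster trusted-CA bundle mount to every container of a Deployment.

Added example, not code from the bug report. Assumes a ConfigMap named
"trusted-ca" whose "ca-bundle.crt" key is filled by the
config.openshift.io/inject-trusted-cabundle label, as the report describes.
"""
import copy
import json

CONFIGMAP_NAME = "trusted-ca"
VOLUME_NAME = "trusted-ca"
MOUNT_PATH = "/etc/pki/ca-trust/extracted/pem"
BUNDLE_KEY = "ca-bundle.crt"
BUNDLE_FILE = "tls-ca-bundle.pem"   # the file name the RHEL ca-trust layout expects


def trusted_ca_volume():
    """Volume entry projecting only the bundle key to tls-ca-bundle.pem."""
    return {
        "name": VOLUME_NAME,
        "configMap": {
            "name": CONFIGMAP_NAME,
            "defaultMode": 420,
            "items": [{"key": BUNDLE_KEY, "path": BUNDLE_FILE}],
        },
    }


def trusted_ca_mount():
    """Read-only mount of that volume over the system CA directory."""
    return {"name": VOLUME_NAME, "mountPath": MOUNT_PATH, "readOnly": True}


def add_trusted_ca_mount(deployment):
    """Return a copy of the Deployment with the volume and a mount in every
    container. Idempotent: existing entries with the same name are kept."""
    dep = copy.deepcopy(deployment)
    pod = dep["spec"]["template"]["spec"]
    volumes = pod.setdefault("volumes", [])
    if not any(v.get("name") == VOLUME_NAME for v in volumes):
        volumes.append(trusted_ca_volume())
    for container in pod["containers"]:
        mounts = container.setdefault("volumeMounts", [])
        if not any(m.get("name") == VOLUME_NAME for m in mounts):
            mounts.append(trusted_ca_mount())
    return dep


def strategic_merge_patch(container_names):
    """JSON body for `oc patch deployment/<name> -n <ns> -p '<body>'`
    (strategic merge is oc's default patch type; containers merge by name)."""
    return json.dumps({"spec": {"template": {"spec": {
        "volumes": [trusted_ca_volume()],
        "containers": [{"name": n, "volumeMounts": [trusted_ca_mount()]}
                       for n in container_names],
    }}}})


def containers_missing_ca_mount(deployment):
    """Names of containers that do not mount the bundle at MOUNT_PATH."""
    pod = deployment["spec"]["template"]["spec"]
    has_volume = any(v.get("name") == VOLUME_NAME for v in pod.get("volumes", []))
    missing = []
    for container in pod["containers"]:
        mounted = any(m.get("mountPath") == MOUNT_PATH
                      for m in container.get("volumeMounts", []))
        if not (has_volume and mounted):
            missing.append(container["name"])
    return missing


# Constructed sample resembling the reporting-operator Deployment in the report;
# image names are placeholders.
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "reporting-operator", "namespace": "openshift-metering"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "reporting-operator", "image": "example/reporting-operator"},
        {"name": "reporting-operator-auth-proxy", "image": "example/oauth-proxy"},
    ]}}},
}

if __name__ == "__main__":
    print("missing before:", containers_missing_ca_mount(SAMPLE_DEPLOYMENT))
    patched = add_trusted_ca_mount(SAMPLE_DEPLOYMENT)
    print("missing after: ", containers_missing_ca_mount(patched))
    names = [c["name"] for c in SAMPLE_DEPLOYMENT["spec"]["template"]["spec"]["containers"]]
    print(strategic_merge_patch(names))
```

Two points the code makes explicit: the mount is placed on every container, because the auth proxy sidecar is the one that actually dials oauth-openshift, and a volume mounted over /etc/pki/ca-trust/extracted/pem hides whatever the image shipped there, so the mounted file has to be a complete bundle. That is why the ConfigMap is created empty and only labelled: the cluster's injector fills ca-bundle.crt with the system CAs merged with the cluster's additional trust, rather than with the custom CA alone.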