Bug 1833288

Summary: Kibana OAuth HTTP 500 error - x509: certificate signed by unknown authority
Product: OpenShift Container Platform
Reporter: rdomnu
Component: Logging
Assignee: Periklis Tsirakidis <periklis>
Status: CLOSED ERRATA
QA Contact: Anping Li <anli>
Severity: high
Docs Contact:
Priority: unspecified
Version: 4.4
CC: aos-bugs, awyatt, bsawyers, cruhm, fshaikh, jmalde, jniu, jnordell, mfuruta, nnosenzo, ocasalsa, periklis, qitang, rh-container, sgarciam
Target Milestone: ---
Keywords: Reopened
Target Release: 4.4.z
Hardware: All
OS: All
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Cluster-logging-operator did not reconcile the injected CA Bundle contents for fluentd. Same applies to elasticsearch-operator for kibana.
Consequence: Fluentd and Kibana missing volume mounts to config maps with injected CA bundle.
Fix: Fetch anew the config map contents during reconciliation to ensure volume mounts.
Result: Fluentd and Kibana mount the CA bundle config maps appropriately and certification works again.
Last Closed: 2020-07-07 10:05:59 UTC
Type: Bug
Bug Depends On: 1834311    

Description rdomnu 2020-05-08 10:33:09 UTC
Description of problem: Encountering https://bugzilla.redhat.com/show_bug.cgi?id=1766187 in 4.4. The problem has already been fixed in 4.3.


Version-Release number of selected component (if applicable): 4.4


Steps to Reproduce:
1. Install ClusterLogging with 4.4 subscription channel. CSV is clusterlogging.4.4.0-202004261927. The cluster is using a custom CA bundle.
2. Create ClusterLogging resource
3. Try to log in to Kibana using OAuth

Actual results:
HTTP error 500

Logs Kibana Oauth proxy:
2020/05/08 07:15:26 oauthproxy.go:645: error redeeming code (client:172.28.20.20:40992): Post https://oauth-openshift.apps.dx01.od.sdx.corp/oauth/token: x509: certificate signed by unknown authority
2020/05/08 07:15:26 oauthproxy.go:438: ErrorPage 500 Internal Error Internal Error


Expected results:
Login to Kibana succeeds.


Additional info:
Kibana CM trusted ca bundle is created

─➤  oc get cm kibana-trusted-ca-bundle
NAME                       DATA   AGE
kibana-trusted-ca-bundle   1      2m58s


However it is not mounted in Kibana deployment.

  volumes:
    - name: kibana
      secret:
        secretName: kibana
        defaultMode: 420
    - name: kibana-proxy
      secret:
        secretName: kibana-proxy
        defaultMode: 420
    - name: kibana-token-9pswp
      secret:
        secretName: kibana-token-9pswp
        defaultMode: 420

Comment 1 rdomnu 2020-05-08 11:13:22 UTC
Just another comment:
After reverting to the Subscription/CSV version 4.3 and reinstalling cluster logging, the CA bundle configmap is mounted to Kibana deployment and authentication works.

Comment 2 Periklis Tsirakidis 2020-05-26 15:22:35 UTC
*** Bug 1838770 has been marked as a duplicate of this bug. ***

Comment 6 Nicolas Nosenzo 2020-05-29 06:33:59 UTC
Manually mounting the volume should just work as a workaround: https://access.redhat.com/solutions/5000761

Comment 7 Anping Li 2020-06-02 11:56:29 UTC
Verified on clusterlogging.4.4.0-202005301254

Comment 12 errata-xmlrpc 2020-06-17 22:26:05 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2445