Bug 1890741

Summary: path to the CA trust bundle ConfigMap is broken in report operator
Product: OpenShift Container Platform
Reporter: tflannag
Component: Metering Operator
Assignee: tflannag
Status: CLOSED ERRATA
QA Contact: Peter Ruan <pruan>
Severity: high
Docs Contact:
Priority: low
Version: 4.7
CC: aos-bugs, btofel, gparente, pruan, sd-operator-metering
Target Milestone: ---   
Target Release: 4.7.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
When the cluster-wide Proxy is enabled, Metering reconciles a ConfigMap with the `config.openshift.io/inject-trusted-cabundle="true"` annotation, and the Cluster Networking Operator is responsible for populating that ConfigMap with the merged user-provided and system CA bundles. When those ConfigMap contents were mounted in the reporting-operator Deployment, an invalid container filename was specified for the reporting-operator and oauth proxy sidecar container. This left an invalid symbolic link at /etc/pki/tls/cert.pem, which the sidecar container is configured to trust. In some customer environments, Metering was unable to work with the configured cluster-wide Proxy object. After the container filename was updated to match the recommendations in [1], the symbolic link was properly established again.
[1] https://docs.openshift.com/container-platform/4.5/networking/configuring-a-custom-pki.html#certificate-injection-using-operators_configuring-a-custom-pki
Story Points: ---
Clone Of: 1890733
Environment:
Last Closed: 2021-02-24 15:01:20 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1892127    

Comment 2 Peter Ruan 2020-11-03 22:45:11 UTC
verified with Server Version: 4.7.0-0.ci-2020-11-03-102229
1. oc create -f user-ca-bundle.yaml # under openshift-config project
2. oc edit proxy cluster such that spec.trustedCA.name is assigned the name of the configmap created in step #1 (user-ca-bundle)
3. create metering normally
4. check for file existence in the reporting-operator pod
$ oc rsh reporting-operator-54f8dbf65-b9jz5
Defaulting container name to reporting-operator.
Use 'oc describe pod/reporting-operator-54f8dbf65-b9jz5 -n openshift-metering' to see all of the containers in this pod.
sh-4.4$ ls -asl /etc/pki/tls/
total 16
 0 drwxr-xr-x. 5 root root   104 Sep  1 19:39 .
 0 drwxr-xr-x. 1 root root    21 Oct 31 13:29 ..
 0 lrwxrwxrwx. 1 root root    49 Jun 22 23:19 cert.pem -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
 0 drwxr-xr-x. 2 root root    54 Sep  1 19:39 certs
 4 -rw-r--r--. 1 root root   412 Mar  5  2020 ct_log_list.cnf
 0 drwxr-xr-x. 2 root root     6 Mar  5  2020 misc
12 -rw-r--r--. 1 root root 11225 Mar  5  2020 openssl.cnf
 0 drwxr-xr-x. 2 root root     6 Mar  5  2020 private
sh-4.4$ ls -asl  /etc/pki/ca-trust/extracted/pem/
total 376
  0 drwxr-xr-x. 2 root root    101 Sep  1 19:39 .
  0 drwxr-xr-x. 6 root root     70 Sep  1 19:39 ..
  4 -rw-r--r--. 1 root root    898 Jun 22 23:17 README
160 -r--r--r--. 1 root root 163655 Sep  1 19:39 email-ca-bundle.pem
  0 -r--r--r--. 1 root root      0 Sep  1 19:39 objsign-ca-bundle.pem
212 -r--r--r--. 1 root root 216090 Sep  1 19:39 tls-ca-bundle.pem

5. create a report and be able to get it back.
$ oc create -f cluster-memory-usage-now.yaml
report.metering.openshift.io/cluster-memory-usage-now created
$ display_report_using_exposed_route cluster-memory-usage-now
period_start			period_end			total_cluster_usage_memory_byte_seconds		avg_cluster_usage_memory_bytes	avg_pod_count
2020-09-22 00:00:00 +0000 UTC	2020-12-30 23:59:59 +0000 UTC	34497277132800.000000				33820859934.117645		167.117647
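
The check from step 4 of Comment 2, as an added example that is not part of the bug report or of the Metering code: it tells apart the dangling-link failure described in the Doc Text from an empty or non-PEM bundle. The function name, the ROOT argument and the return codes are assumptions made for this example.

```shell
#!/bin/sh
# check_trust_bundle ROOT   (hypothetical helper written for this example)
# ROOT is the filesystem root to inspect; pass "" for the live container.
# Prints a one-line verdict and returns 0 only if the bundle is usable:
#   1 = cert.pem is not a symlink   2 = link target missing (dangling)
#   3 = target is empty             4 = target has no PEM certificates
check_trust_bundle() {
    root=$1
    link="$root/etc/pki/tls/cert.pem"

    if [ ! -L "$link" ]; then
        echo "FAIL: $link is not a symbolic link"
        return 1
    fi
    target=$(readlink "$link")
    # Absolute targets are resolved under ROOT so that a copied or
    # constructed tree can be checked outside the container.
    case $target in
        /*) resolved="$root$target" ;;
        *)  resolved="$(dirname "$link")/$target" ;;
    esac
    # A ConfigMap mounted under the wrong filename leaves the target missing.
    if [ ! -e "$resolved" ]; then
        echo "FAIL: dangling link, $target does not exist"
        return 2
    fi
    if [ ! -s "$resolved" ]; then
        echo "FAIL: $target is empty"
        return 3
    fi
    # grep -c exits non-zero on zero matches; keep the count, drop the status.
    count=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$resolved" || true)
    if [ "$count" -eq 0 ]; then
        echo "FAIL: $target contains no PEM certificates"
        return 4
    fi
    echo "OK: $target holds $count certificate(s)"
    return 0
}
```

Inside the pod, source the function and call `check_trust_bundle ""`; on a copied-out tree, pass the directory it was copied to.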

Comment 5 errata-xmlrpc 2021-02-24 15:01:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 extras and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5635