Bug 1891047

Summary: Helm chart fails to install using developer console because of TLS certificate error
Product: OpenShift Container Platform
Reporter: Todd Johnson <toddjohn>
Component: Dev Console
Assignee: Predrag Knezevic <pknezevi>
Status: CLOSED ERRATA
QA Contact: spathak <spathak>
Severity: medium
Priority: unspecified
Version: 4.5
CC: aballant, aos-bugs, kvatteka, nmukherj, pamoedom, pknezevi, redhat-info, rorai, spathak
Flags: aballant: needinfo+, aballant: needinfo+, pknezevi: needinfo+, pknezevi: needinfo+, aballant: needinfo+
Target Release: 4.7.0
Hardware: Unspecified
OS: Unspecified
Doc Type: No Doc Update
Clone Of:
: 1894878
Last Closed: 2021-02-24 15:27:53 UTC
Type: Bug
Bug Blocks: 1894878
Attachments: Helm chart does not fails to install using developer console because of TLS certificate error (flags: none)

Description Todd Johnson 2020-10-23 16:34:31 UTC
I was asked to create a bugzilla issue for the following support case: https://access.redhat.com/support/cases/#/case/02780648

Description of problem:
When trying to install a helm chart using the console, I get the following message:
An error occurred
Failed to install helm chart: Kubernetes cluster unreachable: Get https://c104-e.us-east.containers.cloud.ibm.com:32529/version?timeout=32s: x509: certificate signed by unknown authority


Version-Release number of selected component (if applicable):
4.5

How reproducible:


Steps to Reproduce:
1. Bring up the Developer's console
2. Click on helm
3. Follow the prompts to install a helm chart.

Actual results:
TLS certificate error as shown above.

Expected results:
Helm chart installed.

Additional info:
I dug into the console code and the issue appears to be caused by https://github.com/openshift/console/blob/7c8a8fb12b77a0c44fad1f6b76c637a8d31b8240/pkg/helm/actions/config.go#L36. This method creates the helm config to talk to that apiserver by using the masterPublicURL located in the console-config cm and then also using the "in-cluster" CA certificate from the console service account. In our installation of 4.5, the public URL and the in-cluster config use different TLS certificates. The public URL uses a DigiCert-signed cert and the in-cluster config uses a kube self-signed cert. Therefore the combination of public URL and in-cluster CA cert does not work for us. I think config.go needs to change to use the entire in-cluster configuration if it's available.

Comment 1 Andrew Ballantyne 2020-10-23 17:37:42 UTC
cc @Rohit Rai

Comment 4 Predrag Knezevic 2020-11-19 15:28:09 UTC
The cause of the issue is the usage of the public K8S API endpoint, which in some configurations can use a certificate whose CA is not available to pods running the Helm endpoint. In order to fix it, we have switched to using the internal endpoint, whose certificate is signed by the internal CA.
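
The trust mismatch described in the report and in Comment 4, reproduced offline as an added example (not part of the bug report and not code from the console repository). It builds two throwaway CAs and checks both endpoints' serving certificates against a trust pool holding only the in-cluster CA; the CA names and the host names api.public.example and kubernetes.default.svc are constructed placeholders standing in for the public and internal API endpoints.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue returns a throwaway certificate for name: a self-signed CA if parent is nil, else a serving cert.
func issue(name string, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil { // no issuer supplied: self-sign as a CA
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// demo verifies both API endpoints the way a pod holding only the in-cluster CA bundle would.
func demo() (publicErr, internalErr error) {
	publicCA, publicKey := issue("public-ca.example", nil, nil)    // constructed stand-in for the public CA
	clusterCA, clusterKey := issue("cluster-ca.example", nil, nil) // constructed stand-in for the in-cluster CA
	publicLeaf, _ := issue("api.public.example", publicCA, publicKey) // assumed public endpoint name
	internalLeaf, _ := issue("kubernetes.default.svc", clusterCA, clusterKey)
	trust := x509.NewCertPool()
	trust.AddCert(clusterCA) // the public CA is deliberately absent from the pool
	_, publicErr = publicLeaf.Verify(x509.VerifyOptions{Roots: trust, DNSName: "api.public.example"})
	_, internalErr = internalLeaf.Verify(x509.VerifyOptions{Roots: trust, DNSName: "kubernetes.default.svc"})
	return
}

func main() { fmt.Println(demo()) }
```

The first result carries the same "x509: certificate signed by unknown authority" text as the console error; the second is nil because the internal endpoint's certificate chains to the CA the pod already trusts.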

Comment 5 spathak@redhat.com 2020-11-19 21:40:54 UTC
Created attachment 1731056
Helm chart does not fails to install using developer console because of TLS certificate error

Comment 6 spathak@redhat.com 2020-11-19 21:51:03 UTC
Verified on build version: 4.7.0-0.nightly-2020-11-18-085225
Browser version: chrome 84

Comment 14 errata-xmlrpc 2021-02-24 15:27:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633