Description of problem:
When installing metrics in my cluster I noticed that the hawkular-metrics route did not properly have the caCertificate data that is required for proper lookup and validation of the tls information.

Version-Release number of selected component (if applicable):
atomic-openshift-3.6.153-1.git.0.4894417.el7.x86_64

How reproducible:
Very

Steps to Reproduce:
1. Run the openshift-ansible/playbooks/byo/openshift-cluster/openshift_metrics.yml
2. When it has completed, verify the route information is correct:
   oc get route hawkular-metrics -n openshift-infra
   look at spec.tls and verify that there is no CACertificate in the Route object.
3.

Actual results:
The route object when creating does not recognize the CACertificate flag that is used in this file:
https://github.com/openshift/openshift-ansible/blob/master/roles/openshift_metrics/templates/route.j2#L20
It then fails to properly validate the tls information.

Expected results:
The above route.j2 should have 'caCertificate' instead of 'CACertificate' so that the route properly accepts the caCertificate attribute.

Additional info:
This is a relatively easy fix. It probably should be backported to 3.5 as well.
https://github.com/openshift/openshift-ansible/pull/4868
https://github.com/openshift/openshift-ansible/pull/4869
Used build openshift-ansible-3.6.173.0.7-2.git.0.340aa2c.el7 mentioned in https://errata.devel.redhat.com/advisory/29863

Set openshift_metrics_hawkular_ca=***** in inventory file and run the playbook openshift-ansible/playbooks/byo/openshift-cluster/openshift_metrics.yml.

When it had completed, verified the route information was correct:

# oc get route hawkular-metrics -o json -n openshift-infra

There was caCertificate in the Route object. See the attached file

"spec": {
    "host": "hawkular-metrics.*******",
    "tls": {
        "caCertificate": "-----BEGIN CERTIFICATE-----\nMIIC6jCCAdKgAwIBAgIBATANBgkqhkiG9w0BAQsFADAmMSQwIgYDVQQDDBtvcGVu\nc2hpZnQtc2lnbmVyQDE1MDM0NDcwNDIwHhcNMTcwODIzMDAxMDQxWhcNMjIwODIy\nMDAxMDQyWjAmMSQwIgYDVQQDDBtvcGVuc2hpZnQtc2lnbmVyQDE1MDM0NDcwNDIw\nggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDEMg2YjIQVc2w58Ov0H9EP\nHmSBaKgTxkB8Xx6JthMjUfrheZ//9YK6Mce4ezmfBuVn7YMnZW+YyQOWqcUarxtf\n46soWdUmlATmUxIuviDdrFcbzD4W7wrmFD6vWwj6GIWIlzi/D3r2UNaHQ0aVySBE\nsG/FaMn1kkWRSybPdX99nhkCnRfzyicdrWbhcl0GkYwpbY7iIb560NScpheKhFO+\nZBeaWY+w/h/S/sfp1xn6yH/zDucCFvAy0jvq3bHZxQ2IOBVwhapjXv1CWRHepGBw\n0YApnXIiLMjkBUSewZlcRxY3MZ2IpOwFu1ORb0V+edRVqNeTSSg/4//fPJgHRuPN\nAgMBAAGjIzAhMA4GA1UdDwEB/wQEAwICpDAPBgNVHRMBAf8EBTADAQH/MA0GCSqG\nSIb3DQEBCwUAA4IBAQB+nGQaAzM2R8XVKHxFGS5Xu5XaibeimKhsHYZqV72beBxM\ncbF+SgYOnMroNASj7V+zKvQsMbZmlePFF+bBuOrToPXyyPCIau9PfCogs9TfdQfr\nUfKEIfL1juUyGbE0Q2atH1Dol3kJnEctzkFrRImWqgr3Yq35pXY1twCjicFpi9KC\nA+M8lhchB4i5GcLdGFBGuVpzlBd1jX8fc7QX2ZD+SRNpqri+yDhVWfCr434MZzgL\nt4cfRwQLNe3mrub592xtO9CQuNyLznjxUpKmq1vnWk/Q41z8FnpLY254CxYz4O6U\nG3ztrvirqNvaiVtrGG+cEArwijY8dG1NvdEI+RTP\n-----END CERTIFICATE-----\n"
Created attachment 1316949: caCertificate field in metrics route
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2639
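The check described in the report and repeated in the verification comment, as an added example that is not part of the original bug report or of openshift-ansible: it audits a Route's spec.tls for mis-cased field names and for a missing caCertificate. The sample routes, host name and PEM placeholder are constructed, and the "stored" sample assumes the unrecognized key is dropped on creation, as the report describes.

```python
import json

# Field names of a Route's spec.tls as the API spells them (camelCase).
ROUTE_TLS_FIELDS = ("termination", "certificate", "key", "caCertificate",
                    "destinationCACertificate", "insecureEdgeTerminationPolicy")

def audit_route_tls(route, expect_ca=True):
    """Return findings for a Route dict (rendered template or `oc get -o json`)."""
    tls = route.get("spec", {}).get("tls")
    if not isinstance(tls, dict):
        return ["spec.tls: missing, route carries no TLS settings"]
    by_lower = {name.lower(): name for name in ROUTE_TLS_FIELDS}
    findings = []
    for key in tls:
        if key in ROUTE_TLS_FIELDS:
            continue
        expected = by_lower.get(key.lower())
        if expected:  # right field, wrong case: the defect in this report
            findings.append(f"spec.tls.{key}: wrong case, expected '{expected}'")
        else:
            findings.append(f"spec.tls.{key}: unknown field")
    ca = tls.get("caCertificate") or ""
    if expect_ca and "-----BEGIN CERTIFICATE-----" not in ca:
        findings.append("spec.tls.caCertificate: absent or not PEM")
    return findings

# Constructed samples; host, termination and PEM body are placeholders.
PEM = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"

def _route(tls):
    return {"kind": "Route", "metadata": {"name": "hawkular-metrics"},
            "spec": {"host": "hawkular-metrics.example.com", "tls": tls}}

RENDERED_BUGGY = _route({"termination": "reencrypt", "CACertificate": PEM})
STORED_BUGGY = _route({"termination": "reencrypt"})  # assumed: key dropped on create
FIXED = _route({"termination": "reencrypt", "caCertificate": PEM})

if __name__ == "__main__":
    for label, route in [("rendered (buggy)", RENDERED_BUGGY),
                         ("stored (buggy)", STORED_BUGGY), ("fixed", FIXED)]:
        print(label, json.dumps(audit_route_tls(route)))
```

Running the audit on the rendered template names the mis-cased key directly, while on the stored object only the absence of caCertificate is visible, which is why the verification step inspects spec.tls after the playbook completes.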