1479930 – [3.2] Hawkular Metrics cannot handle connecting to the Kubernetes Master when the ca.crt contains multiple certificates.

Bug 1479930 - [3.2] Hawkular Metrics cannot handle connecting to the Kubernetes Master when the ca.crt contains multiple certificates.

Summary: [3.2] Hawkular Metrics cannot handle connecting to the Kubernetes Master when...

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Hawkular
Sub Component:
Version:	3.2.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	urgent
Severity:	urgent
Target Milestone:	---
Target Release:	3.2.1
Assignee:	Matt Wringe
QA Contact:	Junqi Zhao
Docs Contact:
URL:
Whiteboard:
Depends On:	1447463 1461635
Blocks:	1468308 1468309
TreeView+	depends on / blocked

Reported:	2017-08-09 18:52 UTC by Matt Wringe
Modified:	2020-12-14 09:26 UTC (History)
CC List:	14 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	Cause: The Java keytool command can only handle importing single individual certificates. The OpenShift ca bundle certificates can contain multiple ca certificates. Consequence: When importing the ca certificate from OpenShift, the Java keytool command would only import the first certificate and ignore the rest. Fix: Instead of directly importing the CA certicate from OpenShift directly, we need to split up the certificate into individual certificates and load them individually. Result: Hawkular Metrics can now trust certificates signed by any of the CA certificates in the OpenShift CA bundle.
Clone Of:	1461635
Environment:
Last Closed:	2018-06-01 17:59:10 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Comment 4 Junqi Zhao 2017-08-17 04:26:59 UTC

Issue was fixed.

Verification steps:
1. Add the example certificate in https://bugzilla.redhat.com/show_bug.cgi?id=1447463#c53 before and after /etc/origin/master/ca-bundle.crt.
2. Restart server and deploy metrics 3.2.1 by using images from brew registry.
3. oc rsh ${HAWKULAR_METRICS_PODS};
   cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt

/var/run/secrets/kubernetes.io/serviceaccount/ca.crt is the same with /etc/origin/master/ca-bundle.crt.

4. Login web console, metrics can  be viewed.

Comment 5 Junqi Zhao 2017-08-17 04:28:19 UTC

# openshift version
openshift v3.2.1.34
kubernetes v1.2.0-36-g4a3f9c5
etcd 2.2.5

Images:
metrics-hawkular-metrics:3.2.1-16

Note You need to log in before you can comment on or make changes to this bug.