Bug 1596546
| Summary: | server doesn't have a resource type "dc" and "Error: 'x509: certificate signed by unknown authority (possibly because of \"crypto/rsa: verification error\" while trying to verify candidate authority certificate \"service-catalog-signer\" | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Andre Costa <andcosta> |
| Component: | Master | Assignee: | Michal Fojtik <mfojtik> |
| Status: | CLOSED DUPLICATE | QA Contact: | Xingxing Xia <xxia> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 3.9.0 | CC: | aos-bugs, jokerman, maszulik, mmccomas |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-07-02 14:06:48 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
*** This bug has been marked as a duplicate of bug 1525014 *** |
Description of problem: Upgrading from v3.7 and v3.9.30 to new Errata version v3.9.31 fails with: " Message: {u'cmd': u'/usr/bin/oc get dc docker-registry -o json -n default', u'returncode': 1, u'results': [{}], u'stderr': u'the serv"er doesn\'t have a resource type "dc"\n', u'stdout': u''} " After changing the playbooks from dc to deploymentconfig it works. After that the Service Catalog fails: | oc apply --config=/tmp/tsb-ansible-2jqtus/admin.kubeconfig -f -", "delta": "0:00:00.899532", "end": "2018-06-28 16:02:46.162382", "msg": "non-zero return code", "rc": 1, "start": "2018-06-28 16:02:45.262850", "stderr": "Error from server (InternalError): an error on the server (\"Error: 'x509: certificate signed by unknown authority (possibly because of \\\"crypto/rsa: verification error\\\" while trying to verify candidate authority certificate \\\"service-catalog-signer\\\")'\\nTrying to reach: 'https://172.30.182.187:443/apis/servicecatalog.k8s.io/v1beta1/clusterservicebrokers/template-service-broker'\") has prevented the request from succeeding (get clusterservicebrokers.servicecatalog.k8s.io template-service-broker)", "stderr_lines": ["Error from server (InternalError): an error on the server (\"Error: 'x509: certificate signed by unknown authority (possibly because of \\\"crypto/rsa: verification error\\\" while trying to verify candidate authority certificate \\\"service-catalog-signer\\\")'\\nTrying to reach: 'https://172.30.182.187:443/apis/servicecatalog.k8s.io/v1beta1/clusterservicebrokers/template-service-broker'\") has prevented the request from succeeding (get clusterservicebrokers.servicecatalog.k8s.io template-service-broker)"], "stdout": "", "stdout_lines": []} 2018-06-28 16:02:46,257 p=13842 u=root | to retry, use: --limit @/usr/share/ansible/openshift-ansible/playbooks/openshift-service-catalog/config.retry And on the customer even deleting a resource, gives the same error, which doesn't make much sense, even if the Service Catalog is nor working: "oc delete all -l app=testbinary --loglevel=5 I0625 15:25:11.067178 16738 request.go:1076] body was not decodable (unable to check for Status): Object 'Kind' is missing in 'Error: 'x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "service-catalog-signer")' Trying to reach: 'https://172.30.36.161:443/apis/servicecatalog.k8s.io/v1alpha1'' I0625 15:25:11.067261 16738 cached_discovery.go:77] skipped caching discovery info due to an error on the server ("Error: 'x509: certificate signed by unknown authority (possibly because of \"crypto/rsa: verification error\" while trying to verify candidate authority certificate \"service-catalog-signer\")'\nTrying to reach: 'https://172.30.36.161:443/apis/servicecatalog.k8s.io/v1alpha1'") has prevented the request from succeeding" Version-Release number of selected component (if applicable): v3.9.31 How reproducible: On my lab after running the openshift-service-catalog/config.yml playbook separately the Service Catalog was upgraded successfully. On the customers side we did the same 3 times and keeps having the same issue. last time made sure that all Service Catalog and brokers objects were deleted before reinstalling: # oc delete apiservices.apiregistration.k8s.io/v1beta1.servicecatalog.k8s.io -n kube-service-catalog # oc delete kube-service-catalog openshift-template-service-broker openshift-ansible-service-broker # ansible-playbook -vvv -i <path-to-host-inventory-file> /usr/share/ansible/openshift-ansible/playbooks/openshift-service-catalog/config.yml Expected results: The service catalog should be installed without issues and be used without these issues. The playbooks should work with full "kind" name or abbreviated, since manually "oc get dc" was working. And customer shouldn't need to edit playbooks.