Hide Forgot
Description of problem: I0325 11:05:33.276424 1 status_controller.go:150] clusteroperator/authentication diff {"status":{"conditions":[{"lastTransitionTime":"2019-03-25T11:04:02Z","message":"Failing: x509: certificate signed by unknown authority","reason":"Failing","status":"True","type":"Failing"},{"lastTransitionTime":"2019-03-25T11:04:02Z","reason":"AsExpected","status":"False","type":"Progressing"},{"lastTransitionTime":"2019-03-25T11:03:08Z","reason":"Available","status":"False","type":"Available"},{"lastTransitionTime":"2019-03-25T10:38:52Z","reason":"NoData","status":"Unknown","type":"Upgradeable"}]}} I0325 11:05:33.290053 1 event.go:221] Event(v1.ObjectReference{Kind:"Deployment", Namespace:"openshift-authentication-operator", Name:"openshift-authentication-operator", UID:"1636fadd-4eea-11e9-958a-029e9341ad66", APIVersion:"apps/v1", ResourceVersion:"", FieldPath:""}): type: 'Normal' reason: 'OperatorStatusChanged' Status for operator authentication changed: Failing message changed from "Failing: dial tcp: lookup openshift-authentication-openshift-authentication.apps.ci-op-8n1f8l1l-ad003.origin-ci-int-aws.dev.rhcloud.com on 172.30.0.10:53: no such host" to "Failing: x509: certificate signed by unknown authority" E0325 11:05:35.465719 1 controller.go:130] {š¼ š¼} failed with: x509: certificate signed by unknown authority E0325 11:05:38.776327 1 controller.go:130] {š¼ š¼} failed with: x509: certificate signed by unknown authority Seen here: https://openshift-gce-devel.appspot.com/build/origin-ci-test/pr-logs/pull/openshift_cluster-kube-controller-manager-operator/197/pull-ci-openshift-cluster-kube-controller-manager-operator-master-e2e-aws/951 Also the authentication operator is reporting failing: ```authentication Available=False, Failing=True, Progressing=False, Upgradeable=Unknown``` Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info:
*** Bug 1692842 has been marked as a duplicate of this bug. ***
The authn operator fails to become ready as it took 33 minutes for the `router-certs` secret to appear (meaning from the first request authn-operator did to find it till the time it appears and is filled with data). Moving to Routing team for investigation.
Following is the chain of events that resulted in the reported CI failure: 1. The RestrictSubjectBindings admission plug-in failed to get rolebindingrestrictions. 2. Consequently, cluster-version-operator failed to create the "openshift-ingress-operator/ingress-operator" role binding from cluster-ingress-operator's manifest assets. 3. Thus cluster-version-operator did not start cluster-ingress-operator. 4. Thus cluster-ingress-operator failed to create the router-certs secret. After ~25 minutes, cluster-version-operator succeeded in creating the role binding, after which point cluster-version-operator started cluster-ingress-operator, and the latter created the router-certs secret. https://github.com/openshift/origin/pull/22416 should fix the problem.
Does that mean this bug is mis-categorized? According to Miciah's analysis, the ingress operator did what it was supposed to do.
Michal, Because this is test flake, QE can not easily to reproduce and verify it when bug is in ON_QA state If you will not see the same issue any more, could you update the bug to VERIFIED? Thank you!
Iām going to mark it as verified. Please reopen if you hit again.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:0758