Description of problem:

The grafana-oauth proxy sidecar does not trust the OCP console certificate (which uses a certificate signed by GoDaddy). Tried to add it with openshift_additional_ca and by running the redeploy-ca playbook [1]. After that, the redeploy-certificates playbook was run to redeploy the master certificates. But the grafana-proxy container still throws the same errors as shown below:

~~~
oauthproxy.go:635: error redeeming code (client:x.x.x.x:38174): Post https://ocp-console.xxx.xxx.com:8443/oauth/token: x509: certificate signed by unknown authority
oauthproxy.go:434: ErrorPage 500 Internal Error Internal Error
provider.go:382: authorizer reason: no RBAC policy matched
provider.go:382: authorizer reason: no RBAC policy matched
~~~

Can we perform this task of adding a custom CA bundle?

Link:
[1] https://docs.openshift.com/container-platform/3.11/install_config/redeploying_certificates.html#redeploying-new-custom-ca

Version-Release number of selected component (if applicable):
OCP v3.11

Expected results:
Grafana should trust the custom CA bundle.
https://github.com/openshift/openshift-ansible/pull/11472 was merged, which should fix this (thanks to Vadim for working on this!).
Issue is fixed with:

~~~
# rpm -qa | grep openshift-ansible
openshift-ansible-roles-3.11.104-1.git.0.379a011.el7.noarch
openshift-ansible-docs-3.11.104-1.git.0.379a011.el7.noarch
openshift-ansible-playbooks-3.11.104-1.git.0.379a011.el7.noarch
openshift-ansible-3.11.104-1.git.0.379a011.el7.noarch
~~~
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:0794