Bug 1731239 - authentication-operator: route health check fails in proxied cluster
Summary: authentication-operator: route health check fails in proxied cluster
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: apiserver-auth
Version: 4.2.0
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
: ---
Assignee: Stefan Schimanski
QA Contact: Chuan Yu
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-07-18 17:56 UTC by Seth Jennings
Modified: 2019-07-18 21:15 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-07-18 21:15:51 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)

Description Seth Jennings 2019-07-18 17:56:01 UTC 
$ oc get proxy cluster -oyaml
apiVersion: config.openshift.io/v1
kind: Proxy
metadata:
  creationTimestamp: "2019-07-18T17:19:22Z"
  generation: 1
  name: cluster
  resourceVersion: "273"
  selfLink: /apis/config.openshift.io/v1/proxies/cluster
  uid: 2f77651a-a980-11e9-8db5-fa163e9073cb
spec:
  httpProxy: http://10.42.15.4:3128
  httpsProxy: http://10.42.15.4:3128

$ oc get clusteroperator authentication 
NAME             VERSION   AVAILABLE   PROGRESSING   DEGRADED   SINCE
authentication             Unknown     Unknown       True       24m

$ oc get event | grep OperatorStatusChanged | tail -n1
22m         Normal    OperatorStatusChanged   deployment/authentication-operator               Status for clusteroperator/authentication changed: Degraded changed from False to True ("RouteHealthDegraded: failed to GET route: dial tcp 10.42.10.202:443: connect: no route to host")

The pod does not have a route to the external network (where the router LB is) and thus can not do the route health check.

https://github.com/openshift/cluster-authentication-operator/blob/988eeefffa2e117076b12ba53bd0a4454d200a21/pkg/operator2/operator.go#L530-L531
Comment 1 Seth Jennings 2019-07-18 21:15:51 UTC 
After talking to Clayton, I think we are just going to make it a requirement that the router wildcard DNS entry resolve to an address reachable from behind the proxy.
Note You need to log in before you can comment on or make changes to this bug.