Description of problem:
No Configmap and volumes to consume the cluster CA.

Version-Release number of selected component (if applicable):
Cluster version: 4.2.0-0.nightly-2019-08-29-17042
Service Catalog operator version: io.openshift.build.commit.url=https://github.com/openshift/cluster-svcat-controller-manager-operator/commit/723d6814a96920643da14d7e01f2a17c455c3c2f

How reproducible:
always

Steps to Reproduce:
1. Install OCP 4.2 with the proxy enabled, like below:

mac:~ jianzhang$ oc get proxy cluster -o yaml
apiVersion: config.openshift.io/v1
kind: Proxy
metadata:
  creationTimestamp: "2019-08-30T07:28:22Z"
  generation: 1
  name: cluster
  resourceVersion: "1617"
  selfLink: /apis/config.openshift.io/v1/proxies/cluster
  uid: bf1b3089-caf7-11e9-84d0-02320f4e1b00
spec:
  httpProxy: http://proxy-user1:JYgU8qRZV4DY4PXJbxJK@ec2-13-59-147-11.us-east-2.compute.amazonaws.com:3129
  httpsProxy: http://proxy-user1:JYgU8qRZV4DY4PXJbxJK@ec2-13-59-147-11.us-east-2.compute.amazonaws.com:3129
  noProxy: test.no-proxy.com
  trustedCA:
    name: user-ca-bundle
status:
  httpProxy: http://proxy-user1:JYgU8qRZV4DY4PXJbxJK@ec2-13-59-147-11.us-east-2.compute.amazonaws.com:3129
  httpsProxy: http://proxy-user1:JYgU8qRZV4DY4PXJbxJK@ec2-13-59-147-11.us-east-2.compute.amazonaws.com:3129
  noProxy: .cluster.local,.svc,10.0.0.0/16,10.128.0.0/14,127.0.0.1,169.254.169.254,172.30.0.0/16,api-int.qe-jiazha-proxy.qe.devcluster.openshift.com,api.qe-jiazha-proxy.qe.devcluster.openshift.com,etcd-0.qe-jiazha-proxy.qe.devcluster.openshift.com,etcd-1.qe-jiazha-proxy.qe.devcluster.openshift.com,etcd-2.qe-jiazha-proxy.qe.devcluster.openshift.com,localhost,test.no-proxy.com

2. Enable Service catalog.
3. Check the daemonset and the configmap objects.

Actual results:
No "trusted-ca-bundle" configmap generated.

mac:~ jianzhang$ oc get cm -n openshift-service-catalog-controller-manager
NAME                                 DATA   AGE
client-ca                            1      15m
cluster-info                         1      15m
config                               3      15m
service-catalog-controller-manager   0      15m

And, no trusted CA volume generated.

mac:~ jianzhang$ oc get ds controller-manager -o yaml |grep -i "volumeMounts" -A 10
        volumeMounts:
        - mountPath: /var/run/kubernetes-service-catalog
          name: apiserver-ssl
          readOnly: true
        - mountPath: /var/run/configmaps/config
          name: config
        - mountPath: /var/run/configmaps/client-ca
          name: client-ca
        - mountPath: /var/run/secrets/serving-cert
          name: serving-cert
      dnsPolicy: ClusterFirst

Expected results:
Should consume the cluster CA, user-ca-bundle.

Additional info:
Jian,

The ca trust bundle is not being consumed because the configmap is not being created. Do the following:

1. Clone the repo:

$ git clone https://github.com/openshift/cluster-svcat-controller-manager-operator.git && cd cluster-svcat-controller-manager-operator

2. Create the trusted ca configmap:

$ oc apply -f cluster-svcat-controller-manager-operator/cluster-svcat-controller-manager-operator/bindata/v3.11.0/openshift-svcat-controller-manager/trusted-ca.yaml

3. Verify the configmap with the trust bundle data:

$ oc get cm/trusted-ca-bundle -n openshift-service-catalog-controller-manager -o yaml

4. Verify the trust bundle volume mount gets created.

$ oc get daemonset.apps/controller-manager -n openshift-service-catalog-controller-manager -o yaml | grep trust
        - mountPath: /etc/pki/ca-trust/extracted/pem/
          name: trusted-ca-bundle
          name: trusted-ca-bundle
        name: trusted-ca-bundle

Jesus,

Can the configmap be created by default so the above steps are not needed? I hit another bug (https://bugzilla.redhat.com/show_bug.cgi?id=1747571) while triaging this bug.
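A scripted form of the verification in steps 3 and 4 above, added here as an example (it is not from the bug report or the operator repository): it checks a saved DaemonSet manifest for both the volumeMount at /etc/pki/ca-trust/extracted/pem/ and the configMap volume named trusted-ca-bundle, so the "no trust lines at all" state from the report fails and the fixed state passes. The sample manifests below are constructed stand-ins for `oc get ds ... -o yaml` output.

```shell
# Added example, not the operator's own code. Real input:
#   oc get ds controller-manager -n openshift-service-catalog-controller-manager -o yaml > ds.yaml
#   check_trusted_ca_mount ds.yaml && echo "trusted CA bundle mounted"

# line_followed_by FILE A B: succeeds if some line containing A is immediately
# followed by a line containing B. Enough for `oc ... -o yaml` output, where a
# list item's first key and the next key sit on adjacent lines.
line_followed_by() {
    awk -v a="$2" -v b="$3" '
        index($0, a)         { want = 1; next }
        want && index($0, b) { found = 1 }
                             { want = 0 }
        END                  { exit found ? 0 : 1 }
    ' "$1"
}

# check_trusted_ca_mount FILE: exit 0 only if the container mounts the CA trust
# directory from a volume that is backed by the trusted-ca-bundle configmap.
check_trusted_ca_mount() {
    line_followed_by "$1" 'mountPath: /etc/pki/ca-trust/extracted/pem/' 'name: trusted-ca-bundle' &&
        line_followed_by "$1" 'configMap:' 'name: trusted-ca-bundle'
}

# Constructed sample of the fixed DaemonSet, trimmed to the relevant fields.
sample_fixed() {
cat <<'EOF'
        volumeMounts:
        - mountPath: /var/run/configmaps/client-ca
          name: client-ca
        - mountPath: /etc/pki/ca-trust/extracted/pem/
          name: trusted-ca-bundle
      volumes:
      - configMap:
          name: client-ca
        name: client-ca
      - configMap:
          name: trusted-ca-bundle
        name: trusted-ca-bundle
EOF
}

# Constructed sample of the broken DaemonSet from the report: no trust lines.
sample_broken() {
cat <<'EOF'
        volumeMounts:
        - mountPath: /var/run/configmaps/client-ca
          name: client-ca
      volumes:
      - configMap:
          name: client-ca
        name: client-ca
EOF
}
```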
Hi, Daneyon

Yes, thanks! I understand. But, based on my understanding, the ConfigMap should be created automatically.
@jian yes, the configmap was supposed to be created automatically. That was definitely a bug. I have fixed it in the following PR: https://github.com/openshift/cluster-svcat-controller-manager-operator/pull/50
*** Bug 1747571 has been marked as a duplicate of this bug. ***
Cluster version: 4.2.0-0.nightly-2019-09-10-235718
Svcat-controller-manager-operator version is: io.openshift.build.commit.url=https://github.com/openshift/cluster-svcat-controller-manager-operator/commit/b57aa59ceb99ad2493db2f288ae8f084ca4549c5

1. The 4.2 cluster with the proxy enabled.

mac:~ jianzhang$ oc get proxy cluster -o yaml
apiVersion: config.openshift.io/v1
kind: Proxy
metadata:
  creationTimestamp: "2019-09-11T06:11:51Z"
  generation: 3
  name: cluster
  resourceVersion: "20988"
  selfLink: /apis/config.openshift.io/v1/proxies/cluster
  uid: 0bb405fe-d45b-11e9-9cbc-fa163ed41aaa
spec:
  httpProxy: http://proxy-user1:JYgU8qRZV4DY4PXJbxJK@10.0.76.148:3128
  httpsProxy: https://proxy-user1:JYgU8qRZV4DY4PXJbxJK@10.0.76.148:3130
  noProxy: test.no-proxy.com,.google.com
  trustedCA:
    name: user-ca-bundle
status:
  httpProxy: http://proxy-user1:JYgU8qRZV4DY4PXJbxJK@10.0.76.148:3128
  httpsProxy: https://proxy-user1:JYgU8qRZV4DY4PXJbxJK@10.0.76.148:3130
  noProxy: .cluster.local,.google.com,.svc,10.0.0.0/16,10.128.0.0/14,127.0.0.1,172.30.0.0/16,api-int.qe-css-httpsproxy.qe.devcluster.openshift.com,api.qe-css-httpsproxy.qe.devcluster.openshift.com,etcd-0.qe-css-httpsproxy.qe.devcluster.openshift.com,localhost,test.no-proxy.com

2. Enable Service catalog. And, check the "trusted-ca-bundle" configmap. Looks good.

mac:~ jianzhang$ oc get cm -n openshift-service-catalog-controller-manager
NAME                                 DATA   AGE
client-ca                            1      11m
cluster-info                         1      11m
config                               3      11m
service-catalog-controller-manager   0      11m
trusted-ca-bundle                    1      11m

3. Verify the trust bundle volume mount gets created. But, no trusted CA volume generated.

mac:~ jianzhang$ oc get ds controller-manager -n openshift-service-catalog-controller-manager -o yaml |grep -i "trust"
mac:~ jianzhang$
mac:~ jianzhang$ oc get ds controller-manager -n openshift-service-catalog-controller-manager -o yaml |grep -i "volumeMounts" -A 10
        volumeMounts:
        - mountPath: /var/run/kubernetes-service-catalog
          name: apiserver-ssl
          readOnly: true
        - mountPath: /var/run/configmaps/config
          name: config
        - mountPath: /var/run/configmaps/client-ca
          name: client-ca
        - mountPath: /var/run/secrets/serving-cert
          name: serving-cert
      dnsPolicy: ClusterFirst
The configmap and the volume are created to consume the cluster CA as expected. Marking as VERIFIED.

Cluster Version: 4.2.0-0.nightly-2019-09-16-131752
cluster-svcat-controller-manager-operator commitId: "io.openshift.build.url": "https://github.com/openshift/cluster-svcat-controller-manager-operator/commit/9ef3f62c4b3d7b824c9b0b86c2081d694faff5ea"

1. The 4.2 cluster with the proxy enabled.

oc get proxy cluster -o yaml
apiVersion: config.openshift.io/v1
kind: Proxy
metadata:
  creationTimestamp: "2019-09-16T18:01:32Z"
  generation: 2
  name: cluster
  resourceVersion: "32632"
  selfLink: /apis/config.openshift.io/v1/proxies/cluster
  uid: 0446b51b-d8ac-11e9-98bf-0255f6f9ecc6
spec:
  httpProxy: http://proxy-user1:JYgU8qRZV4DY4PXJbxJK@139.178.76.57:3128
  httpsProxy: http://proxy-user1:JYgU8qRZV4DY4PXJbxJK@139.178.76.57:3128
  noProxy: .cluster.local,.svc,.us-east-2.compute.internal,10.0.0.0/16,10.128.0.0/14,127.0.0.1,169.254.169.254,172.30.0.0/16,api-int.bandrade123.qe.devcluster.openshift.com,api.bandrade123.qe.devcluster.openshift.com,etcd-0.bandrade123.qe.devcluster.openshift.com,etcd-1.bandrade123.qe.devcluster.openshift.com,etcd-2.bandrade123.qe.devcluster.openshift.com,localhost,test.no-proxy.com
  trustedCA:
    name: ""
status:
  httpProxy: http://proxy-user1:JYgU8qRZV4DY4PXJbxJK@139.178.76.57:3128
  httpsProxy: http://proxy-user1:JYgU8qRZV4DY4PXJbxJK@139.178.76.57:3128
  noProxy: .cluster.local,.svc,.us-east-2.compute.internal,10.0.0.0/16,10.128.0.0/14,127.0.0.1,169.254.169.254,172.30.0.0/16,api-int.bandrade123.qe.devcluster.openshift.com,api.bandrade123.qe.devcluster.openshift.com,etcd-0.bandrade123.qe.devcluster.openshift.com,etcd-1.bandrade123.qe.devcluster.openshift.com,etcd-2.bandrade123.qe.devcluster.openshift.com,localhost,test.no-proxy.com

2. Enable Service catalog. And, check the "trusted-ca-bundle" configmap. Looks good.

oc get cm -n openshift-service-catalog-controller-manager
NAME                                 DATA   AGE
client-ca                            1      2m54s
cluster-info                         1      2m9s
config                               3      2m54s
service-catalog-controller-manager   0      2m36s
trusted-ca-bundle                    1      2m54s

3. Verify the trust bundle volume mount gets created.

oc get ds controller-manager -n openshift-service-catalog-controller-manager -o yaml |grep -i "trust"
        - mountPath: /etc/pki/ca-trust/extracted/pem/
          name: trusted-ca-bundle
          name: trusted-ca-bundle
        name: trusted-ca-bundle

oc get ds controller-manager -n openshift-service-catalog-controller-manager -o yaml |grep -i "volumeMounts" -A 10
        volumeMounts:
        - mountPath: /var/run/kubernetes-service-catalog
          name: apiserver-ssl
          readOnly: true
        - mountPath: /var/run/configmaps/config
          name: config
        - mountPath: /var/run/configmaps/client-ca
          name: client-ca
        - mountPath: /var/run/secrets/serving-cert
          name: serving-cert
        - mountPath: /etc/pki/ca-trust/extracted/pem/
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2922