Bug 1749567 - openshift-apiserver operator shows Degraded=True after configuring a cluster with proxy
Status: CLOSED DUPLICATE of bug 1747260
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: openshift-apiserver
Version: 4.2.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: 4.2.0
Assignee: Standa Laznicka
QA Contact: Xingxing Xia
 
Reported: 2019-09-05 21:36 UTC by Daneyon Hansen
Modified: 2019-09-06 08:05 UTC

Last Closed: 2019-09-06 08:05:10 UTC

Links
System: Github
ID: openshift cluster-openshift-apiserver-operator pull 232
Private: 0
Priority: None
Status: closed
Summary: Bug 1747260: Last (?) fix to trusted-ca CM syncing
Last Updated: 2021-02-09 08:05:17 UTC

Description Daneyon Hansen 2019-09-05 21:36:01 UTC
Description of problem:
openshift-apiserver operator shows degraded after configuring a cluster with proxy:

$ oc get clusteroperator/openshift-apiserver
NAME                  VERSION                         AVAILABLE   PROGRESSING   DEGRADED   SINCE
openshift-apiserver   4.2.0-0.okd-2019-09-05-160131   True        False         True       4h55m


Version-Release number of selected component (if applicable):

$ openshift-install version
openshift-install v4.1.9-201907311355-dirty
built from commit 7f8b6bc666e0e061d0f2809646dffb4e98d6f098
release image quay.io/openshift-release-dev/ocp-release@sha256:27fd24c705d1107cc73cb7dda8257fe97900e130b68afc314d0ef0e31bcf9b8e
$ oc adm release info quay.io/openshift-release-dev/ocp-release@sha256:27fd24c705d1107cc73cb7dda8257fe97900e130b68afc314d0ef0e31bcf9b8e --commits | grep openshift-apiserver
  cluster-openshift-apiserver-operator          https://github.com/openshift/cluster-openshift-apiserver-operator          2728ac11a08492543680a5910349e679fb47f08f

How reproducible:
Always

Steps to Reproduce:
1. Create a cluster without proxy configured
2. After the cluster installation completes, create a configmap containing the proxy's trusted ca cert bundle:
$ oc get cm/user-ca-bundle -n openshift-config -o yaml
apiVersion: v1
data:
  ca-bundle.crt: |
    ${MY_PROXY_CA_CERT}
kind: ConfigMap
metadata:
  name: user-ca-bundle
  namespace: openshift-config
  <SNIP>
3. Modify the proxy object:
$ oc edit proxy/cluster
apiVersion: config.openshift.io/v1
kind: Proxy
metadata:
  <SNIP>
spec:
  httpProxy: http://${PROXY_USER}:${PROXY_PSWD}@${HTTP_PROXY}:${PROXY_HTTP_PORT}
  httpsProxy: http://${PROXY_USER}:${PROXY_PSWD}@${HTTP_PROXY}:${PROXY_HTTPS_PORT}
  trustedCA:
    name: user-ca-bundle

4. Verify the proxy object spec has been written to status:
$ oc get proxy/cluster -o yaml
apiVersion: config.openshift.io/v1
kind: Proxy
metadata:
  creationTimestamp: "2019-09-05T16:12:27Z"
  generation: 3
  name: cluster
  resourceVersion: "72012"
  selfLink: /apis/config.openshift.io/v1/proxies/cluster
  uid: f449c4f8-cff7-11e9-91c4-02e845eedf5c
spec:
  httpProxy: http://${PROXY_USER}:${PROXY_PSWD}@${HTTP_PROXY}:${PROXY_HTTP_PORT}
  httpsProxy: http://${PROXY_USER}:${PROXY_PSWD}@${HTTP_PROXY}:${PROXY_HTTPS_PORT}
  trustedCA:
    name: user-ca-bundle
status:
  httpProxy: http://${PROXY_USER}:${PROXY_PSWD}@${HTTP_PROXY}:${PROXY_HTTP_PORT}
  httpsProxy: http://${PROXY_USER}:${PROXY_PSWD}@${HTTP_PROXY}:${PROXY_HTTPS_PORT}
  noProxy: .cluster.local,.svc,.us-west-2.compute.internal,10.0.0.0/16,10.128.0.0/14,127.0.0.1,169.254.169.254,172.30.0.0/16,api-int.no-proxy.devcluster.openshift.com,api.no-proxy.devcluster.openshift.com,etcd-0.no-proxy.devcluster.openshift.com,etcd-1.no-proxy.devcluster.openshift.com,etcd-2.no-proxy.devcluster.openshift.com,localhost

5. Check the status of the openshift-apiserver operator:
$ oc get clusteroperator/openshift-apiserver

Actual results:
$ oc get clusteroperator/openshift-apiserver
NAME                  VERSION                         AVAILABLE   PROGRESSING   DEGRADED   SINCE
openshift-apiserver   4.2.0-0.okd-2019-09-05-160131   True        False         True       5h9m

Expected results:
$ oc get clusteroperator/openshift-apiserver
NAME                  VERSION                         AVAILABLE   PROGRESSING   DEGRADED   SINCE
openshift-apiserver   4.2.0-0.okd-2019-09-05-160131   True        False         False      5h9m

Operator shows

Additional info:

"WorkloadDegraded: \"trusted-ca-bundle\": Operation cannot be fulfilled
      on configmaps \"trusted-ca-bundle\": StorageError: invalid object, Code: 4,
      Key: /kubernetes.io/configmaps/openshift-apiserver/trusted-ca-bundle, ResourceVersion:
      0, AdditionalErrorMsg: Precondition failed: UID in precondition: 0524f326-cff8-11e9-91c4-02e845eedf5c,
      UID in object meta: a9bf513d-cff8-11e9-9d02-06e3e1e076f0\nWorkloadDegraded: "

operator log file: https://gist.github.com/danehans/8e021a3bb42d9c9d4352d7cb3f056600#file-proxy_openshift_apiserver_issue-log
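
A diagnostic for the condition message quoted under "Additional info", added here as an example (it is not part of the original report or of the operator's code). It reads ClusterOperator JSON of the kind `oc get clusteroperator/openshift-apiserver -o json` returns and extracts the two UIDs from the precondition failure; the sample object is constructed, only its message text comes from the report, and `find_uid_mismatches` is a hypothetical helper name.

```python
import json
import re

# Matches the apiserver's UID-precondition failure as quoted in this report.
PRECONDITION_RE = re.compile(
    r"Key: (?P<key>/\S+?),.*?"
    r"UID in precondition: (?P<expected>[0-9a-f-]{36}),\s+"
    r"UID in object meta: (?P<actual>[0-9a-f-]{36})",
    re.S,
)

# Constructed sample: only the condition message is taken from the report.
SAMPLE = {
    "kind": "ClusterOperator",
    "metadata": {"name": "openshift-apiserver"},
    "status": {"conditions": [
        {"type": "Available", "status": "True"},
        {"type": "Progressing", "status": "False"},
        {"type": "Degraded", "status": "True", "message": (
            'WorkloadDegraded: "trusted-ca-bundle": Operation cannot be fulfilled '
            'on configmaps "trusted-ca-bundle": StorageError: invalid object, Code: 4, '
            "Key: /kubernetes.io/configmaps/openshift-apiserver/trusted-ca-bundle, "
            "ResourceVersion: 0, AdditionalErrorMsg: Precondition failed: "
            "UID in precondition: 0524f326-cff8-11e9-91c4-02e845eedf5c, "
            "UID in object meta: a9bf513d-cff8-11e9-9d02-06e3e1e076f0\n"
            "WorkloadDegraded: ")},
    ]},
}


def find_uid_mismatches(clusteroperator):
    """Return one finding per UID-precondition failure in a Degraded=True condition."""
    findings = []
    for cond in clusteroperator.get("status", {}).get("conditions", []):
        if cond.get("type") != "Degraded" or cond.get("status") != "True":
            continue
        for m in PRECONDITION_RE.finditer(cond.get("message", "")):
            parts = m["key"].strip("/").split("/")
            if len(parts) < 3:  # not a namespaced <resource>/<namespace>/<name> key
                continue
            resource, namespace, name = parts[-3:]
            findings.append({
                "resource": resource, "namespace": namespace, "name": name,
                "expected_uid": m["expected"], "actual_uid": m["actual"],
                # Differing UIDs mean the stored object is not the one the writer held.
                "replaced": m["expected"] != m["actual"],
            })
    return findings


if __name__ == "__main__":
    print(json.dumps(find_uid_mismatches(SAMPLE), indent=2))
```

The reported `actual_uid` can be compared with `oc get cm/trusted-ca-bundle -n openshift-apiserver -o jsonpath='{.metadata.uid}'` to see which object currently exists.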

Comment 1 Standa Laznicka 2019-09-06 08:05:10 UTC
Closing in favour of https://bugzilla.redhat.com/show_bug.cgi?id=1747260 so that QE does not have to go through both as the other BZ was not even submitted to them yet.

Thanks for reporting the bug!

*** This bug has been marked as a duplicate of bug 1747260 ***

