More result: testing the webhook case OCP-25161, it got:

cat > smooth-app.pod.yaml << EOF
apiVersion: v1
kind: Pod
metadata:
  name: smooth-app
spec:
  containers:
  - image: openshift/hello-openshift
    name: smooth-app
EOF
# This test got equivalent error result with above step 3 IMO.
oc create -f smooth-app.pod.yaml
Error from server (InternalError): error when creating "smooth-app.pod.yaml": Internal error occurred: failed calling webhook "xxia.admission.webhook": Post https://grumpy-default.apps.<masked>.qe.devcluster.openshift.com/validate?timeout=30s: x509: certificate signed by unknown authority

Commented PR BTW https://github.com/openshift/cluster-kube-apiserver-operator/pull/567#discussion_r325609997
The issue of comment 0 is verified in 4.2.0-0.nightly-2019-09-19-014231. But the issue of comment 1 still exists. Still investigating and will report a separate bug later if the issue is considered a bug.
Xingxing regarding comment #1, platform components request CA injection by
1) creating a configmap with label 'config.openshift.io/inject-trusted-cabundle=true' in the same namespace as the pod
2) mounting the configmap as the local trust store like so:

---
kind: Pod/Deployment/DaemonSet/etc..
<SNIP>
    volumeMounts:
    - name: trusted-ca
      mountPath: /etc/pki/ca-trust/extracted/pem/
<SNIP>
  volumes:
  - name: trusted-ca
    configMap:
      name: trusted-ca
      optional: true
      items:
      - key: ca-bundle.crt
        path: tls-ca-bundle.pem
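A pre-deploy check for the two steps listed in the comment above, as an added example that is not part of this thread or of any OpenShift component. The function names, the `demo` namespace, the `example-app` pod and the manifests (written as Python dicts) are constructed for illustration.

```python
# Added example: lint a workload manifest against the two CA-injection steps
# from the comment above. All manifests below are constructed sample input.
INJECT_LABEL = "config.openshift.io/inject-trusted-cabundle"  # label from the comment
BUNDLE_KEY = "ca-bundle.crt"                                  # key from the comment


def check_ca_injection(workload, configmaps):
    """Return a list of problems; an empty list means both steps are satisfied."""
    problems = []
    ns = workload["metadata"].get("namespace", "default")
    # Deployments/DaemonSets nest the pod spec under spec.template; Pods do not.
    spec = workload["spec"].get("template", workload)["spec"]
    labelled = {  # step 1: labelled configmaps in the workload's own namespace
        cm["metadata"]["name"]
        for cm in configmaps
        if cm["metadata"].get("namespace", "default") == ns
        and cm["metadata"].get("labels", {}).get(INJECT_LABEL) == "true"
    }
    # Step 2: volumes backed by a labelled configmap that project the bundle key.
    volumes = set()
    for vol in spec.get("volumes", []):
        ref = vol.get("configMap")
        if not ref or ref.get("name") not in labelled:
            continue
        items = ref.get("items")
        if items is None or any(i["key"] == BUNDLE_KEY for i in items):  # no items = all keys
            volumes.add(vol["name"])
    if not labelled:
        problems.append(f"no configmap labelled {INJECT_LABEL}=true in namespace {ns}")
    elif not volumes:
        problems.append(f"no volume projects {BUNDLE_KEY} from a labelled configmap")
    for c in spec.get("containers", []):
        mounted = {m["name"] for m in c.get("volumeMounts", [])}
        if volumes and not mounted & volumes:
            problems.append(f"container {c['name']} does not mount the trust bundle")
    return problems


def sample(cm_namespace):
    """Build a constructed configmap/pod pair; the pod always lives in 'demo'."""
    cm = {"kind": "ConfigMap", "metadata": {"name": "trusted-ca", "namespace": cm_namespace,
                                            "labels": {INJECT_LABEL: "true"}}}
    pod = {"kind": "Pod", "metadata": {"name": "example-app", "namespace": "demo"},
           "spec": {"containers": [{"name": "example-app", "volumeMounts": [
                        {"name": "trusted-ca", "mountPath": "/etc/pki/ca-trust/extracted/pem/"}]}],
                    "volumes": [{"name": "trusted-ca", "configMap": {
                        "name": "trusted-ca", "optional": True,
                        "items": [{"key": BUNDLE_KEY, "path": "tls-ca-bundle.pem"}]}}]}}
    return pod, [cm]
```

`check_ca_injection(*sample("demo"))` returns an empty list, while `sample("other")` reports the missing labelled configmap because the configmap is not in the pod's namespace.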
(In reply to Daneyon Hansen from comment #4)
> Xingxing regarding comment #1, platform components request CA injection by

Thanks Daneyon, yeah, for cluster components, that is correct. But comment 1 is not regarding cluster components, it is a step of the test case OCP-25161.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:2922