Description of problem:
I installed the latest Openshift 4.2 version. And I used the variable "additionalTrustBundle:" to add our internal intermediate and root chains. The proxy sidecar of kibana is not receiving the additionalTrustBundle.

How reproducible:
Every install using additionalTrustBundle

Steps to Reproduce:
1. Install Openshift 4.2 with additionalTrustBundle for self signed certificate
2. Deploy the logging operator following the procedure
3. Try to authenticate to - https://kibana-openshift-logging.apps.ose.company.com/

Actual results:
Browser error "500 Internal Error"

    # Kibana-proxy container
    $ oc logs -c kibana-proxy kibana-5f6cb5bf7f-zrhvm | grep TLS
    I1017 00:11:10.507334 1 log.go:172] http: TLS handshake error from 10.130.0.1:47784: EOF
    I1017 00:18:13.698951 1 log.go:172] http: TLS handshake error from 10.128.0.1:35522: remote error: tls: bad certificate

Expected results:
Login

Additional info:
https://github.com/openshift/cluster-logging-operator/issues/261
CASE 02497459

########
# To fix Kibana I set the operator to Unmanaged then I manually created the configMap "trusted-ca-bundle".
########

Under kibana-proxy container I added:

    - name: trusted-ca-bundle
      readOnly: true
      mountPath: /etc/pki/ca-trust/extracted/pem

Under Volumes I added:

    - name: trusted-ca-bundle
      configMap:
        name: trusted-ca-bundle
        items:
          - key: ca-bundle.crt
            path: tls-ca-bundle.pem
        defaultMode: 420
Created attachment 1639474
the clo, fluentd, kibana resource and clo logs

Kibana couldn't be accessed. There wasn't an HTTP_PROXY env in the kibana pod, and the configmap kibana-trusted-ca-bundle wasn't mounted into the kibana pod.
Note: Kibana works well although HTTP_PROXY is not set and kibana-trusted-ca-bundle wasn't mounted.
4.4 additional fixes: https://github.com/openshift/cluster-logging-operator/pull/305
Kibana can be displayed when the proxy is enabled. I will launch a new cluster to verify that the additional CA works.
The trust CA files are bound to /etc/pki/ca-trust/extracted/pem/ in both the fluentd and kibana pods.
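As an added example (not code from this bug report or from the cluster-logging-operator project), the following Python check takes a Deployment in the JSON form that `oc get -o json` returns and verifies the wiring described in the workaround and in the verification comment above: a read-only mount at /etc/pki/ca-trust/extracted/pem backed by a configMap that projects ca-bundle.crt to tls-ca-bundle.pem. The function name `check_ca_mount` and the sample Deployment are constructed for illustration.

```python
import json

PEM_DIR = "/etc/pki/ca-trust/extracted/pem"  # mountPath used in the report
BUNDLE_KEY = "ca-bundle.crt"                 # configMap key used in the report
BUNDLE_FILE = "tls-ca-bundle.pem"            # file name the key is projected to

def check_ca_mount(deployment, container_name):
    """Return a list of problems; an empty list means the bundle is wired in."""
    spec = deployment["spec"]["template"]["spec"]
    container = next((c for c in spec.get("containers", [])
                      if c["name"] == container_name), None)
    if container is None:
        return [f"container {container_name!r} not found"]
    mount = next((m for m in container.get("volumeMounts", [])
                  if m.get("mountPath", "").rstrip("/") == PEM_DIR), None)
    if mount is None:
        return [f"no volumeMount at {PEM_DIR}"]
    problems = []
    if not mount.get("readOnly"):
        problems.append("CA bundle mount is not readOnly")
    volume = next((v for v in spec.get("volumes", [])
                   if v["name"] == mount["name"]), None)
    if volume is None or "configMap" not in volume:
        return problems + [f"volume {mount['name']!r} is not backed by a configMap"]
    # Without an explicit item the file would be named after the key,
    # not tls-ca-bundle.pem.
    items = volume["configMap"].get("items") or []
    if not any(i.get("key") == BUNDLE_KEY and i.get("path") == BUNDLE_FILE
               for i in items):
        problems.append(f"{BUNDLE_KEY} is not projected to {BUNDLE_FILE}")
    return problems

# Constructed sample: a trimmed Deployment with the workaround applied.
PATCHED = json.loads("""{"spec": {"template": {"spec": {
  "containers": [
    {"name": "kibana"},
    {"name": "kibana-proxy", "volumeMounts": [
      {"name": "trusted-ca-bundle", "readOnly": true,
       "mountPath": "/etc/pki/ca-trust/extracted/pem"}]}],
  "volumes": [{"name": "trusted-ca-bundle", "configMap": {
      "name": "trusted-ca-bundle", "defaultMode": 420,
      "items": [{"key": "ca-bundle.crt", "path": "tls-ca-bundle.pem"}]}}]
}}}}""")

if __name__ == "__main__":
    for name in ("kibana-proxy", "kibana"):
        print(name, check_ca_mount(PATCHED, name) or "ok")
```

To run it against a live cluster, load the output of `oc get deployment kibana -o json` from the logging namespace in place of the constructed sample.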
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:0062