Bug 1788477 - proxy user-ca-bundle did not present in grafana pod /etc/pki/tls/certs/ca-bundle.crt
Summary: proxy user-ca-bundle did not present in grafana pod /etc/pki/tls/certs/ca-bu...
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Monitoring
Version: 4.2.0
Hardware: x86_64
OS: Linux
Target Milestone: ---
: 4.2.z
Assignee: Pawel Krupa
QA Contact: Junqi Zhao
Depends On: 1776085
TreeView+ depends on / blocked
Reported: 2020-01-07 10:19 UTC by Muhammad Aizuddin Zali
Modified: 2023-03-24 16:38 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2020-01-22 10:46:40 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Github openshift cluster-monitoring-operator pull 602 0 None closed Bug 1788477: trustedCA bundle support for grafana oauth proxy 2020-09-23 11:56:43 UTC
Red Hat Product Errata RHBA-2020:0107 0 None None None 2020-01-22 10:46:57 UTC

Description Muhammad Aizuddin Zali 2020-01-07 10:19:21 UTC
Description of problem:
When replacing default ingress certificate with custom organization root CA, added root CA into proxies/config. Grafana pod did not take the root CA into it pod CA bundle. Hence grafana proxy POST call  auth URL returned below error:

2020/01/07 10:14:11 oauthproxy.go:645: error redeeming code (client: Post https://oauth-openshift.apps.ocp4.local.bytewise.my/oauth/token: x509: certificate signed by unknown authority
2020/01/07 10:14:11 oauthproxy.go:438: ErrorPage 500 Internal Error Internal Error

Version-Release number of selected component (if applicable):

How reproducible:

Follow this guide[1] to add cluster wide new custom root CA and then replace default ingress certificate from here[2]. Login to the cluster and open up Grafana dashboard will shown above error.

[1]: https://docs.openshift.com/container-platform/4.2/networking/enable-cluster-wide-proxy.html
[2]: https://docs.openshift.com/container-platform/4.2/authentication/certificates/replacing-default-ingress-certificate.html

Steps to Reproduce:

Actual results:
Grafana CA trust bundle did not include proxies certificate for trusting custom root CA.

Expected results:
Grafana CA trust bundle should include proxies certificate and trust the custom root CA.

Additional info:

Comment 1 Muhammad Aizuddin Zali 2020-01-07 10:23:44 UTC
1. The custom root CA:

mzali  ~  cat  CA-Auth/rootCA.crt  | head -n 2

2. The trust bundle does not include the root CA:

mzali  ~  oc rsh grafana-6cc69d4d4b-5xc7b 
Defaulting container name to grafana.
Use 'oc describe pod/grafana-6cc69d4d4b-5xc7b -n openshift-monitoring' to see all of the containers in this pod.
sh-4.2$ cat /etc/pki/tls/certs/ca-bundle.crt | grep MIIFxTCCA62gAwIBAgIUIQeGpl00JG5PC1Db0xrNpW9aiu0wDQYJKoZIhvcNAQEL

Comment 2 Stephen Cuppett 2020-01-07 13:28:45 UTC
Setting target to active development branch (4.4). Fixes (if any) will result in cloned BZs for backports (where required/requested) for prior versions.

Comment 11 errata-xmlrpc 2020-01-22 10:46:40 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.