Bug 1794313 - Some cluster operators fail to come up because RHV CA is not trusted by a pod
Summary: Some cluster operators fail to come up because RHV CA is not trusted by a pod
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 4.4
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: ---
: 4.5.0
Assignee: Roy Golan
QA Contact: Jan Zmeskal
URL:
Whiteboard:
Depends On:
Blocks: 1811760
Reported: 2020-01-23 09:25 UTC by Jan Zmeskal
Modified: 2020-07-13 17:13 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1811760 (view as bug list)
Environment:
Last Closed: 2020-07-13 17:13:28 UTC
Target Upstream Version:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | openshift cloud-credential-operator pull 164 | 0 | None | closed | Bug 1794313: Some cluster operators fail to come up because RHV CA is not trusted by a pod | 2020-09-29 10:12:54 UTC
Github | openshift cluster-api-provider-ovirt pull 40 | 0 | None | closed | Bug 1794313: Some cluster operators fail to come up because RHV CA is not trusted by a pod | 2020-09-29 10:12:53 UTC
Github | openshift installer pull 3261 | 0 | None | closed | Bug 1794313: Some cluster operators fail to come up because RHV CA is not trusted by a pod | 2020-09-29 10:12:52 UTC
Red Hat Product Errata | RHBA-2020:2409 | 0 | None | None | None | 2020-07-13 17:13:57 UTC

Description Jan Zmeskal 2020-01-23 09:25:30 UTC
Description of problem:
If you don't specify "ovirt_insecure: true" in your oVirt credentials config, the installation will eventually fail, apparently because the machine-controller container (and maybe some others as well) does not trust the engine's CA, even though the CA is trusted by the bastion's operating system.

Version-Release number of the following components:
./openshift-install version
./openshift-install unreleased-master-2320-g6791d02a6fadedd44f9263fb72f9f65dbd51bfe0-dirty
built from commit 6791d02a6fadedd44f9263fb72f9f65dbd51bfe0
release image registry.svc.ci.openshift.org/ovirt/ovirt-release@sha256:c46483c4bfd9418226d3bbf46e15b7905dfefcccfe899b652db3a8c88b522b96

How reproducible:
I tried it only once but I believe this behaviour is consistent.

Steps to Reproduce:
1. Make sure your bastion machine (the one from where you conduct the installation) trusts your engine's CA. If your engine is your bastion, then it's as easy as running this:
ln -sf /etc/pki/ovirt-engine/ca.pem /etc/pki/ca-trust/source/anchors/ && update-ca-trust

2. Now just follow the installation steps with one specific. When you're setting up your ovirt credentials file, completely omit the line that says "ovirt_insecure: true". It should default to false. Mine looks like this:
cat ~/.ovirt/ovirt-config.yaml 
ovirt_url: https://<engine_fqdn>/ovirt-engine/api
ovirt_username: admin@internal
ovirt_password: <pass>

3. Try to install OCP4 and monitor the progress.

Actual results:
The installation got pretty far and most of the cluster operators came up, not all though: http://pastebin.test.redhat.com/828699
Also, worker nodes were not created.

Expected results:
The installation is finished successfully. 

Additional info:
openshift-install output: http://pastebin.test.redhat.com/828698 
Logs from authentication: http://pastebin.test.redhat.com/828702 
Logs from console: http://pastebin.test.redhat.com/828704           
Logs from ingress: http://pastebin.test.redhat.com
Logs from monitoring: http://pastebin.test.redhat.com/828707/828706
oc get pods -n openshift-machine-api: http://pastebin.test.redhat.com/828772
cluster-autoscaler-operator: http://pastebin.test.redhat.com/828766 
machine-api-operator: http://pastebin.test.redhat.com/828770
And most importantly here's the error message about untrusted CA:
machine-api-controllers: http://pastebin.test.redhat.com/828779 http://pastebin.test.redhat.com/828768

Comment 4 Jan Zmeskal 2020-03-19 13:27:59 UTC
Verified with openshift-install-linux-4.5.0-0.nightly-2020-03-19-042419

Verification steps:
1. Create /root/.ovirt/ovirt-config.yaml with the following content:

ovirt_url: https://<engine_fqdn>/ovirt-engine/api
ovirt_username: admin@internal
ovirt_password: "<pass>"
ovirt_ca_bundle: |-
  -----BEGIN CERTIFICATE-----
  <CA gibberish>
  -----END CERTIFICATE-----

2. Prepare valid install-config.yaml and copy it to install-dir
3. Run openshift-install create cluster --dir=install-dir
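
Added example (not part of the bug report, and not code from the OpenShift or oVirt projects): the Go program below shows the failure mode reported here and the effect of supplying the CA as PEM, as the ovirt_ca_bundle key above does. A client verifies the engine certificate only against the CA pool it is handed, so trust configured on the bastion does not carry into a pod. The certificates and *.example.test names are constructed, and issue, verifyEngine and demo are hypothetical helpers.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// issue builds a constructed test certificate and its PEM; a nil parent yields a self-signed CA.
func issue(cn string, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn}, IsCA: parent == nil,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, signer = tpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, parent, &key.PublicKey, signer)
	cert, err := x509.ParseCertificate(der) // also fails if creation produced no DER
	if err != nil {
		panic(err) // constructed inputs only
	}
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// verifyEngine checks leaf for host against only the CAs in the PEM bundle; verification is never skipped.
func verifyEngine(bundle []byte, leaf *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(bundle) {
		return fmt.Errorf("CA bundle contains no parsable certificate")
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// demo returns the result with an unrelated CA only (the pod's view) and with the engine CA bundle.
func demo(host string) (podView, withBundle error) {
	engineCA, caKey, caPEM := issue("engine-ca.example.test", nil, nil)
	_, _, otherPEM := issue("other-ca.example.test", nil, nil)
	leaf, _, _ := issue(host, engineCA, caKey)
	return verifyEngine(otherPEM, leaf, host), verifyEngine(caPEM, leaf, host)
}

func main() { fmt.Println(demo("engine.example.test")) }
```

A bundle that does not parse as PEM (for example a placeholder left in place of the certificate body) is rejected before any verification is attempted.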

Comment 6 errata-xmlrpc 2020-07-13 17:13:28 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2409