Bug 1832803 - Missing ca-bundle in reporter-operator and reporter-operator-auth-proxy pods. Fail when connecting to oauth-openshift
Summary: Missing ca-bundle in reporter-operator and reporter-operator-auth-proxy pods....
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Metering Operator
Version: 4.4
Hardware: Unspecified
OS: Unspecified
medium
high
Target Milestone: ---
: 4.5.0
Assignee: tflannag
QA Contact: Peter Ruan
URL:
Whiteboard:
Depends On:
Blocks: 1837043
Reported: 2020-05-07 10:10 UTC by Sergio G.
Modified: 2023-09-07 23:05 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1837043 (view as bug list)
Environment:
Last Closed: 2020-05-18 18:10:45 UTC
Target Upstream Version:
Embargoed:



Description Sergio G. 2020-05-07 10:10:45 UTC
Description of problem:
This is an issue which has affected the monitoring, logging and service mesh operators so far: when the certificate of the ingress controller is replaced with one signed by an unknown CA, the proxies fail to reach the oauth URL.

In all previous operators the solution has been creating a configmap with the CA bundle from the cluster (including the custom CA from the customer) and mounting it in /etc/pki/ca-trust/extracted/pem in all the containers.


Version-Release number of selected component (if applicable):
4.4 and all previous releases


How reproducible:
Always


Steps to Reproduce:
1. Install OpenShift 4
2. Follow [1] and [2] to replace the ingress certificate and add the custom CA to the cluster-wide proxy
3. Install Metering operator and deploy an instance
4. Reach reporter URL


Actual results:
Error 500 when validating using the browser and/or sending a proper authentication token. 

2020/04/30 15:37:29 oauthproxy.go:645: error redeeming code (client:10.130.2.1:57722): Post https://oauth-openshift.apps.infra.ont.belastingdienst.nl/oauth/token: x509: certificate signed by unknown authority
2020/04/30 15:37:29 oauthproxy.go:438: ErrorPage 500 Internal Error Internal Error


Expected results:
No issues when reaching https://oauth-openshift.apps.infra.ont.belastingdienst.nl/oauth/token


Additional info:
See next steps to fix the deployment reporter-operator:
- create the configmap and fill it with the cluster ca-bundle:
$ cat <<EOF | oc create -f -
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: openshift-metering
  labels:
    config.openshift.io/inject-trusted-cabundle: "true"
  name: trusted-ca
EOF

- edit the deployment/reporting-operator to add:
  - a volume to mount (under the pod template, spec.template.spec):
     spec:
       template:
         spec:
           volumes:
           - configMap:
               defaultMode: 420
               items:
               - key: ca-bundle.crt
                 path: tls-ca-bundle.pem
               name: trusted-ca
             name: trusted-ca

  - the volume to each of the two pods in the deployment:
     spec:
       template:
         spec:
           containers:
           - name: reporting-operator
             volumeMounts:
             - name: trusted-ca
               mountPath: /etc/pki/ca-trust/extracted/pem
               readOnly: true
           - name: reporting-operator-auth-proxy
             volumeMounts:
             - name: trusted-ca
               mountPath: /etc/pki/ca-trust/extracted/pem
               readOnly: true
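The same workaround as one shell script, added here as an example and not part of the bug report or of the Metering operator itself. The namespace, deployment, ConfigMap and container names come from the report; the `oc` invocations, the wait loop and the post-check are assumptions about how a practitioner would apply and verify the steps. Mounting a ConfigMap at /etc/pki/ca-trust/extracted/pem replaces that whole directory inside the container, which is why the bundle is mapped to tls-ca-bundle.pem (the file name Go and OpenSSL read there); the script keeps that mapping.

```shell
#!/bin/sh
# Added example, not the project's own code: applies the ca-bundle workaround
# from the bug report with oc. Run as: sh trusted-ca.sh apply
NAMESPACE="${NAMESPACE:-openshift-metering}"
DEPLOYMENT="${DEPLOYMENT:-reporting-operator}"
CONFIGMAP="${CONFIGMAP:-trusted-ca}"
MOUNT_PATH="/etc/pki/ca-trust/extracted/pem"

# ConfigMap with the label that makes OpenShift fill in ca-bundle.crt with the
# cluster trust bundle (including the proxy's custom CA).
build_configmap() {
  cat <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
  name: ${CONFIGMAP}
  namespace: ${NAMESPACE}
  labels:
    config.openshift.io/inject-trusted-cabundle: "true"
EOF
}

# Strategic merge patch for the Deployment. Lists are merged by name (volumes,
# containers) and by mountPath (volumeMounts), so re-applying is idempotent.
build_patch() {
  cat <<EOF
spec:
  template:
    spec:
      volumes:
      - name: ${CONFIGMAP}
        configMap:
          name: ${CONFIGMAP}
          defaultMode: 420
          items:
          - key: ca-bundle.crt
            path: tls-ca-bundle.pem
      containers:
      - name: reporting-operator
        volumeMounts:
        - name: ${CONFIGMAP}
          mountPath: ${MOUNT_PATH}
          readOnly: true
      - name: reporting-operator-auth-proxy
        volumeMounts:
        - name: ${CONFIGMAP}
          mountPath: ${MOUNT_PATH}
          readOnly: true
EOF
}

apply_workaround() {
  build_configmap | oc apply -f -
  # Wait until the bundle has been injected; patching before that would roll
  # the pods out with an empty trust store.
  until oc get configmap "${CONFIGMAP}" -n "${NAMESPACE}" \
      -o jsonpath='{.data.ca-bundle\.crt}' | grep -q 'BEGIN CERTIFICATE'; do
    sleep 2
  done
  oc patch deployment "${DEPLOYMENT}" -n "${NAMESPACE}" \
      --type=strategic -p "$(build_patch)"
  oc rollout status deployment "${DEPLOYMENT}" -n "${NAMESPACE}"
  # Post-check: print the mount path of the CA volume for every container, so
  # a container that still lacks it shows up with an empty value.
  oc get deployment "${DEPLOYMENT}" -n "${NAMESPACE}" -o jsonpath='{range .spec.template.spec.containers[*]}{.name}{": "}{.volumeMounts[?(@.name=="'"${CONFIGMAP}"'")].mountPath}{"\n"}{end}'
}

if [ "${1:-}" = "apply" ]; then
  apply_workaround
fi
```

After the rollout, the auth proxy's redeem of the oauth code should no longer log `x509: certificate signed by unknown authority`; if it still does, the injected ConfigMap is the first thing to inspect, since an empty `ca-bundle.crt` means the cluster-wide proxy's `trustedCA` was not configured as described in the reproduction steps.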

