Description of problem:
When creating a VM from a template, I am getting the following error:

15:50:31 HTTP response headers: HTTPHeaderDict({'Audit-Id': 'f19416d1-ad5a-4958-a23d-8a59721a492a', 'Cache-Control': 'no-cache, private', 'Content-Type': 'application/json', 'X-Kubernetes-Pf-Flowschema-Uid': '77f18fcd-d82e-461c-b144-4d0b0d22604a', 'X-Kubernetes-Pf-Prioritylevel-Uid': 'b909d5d0-6fcd-4954-8cec-858e7622a419', 'Date': 'Tue, 09 Jun 2020 13:50:33 GMT', 'Content-Length': '609'})
15:50:31 HTTP response body: b'{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Internal error occurred: failed calling webhook \\"virt-template-admission.kubevirt.io\\": Post https://virt-template-validator.openshift-cnv.svc:443/virtualmachine-template-validate?timeout=30s: x509: certificate signed by unknown authority","reason":"InternalError","details":{"causes":[{"message":"failed calling webhook \\"virt-template-admission.kubevirt.io\\": Post https://virt-template-validator.openshift-cnv.svc:443/virtualmachine-template-validate?timeout=30s: x509: certificate signed by unknown authority"}]},"code":500}\n'

Here I provide logs from the template validator pods:

[cloud-user@ocp-ipi-2-executor ~]$ oc logs -n openshift-cnv virt-template-validator-854c69fbff-9rpgd
{"component":"kubevirt-template-validator","level":"info","msg":"kubevirt-template-validator v0.6.6 (revision: ) starting","pos":"app.go:75","timestamp":"2020-06-09T13:42:53.159415Z"}
{"component":"kubevirt-template-validator","level":"info","msg":"kubevirt-template-validator using kubevirt client-go (v0.0.0-master+$Format:%h$ $Format:%H$ 1970-01-01T00:00:00Z)","pos":"app.go:76","timestamp":"2020-06-09T13:42:53.159615Z"}
{"component":"kubevirt-template-validator","level":"info","msg":"certificate from /etc/webhook/certs with common name 'virt-template-validator.openshift-cnv.svc' retrieved.","pos":"tlsinfo.go:131","timestamp":"2020-06-09T13:42:53.160573Z"}
W0609 13:42:53.159754 1 client_config.go:549] Neither --kubeconfig nor --master was specified. Using the inClusterConfig. This might not work.
{"component":"kubevirt-template-validator","level":"info","msg":"validator app: started informers","pos":"app.go:97","timestamp":"2020-06-09T13:42:53.187210Z"}
{"component":"kubevirt-template-validator","level":"info","msg":"validator app: synched informers","pos":"app.go:102","timestamp":"2020-06-09T13:42:53.490365Z"}
{"component":"kubevirt-template-validator","level":"info","msg":"validator app: running with TLSInfo.CertsDirectory/etc/webhook/certs","pos":"app.go:105","timestamp":"2020-06-09T13:42:53.490477Z"}
{"component":"kubevirt-template-validator","level":"info","msg":"validator app: TLS configured, serving over HTTPS on 0.0.0.0:8443","pos":"app.go:113","timestamp":"2020-06-09T13:42:53.490512Z"}
I0609 13:50:33.314749 1 server.go:3055] http: TLS handshake error from 10.130.0.1:42508: remote error: tls: bad certificate
W0609 13:52:35.525695 1 reflector.go:270] github.com/fromanirh/kubevirt-template-validator/pkg/template-validator/app.go:96: watch of *v1.Template ended with: The resourceVersion for the provided watch is too old.

[cloud-user@ocp-ipi-2-executor ~]$ oc logs -n openshift-cnv virt-template-validator-854c69fbff-k6dwt
{"component":"kubevirt-template-validator","level":"info","msg":"kubevirt-template-validator v0.6.6 (revision: ) starting","pos":"app.go:75","timestamp":"2020-06-09T13:42:53.150349Z"}
{"component":"kubevirt-template-validator","level":"info","msg":"kubevirt-template-validator using kubevirt client-go (v0.0.0-master+$Format:%h$ $Format:%H$ 1970-01-01T00:00:00Z)","pos":"app.go:76","timestamp":"2020-06-09T13:42:53.150476Z"}
W0609 13:42:53.150665 1 client_config.go:549] Neither --kubeconfig nor --master was specified. Using the inClusterConfig. This might not work.
{"component":"kubevirt-template-validator","level":"info","msg":"certificate from /etc/webhook/certs with common name 'virt-template-validator.openshift-cnv.svc' retrieved.","pos":"tlsinfo.go:131","timestamp":"2020-06-09T13:42:53.153328Z"}
{"component":"kubevirt-template-validator","level":"info","msg":"validator app: started informers","pos":"app.go:97","timestamp":"2020-06-09T13:42:53.172202Z"}
{"component":"kubevirt-template-validator","level":"info","msg":"validator app: synched informers","pos":"app.go:102","timestamp":"2020-06-09T13:42:53.474686Z"}
{"component":"kubevirt-template-validator","level":"info","msg":"validator app: running with TLSInfo.CertsDirectory/etc/webhook/certs","pos":"app.go:105","timestamp":"2020-06-09T13:42:53.474868Z"}
{"component":"kubevirt-template-validator","level":"info","msg":"validator app: TLS configured, serving over HTTPS on 0.0.0.0:8443","pos":"app.go:113","timestamp":"2020-06-09T13:42:53.474953Z"}
W0609 13:52:35.539181 1 reflector.go:270] github.com/fromanirh/kubevirt-template-validator/pkg/template-validator/app.go:96: watch of *v1.Template ended with: The resourceVersion for the provided watch is too old.

Version-Release number of selected component (if applicable):
OCP-4.5
HCO v2.3.0-302

How reproducible:
100

Steps to Reproduce:
1. Deploy CNV
2. Try to create VM from template
3.

Actual results:
validation of template fails on certificate error

Expected results:
VM is created

Additional info:
It happens in HCO-v2.3.0-303 build too.
The cause is that since OCP 4.4, the filename of the CA that is used has changed. I have tested this feature with OCP 4.3, so I missed it. I'm working on a fix.
Working with HCO-v2.3.0-315
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2020:3194