Router CI is currently broken on the router e2e job. A subset of the router e2e tests are failing. Log files would suggest that the e2e router pods are not able to load the default cert baked into the router image. [ALERT] 243/205744 (21) : parsing [/var/lib/haproxy/conf/haproxy.config:116] : 'bind 127.0.0.1:10444' : unable to load SSL certificate from PEM file '/var/lib/haproxy/conf/default_pub_keys.pem'. [ALERT] 243/205744 (21) : parsing [/var/lib/haproxy/conf/haproxy.config:153] : 'bind 127.0.0.1:10443' : unable to load SSL certificate from PEM file '/var/lib/haproxy/conf/default_pub_keys.pem'. [ALERT] 243/205744 (21) : Error(s) found in configuration file : /var/lib/haproxy/conf/haproxy.config [ALERT] 243/205744 (21) : Fatal errors found in configuration. The router e2e jobs depend on the default cert in the image to run properly. This may be related to recent base image changes through ART. How reproducible: 100%, see router CI jobs. https://prow.ci.openshift.org/pr-history?org=openshift&repo=router&pr=170 Reproduce outside of CI: Launch a 4.6 cluster bot cluster with a reference to a router PR ie launch openshift/router#170 gcp
Verified in the latest "4.6.0-0.ci-2020-09-04-224216" payload. The environment now includes "SECLEVEL=1" for the SSL: ---- $ oc get clusterversion NAME VERSION AVAILABLE PROGRESSING SINCE STATUS version 4.6.0-0.ci-2020-09-04-224216 True False 39m Cluster version is 4.6.0-0.ci-2020-09-04-224216 sh-4.4$ cat /etc/crypto-policies/back-ends/openssl openssl.config opensslcnf.config sh-4.4$ cat /etc/crypto-policies/back-ends/opensslcnf.config CipherString = @SECLEVEL=1:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256 ----
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:4196