Bug 1890733
| Summary: | path to the CA trust bundle ConfigMap is broken in report operator | |||
|---|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | German Parente <gparente> | |
| Component: | Metering Operator | Assignee: | tflannag | |
| Status: | CLOSED WONTFIX | QA Contact: | Peter Ruan <pruan> | |
| Severity: | medium | Docs Contact: | ||
| Priority: | medium | |||
| Version: | 4.5 | CC: | aos-bugs, btofel, crawford, openshift-bugzilla-robot, sd-operator-metering | |
| Target Milestone: | --- | Keywords: | Reopened | |
| Target Release: | 4.5.z | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | ||
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1890741 | Environment: | ||
| Last Closed: | 2021-01-22 15:33:00 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | 1892127 | |||
| Bug Blocks: | ||||
*** Bug 1900116 has been marked as a duplicate of this bug. ***

This has been targeted against 4.5, which is now in the maintenance phase of its life. If this is still needed, please update the severity to high or urgent. Otherwise, please close this and the related pull request.

Going to mark this as CLOSED - WONTFIX then as there's already a workaround that's been documented and this has been resolved in 4.6.

Going to re-reclose this as it looks like the BZ bot reopened this after I closed it yesterday as `wontfix` as there was still a PR attached as a link.
Description of problem:

If we deploy the metering operator in an environment where an HTTP proxy and additional CA trust are configured, we can see that the reporting operator pod logs show:

    oc logs -f reporting-operator-xxxxxxxxxxx-nhrsv -c reporting-operator-auth-proxy
    oauthproxy.go:438: ErrorPage 500 Internal Error certificate authority file (/etc/pki/tls/cert.pem) could not be read - open /etc/pki/tls/cert.pem: no such file or directory

If we rsh to the pod:

    oc rsh reporting-operator-xxxxxx-nhrsv
    ls -asl /etc/pki/tls/
    lrwxrwxrwx. 1 root root 49 Aug 3 09:13 cert.pem -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
    ls -asl /etc/pki/ca-trust/extracted/pem/
    0 lrwxrwxrwx. 1 root root 20 Sep 30 12:51 ca-bundle.crt -> ..data/ca-bundle.crt

So, the tls-ca-bundle.pem file is missing and instead we see ca-bundle.crt.

The explanation is that we are injecting the additional CA bundle in the configmap reporting-operator-trusted-ca-bundle:

    oc get cm reporting-operator-trusted-ca-bundle -o yaml | grep config.openshift.io/inject-trusted-cabundle
    config.openshift.io/inject-trusted-cabundle: "true"

And from the documentation in https://docs.openshift.com/container-platform/4.5/networking/configuring-a-custom-pki.html#certificate-injection-using-operators_configuring-a-custom-pki the CA should be mounted as:

    - name: trusted-ca
      configMap:
        name: trusted-ca
        items:
          - key: ca-bundle.crt
            path: tls-ca-bundle.pem

And in the report operator we are just mounting as:

    - name: trusted-ca
      configMap:
        name: trusted-ca

So, the file that is mounted is ca-bundle.crt instead of tls-ca-bundle.pem.

A way to work around this would be to scale the metering operator to 0 replicas so that it's not managing the report operator, and modify the deployment.apps/reporting-operator as shown before.

This is fixed in: https://github.com/kube-reporting/metering-operator/pull/1416

Version-Release number of selected component (if applicable): 4.5.15
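The check below is an added example, not part of the original report or of the metering-operator code. It scans a deployment, in the shape returned by `oc get deployment -o json`, for ConfigMap volumes mounted over the CA trust directory without the `ca-bundle.crt` to `tls-ca-bundle.pem` item mapping. The function name, the mount path (taken from the directory listed in the report) and both sample deployments are assumptions constructed for illustration.

```python
import copy

# Assumed mount path: the directory listed in the report.
CA_DIR = "/etc/pki/ca-trust/extracted/pem"
# Key/path mapping from the OpenShift documentation snippet quoted in the report.
KEY, PATH = "ca-bundle.crt", "tls-ca-bundle.pem"


def find_unmapped_ca_mounts(deployment):
    """Return (container, volume) pairs where a ConfigMap is mounted at CA_DIR
    without an items entry projecting KEY as PATH (hypothetical helper)."""
    pod = deployment["spec"]["template"]["spec"]
    volumes = {v["name"]: v for v in pod.get("volumes", [])}
    findings = []
    for container in pod.get("containers", []):
        for mount in container.get("volumeMounts", []):
            if mount.get("mountPath", "").rstrip("/") != CA_DIR:
                continue
            config_map = volumes.get(mount["name"], {}).get("configMap")
            if config_map is None:
                continue  # not a ConfigMap volume, nothing to check
            items = config_map.get("items") or []
            # Without items, every key is projected under its own name, so the
            # file appears as ca-bundle.crt and the cert.pem symlink dangles.
            if not any(i.get("key") == KEY and i.get("path") == PATH for i in items):
                findings.append((container["name"], mount["name"]))
    return findings


# Constructed sample mirroring the volume definition described in the report.
BROKEN = {"spec": {"template": {"spec": {
    "containers": [{"name": "reporting-operator-auth-proxy",
                    "volumeMounts": [{"name": "trusted-ca", "mountPath": CA_DIR}]}],
    "volumes": [{"name": "trusted-ca", "configMap": {"name": "trusted-ca"}}],
}}}}

# Same deployment with the documented items mapping applied.
FIXED = copy.deepcopy(BROKEN)
FIXED["spec"]["template"]["spec"]["volumes"][0]["configMap"]["items"] = [
    {"key": KEY, "path": PATH}
]

if __name__ == "__main__":
    for label, dep in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, find_unmapped_ca_mounts(dep))
```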