Bug 1890741 - path to the CA trust bundle ConfigMap is broken in report operator
Summary: path to the CA trust bundle ConfigMap is broken in report operator
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Metering Operator
Version: 4.7
Hardware: Unspecified
OS: Unspecified
low
high
Target Milestone: ---
: 4.7.0
Assignee: tflannag
QA Contact: Peter Ruan
URL:
Whiteboard:
Depends On:
Blocks: 1892127
Reported: 2020-10-22 20:13 UTC by tflannag
Modified: 2021-02-24 15:02 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
When the cluster-wide Proxy has been enabled, Metering reconciles a ConfigMap with the `config.openshift.io/inject-trusted-cabundle="true"` annotation, and the Cluster Networking Operator is responsible for populating that ConfigMap's contents with the merged user-provided and system CA bundles. When mounting those ConfigMap contents in the reporting-operator Deployment, an invalid container filename was specified for the reporting-operator and oauth proxy sidecar container. This resulted in an invalid symbolic link being established at /etc/pki/tls/cert.pem, which the sidecar container is configured to trust. In some customer environments, Metering would be unable to work with the configured cluster-wide Proxy object. After the container filename was updated to match the recommendations in [1], that symbolic link was properly established again.
[1] https://docs.openshift.com/container-platform/4.5/networking/configuring-a-custom-pki.html#certificate-injection-using-operators_configuring-a-custom-pki
Clone Of: 1890733
Environment:
Last Closed: 2021-02-24 15:01:20 UTC
Target Upstream Version:
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | kube-reporting metering-operator pull 1416 | 0 | None | closed | Bug 1890741: Fix the path to the CA trust bundle ConfigMap | 2020-11-23 19:36:16 UTC
Red Hat Product Errata | RHSA-2020:5635 | 0 | None | None | None | 2021-02-24 15:02:11 UTC

Comment 2 Peter Ruan 2020-11-03 22:45:11 UTC
verified with Server Version: 4.7.0-0.ci-2020-11-03-102229
1. oc create -f user-ca-bundle.yaml # under openshift-config project
2. oc edit proxy cluster such that spec.trustedCA.name is assigned the name of the configmap created in step #1 (user-ca-bundle)
3. create metering normally
4. check for file existence in the reporting-operator pod
$ oc rsh reporting-operator-54f8dbf65-b9jz5
Defaulting container name to reporting-operator.
Use 'oc describe pod/reporting-operator-54f8dbf65-b9jz5 -n openshift-metering' to see all of the containers in this pod.
sh-4.4$ ls -asl /etc/pki/tls/
total 16
 0 drwxr-xr-x. 5 root root   104 Sep  1 19:39 .
 0 drwxr-xr-x. 1 root root    21 Oct 31 13:29 ..
 0 lrwxrwxrwx. 1 root root    49 Jun 22 23:19 cert.pem -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
 0 drwxr-xr-x. 2 root root    54 Sep  1 19:39 certs
 4 -rw-r--r--. 1 root root   412 Mar  5  2020 ct_log_list.cnf
 0 drwxr-xr-x. 2 root root     6 Mar  5  2020 misc
12 -rw-r--r--. 1 root root 11225 Mar  5  2020 openssl.cnf
 0 drwxr-xr-x. 2 root root     6 Mar  5  2020 private
sh-4.4$ ls -asl  /etc/pki/ca-trust/extracted/pem/
total 376
  0 drwxr-xr-x. 2 root root    101 Sep  1 19:39 .
  0 drwxr-xr-x. 6 root root     70 Sep  1 19:39 ..
  4 -rw-r--r--. 1 root root    898 Jun 22 23:17 README
160 -r--r--r--. 1 root root 163655 Sep  1 19:39 email-ca-bundle.pem
  0 -r--r--r--. 1 root root      0 Sep  1 19:39 objsign-ca-bundle.pem
212 -r--r--r--. 1 root root 216090 Sep  1 19:39 tls-ca-bundle.pem

5. create a report and be able to get it back.
$ oc create -f cluster-memory-usage-now.yaml
report.metering.openshift.io/cluster-memory-usage-now created
$ display_report_using_exposed_route cluster-memory-usage-now
period_start			period_end			total_cluster_usage_memory_byte_seconds		avg_cluster_usage_memory_bytes	avg_pod_count
2020-09-22 00:00:00 +0000 UTC	2020-12-30 23:59:59 +0000 UTC	34497277132800.000000				33820859934.117645		167.117647
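
The file-existence check from step 4, written as a script that also catches a dangling symlink, an empty bundle and a bundle with no PEM certificate. This is an added example, not part of the original bug report or the Metering code. The function names, return codes, sample trees and the wrong file name `ca-bundle.crt` are assumptions made for illustration.

```shell
#!/bin/sh
# check_trust_bundle ROOT
#   ROOT is "/" inside the container, or a directory holding a copy of its filesystem.
#   Return codes (chosen for this example): 0 ok, 1 cert.pem missing,
#   2 link target missing, 3 target empty, 4 target holds no PEM certificate.
check_trust_bundle() {
    root="${1%/}"
    link="$root/etc/pki/tls/cert.pem"
    [ -L "$link" ] || [ -e "$link" ] || return 1
    target="$link"
    if [ -L "$link" ]; then
        target=$(readlink "$link")
        case "$target" in
            /*) target="$root$target" ;;                 # absolute link: resolve under ROOT
            *)  target="$(dirname "$link")/$target" ;;   # relative link
        esac
    fi
    [ -e "$target" ] || return 2    # dangling, e.g. bundle mounted under another file name
    [ -s "$target" ] || return 3    # present but empty: bundle was not injected
    grep -q -e '-----BEGIN CERTIFICATE-----' "$target" || return 4
    return 0
}

# make_sample_root DIR FILENAME
#   Constructed sample tree mimicking the pod layout in the listing above, with a
#   placeholder (not a real certificate) written as FILENAME in the mount directory.
make_sample_root() {
    mkdir -p "$1/etc/pki/tls" "$1/etc/pki/ca-trust/extracted/pem"
    ln -s /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem "$1/etc/pki/tls/cert.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE-----' > "$1/etc/pki/ca-trust/extracted/pem/$2"
}

tmp=$(mktemp -d)
make_sample_root "$tmp/good" tls-ca-bundle.pem   # file name the symlink expects
make_sample_root "$tmp/bad" ca-bundle.crt        # constructed wrong name, not from the bug
for r in good bad; do
    rc=0
    check_trust_bundle "$tmp/$r" || rc=$?
    echo "$r: rc=$rc"
done
rm -rf "$tmp"
```

Inside the pod the function would be called as `check_trust_bundle /`; only one level of absolute symlink is re-rooted, which is enough for the layout shown in the listing.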

Comment 5 errata-xmlrpc 2021-02-24 15:01:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 extras and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5635

