Bug 1891047 - Helm chart fails to install using developer console because of TLS certificate error
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Dev Console
Version: 4.5
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
: 4.7.0
Assignee: Predrag Knezevic
QA Contact: spathak@redhat.com
URL:
Whiteboard:
Depends On:
Blocks: 1894878
Reported: 2020-10-23 16:34 UTC by Todd Johnson
Modified: 2023-12-15 19:53 UTC (History)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
: 1894878 (view as bug list)
Environment:
Last Closed: 2021-02-24 15:27:53 UTC
Target Upstream Version:
Embargoed:
aballant: needinfo+
aballant: needinfo+
pknezevi: needinfo+
pknezevi: needinfo+
aballant: needinfo+


Attachments (Terms of Use)
Helm chart does not fail to install using developer console because of TLS certificate error (74.63 KB, image/png)
2020-11-19 21:40 UTC, spathak@redhat.com


Links
System ID Private Priority Status Summary Last Updated
Github openshift console pull 7112 0 None closed Bug 1891047: Access server API via kubernetes.default.svc from Helm endpoints 2021-02-15 13:42:23 UTC
Red Hat Product Errata RHSA-2020:5633 0 None None None 2021-02-24 15:28:20 UTC

Description Todd Johnson 2020-10-23 16:34:31 UTC
I was asked to create a bugzilla issue for the following support case: https://access.redhat.com/support/cases/#/case/02780648

Description of problem:
When trying to install a helm chart using the console, I get the following message:
An error occurred
Failed to install helm chart: Kubernetes cluster unreachable: Get https://c104-e.us-east.containers.cloud.ibm.com:32529/version?timeout=32s: x509: certificate signed by unknown authority


Version-Release number of selected component (if applicable):
4.5

How reproducible:


Steps to Reproduce:
1. Bring up the Developer's console
2. Click on helm
3. Follow the prompts to install a helm chart.

Actual results:
TLS certificate error as shown above.

Expected results:
Helm chart installed.

Additional info:
I dug into the console code and the issue appears to be caused by https://github.com/openshift/console/blob/7c8a8fb12b77a0c44fad1f6b76c637a8d31b8240/pkg/helm/actions/config.go#L36. This method creates the helm config to talk to that apiserver by using the masterPublicURL located in console-config cm and then also using the "in-cluster" CA certificate from the console service account. In our installation of 4.5, the public URL and in-cluster config use different TLS certificates. The public URL uses a DigiCert-signed cert and the in-cluster uses a kube self-signed cert. Therefore the combination of public URL and in-cluster CA cert does not work for us. I think config.go needs to change to use the entire in-cluster configuration if it's available.

Comment 1 Andrew Ballantyne 2020-10-23 17:37:42 UTC
cc @Rohit Rai

Comment 4 Predrag Knezevic 2020-11-19 15:28:09 UTC
The cause of the issue is the use of the public K8S API endpoint, which in some configurations can use a certificate whose CA is not available to pods running the Helm endpoint. In order to fix it, we have switched to using the internal endpoint, whose certificate is signed by the internal CA.
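
The mismatch described in the report and in Comment 4, reproduced offline as an added example (not the console's code and not part of any comment): it uses Go's standard x509 verifier instead of a Helm or client-go config. The two CAs and the host `api.public.example` are constructed stand-ins; `kubernetes.default.svc` is the internal name from the linked pull request.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a certificate for name; a nil parent yields a self-signed CA.
func newCert(name string, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		DNSNames: []string{name}, KeyUsage: x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true, IsCA: parent == nil,
	}
	if parent == nil { // self-signed root: allow it to sign leaf certificates
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// scenario verifies both endpoints' serving certificates against the only CA
// the pod has: the in-cluster one (constructed stand-in for the service account CA).
func scenario() (mixed, internal error) {
	publicCA, publicKey := newCert("public-ca.example", nil, nil)
	clusterCA, clusterKey := newCert("cluster-ca.example", nil, nil)
	publicLeaf, _ := newCert("api.public.example", publicCA, publicKey)
	internalLeaf, _ := newCert("kubernetes.default.svc", clusterCA, clusterKey)
	roots := x509.NewCertPool()
	roots.AddCert(clusterCA)
	// Public URL + in-cluster CA: the combination the report describes.
	_, mixed = publicLeaf.Verify(x509.VerifyOptions{DNSName: "api.public.example", Roots: roots})
	// Internal endpoint + in-cluster CA: the combination the fix switched to.
	_, internal = internalLeaf.Verify(x509.VerifyOptions{DNSName: "kubernetes.default.svc", Roots: roots})
	return
}

func main() {
	fmt.Println(scenario())
}
```

The first result is the same x509 unknown-authority error quoted in the description; the second is nil because the endpoint certificate and the trust bundle come from the same CA.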

Comment 5 spathak@redhat.com 2020-11-19 21:40:54 UTC
Created attachment 1731056 [details]
Helm chart does not fail to install using developer console because of TLS certificate error

Comment 6 spathak@redhat.com 2020-11-19 21:51:03 UTC
Verified on build version: 4.7.0-0.nightly-2020-11-18-085225
Browser version: chrome 84

Comment 14 errata-xmlrpc 2021-02-24 15:27:53 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633

