I was asked to create a Bugzilla issue for the following support case: https://access.redhat.com/support/cases/#/case/02780648

Description of problem:
When trying to install a helm chart using the console, I get the following message:

An error occurred
Failed to install helm chart: Kubernetes cluster unreachable: Get https://c104-e.us-east.containers.cloud.ibm.com:32529/version?timeout=32s: x509: certificate signed by unknown authority

Version-Release number of selected component (if applicable):
4.5

How reproducible:

Steps to Reproduce:
1. Bring up the Developer's console
2. Click on helm
3. Follow the prompts to install a helm chart.

Actual results:
TLS certificate error as shown above.

Expected results:
Helm chart installed.

Additional info:
I dug into the console code and the issue appears to be caused by https://github.com/openshift/console/blob/7c8a8fb12b77a0c44fad1f6b76c637a8d31b8240/pkg/helm/actions/config.go#L36. This method creates the helm config to talk to that apiserver by using the masterPublicURL located in the console-config cm and then also using the "in-cluster" CA certificate from the console service account. In our installation of 4.5, the public URL and in-cluster config use different TLS certificates. The public URL uses a DigiCert-signed cert and the in-cluster config uses a kube self-signed cert. Therefore the combination of public URL and in-cluster CA cert does not work for us. I think config.go needs to change to use the entire in-cluster configuration if it's available.
cc @Rohit Rai
The cause of the issue is the use of the public K8s API endpoint, which in some configurations can use a certificate whose CA is not available to the pods running the Helm endpoint. To fix it, we have switched to using the internal endpoint, whose certificate is signed by the internal CA.
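The trust mismatch discussed in this report, reproduced offline with Go's standard library as an added example (not code from the console repository or from any commenter): a client that trusts only the cluster CA rejects a serving certificate issued by a different CA and accepts one issued by the cluster CA. The CA names and `api.public.example` are constructed values, and `issue` and `Demo` are hypothetical helpers.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue returns a certificate for name; a nil parent yields a self-signed CA.
func issue(name string, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Demo verifies two constructed serving certificates against the cluster CA only:
// one for a public endpoint signed by another CA, one for the internal endpoint.
func Demo() (publicErr, internalErr error) {
	clusterCA, clusterKey := issue("constructed-cluster-ca", nil, nil)
	publicCA, publicKey := issue("constructed-public-ca", nil, nil)
	trust := x509.NewCertPool() // stands in for the service account CA bundle
	trust.AddCert(clusterCA)
	check := func(host string, ca *x509.Certificate, key ed25519.PrivateKey) error {
		serving, _ := issue(host, ca, key)
		_, err := serving.Verify(x509.VerifyOptions{Roots: trust, DNSName: host})
		return err
	}
	return check("api.public.example", publicCA, publicKey), check("kubernetes.default.svc", clusterCA, clusterKey)
}

func main() {
	pub, in := Demo()
	fmt.Printf("public URL + in-cluster CA: %v\ninternal endpoint + in-cluster CA: %v\n", pub, in)
}
```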
Created attachment 1731056
Helm chart does not fail to install using developer console because of TLS certificate error
Verified on build version: 4.7.0-0.nightly-2020-11-18-085225
Browser version: Chrome 84
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2020:5633