2112426 – No cluster discovered due to x509: certificate signed by unknown authority

Bug 2112426 - No cluster discovered due to x509: certificate signed by unknown authority

Summary: No cluster discovered due to x509: certificate signed by unknown authority

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Advanced Cluster Management for Kubernetes
Classification:	Red Hat
Component:	Installer
Sub Component:
Version:	rhacm-2.6
Hardware:	x86_64
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	---
Target Release:	rhacm-2.6
Assignee:	Jakob
QA Contact:	txue
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2022-07-29 16:37 UTC by Thuy Nguyen
Modified:	2022-09-06 22:35 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2022-09-06 22:35:24 UTC
Target Upstream Version:
Embargoed:
Flags:	bot-tracker-sync: rhacm-2.6+ cbynum: rhacm-2.6.z+

Attachments	(Terms of Use)
discovery-operator log (93.05 KB, text/plain) 2022-07-29 16:37 UTC, Thuy Nguyen	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	stolostron backlog issues 24691	0	None	None	None	2022-07-29 20:16:44 UTC
Red Hat Product Errata	RHSA-2022:6370	0	None	None	None	2022-09-06 22:35:34 UTC

Description Thuy Nguyen 2022-07-29 16:37:04 UTC

Created attachment 1900167 [details]
discovery-operator log

Description of the problem: No cluster discovered due to x509: certificate signed by unknown authority 

Release version:

Operator snapshot version:
2.6.0-FC1

OCP version:
4.10.23

Browser Info:

Steps to reproduce:
1. Create RH OCM creds in UI
2. Create/configure discovery setting in UI

Actual results:
No cluster discovered in UI

Expected results:

Additional info:

```
# oc get discoveryconfig -n aut-disco-ns discovery -oyaml
apiVersion: discovery.open-cluster-management.io/v1
kind: DiscoveryConfig
metadata:
  creationTimestamp: "2022-07-29T16:25:02Z"
  generation: 1
  name: discovery
  namespace: aut-disco-ns
  resourceVersion: "115533"
  uid: f9e58c20-f5e4-4d67-94d5-67cde6f6b702
spec:
  credential: aut-disco
  filters:
    lastActive: 30
    openShiftVersions:
    - "4.7"
    - "4.8"
    - "4.9"
    - "4.10"

# oc get discoveredcluster -n aut-disco-ns
No resources found in aut-disco-ns namespace.
```

discovery-operator log:
```
1.6591122306428995e+09	ERROR	Error updating DiscoveredClusters	{"controller": "discoveryconfig", "controllerGroup": "discovery.open-cluster-management.io", "controllerKind": "DiscoveryConfig", "discoveryConfig": {"name":"discovery","namespace":"aut-disco-ns"}, "namespace": "aut-disco-ns", "name": "discovery", "reconcileID": "2a401570-dda6-400f-bc96-fa63b70139c6", "error": "couldn't get token: Post \"https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token\": x509: certificate signed by unknown authority"}
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile
	/remote-source/deps/gomod/pkg/mod/sigs.k8s.io/controller-runtime.3/pkg/internal/controller/controller.go:121
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler
	/remote-source/deps/gomod/pkg/mod/sigs.k8s.io/controller-runtime.3/pkg/internal/controller/controller.go:320
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
	/remote-source/deps/gomod/pkg/mod/sigs.k8s.io/controller-runtime.3/pkg/internal/controller/controller.go:273
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2
	/remote-source/deps/gomod/pkg/mod/sigs.k8s.io/controller-runtime.3/pkg/internal/controller/controller.go:234
1.659112230642963e+09	ERROR	Reconciler error	{"controller": "discoveryconfig", "controllerGroup": "discovery.open-cluster-management.io", "controllerKind": "DiscoveryConfig", "discoveryConfig": {"name":"discovery","namespace":"aut-disco-ns"}, "namespace": "aut-disco-ns", "name": "discovery", "reconcileID": "2a401570-dda6-400f-bc96-fa63b70139c6", "error": "couldn't get token: Post \"https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token\": x509: certificate signed by unknown authority"}
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
	/remote-source/deps/gomod/pkg/mod/sigs.k8s.io/controller-runtime.3/pkg/internal/controller/controller.go:273
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2
	/remote-source/deps/gomod/pkg/mod/sigs.k8s.io/controller-runtime.3/pkg/internal/controller/controller.go:234
```

Comment 1 Cameron Wall 2022-08-09 14:15:30 UTC

This bug has been taking care of in this PR: https://github.com/stolostron/backplane-operator/pull/269

Comment 3 bot-tracker-sync 2022-08-15 16:36:01 UTC

G2Bsync 1210958281 comment 
 thuyn-581 Wed, 10 Aug 2022 16:28:00 UTC 
 G2BSync -
Validated on 2.6.0-FC4.

Comment 5 errata-xmlrpc 2022-09-06 22:35:24 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Red Hat Advanced Cluster Management 2.6.0 security updates and bug fixes), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:6370

Note You need to log in before you can comment on or make changes to this bug.