
Re: ocp 4.3 nightly install on openstack queens

On Sat, Dec 14, 2019 at 3:31 AM Joel Pearson <japearson agiledigital com au> wrote:
> I think there is one last thing that is worth trying...
>
> On Sat, 14 Dec 2019 at 18:56, Dale Bewley <dale bewley net> wrote:
> > Thanks for the tips, Joel, but no luck so far with 4.3.0-0.nightly-2019-12-13-180405.
>
> It's possible you might be able to fix it by modifying the machine-api-controllers deployment to mount in the ssl certificates from the host.

If I touched (mounted within) `/etc/pki` it resulted in a permissions denial when the cert bundle was referenced, so I tried `/tmp/pki`.

$ oc create secret generic my-ca-bundle --from-file=ca-bundle.crt -n openshift-machine-api
$ oc set volume deployment machine-api-controllers -c machine-controller -n openshift-machine-api --add --mount-path=/tmp/pki -t secret --name=my-ca-bundle --secret-name=my-ca-bundle --overwrite

Curl within the container was satisfied when I pointed SSL_CERT_DIR to /tmp/pki.

sh-4.2$ SSL_CERT_DIR=/tmp/pki curl -I https://openstack.domain.com:13000
HTTP/1.1 300 Multiple Choices
Date: Mon, 16 Dec 2019 03:00:02 GMT
Server: Apache
Vary: X-Auth-Token
Content-Length: 617
Content-Type: application/json

For some reason though, I could not get the deployment to define the env variable in the machine-controller container, so this isn't yet a workaround.

$ oc set env deployment machine-api-controllers -c machine-controller -n openshift-machine-api SSL_CERT_DIR=/tmp/pki
deployment.extensions/machine-api-controllers updated
$ oc rsh -n openshift-machine-api -c machine-controller $(oc get pod -n openshift-machine-api -l k8s-app=controller -o name) env | grep SSL

> I had to do something like this for the cluster version operator, because it was failing due to my MITM proxy, which I had to solve by ensuring the CA certificate of the proxy was available in the container, which I believe is a fairly similar situation to what you have. https://bugzilla.redhat.com/show_bug.cgi?id=1773419
>
> Failing that, are you able to configure your openstack cluster to use real SSL certs from letsencrypt or something like that? I ended up doing that for my openstack cluster, as I found it was hard to make sure that anything talking to openstack had my CA certificate. It was just simpler to have a real SSL cert.

I hear what you are saying, but our enterprise CA is pretty real, and OCP is an enterprise product. :)
 
