[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Fwd: ocp 4.3 nightly install on openstack queens

On Mon, 16 Dec 2019 at 14:41, Dale Bewley <dale bewley net> wrote:


On Sat, Dec 14, 2019 at 3:31 AM Joel Pearson <japearson agiledigital com au> wrote:
I think there is one last thing that is worth trying...

On Sat, 14 Dec 2019 at 18:56, Dale Bewley <dale bewley net> wrote:
Thanks for the tips, Joel, but no luck so far with 4.3.0-0.nightly-2019-12-13-180405.


It's possible you might be able to fix it by modifying the machine-api-controllers deployment to mount in the ssl certificates from the host.

If I touched (mounted within) `/etc/pki` it resulted in a permissions denial when the cert bundle was referenced, so I tried `/tmp/pki`.

When you say touched, do you mean "touch /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt"?

You shouldn't have write access inside the container, but the ca bundle should already have the correct CA certificates. I can go to any worker or master and have a look inside "/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt" and I see my extra CAs up the top of that file. Some operator makes sure that the ca bundle is correct on the masters and worker nodes, so it should be safe to just mount /etc/pki (and /etc/ssl/certs) straight from the host.

$ oc create secret generic my-ca-bundle --from-file=ca-bundle.crt -n openshift-machine-api
$ oc set volume deployment machine-api-controllers -c machine-controller -n openshift-machine-api --add --mount-path=/tmp/pki -t secret --name=my-ca-bundle --secret-name=my-ca-bundle --overwrite

Curl within the container was satisfied when I pointed SSL_CERT_DIR to /tmp/pki.

sh-4.2$ SSL_CERT_DIR=/tmp/pki curl -I https://openstack.domain.com:13000
HTTP/1.1 300 Multiple Choices
Date: Mon, 16 Dec 2019 03:00:02 GMT
Server: Apache
Vary: X-Auth-Token
Content-Length: 617
Content-Type: application/json

For some reason though, I could not get the deployment to define the env variable in the machine-controller container, so this isn't yet a workaround.

$ oc set env deployment machine-api-controllers -c machine-controller -n openshift-machine-api SSL_CERT_DIR=/tmp/pki
deployment.extensions/machine-api-controllers updated
$ oc rsh -n openshift-machine-api -c machine-controller $(oc get pod -n openshift-machine-api -l k8s-app=controller -o name) env | grep SSL

I had to do something like this for the cluster version operator, because it was failing due to my MITM proxy, which I had to solve by ensuring the CA certificate of the proxy was available in the container. I believe that is a fairly similar situation to what you have. https://bugzilla.redhat.com/show_bug.cgi?id=1773419

Failing that, are you able to configure your openstack cluster to use real SSL certs from letsencrypt or something like that? I ended up doing that for my openstack cluster, as I found it was hard to make sure that anything talking to openstack had my CA certificate. It was just simpler to have a real SSL cert.


I hear what you are saying, but our enterprise CA is pretty real, and OCP is an enterprise product. :)
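Added example, not from either poster's mail: a single strategic-merge patch for the machine-api-controllers deployment that combines the `oc set volume` and `oc set env` steps from the thread, so the secret mount and the SSL_CERT_DIR variable land in the same revision of the pod template. It assumes the `my-ca-bundle` secret created above (key `ca-bundle.crt`) already exists in openshift-machine-api, and that the machine-controller binary is a Go program: Go's crypto/x509 honours SSL_CERT_FILE and SSL_CERT_DIR on Linux and reads every file in the named directory, so the bundle does not need c_rehash-style hashed filenames. Apply it with `oc patch deployment machine-api-controllers -n openshift-machine-api -p "$(cat ca-patch.yaml)"`.

```yaml
# ca-patch.yaml (added example, not part of the thread)
# Strategic merge: containers, env and volumes are merged by `name`,
# so only the machine-controller container is touched.
spec:
  template:
    spec:
      containers:
      - name: machine-controller
        env:
        # Go's crypto/x509 loads every file under this directory;
        # use SSL_CERT_FILE=/tmp/pki/ca-bundle.crt instead to pin one file.
        - name: SSL_CERT_DIR
          value: /tmp/pki
        volumeMounts:
        # Mounted under /tmp/pki, not /etc/pki, so the secret does not
        # shadow the container's own trust store (the permission denial
        # seen above when mounting into /etc/pki).
        - name: my-ca-bundle
          mountPath: /tmp/pki
          readOnly: true
      volumes:
      - name: my-ca-bundle
        secret:
          secretName: my-ca-bundle   # created with `oc create secret generic` above
```

After the rollout, check the live pod rather than the deployment object: `oc get pod -n openshift-machine-api -l k8s-app=controller` should show a single Running pod before the `oc rsh ... env | grep SSL` check above is repeated, since a terminating old pod can otherwise be the one the shell lands in. If the variable is present in the deployment spec (`oc get deployment machine-api-controllers -n openshift-machine-api -o jsonpath='{.spec.template.spec.containers[?(@.name=="machine-controller")].env}'`) but new pods keep coming up without it, watch `metadata.generation` on consecutive `oc get` calls: a value that climbs without any edit of your own means another controller is rewriting the deployment, which is my guess, not something the thread confirms, at why `oc set env` reported "updated" yet `env | grep SSL` printed nothing.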
 
