On Sat, Dec 14, 2019 at 3:31 AM Joel Pearson <japearson agiledigital com au> wrote:

> I think there is one last thing that is worth trying...
>
> On Sat, 14 Dec 2019 at 18:56, Dale Bewley <dale bewley net> wrote:
>
>> Thanks for the tips, Joel, but no luck so far with 4.3.0-0.nightly-2019-12-13-180405.
>
> It's possible you might be able to fix it by modifying the machine-api-controllers deployment to mount in the ssl certificates from the host.

If I touched (mounted within) `/etc/pki` it resulted in a permissions denial when the cert bundle was referenced, so I tried `/tmp/pki`.

$ oc create secret generic my-ca-bundle --from-file=ca-bundle.crt -n openshift-machine-api
$ oc set volume deployment machine-api-controllers -c machine-controller -n openshift-machine-api --add --mount-path=/tmp/pki -t secret --name=my-ca-bundle --secret-name=my-ca-bundle --overwrite

Curl within the container was satisfied when I pointed SSL_CERT_DIR to /tmp/pki.

sh-4.2$ SSL_CERT_DIR=/tmp/pki curl -I https://openstack.domain.com:13000
HTTP/1.1 300 Multiple Choices
Date: Mon, 16 Dec 2019 03:00:02 GMT
Content-Length: 617
Content-Type: application/json

For some reason though, I could not get the deployment to define the env variable in the machine-controller container, so this isn't yet a workaround.

$ oc set env deployment machine-api-controllers -c machine-controller -n openshift-machine-api SSL_CERT_DIR=/tmp/pki
deployment.extensions/machine-api-controllers updated
$ oc rsh -n openshift-machine-api -c machine-controller $(oc get pod -n openshift-machine-api -l k8s-app=controller -o name) env | grep SSL

> I had to do something like this for the cluster version operator, because it was failing due to my MITM proxy. Which I had to solve by ensuring the CA certificate of the proxy was available in the container, which I believe is a fairly similar situation to what you have. https://bugzilla.redhat.com/show_bug.cgi?id=1773419
>
> Failing that, are you able to configure your openstack cluster to use real SSL certs from letsencrypt or something like that? I ended up doing that for my openstack cluster, as I found it was hard to make sure that anything talking to openstack had my CA certificate. It was just simpler to have a real SSL cert.

I hear what you are saying, but our enterprise CA is pretty real, and OCP is an enterprise product. :)
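As an added illustration, not part of this thread or of the machine-api-operator code, the following Go program shows what a Go client such as the machine-controller needs from a directory named in SSL_CERT_DIR: Go's crypto/x509 on Linux reads every file in that directory and adds any PEM certificates it finds, so a secret mounted at /tmp/pki that contains ca-bundle.crt is sufficient without OpenSSL-style hashed symlinks. The function names (PoolFromDir, TrustedByDir, NewTestCA) and the throwaway CA are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"os"
	"time"
)

// PoolFromDir builds a root pool the way Go's crypto/x509 treats a directory named in
// SSL_CERT_DIR on Linux: every file is read and its PEM certs added, no hashed symlinks needed.
func PoolFromDir(dir string) *x509.CertPool {
	pool := x509.NewCertPool()
	entries, _ := os.ReadDir(dir) // a missing directory simply yields an empty pool
	for _, e := range entries {
		if data, err := os.ReadFile(dir + "/" + e.Name()); err == nil {
			pool.AppendCertsFromPEM(data) // files without PEM certificates are ignored
		}
	}
	return pool
}

// TrustedByDir reports whether certPEM chains to a root in dir, i.e. whether a Go
// client such as the machine-controller, pointed at dir, would accept that certificate.
func TrustedByDir(certPEM []byte, dir string) bool {
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return false
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: PoolFromDir(dir)})
	return err == nil
}

// NewTestCA returns a throwaway self-signed CA as PEM (constructed here, standing in for the enterprise CA).
func NewTestCA() []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, KeyUsage: x509.KeyUsageCertSign, BasicConstraintsValid: true}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

Writing NewTestCA() to `<dir>/ca-bundle.crt` and calling TrustedByDir on that directory mirrors the mounted secret above; the same check against an empty directory fails, which is the state the controller is in while the env variable is not set.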