  1. Red Hat Advanced Cluster Management
  2. ACM-12215

Provisioning OpenShift on OpenStack fails. The bootstrap node is failing to get the ignition image from Glance. Failing with tls: failed to verify certificate: x509: certificate signed by unknown authority.


    • False
    • None
    • False
    • Moderate
    • Customer Facing, Customer Reported
    • ?
    • No

      Description of problem:

      The install is successfully creating the required CoreOS image and ignition image in Glance and then deploying x3 masters and x1 bootstrap, which is where the install now fails. Looking at the console on the bootstrap node, we can see that it is attempting to pull the ignition image from Glance and failing with the below error:

       

      GET error: Get "https://openstack-disconnected.co.uk:13292//v2/images/<< imageID >>/file" tls: failed to verify certificate: x509: certificate signed by unknown authority.
      

      Deploying on OpenStack

      Version-Release number of selected component (if applicable):

      • ACM 2.10

      How reproducible:

      Always

      Steps to Reproduce:

      1. Set own cacert in clouds.yaml

      Actual results:

      Expected results:

      Additional info:

      The issue is with the OpenStack Credentials, specifically under the section "Red Hat OpenStack Platform".
      It requires 3 inputs:

      •  OpenStack clouds.yaml
      •  Cloud name
      •  Internal CA  

      When you provide it with the clouds.yaml provided by OpenStack, it doesn't include a section for "cacert", which is used when you are using a custom CA. This line gets injected by ACM into the clouds.yaml file when you put the CA into the "Internal CA" input field. However, it is putting the cacert entry into the wrong section (e.g. incorrectly indented, see below). As it is incorrectly indented, it is ignored.

      Example of where ACM inserts the cacert line 

       

      clouds:
        openstack:
          auth:
            auth_url: ..
            username: ....
            password: ...
            project_id: ...
            project_name: ...
            user_domain_name: ...
            cacert: /etc/openstack-ca/ca.crt  # <-- ACM is inserting the cacert line here
          region_name: "regionOne"
          interface: "public"
          identity_api_version: 3
      

      Example of where it should have inserted the cacert line 

       

      clouds:
        openstack:
          auth:
            auth_url: ..
            username: ....
            password: ...
            project_id: ...
            project_name: ...
            user_domain_name: ...
          cacert: /etc/openstack-ca/ca.crt  # <-- Correct indentation for the cacert line here
          region_name: "regionOne"
          interface: "public"
          identity_api_version: 3
      

      The current workaround is to duplicate the line entry but with the correct indentation, e.g. the working config below:

      clouds:
        openstack:
          auth:
            auth_url: ..
            username: ....
            password: ...
            project_id: ...
            project_name: ...
            user_domain_name: ...
            cacert: /etc/openstack-ca/ca.crt  # <-- ACM is inserting the cacert line here
          cacert: /etc/openstack-ca/ca.crt  # <-- Duplicate: correct indentation for the cacert line here
          region_name: "regionOne"
          interface: "public"
          identity_api_version: 3

      With this config I can now successfully deploy a cluster and ACM / OCP Installer is now trusting the CA on the OpenStack endpoints.
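
A pre-provisioning check for the misplacement described above, as an added example that is not part of the original report or of ACM: it flags a clouds.yaml whose only `cacert` sits under `auth`, where the report says it is ignored. The sample file, its `auth_url` value and the function names are constructed; the small indentation walker handles only the plain nested-mapping layout shown in this issue, so no YAML library is needed.

```python
import re

# Constructed sample: cacert nested under auth, as in the report above.
SAMPLE_BROKEN = """\
clouds:
  openstack:
    auth:
      auth_url: https://keystone.example.invalid:13000
      username: demo
      cacert: /etc/openstack-ca/ca.crt
    region_name: "regionOne"
    interface: "public"
"""

KEY_RE = re.compile(r"^( *)([A-Za-z0-9_.-]+):\s*(.*)$")

def key_paths(text):
    """Yield (path, value) for each mapping key, tracking nesting by indentation."""
    stack = []  # (indent, key) pairs from the document root to the current key
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()  # drop trailing comments
        m = KEY_RE.match(line)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        while stack and stack[-1][0] >= indent:
            stack.pop()  # leave mappings that ended at this indentation
        stack.append((indent, key))
        yield tuple(k for _, k in stack), value.strip("\"'")

def check_cacert(text):
    """Return {cloud: 'ok' | 'misplaced' | 'missing'} for every cloud entry."""
    status = {}
    for path, value in key_paths(text):
        if len(path) < 2 or path[0] != "clouds":
            continue
        cloud = path[1]
        status.setdefault(cloud, "missing")
        if path[2:] == ("cacert",) and value:
            status[cloud] = "ok"  # cloud-level cacert: the placement that works
        elif path[2:] == ("auth", "cacert") and status[cloud] != "ok":
            status[cloud] = "misplaced"  # only under auth: ignored per the report
    return status

if __name__ == "__main__":
    for cloud, state in check_cacert(SAMPLE_BROKEN).items():
        print(f"{cloud}: cacert {state}")
```

A result of `misplaced` or `missing` before provisioning predicts the `x509: certificate signed by unknown authority` failure when the endpoints use a private CA; the workaround config with both lines reports `ok`.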

       

            jswanke@redhat.com John Swanke
            rhn-support-mheppler Michal Heppler
            David Huynh David Huynh