Uploaded image for project: 'Red Hat Advanced Cluster Management'
  1. Red Hat Advanced Cluster Management
  2. ACM-17237

Multiple ACM components reporting "tls: failed to verify certificate: x509: certificate signed by unknown authority" in kube-apiserver-operator

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Minor Minor
    • None
    • None
    • Image Based Install Operator
    • None
    • False
    • Hide

      None

      Show
      None
    • False
    • Low
    • None

      Description of problem:

      **

      $ oc logs -n openshift-kube-apiserver-operator kube-apiserver-operator-665776f9f-pmjqm --follow

E0117 16:46:28.922035       1 degraded_webhook.go:68] applications.apps.open-cluster-management.webhook: dial tcp 172.30.21.199:443: connect: connection refused
W0117 16:46:29.000754       1 degraded_webhook.go:147] failed to connect to webhook "agentclusterinstallvalidators.admission.agentinstall.openshift.io" via service "kubernetes.default.svc:443": tls: failed to verify certificate: x509: certificate signed by unknown authority
W0117 16:46:30.023257       1 degraded_webhook.go:147] failed to connect to webhook "agentclusterinstallvalidators.admission.agentinstall.openshift.io" via service "kubernetes.default.svc:443": tls: failed to verify certificate: x509: certificate signed by unknown authority
W0117 16:46:32.076099       1 degraded_webhook.go:147] failed to connect to webhook "clusterdeploymentvalidators.admission.hive.openshift.io" via service "kubernetes.default.svc:443": tls: failed to verify certificate: x509: certificate signed by unknown authority
W0117 16:46:33.087297       1 degraded_webhook.go:147] failed to connect to webhook "clusterdeploymentvalidators.admission.hive.openshift.io" via service "kubernetes.default.svc:443": tls: failed to verify certificate: x509: certificate signed by unknown authority
W0117 16:46:35.106734       1 degraded_webhook.go:147] failed to connect to webhook "machinepoolvalidators.admission.hive.openshift.io" via service "kubernetes.default.svc:443": tls: failed to verify certificate: x509: certificate signed by unknown authority
W0117 16:46:36.120532       1 degraded_webhook.go:147] failed to connect to webhook "machinepoolvalidators.admission.hive.openshift.io" via service "kubernetes.default.svc:443": tls: failed to verify certificate: x509: certificate signed by unknown authority
W0117 16:46:38.256856       1 degraded_webhook.go:147] failed to connect to webhook "agents.agent-install.openshift.io" via service "webhook-service.multicluster-engine.svc:443": tls: failed to verify certificate: x509: certificate signed by unknown authority
W0117 16:46:39.269995       1 degraded_webhook.go:147] failed to connect to webhook "agents.agent-install.openshift.io" via service "webhook-service.multicluster-engine.svc:443": tls: failed to verify certificate: x509: certificate signed by unknown authority
W0117 16:46:41.324440       1 degraded_webhook.go:147] failed to connect to webhook "infraenvs.agent-install.openshift.io" via service "webhook-service.multicluster-engine.svc:443": tls: failed to verify certificate: x509: certificate signed by unknown authority
W0117 16:46:42.346685       1 degraded_webhook.go:147] failed to connect to webhook "infraenvs.agent-install.openshift.io" via service "webhook-service.multicluster-engine.svc:443": tls: failed to verify certificate: x509: certificate signed by unknown authority
W0117 16:46:44.368290       1 degraded_webhook.go:147] failed to connect to webhook "agentclassifications.agent-install.openshift.io" via service "webhook-service.multicluster-engine.svc:443": tls: failed to verify certificate: x509: certificate signed by unknown authority
W0117 16:46:45.386124       1 degraded_webhook.go:147] failed to connect to webhook "agentclassifications.agent-install.openshift.io" via service "webhook-service.multicluster-engine.svc:443": tls: failed to verify certificate: x509: certificate signed by unknown authority

       

       

      Multiple QE hub clusters are seeing this error reported in various pod logs. It does not seem to be causing any problems with functionality of the hub cluster. We have observed this in hubs running OCP 4.17 and 4.18 using ACM 2.12 and 2.13

      Version-Release number of selected component (if applicable): ACM 2.12, 2.13, OCP 4.17. 4.18

      How reproducible: 

      Always. Reproducable in many, if not all, QE hub clusters.

      Steps to Reproduce:

      1. Deploy OCP to hub using QE IPI CI job
      2. Deploy ACM and MCE using QE olm-setup job.
      3. Observe kube-apiserver-operator pod logs for error

      Actual results:

      tls: failed to verify certificate: x509: certificate signed by unknown authority

      Expected results:

      Additional info:

              Unassigned Unassigned
              josclark@redhat.com Joshua Clark
              Votes:
              1 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated: