Maistra / MAISTRA-1358

OAuth proxy sidecars need to trust the ca-bundle in the cluster

Details

    Description

      Refer to https://access.redhat.com/solutions/4896741 for details and solutions.

      The Ingress certificate has been replaced (with one issued by a CA not included in the default CA bundle in the container images) and now the Prometheus, Grafana and Jaeger UIs don't work after entering credentials, with an error 500.

      The pods deployed are not aware of the new CA included in the cluster-wide proxy, so unless the CA which issued the Ingress/API certificate is a well-known CA and is already included in the default CA bundle in the container images, the connection will fail.

      A new operator version should include these mounts by default.

      On the other hand, is there any risk in applying changes to the deployments? I haven't suffered from issues while the operator is up and running, but I'm not sure about the reconcile time. Can you confirm how durable/reliable this solution is without bothering with the operator?

            People

              jsantana@redhat.com Jonh Wendell
              sgarciam@redhat.com Sergio Garcia Martinez
              Votes: 5
              Watchers: 8
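
The trust failure described in this issue can be reproduced offline with the `openssl` CLI. This is an added example, not part of the original issue or the linked solution; the CA names, the `apps.example.test` subject, the file names and all helper functions are constructed for illustration.

```shell
#!/bin/sh
# Added illustration. All names, subjects and files below are constructed.

# Succeeds only if the certificate ($2) chains to a CA in the bundle ($1).
verify_with_bundle() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Create a self-signed CA: $1 = output prefix, $2 = common name.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

# Build the scenario in a temp dir and print its path.
setup_demo() {
    d=$(mktemp -d) || return 1
    # Stand-in for the CA bundle baked into the container image.
    make_ca "$d/image-default" "constructed-image-default-ca"
    # Private CA that issued the replacement ingress certificate.
    make_ca "$d/custom-ca" "constructed-custom-ca"
    # Ingress certificate signed by the private CA.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=apps.example.test" \
        -keyout "$d/ingress.key" -out "$d/ingress.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/ingress.csr" -days 1 \
        -CA "$d/custom-ca.crt" -CAkey "$d/custom-ca.key" -CAcreateserial \
        -out "$d/ingress.crt" >/dev/null 2>&1
    # What the sidecar sees once the cluster CA is added to its trust store.
    cat "$d/image-default.crt" "$d/custom-ca.crt" > "$d/merged-bundle.crt"
    echo "$d"
}

# Print TRUSTED or UNTRUSTED for bundle $1 and certificate $2.
trust_status() {
    if verify_with_bundle "$1" "$2"; then echo TRUSTED; else echo UNTRUSTED; fi
}

demo=$(setup_demo)
echo "image default bundle: $(trust_status "$demo/image-default.crt" "$demo/ingress.crt")"
echo "bundle + cluster CA:  $(trust_status "$demo/merged-bundle.crt" "$demo/ingress.crt")"
rm -rf "$demo"
```

The first check fails for the same reason the sidecar's TLS connection does: the issuing CA is absent from the bundle the client consults.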