Uploaded image for project: 'Maistra'
  1. Maistra
  2. MAISTRA-1358

OAuth proxy sidecars need to trust the ca-bundle in the cluster

    XMLWordPrintable

Details

    • MAISTRA 1.1.3

    Description

      Refer to https://access.redhat.com/solutions/4896741 for details and solutions.

      Ingress certificate has been replaced (with one issued by a CA not included in the default CA bundle in the container images) and now Prometheus, Grafana and Jaeger UIs doesn't work after entering credentials with an error 500.

      The pods deployed are not aware of the new CA included in the cluster wide proxy, so unless the CA which issued the Ingress/API certificate is a well known CA and it's already included in the default CA bundle in the container images the connection will fail.

      A new operator version should include this mounts by default.

      On the other hand, is there any risk of applying changes in the deployments? I haven't suffered from issues while the operator is up and running but I'm not sure about the reconcile time. Can you confirm how durable/reliable is this solution without bothering with the operator?

      Attachments

        Issue Links

          clones

          Task - Represents a small unit of work that is not end-user facing. OSSM-165 OAuth proxy sidecars need to trust the ca-bundle in the cluster

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Activity

            People

              jsantana@redhat.com Jonh Wendell
              sgarciam@redhat.com Sergio Garcia Martinez
              Votes:
              5 Vote for this issue
              Watchers:
              8 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: