Uploaded image for project: 'Maistra'
  1. Maistra
  2. MAISTRA-2630

ossm SMCP 2.0 and 2.1 adding an external ca cert failed in SMCP

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Major
    • maistra-2.1.0
    • maistra-2.1.0
    • None
    • None
    • Sprint 9, Sprint 10

    Description

      ossm SMCP 2.0 and 2.1 adding an external ca cert failed in SMCP
      When I tested the adding external cert configuration [1],

      [1] https://docs.openshift.com/container-platform/4.8/service_mesh/v2x/ossm-security.html#ossm-cert-manage_ossm-security

      The SMCP reconciliation passed and ready. But sidecar injection failed after that patch.
      All the following sidecar injection stuck in a deployment pod.

      SMCP istiod discovery log error:

      error	klog	github.com/maistra/xns-informer/pkg/informers/informer.go:204: Failed to watch *v1.ServiceMeshExtension: failed to list *v1.ServiceMeshExtension: servicemeshextensions.maistra.io is forbidden: User "system:serviceaccount:istio-system:istiod-service-account-basic" cannot list resource...
...
error	error inserting data for namespace: error when creating configmap istio-ca-root-cert: configmaps "istio-ca-root-cert" already exists

      istiod-basic-7f48d489bc-ht5cvNamespaceNSistio-system
Aug 25, 2021, 3:56 PM
Generated from kubelet on ip-10-0-195-162.us-east-2.compute.internal
Readiness probe failed: Get "http://10.129.2.114:8080/ready": context deadline exceeded (Client.Timeout exceeded while awaiting headers)

      A deployment sleep pod stuck 1/2 Ready

      Attachments

        Issue Links

          is documented by

          Task - Represents a small unit of work that is not end-user facing. OSSM-2836 Updated instructions for external certificates

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          relates to

          Bug - A problem that impairs or prevents the functions of the product. MAISTRA-2649 OSSM 2.1 error inserting data for namespace: error when creating configmap istio-ca-root-cert: configmaps "istio-ca-root-cert" already exists

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed

          Activity

            People

              jsantana@redhat.com Jonh Wendell
              yuaxu@redhat.com Yuanlin Xu
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: