Uploaded image for project: 'Maistra'
  1. Maistra
  2. MAISTRA-2630

ossm SMCP 2.0 and 2.1 adding an external ca cert failed in SMCP

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Major Major
    • maistra-2.1.0
    • maistra-2.1.0
    • None
    • None
    • Sprint 9, Sprint 10

      ossm SMCP 2.0 and 2.1 adding an external ca cert failed in SMCP
      When I tested the adding external cert configuration [1],

      [1] https://docs.openshift.com/container-platform/4.8/service_mesh/v2x/ossm-security.html#ossm-cert-manage_ossm-security

      The SMCP reconciliation passed and ready. But sidecar injection failed after that patch.
      All the following sidecar injection stuck in a deployment pod.

      SMCP istiod discovery log error:

      error	klog	github.com/maistra/xns-informer/pkg/informers/informer.go:204: Failed to watch *v1.ServiceMeshExtension: failed to list *v1.ServiceMeshExtension: servicemeshextensions.maistra.io is forbidden: User "system:serviceaccount:istio-system:istiod-service-account-basic" cannot list resource...
...
error	error inserting data for namespace: error when creating configmap istio-ca-root-cert: configmaps "istio-ca-root-cert" already exists

      istiod-basic-7f48d489bc-ht5cvNamespaceNSistio-system
Aug 25, 2021, 3:56 PM
Generated from kubelet on ip-10-0-195-162.us-east-2.compute.internal
Readiness probe failed: Get "http://10.129.2.114:8080/ready": context deadline exceeded (Client.Timeout exceeded while awaiting headers)

      A deployment sleep pod stuck 1/2 Ready

        1. istio-ingressgateway-54849f4db8-2lgqp-istio-proxy.log
          68 kB

              jsantana@redhat.com Jonh Wendell
              yuaxu@redhat.com Yuanlin Xu
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated:
                Resolved: