Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-32139

Failure to create SR-IOV Node Policies due to certificate signed by unknown authority

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Major Major
    • None
    • 4.14.z, 4.15.z, 4.16
    • Networking / SR-IOV
    • None
    • Important
    • CNF Network Sprint 255
    • 1
    • False
    • Hide

      None

      Show
      None
    • Hide
      Cause: CA certificate is overridden during SR-IOV Network Operator webhook reconciliation.
      Consequence: The API server not configured with a valid SR-IOV Network Operator Webhook client certificate causes flakiness in interacting with the SR-IOV Network Operator.
      Workaround: retry applying SR-IOV policies.
      Show
      Cause: CA certificate is overridden during SR-IOV Network Operator webhook reconciliation. Consequence: The API server not configured with a valid SR-IOV Network Operator Webhook client certificate causes flakiness in interacting with the SR-IOV Network Operator. Workaround: retry applying SR-IOV policies.
    • Known Issue
    • Proposed

      Description of problem:

      [elevin@elevin ~]$ oc apply -k policies
sriovnetworknodepolicy.sriovnetwork.openshift.io/test-policy-custom-difflglxs created
sriovnetworknodepolicy.sriovnetwork.openshift.io/test-policy-customnv8pz created
sriovnetworknodepolicy.sriovnetwork.openshift.io/test-policy-jumbo-diffs6z8b created
sriovnetworknodepolicy.sriovnetwork.openshift.io/test-policy-jumbowj6n8 created
sriovnetworknodepolicy.sriovnetwork.openshift.io/test-policy-scalepr9bv created
Error from server (InternalError): error when creating "policies": Internal error occurred: failed calling webhook "operator-webhook.sriovnetwork.openshift.io": failed to call webhook: Post "https://operator-webhook-service.openshift-sriov-network-operator.svc:443/mutating-custom-resource?timeout=10s": tls: failed to verify certificate: x509: certificate signed by unknown authority
Error from server (InternalError): error when creating "policies": Internal error occurred: failed calling webhook "operator-webhook.sriovnetwork.openshift.io": failed to call webhook: Post "https://operator-webhook-service.openshift-sriov-network-operator.svc:443/mutating-custom-resource?timeout=10s": tls: failed to verify certificate: x509: certificate signed by unknown authority
Error from server (InternalError): error when creating "policies": Internal error occurred: failed calling webhook "operator-webhook.sriovnetwork.openshift.io": failed to call webhook: Post "https://operator-webhook-service.openshift-sriov-network-operator.svc:443/validating-custom-resource?timeout=10s": tls: failed to verify certificate: x509: certificate signed by unknown authority

      Version-Release number of selected component (if applicable):
      4.16.0-ec.5

      How reproducible:
      50%

      Steps to Reproduce:
      1. Apply several SR-IOV Node Policies simultaneously
      2.
      3.
      Actual results:
      Not all policies are aplied

      Expected results:
      All policices are aplied

      Additional info:

      $ oc logs operator-webhook-dznkm -n openshift-sriov-network-operator -f
2024-04-11T17:25:00.868002715Z    INFO    sriov-network-operator-webhook    cobra/command.go:944    Run sriov-network-operator-webhook
2024-04-11T17:25:00.887803405Z    INFO    sriov-network-operator-webhook    runtime/asm_amd64.s:1650    start server
2024/04/11 17:28:09 http: TLS handshake error from 10.128.0.2:47032: remote error: tls: bad certificate

        1. webhook-not-working.pcap
          4 kB
        2. webhook-working.pcap
          4 kB

            apanatto@redhat.com Andrea Panattoni
            rhn-cnf-elevin Evgeny Levin
            Sebastian Scheinkman
            Votes:
            0 Vote for this issue
            Watchers:
            23 Start watching this issue

              Created:
              Updated: