Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-32139

Failure to create SR-IOV Node Policies due to certificate signed by unknown authority

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done-Errata
    • Icon: Major Major
    • 4.16
    • 4.14.z, 4.15.z, 4.16
    • Networking / SR-IOV
    • None
    • +
    • Important
    • None
    • CNF Network Sprint 255
    • 1
    • False
    • Hide

      None

      Show
      None
    • Hide
      KNOWN ISSUE ALREADY DOCUMENTED IN THE 4.16 NOTES

      After applying a SriovNetworkNodePolicy resource, the CA certificate might be replaced during SR-IOV Network Operator webhook reconciliation. As a consequence, you might see unknown authority errors when applying SR-IOV Network node policies. As a workaround, try to re-apply the failed policies. (link:https://issues.redhat.com/browse/OCPBUGS-32139[*OCPBUGS-32139*])
      Show
      KNOWN ISSUE ALREADY DOCUMENTED IN THE 4.16 NOTES After applying a SriovNetworkNodePolicy resource, the CA certificate might be replaced during SR-IOV Network Operator webhook reconciliation. As a consequence, you might see unknown authority errors when applying SR-IOV Network node policies. As a workaround, try to re-apply the failed policies. (link: https://issues.redhat.com/browse/OCPBUGS-32139 [* OCPBUGS-32139 *])
    • Known Issue
    • Done

      Description of problem:

      [elevin@elevin ~]$ oc apply -k policies
sriovnetworknodepolicy.sriovnetwork.openshift.io/test-policy-custom-difflglxs created
sriovnetworknodepolicy.sriovnetwork.openshift.io/test-policy-customnv8pz created
sriovnetworknodepolicy.sriovnetwork.openshift.io/test-policy-jumbo-diffs6z8b created
sriovnetworknodepolicy.sriovnetwork.openshift.io/test-policy-jumbowj6n8 created
sriovnetworknodepolicy.sriovnetwork.openshift.io/test-policy-scalepr9bv created
Error from server (InternalError): error when creating "policies": Internal error occurred: failed calling webhook "operator-webhook.sriovnetwork.openshift.io": failed to call webhook: Post "https://operator-webhook-service.openshift-sriov-network-operator.svc:443/mutating-custom-resource?timeout=10s": tls: failed to verify certificate: x509: certificate signed by unknown authority
Error from server (InternalError): error when creating "policies": Internal error occurred: failed calling webhook "operator-webhook.sriovnetwork.openshift.io": failed to call webhook: Post "https://operator-webhook-service.openshift-sriov-network-operator.svc:443/mutating-custom-resource?timeout=10s": tls: failed to verify certificate: x509: certificate signed by unknown authority
Error from server (InternalError): error when creating "policies": Internal error occurred: failed calling webhook "operator-webhook.sriovnetwork.openshift.io": failed to call webhook: Post "https://operator-webhook-service.openshift-sriov-network-operator.svc:443/validating-custom-resource?timeout=10s": tls: failed to verify certificate: x509: certificate signed by unknown authority

      Version-Release number of selected component (if applicable):
      4.16.0-ec.5

      How reproducible:
      50%

      Steps to Reproduce:
      1. Apply several SR-IOV Node Policies simultaneously
      2.
      3.
      Actual results:
      Not all policies are aplied

      Expected results:
      All policices are aplied

      Additional info:

      $ oc logs operator-webhook-dznkm -n openshift-sriov-network-operator -f
2024-04-11T17:25:00.868002715Z    INFO    sriov-network-operator-webhook    cobra/command.go:944    Run sriov-network-operator-webhook
2024-04-11T17:25:00.887803405Z    INFO    sriov-network-operator-webhook    runtime/asm_amd64.s:1650    start server
2024/04/11 17:28:09 http: TLS handshake error from 10.128.0.2:47032: remote error: tls: bad certificate

        1. webhook-not-working.pcap
          4 kB
        2. webhook-working.pcap
          4 kB

              apanatto@redhat.com Andrea Panattoni
              rhn-cnf-elevin Evgeny Levin
              Zhanqi Zhao Zhanqi Zhao
              Sebastian Scheinkman
              Votes:
              1 Vote for this issue
              Watchers:
              28 Start watching this issue

                Created:
                Updated:
                Resolved: