-
Bug
-
Resolution: Done
-
Major
-
None
-
4.12
-
None
-
Critical
-
None
-
Proposed
-
False
-
Description of problem:
The installer has logic that avoids adding the router CAs to the kubeconfig if the console is not available. It's not clear why it does this, but it means that the router CAs don't get added when the console is deliberately disabled (it is now an optional capability in 4.12).
Version-Release number of selected component (if applicable):
Seen in 4.12+4.13
How reproducible:
Always, when starting a cluster w/o the Console capability
Steps to Reproduce:
1. Edit the install-config to set: capabilities: baselineCapabilitySet: None 2. install the cluster 3. check the CAs in the kubeconfig, the wildcard route CA will be missing (compare it w/ a normal cluster)
Actual results:
router CAs missing
Expected results:
router CAs should be present
Additional info:
This needs to be backported to 4.12.
- blocks
-
-
- Closed
-
- is cloned by
-
-
- Closed
-
- links to
[OCPBUGS-3214] Installer does not always add router CA to kubeconfig
Jinyun Ma
added a comment - verified on 4.13.0-0.nightly-2022-11-10-084926 and passed.
$ oc get clusterversion NAME VERSION AVAILABLE PROGRESSING SINCE STATUS version 4.13.0-0.nightly-2022-11-10-084926 True False 10m Cluster version is 4.13.0-0.nightly-2022-11-10-084926 $ oc get co NAME VERSION AVAILABLE PROGRESSING DEGRADED SINCE MESSAGE authentication 4.13.0-0.nightly-2022-11-10-084926 True False False 10m cloud-controller-manager 4.13.0-0.nightly-2022-11-10-084926 True False False 33m cloud-credential 4.13.0-0.nightly-2022-11-10-084926 True False False 36m cluster-autoscaler 4.13.0-0.nightly-2022-11-10-084926 True False False 32m config-operator 4.13.0-0.nightly-2022-11-10-084926 True False False 32m control-plane-machine-set 4.13.0-0.nightly-2022-11-10-084926 True False False 31m dns 4.13.0-0.nightly-2022-11-10-084926 True False False 25m etcd 4.13.0-0.nightly-2022-11-10-084926 True False False 29m image-registry 4.13.0-0.nightly-2022-11-10-084926 True False False 17m ingress 4.13.0-0.nightly-2022-11-10-084926 True False False 20m kube-apiserver 4.13.0-0.nightly-2022-11-10-084926 True False False 28m kube-controller-manager 4.13.0-0.nightly-2022-11-10-084926 True False False 30m kube-scheduler 4.13.0-0.nightly-2022-11-10-084926 True False False 29m kube-storage-version-migrator 4.13.0-0.nightly-2022-11-10-084926 True False False 25m machine-api 4.13.0-0.nightly-2022-11-10-084926 True False False 16m machine-approver 4.13.0-0.nightly-2022-11-10-084926 True False False 32m machine-config 4.13.0-0.nightly-2022-11-10-084926 True False False 31m monitoring 4.13.0-0.nightly-2022-11-10-084926 True False False 14m network 4.13.0-0.nightly-2022-11-10-084926 True False False 33m node-tuning 4.13.0-0.nightly-2022-11-10-084926 True False False 25m openshift-apiserver 4.13.0-0.nightly-2022-11-10-084926 True False False 13m openshift-controller-manager 4.13.0-0.nightly-2022-11-10-084926 True False False 25m operator-lifecycle-manager 4.13.0-0.nightly-2022-11-10-084926 True False False 32m operator-lifecycle-manager-catalog 4.13.0-0.nightly-2022-11-10-084926 True False False 32m operator-lifecycle-manager-packageserver 4.13.0-0.nightly-2022-11-10-084926 True False False 25m service-ca 4.13.0-0.nightly-2022-11-10-084926 True False False 32m
checked that the content of configmap default-ingress-certs under namespace openshift-config-managed is inserted into cluster CA in kubeconfig and oc login is successful this time.
$ oc login -u kubeadmin -p dRZCH-KrAMs-BC59N-KgoW8 Login successful.You have access to 60 projects, the list has been suppressed. You can list all projects with 'oc projects'Using project "default".
Jinyun Ma
added a comment - verified on 4.13.0-0.nightly-2022-11-10-084926 and passed.
$ oc get clusterversion
NAME VERSION AVAILABLE PROGRESSING SINCE STATUS
version 4.13.0-0.nightly-2022-11-10-084926 True False 10m Cluster version is 4.13.0-0.nightly-2022-11-10-084926
$ oc get co
NAME VERSION AVAILABLE PROGRESSING DEGRADED SINCE MESSAGE
authentication 4.13.0-0.nightly-2022-11-10-084926 True False False 10m
cloud-controller-manager 4.13.0-0.nightly-2022-11-10-084926 True False False 33m
cloud-credential 4.13.0-0.nightly-2022-11-10-084926 True False False 36m
cluster-autoscaler 4.13.0-0.nightly-2022-11-10-084926 True False False 32m
config- operator 4.13.0-0.nightly-2022-11-10-084926 True False False 32m
control-plane-machine-set 4.13.0-0.nightly-2022-11-10-084926 True False False 31m
dns 4.13.0-0.nightly-2022-11-10-084926 True False False 25m
etcd 4.13.0-0.nightly-2022-11-10-084926 True False False 29m
image-registry 4.13.0-0.nightly-2022-11-10-084926 True False False 17m
ingress 4.13.0-0.nightly-2022-11-10-084926 True False False 20m
kube-apiserver 4.13.0-0.nightly-2022-11-10-084926 True False False 28m
kube-controller-manager 4.13.0-0.nightly-2022-11-10-084926 True False False 30m
kube-scheduler 4.13.0-0.nightly-2022-11-10-084926 True False False 29m
kube-storage-version-migrator 4.13.0-0.nightly-2022-11-10-084926 True False False 25m
machine-api 4.13.0-0.nightly-2022-11-10-084926 True False False 16m
machine-approver 4.13.0-0.nightly-2022-11-10-084926 True False False 32m
machine-config 4.13.0-0.nightly-2022-11-10-084926 True False False 31m
monitoring 4.13.0-0.nightly-2022-11-10-084926 True False False 14m
network 4.13.0-0.nightly-2022-11-10-084926 True False False 33m
node-tuning 4.13.0-0.nightly-2022-11-10-084926 True False False 25m
openshift-apiserver 4.13.0-0.nightly-2022-11-10-084926 True False False 13m
openshift-controller-manager 4.13.0-0.nightly-2022-11-10-084926 True False False 25m
operator -lifecycle-manager 4.13.0-0.nightly-2022-11-10-084926 True False False 32m
operator -lifecycle-manager-catalog 4.13.0-0.nightly-2022-11-10-084926 True False False 32m
operator -lifecycle-manager-packageserver 4.13.0-0.nightly-2022-11-10-084926 True False False 25m
service-ca 4.13.0-0.nightly-2022-11-10-084926 True False False 32m
checked that the content of configmap default-ingress-certs under namespace openshift-config-managed is inserted into cluster CA in kubeconfig and oc login is successful this time.
$ oc login -u kubeadmin -p dRZCH-KrAMs-BC59N-KgoW8
Login successful.You have access to 60 projects, the list has been suppressed. You can list all projects with 'oc projects' Using project " default " .
Jinyun Ma
added a comment - Reproduced the issue on 4.12.0-0.nightly-2022-11-10-033725.
Deploy cluster with baselineCapabilitySet: None, console operator is not installed.
$ oc get co NAME VERSION AVAILABLE PROGRESSING DEGRADED SINCE MESSAGE authentication 4.12.0-0.nightly-2022-11-10-033725 True False False 168m cloud-controller-manager 4.12.0-0.nightly-2022-11-10-033725 True False False 3h9m cloud-credential 4.12.0-0.nightly-2022-11-10-033725 True False False 3h18m cluster-autoscaler 4.12.0-0.nightly-2022-11-10-033725 True False False 3h7m config-operator 4.12.0-0.nightly-2022-11-10-033725 True False False 3h8m control-plane-machine-set 4.12.0-0.nightly-2022-11-10-033725 True False False 3h8m dns 4.12.0-0.nightly-2022-11-10-033725 True False False 179m etcd 4.12.0-0.nightly-2022-11-10-033725 True False False 3h6m image-registry 4.12.0-0.nightly-2022-11-10-033725 True False False 177m ingress 4.12.0-0.nightly-2022-11-10-033725 True False False 178m kube-apiserver 4.12.0-0.nightly-2022-11-10-033725 True False False 3h4m kube-controller-manager 4.12.0-0.nightly-2022-11-10-033725 True False False 3h5m kube-scheduler 4.12.0-0.nightly-2022-11-10-033725 True False False 3h5m kube-storage-version-migrator 4.12.0-0.nightly-2022-11-10-033725 True False False 179m machine-api 4.12.0-0.nightly-2022-11-10-033725 True False False 175m machine-approver 4.12.0-0.nightly-2022-11-10-033725 True False False 3h8m machine-config 4.12.0-0.nightly-2022-11-10-033725 True False False 178m monitoring 4.12.0-0.nightly-2022-11-10-033725 True False False 173m network 4.12.0-0.nightly-2022-11-10-033725 True False False 3h9m node-tuning 4.12.0-0.nightly-2022-11-10-033725 True False False 3h7m openshift-apiserver 4.12.0-0.nightly-2022-11-10-033725 True False False 179m openshift-controller-manager 4.12.0-0.nightly-2022-11-10-033725 True False False 178m operator-lifecycle-manager 4.12.0-0.nightly-2022-11-10-033725 True False False 3h7m operator-lifecycle-manager-catalog 4.12.0-0.nightly-2022-11-10-033725 True False False 3h8m operator-lifecycle-manager-packageserver 4.12.0-0.nightly-2022-11-10-033725 True False False 179m service-ca 4.12.0-0.nightly-2022-11-10-033725 True False False 3h8m
oc login failed with error:
$ oc login -u kubeadmin -p AIVof-LH4UX-w65Cc-QY2x5 error: x509: certificate signed by unknown authority
And checked that the content of configmap default-ingress-certs under namespace openshift-config-managed is not inserted into cluster CA in kubeconfig.
Jinyun Ma
added a comment - Reproduced the issue on 4.12.0-0.nightly-2022-11-10-033725.
Deploy cluster with baselineCapabilitySet: None, console operator is not installed.
$ oc get co
NAME VERSION AVAILABLE PROGRESSING DEGRADED SINCE MESSAGE
authentication 4.12.0-0.nightly-2022-11-10-033725 True False False 168m
cloud-controller-manager 4.12.0-0.nightly-2022-11-10-033725 True False False 3h9m
cloud-credential 4.12.0-0.nightly-2022-11-10-033725 True False False 3h18m
cluster-autoscaler 4.12.0-0.nightly-2022-11-10-033725 True False False 3h7m
config- operator 4.12.0-0.nightly-2022-11-10-033725 True False False 3h8m
control-plane-machine-set 4.12.0-0.nightly-2022-11-10-033725 True False False 3h8m
dns 4.12.0-0.nightly-2022-11-10-033725 True False False 179m
etcd 4.12.0-0.nightly-2022-11-10-033725 True False False 3h6m
image-registry 4.12.0-0.nightly-2022-11-10-033725 True False False 177m
ingress 4.12.0-0.nightly-2022-11-10-033725 True False False 178m
kube-apiserver 4.12.0-0.nightly-2022-11-10-033725 True False False 3h4m
kube-controller-manager 4.12.0-0.nightly-2022-11-10-033725 True False False 3h5m
kube-scheduler 4.12.0-0.nightly-2022-11-10-033725 True False False 3h5m
kube-storage-version-migrator 4.12.0-0.nightly-2022-11-10-033725 True False False 179m
machine-api 4.12.0-0.nightly-2022-11-10-033725 True False False 175m
machine-approver 4.12.0-0.nightly-2022-11-10-033725 True False False 3h8m
machine-config 4.12.0-0.nightly-2022-11-10-033725 True False False 178m
monitoring 4.12.0-0.nightly-2022-11-10-033725 True False False 173m
network 4.12.0-0.nightly-2022-11-10-033725 True False False 3h9m
node-tuning 4.12.0-0.nightly-2022-11-10-033725 True False False 3h7m
openshift-apiserver 4.12.0-0.nightly-2022-11-10-033725 True False False 179m
openshift-controller-manager 4.12.0-0.nightly-2022-11-10-033725 True False False 178m
operator -lifecycle-manager 4.12.0-0.nightly-2022-11-10-033725 True False False 3h7m
operator -lifecycle-manager-catalog 4.12.0-0.nightly-2022-11-10-033725 True False False 3h8m
operator -lifecycle-manager-packageserver 4.12.0-0.nightly-2022-11-10-033725 True False False 179m
service-ca 4.12.0-0.nightly-2022-11-10-033725 True False False 3h8m
oc login failed with error:
$ oc login -u kubeadmin -p AIVof-LH4UX-w65Cc-QY2x5
error: x509: certificate signed by unknown authority
And checked that the content of configmap default-ingress-certs under namespace openshift-config-managed is not inserted into cluster CA in kubeconfig.
Since the problem described in this issue should be resolved in a recent advisory, it has been closed.
For information on the advisory (Important: OpenShift Container Platform 4.13.0 security update), and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHSA-2023:1326