OpenShift Bugs: OCPBUGS-36360

[CAPI Azure] Fail to create cluster by using client certs to authenticate

      Description of problem:

      Created a service principal with a certificate (following doc[1] to create the certificate), prepared osServicePrincipal.json containing clientId and clientCertificate, then used this SP to create a cluster;
      the CAPI-based installer failed when starting cluster-api-provider-azureaso.
      
      time="2024-07-01T01:24:45Z" level=debug msg="E0701 01:24:44.609675    8008 setup.go:149] \"msg\"=\"failed to initialize clients\" \"error\"=\"error while fetching default global credential: unable to get client certificate credential: failed to parse certificate for 'de5f4940-d737-4b4a-b6cd-7a51eff52e38': pkcs12: error reading P12 data: asn1: structure error: tags don't match (16 vs {class:0 tag:15 length:116 isCompound:true}) {optional:false explicit:false application:false private:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} pfxPdu @2\" \"logger\"=\"setup\""
      time="2024-07-01T01:24:46Z" level=error msg="failed to fetch Cluster: failed to generate asset \"Cluster\": failed to create cluster: failed to run cluster api system: failed to run controller \"azureaso infrastructure provider\": failed to start controller \"azureaso infrastructure provider\": timeout waiting for process cluster-api-provider-azureaso to start successfully (it may have failed to start, or stopped unexpectedly before becoming ready)"
      time="2024-07-01T01:24:46Z" level=info msg="Shutting down local Cluster API control plane..."
      time="2024-07-01T01:24:46Z" level=info msg="Local Cluster API system has completed operations"
      
      Since the pfx file in doc azure_client_certs_auth.md is generated specifically for Terraform, it might not be applicable to CAPZ, so I tried to generate a pfx without specifying certpbe and keypbe (following the CAPZ doc[2]):
      $ openssl pkcs12 -export -out cert.pkcs12 -in cert.pem -inkey key.pem -passout pass: -nokeys
      
      Using this new client certificate to launch the installer, I got the error below:
      # ./openshift-install create cluster --dir ipi2
      INFO Credentials loaded from file "/root/.azure/osServicePrincipal.json" 
      WARNING Using client certs to authenticate. Please be warned cluster does not support certs and only the installer does. 
      ERROR failed to fetch Metadata: failed to load asset "Install Config": failed to create install config: creating Azure session: failed to parse client certificate: pkcs12: unknown digest algorithm: 2.16.840.1.101.3.4.2.1 
      
      [1]: https://github.com/openshift/installer/blob/master/docs/dev/azure/azure_client_certs_auth.md
      [2]: https://capz.sigs.k8s.io/topics/identities.html?highlight=clientSecrets#service-principal
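A way to check a .pkcs12 file before handing it to the installer, added here as an example that is not from the report or from the installer code base: it parses only the outer PFX structure and reports the MAC digest OID, which is what the legacy Go pkcs12 parser rejects in the second error above (2.16.840.1.101.3.4.2.1 is SHA-256; that parser verifies SHA-1 only). The names macDigest, buildPFX and oidSHA1 are mine, and the fixture buildPFX produces is constructed and key-less.

```go
package main

import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"os"
)

// Outer PKCS#12 layout (RFC 7292), parsed only as deep as the MAC digest OID.
type digestInfo struct {
	Algorithm pkix.AlgorithmIdentifier
	Digest    []byte
}
type macData struct {
	Mac        digestInfo
	MacSalt    []byte
	Iterations int `asn1:"optional,default:1"`
}
type pfxPdu struct {
	Version  int
	AuthSafe asn1.RawValue // the encrypted bags, kept opaque: nothing is decrypted
	MacData  macData `asn1:"optional"`
}
var oidSHA1 = asn1.ObjectIdentifier{1, 3, 14, 3, 2, 26} // the only MAC digest golang.org/x/crypto/pkcs12 verifies

// macDigest: MAC digest OID of a DER PFX, and whether golang.org/x/crypto/pkcs12 (the parser behind
// "pkcs12: unknown digest algorithm") accepts it; no password is needed for this outer layer.
func macDigest(der []byte) (oid string, legacyOK bool, err error) {
	var pfx pfxPdu
	if _, e := asn1.Unmarshal(der, &pfx); e != nil {
		return "", false, e
	}
	if alg := pfx.MacData.Mac.Algorithm.Algorithm; len(alg) > 0 {
		return alg.String(), alg.Equal(oidSHA1), nil
	}
	return "", false, fmt.Errorf("PFX carries no MacData")
}

// buildPFX is a constructed, key-less fixture with the given MAC digest OID (authSafe is an empty SEQUENCE).
func buildPFX(digest ...int) []byte {
	out, _ := asn1.Marshal(pfxPdu{Version: 3, AuthSafe: asn1.RawValue{Tag: asn1.TagSequence, IsCompound: true},
		MacData: macData{Mac: digestInfo{Algorithm: pkix.AlgorithmIdentifier{Algorithm: asn1.ObjectIdentifier(digest)},
			Digest: make([]byte, 32)}, MacSalt: []byte("salt"), Iterations: 2048}})
	return out
}

func main() { // usage: go run . cert.pkcs12 (a read failure surfaces as an Unmarshal error)
	der, _ := os.ReadFile(os.Args[1])
	fmt.Println(macDigest(der))
}
```

OpenSSL 3 writes a SHA-256 MAC by default, and `-macalg sha1` on the export command selects the digest the older parser accepts; the PBE algorithms of the key and certificate bags are a separate matter this check does not examine.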

       

      Version-Release number of selected component (if applicable):

          4.17 nightly build

      How reproducible:

          Always

      Steps to Reproduce:

          1. Prepare SP with certificate and update osServicePrincipal.json to use this SP
          2. Create cluster
          

      Actual results:

          Installation failed

      Expected results:

          Installation succeeded

      Additional info:

          

       

              padillon Patrick Dillon
              jinyunma Jinyun Ma