
authentication CO is degraded with x509: certificate is valid for *.apps-sharded.basedomain.example.net, not oauth-openshift.apps.ci-ln-9v1md1b-c1627.vmc-ci.devcluster.openshift.com

      Description of problem:

      The authentication cluster operator goes into a degraded state when traffic goes to custom router pods created by a custom ingress controller instead of the default router pods:
      ~~~
      OAuthServerRouteEndpointAccessibleControllerAvailable: Get "https://oauth-openshift.apps.xxx.devcluster.openshift.com/healthz": x509: certificate is valid for *.apps-sharded.basedomain.example.net, not oauth-openshift.apps.xxx.devcluster.openshift.com
      ~~~

      Version-Release number of selected component (if applicable):

      Reproduced on 4.13

      How reproducible:

      100%

      Steps to Reproduce:

      1. Create a custom ingresscontroller in the cluster
      ~~~
      $ cat ing.yaml
      apiVersion: operator.openshift.io/v1
      kind: IngressController
      metadata:
        name: sharded
        namespace: openshift-ingress-operator
      spec:
        endpointPublishingStrategy:
          type: HostNetwork
        domain: apps-sharded.basedomain.example.net
        nodePlacement:
        routeSelector:
          matchLabels:
            type: sharded
      ~~~
      
      2. Change the replicas of the default router pods to 0:
      ~~~
      $ oc edit ingresscontroller default -n openshift-ingress-operator
      changed replicas: 0
      ~~~
      
      3. Check if the new router pods are running:
      ~~~
      $ oc get pods -n openshift-ingress
      NAME                              READY   STATUS    RESTARTS   AGE
      router-sharded-5c9898b495-7mrwt   1/1     Running   0          2m48s
      router-sharded-5c9898b495-sqvbs   1/1     Running   0          2m48s
      ~~~
      
      4. Check the status of the authentication operator:
      ~~~
      $ oc get co authentication
      NAME             VERSION                              AVAILABLE   PROGRESSING   DEGRADED   SINCE   MESSAGE
      authentication   4.13.0-0.nightly-2024-11-23-101305   False       False         False      45s     OAuthServerRouteEndpointAccessibleControllerAvailable: Get "https://oauth-openshift.apps.xxx.devcluster.openshift.com/healthz": x509: certificate is valid for *.apps-sharded.basedomain.example.net, not oauth-openshift.apps.xxx.devcluster.openshift.com
      ~~~

      Actual results:

      The authentication cluster operator is going into degraded state if the request goes to custom router pods.

      Expected results:

      The authentication cluster operator should not go into degraded state if the request goes to custom router pods.

      Additional info:

      At the customer's end:
      There are two ingresscontrollers present in the cluster: one is the default and the other is a custom ingresscontroller.
      While upgrading the cluster, the authentication cluster operator went into a degraded state.

              mmasters1@redhat.com Miciah Masters
              rhn-support-sdharma Suruchi Dharma
              Ishmam Amin Ishmam Amin
              Suruchi Dharma