OpenShift Bugs: OCPBUGS-48830

OLMv1: Proxy CA mount does not wait until ca-bundle.crt is ready


    • Bug
    • Resolution: Done-Errata
    • Major
    • 4.18.0, 4.19.0
    • OLM
    • Quality / Stability / Reliability
    • False
    • Important
    • Proposed
    • Done
    • Bug Fix
      * Previously, {olmv1} did not wait for certificates to reach a ready state before mounting Operator Controller and catalogd pods. These updates fix the issue. link:https://issues.redhat.com/browse/OCPBUGS-48830[OCPBUGS-48830] and link:https://issues.redhat.com/browse/OCPBUGS-49418[OCPBUGS-49418]

      Description of problem:

      When the catalogd and operator-controller pods start, it sometimes happens that the "trusted-ca-bundle" ConfigMap has not yet had its "ca-bundle.crt" data item populated. When this happens, a directory is mounted at /var/trusted-cas/ca-bundle.crt instead of the expected CA file.
      
      The only way to resolve the problem is to manually delete the pod and let it be re-created AFTER the ca-bundle.crt data item is populated in the ConfigMap, at which point the file will mount correctly.

      How reproducible:

      Not trivially reproducible because it is a race condition between the controller populating the ConfigMap and the OLMv1 controllers.

      Actual results:

      When a Proxy CA is configured, catalogd and operator controller may be unable to pull images because they may fail to parse /var/trusted-cas/ca-bundle.crt (which is sometimes a directory).

      Expected results:

      Operator controller and catalogd pods always wait to start until the "trusted-ca-bundle" is populated with "ca-bundle.crt", thus ensuring the correct mount type for the CA certs.
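
The failure mode described above, as an added example (not code from OLM or from this issue): a Go startup check that reports a directory at the bundle path as its own error instead of an opaque parse failure. `CheckMount`, `LoadCABundle` and the error names are hypothetical; only the path `/var/trusted-cas/ca-bundle.crt` comes from the report.

```go
package main

import (
	"crypto/x509"
	"errors"
	"fmt"
	"os"
)

// Sentinel errors (hypothetical names) for the two states worth telling apart.
var (
	ErrBundleIsDir = errors.New("CA bundle path is a directory, not a file")
	ErrNoCerts     = errors.New("CA bundle has no parseable PEM certificate")
)

// CheckMount (hypothetical helper) verifies the mount type before any parsing:
// a ConfigMap key that was missing at pod start leaves a directory at this path.
func CheckMount(path string) error {
	info, err := os.Stat(path)
	if err != nil {
		return err
	}
	if info.IsDir() {
		return fmt.Errorf("%s: %w", path, ErrBundleIsDir)
	}
	return nil
}

// LoadCABundle parses the bundle only after the mount type has been checked.
func LoadCABundle(path string) (*x509.CertPool, error) {
	if err := CheckMount(path); err != nil {
		return nil, err
	}
	data, err := os.ReadFile(path)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(data) {
		return nil, fmt.Errorf("%s: %w", path, ErrNoCerts)
	}
	return pool, nil
}

func main() {
	if _, err := LoadCABundle("/var/trusted-cas/ca-bundle.crt"); err != nil {
		fmt.Fprintln(os.Stderr, "CA bundle not usable:", err)
		os.Exit(1)
	}
}
```

This check only reports the condition; per the description above, recovery still requires re-creating the pod after the ConfigMap is populated.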

              jlanford@redhat.com Joe Lanford
              Xia Zhao