Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Major
Fix Version/s: None
Affects Version/s: 4.19.z
Component/s: HyperShift
Labels:
- triaged

Activity Type:
Quality / Stability / Reliability
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Story Points:
None
Severity:
Important
Regression:
None

Target Backport Versions:
None
Target Version:
None
Release Blocker:
None
Sprint:
None

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

PX Impact Score:

Release Note Status:
None
Release Note Type:
None
Release Note Text:
None

Escape Reason:
None
Escape Impact:
None
Corrective Measures:
None
SDLC stage when should've been found:
None

Description of problem:

Reporting this issue as a follow up to OCPBUGS-56896.

When https proxy is configured, nodes can not properly start. The kubelet can't communicate with the KAS and fails:

Jun 03 11:27:43 ip-10-0-129-15 kubenswrapper[2436]: E0603 11:27:43.168986    2436 kubelet_node_status.go:110] "Unable to register node with API server" err="Post \"https://a7ff164001b37429e89c0fdc1432452a-cfabcbf764fb12be.elb.us-east-1.amazonaws.com:6443/api/v1/nodes\": proxyconnect tcp: tls: failed to verify certificate: x509: certificate signed by unknown authority" node="ip-10-0-129-15.ec2.internal"

Version-Release number of selected component (if applicable):

    4.19

How reproducible:

    Always

Steps to Reproduce:

    1. Start a hosted cluster with --enable-secure-proxy option:
  
hypershift create cluster aws \
    --name=${CLUSTER_NAME} \
    --namespace=${NAMESPACE} \
    --node-pool-replicas=${REPLICAS} \
    --base-domain=${BASE_DOMAIN} \
    --endpoint-access=${ENDPOINT_ACCESS} \
    --region=${REGION} \
    --pull-secret=${PULL_SECRET} \
    --release-image=${RELEASE_IMAGE} \
    --generate-ssh \
    --aws-creds=${AWS_CREDS} \
    --enable-secure-proxy

Actual results:

The HostedCluster then has this config:

spec:
  configuration:
    proxy:
      httpProxy: http://10.0.132.128:3128
      httpsProxy: https://10.0.132.128:3128
      trustedCA:
        name: hc1-proxy-ca

There are no nodes and the NodePool reports this status:

    - lastTransitionTime: "2025-06-03T11:21:03Z"
      message: Minimum availability requires 5 replicas, current 0 available
      observedGeneration: 1
      reason: WaitingForAvailableMachines
      status: "False"
      type: Ready

Expected results:

    The hosted cluster properly starts

Additional info:

More information in comments on OCPBUGS-56896

relates to

OCPBUGS-44439 When creating a cluster with KubeVirt virtual machines as nodes on a bare metal cluster using Hosted Control Plane in an environment that requires a proxy certificate, the NodePool fails to be created.

ASSIGNED

OCPBUGS-56896 ignition config doesn't include the proxy trusted CA for hosted cluter's proxy

Closed

Assignee:: Ahmed Abdalla Abdelrehim

Reporter:: Martin Gencur

Need Info From:: None

Contributors:: None

QA Contact:: Martin Gencur

Doc Contact:: None

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 2025/06/04 12:21 PM

Updated:: 2025/07/12 1:21 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates

Hide