OCPBUGS-8296

metrics signer certificate inside openshift-etcd should be copied from the one in openshift-config


    • Type: Bug
    • Resolution: Cannot Reproduce
    • Priority: Undefined
    • Affects Version/s: 4.11.z
    • Component/s: Etcd

      Description of problem:

      
      I have a customer where 
      
      oc -n openshift-config get secret etcd-metric-signer -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -text
      
      differs from:
      
      /etc/kubernetes/static-pod-certs/configmaps/etcd-metrics-proxy-serving-ca/ca-bundle.crt
      
      that is to say, from the output of:
      
      oc get configmaps -n openshift-etcd etcd-metrics-proxy-serving-ca -o jsonpath="{.data.ca-bundle\.crt}" | openssl x509 -noout -text
      
      To illustrate:
      
      the CA client certificate in openshift-etcd is newer:
      
              Issuer: OU = openshift, CN = etcd-metric-signer
              Validity
                  Not Before: Sep 21 08:29:53 2022 GMT
                  Not After : Sep 18 08:29:54 2032 GMT
              Subject: OU = openshift, CN = etcd-metric-signer
              Subject Public Key Info:
      
      than the one in openshift-config:
      
              Issuer: OU = openshift, CN = etcd-metric-signer
              Validity
                  Not Before: Sep 20 18:07:52 2022 GMT
                  Not After : Sep 17 18:07:53 2032 GMT
              Subject: OU = openshift, CN = etcd-metric-signer
      
      This would not be a problem since the certificates are both valid.
      
      Except that the metrics server certificate has been signed not by the CA in openshift-etcd but by the one in openshift-config.
      
      For instance, this request: 
      
      oc exec -n openshift-etcd etcd-master-0 -- curl -vs --cert /etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-metrics-master-0.crt --key /etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-metrics-master-0.key --cacert /etc/kubernetes/static-pod-certs/configmaps/etcd-metrics-proxy-serving-ca/ca-bundle.crt https://localhost:9979
      
      will show:
      
      * TLSv1.2 (OUT), TLS alert, unknown CA (560):
      } [2 bytes data]
      * SSL certificate problem: self signed certificate in certificate chain
      
      Removing the various secrets or configmaps has not helped to regenerate the right certs.
      
      The problem is that Prometheus makes this request to scrape metrics, and it is failing.
      
      Even though we don't know how we got into this situation, which is not frequent, we would need the reconciliation to check the metrics signer and copy the one from openshift-config to openshift-etcd.

      Version-Release number of selected component (if applicable):

      
      

      How reproducible:

      
      

      Steps to Reproduce:

      1.
      2.
      3.
      

      Actual results:

      
      

      Expected results:

      
      

      Additional info:

      
      

              People: Dean West (dwest@redhat.com), German Parente (rhn-support-gparente), Ge Liu