- Bug
- Resolution: Done
- Major
- rhos-18.0.0
- glance-operator-bundle-container-1.0.0-44
- Moderate
Setting any non-zero value to OpenStackControlPlane.spec.glance.quotas fields results in certificate errors in the glance-operator logs and Glance will not be Ready.
- lastTransitionTime: "2024-05-06T10:32:42Z"
  message: 'GlanceAPI error occured Get "https://keystone-public-openstack.apps-crc.testing/": tls: failed to verify certificate: x509: certificate signed by unknown authority'
  reason: Error
  severity: Warning
  status: "False"
  type: Ready
2024-05-06T10:32:42Z INFO glance-resource default {"name": "glance"}
2024-05-06T10:32:42Z INFO glance-resource validate update {"diff": " &v1beta1.Glance{\n \tTypeMeta: {Kind: \"Glance\", APIVersion: \"glance.openstack.org/v1beta1\"},\n \tObjectMeta: v1.ObjectMeta{\n \t\t... // 4 identical fields\n \t\tUID: \"f222521b-d420-4615-9030-8ce1bfb65766\",\n \t\tResourceVersion: \"57225\",\n- \t\tGeneration: 2,\n+ \t\tGeneration: 3,\n \t\tCreationTimestamp: {Time: s\"2024-05-06 10:09:39 +0000 UTC\"},\n \t\tDeletionTimestamp: nil,\n \t\t... // 3 identical fields\n \t\tOwnerReferences: {{APIVersion: \"core.openstack.org/v1beta1\", Kind: \"OpenStackControlPlane\", Name: \"openstack-galera-network-isolation\", UID: \"0f30d393-8737-40c9-a822-341d251008d2\", ...}},\n \t\tFinalizers: {\"Glance\"},\n \t\tManagedFields: []v1.ManagedFieldsEntry{\n- \t\t\t{\n- \t\t\t\tManager: \"manager\",\n- \t\t\t\tOperation: \"Update\",\n- \t\t\t\tAPIVersion: \"glance.openstack.org/v1beta1\",\n- \t\t\t\tTime: s\"2024-05-06 10:11:20 +0000 UTC\",\n- \t\t\t\tFieldsType: \"FieldsV1\",\n- \t\t\t\tFieldsV1: s`{\"f:metadata\":{\"f:finalizers\":{\".\":{},\"v:\\\"Glance\\\"\":{}},\"f:ownerReferences\":{\".\":{},\"k:{\\\"uid\\\":\\\"0f30d393-8737-40c9-a822-341d2`...,\n- \t\t\t},\n \t\t\t{Manager: \"manager\", Operation: \"Update\", APIVersion: \"glance.openstack.org/v1beta1\", Time: s\"2024-05-06 10:12:15 +0000 UTC\", ...},\n+ \t\t\t{\n+ \t\t\t\tManager: \"manager\",\n+ \t\t\t\tOperation: \"Update\",\n+ \t\t\t\tAPIVersion: \"glance.openstack.org/v1beta1\",\n+ \t\t\t\tTime: s\"2024-05-06 10:32:42 +0000 UTC\",\n+ \t\t\t\tFieldsType: \"FieldsV1\",\n+ \t\t\t\tFieldsV1: s`{\"f:metadata\":{\"f:finalizers\":{\".\":{},\"v:\\\"Glance\\\"\":{}},\"f:ownerReferences\":{\".\":{},\"k:{\\\"uid\\\":\\\"0f30d393-8737-40c9-a822-341d2`...,\n+ \t\t\t},\n \t\t},\n \t},\n \tSpec: v1beta1.GlanceSpec{\n \t\tContainerImage: \"quay.io/podified-antelope-centos9/openstack-glance-api@sha256:58\"...,\n \t\tGlanceSpecCore: v1beta1.GlanceSpecCore{\n \t\t\t... // 12 identical fields\n \t\t\tGlanceAPIs: {\"default\": {Replicas: &1, ContainerImage: \"quay.io/podified-antelope-centos9/openstack-glance-api@sha256:58\"..., NetworkAttachments: {\"storage\"}, Override: {Service: {\"internal\": {OverrideSpec: {EmbeddedLabelsAnnotations: &{Labels: {\"osctlplane\": \"\", \"osctlplane-service\": \"glance\", \"tlGlanceAPI\": \"glance-default-single\"}, Annotations: {\"metallb.universe.tf/address-pool\": \"internalapi\", \"metallb.universe.tf/allow-shared-ip\": \"internalapi\", \"metallb.universe.tf/loadBalancerIPs\": \"172.17.0.80\"}}, Spec: &{Type: \"LoadBalancer\"}}}, \"public\": {OverrideSpec: {EmbeddedLabelsAnnotations: &{Labels: {\"osctlplane\": \"\", \"osctlplane-service\": \"glance\", \"tlGlanceAPI\": \"glance-default-single\"}}}, EndpointURL: &\"https://glance-default-public-openstack.apps-crc.testing\"}}}, ...}},\n \t\t\tExtraMounts: nil,\n \t\t\tQuotas: v1beta1.QuotaLimits{\n \t\t\t\tImageSizeTotal: 0,\n \t\t\t\tImageStageTotal: 0,\n- \t\t\t\tImageCountTotal: 0,\n+ \t\t\t\tImageCountTotal: 15,\n \t\t\t\tImageCountUpload: 0,\n \t\t\t},\n \t\t\tImageCache: {},\n \t\t\tKeystoneEndpoint: \"default\",\n \t\t\tDBPurge: {Age: 30, Schedule: \"1 0 * * *\"},\n \t\t},\n \t},\n \tStatus: {Hash: {\"dbsync\": \"n59fh87h5bh568h69h64dh5fbh5d9h79h64ch546h564h65hddhf5h569h67dh5d\"...}, APIEndpoints: {\"default-internal\": \"https://glance-default-internal.openstack.svc:9292\", \"default-public\": \"https://glance-default-public-openstack.apps-crc.testing\"}, ServiceID: \"3673354dff274135b7196400716a0376\", Conditions: {{Type: \"Ready\", Status: \"True\", LastTransitionTime: {Time: s\"2024-05-06 10:12:15 +0000 UTC\"}, Reason: \"Ready\", ...}, {Type: \"CronJobReady\", Status: \"True\", LastTransitionTime: {Time: s\"2024-05-06 10:10:57 +0000 UTC\"}, Reason: \"Ready\", ...}, {Type: \"DBReady\", Status: \"True\", LastTransitionTime: {Time: s\"2024-05-06 10:10:35 +0000 UTC\"}, Reason: \"Ready\", ...}, {Type: \"DBSyncReady\", Status: \"True\", LastTransitionTime: {Time: s\"2024-05-06 10:10:57 +0000 UTC\"}, Reason: \"Ready\", ...}, ...}, ...},\n }\n"}
2024-05-06T10:32:42Z INFO controllers.Glance Reconciling Service 'glance'
2024-05-06T10:32:42Z INFO controllers.Glance Successfully ensured MariaDBAccount glance exists; database username is glance_de5e {"ObjectType": "*v1beta1.MariaDBAccount", "ObjectNamespace": "openstack", "ObjectName": "glance"}
2024-05-06T10:32:42Z INFO controllers.Glance Applied new databasehostname openstack.openstack.svc to MariaDBDatabase glance
2024-05-06T10:32:42Z INFO controllers.Glance Reconciling Service 'glance' init
2024-05-06T10:32:42Z INFO controllers.Glance Reconciled Service 'glance' init successfully
2024-05-06T10:32:42Z ERROR Reconciler error {"controller": "glance", "controllerGroup": "glance.openstack.org", "controllerKind": "Glance", "Glance": {"name":"glance","namespace":"openstack"}, "namespace": "openstack", "name": "glance", "reconcileID": "d8220468-0183-4a94-b91d-4535f5ac892a", "error": "Get \"https://keystone-public-openstack.apps-crc.testing/\": tls: failed to verify certificate: x509: certificate signed by unknown authority"}
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler
	/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.5/pkg/internal/controller/controller.go:329
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
	/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.5/pkg/internal/controller/controller.go:266
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2
	/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.5/pkg/internal/controller/controller.go:227
I guess this is broken since we enabled TLS. Based on the keystone code, we need to pass tlsconfig to the client: https://github.com/openstack-k8s-operators/keystone-operator/blob/7e1e3b111ee9f16b5354d3b7c923267d36228842/api/v1beta1/keystoneapi.go#L143
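The x509 failure in the log, reproduced at the HTTP client level as an added Go example (standard library only, not code from glance-operator or keystone-operator): a client whose trust store lacks the private CA fails verification, while the same request with the CA in `tls.Config.RootCAs` succeeds. The names `probe`, `isUnknownCA` and `demo` are hypothetical, and the endpoint is a local test server with a constructed certificate standing in for the Keystone route.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// probe issues one GET against url and verifies the server certificate
// against roots only. Verification is never disabled.
func probe(url string, roots *x509.CertPool) error {
	client := &http.Client{Transport: &http.Transport{
		TLSClientConfig:   &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12},
		DisableKeepAlives: true, // one-shot probe, no pooled connections
	}}
	resp, err := client.Get(url)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// isUnknownCA reports whether err wraps the x509 "unknown authority" failure.
func isUnknownCA(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// demo starts a constructed HTTPS endpoint signed by a private certificate and
// probes it twice: with an empty pool (a trust store that lacks the private CA)
// and with a pool that contains the endpoint's certificate.
func demo() (withoutCA, withCA error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	defer srv.Close()

	trusted := x509.NewCertPool()
	trusted.AddCert(srv.Certificate())
	return probe(srv.URL, x509.NewCertPool()), probe(srv.URL, trusted)
}

func main() {
	withoutCA, withCA := demo()
	fmt.Println("CA missing:", withoutCA, "| unknown authority:", isUnknownCA(withoutCA))
	fmt.Println("CA present:", withCA)
}
```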
- is depended on by: OSPRH-1373 Enable Unified Keystone Quotas support in Glance operator (Closed)
- relates to: OSPRH-6259 Cleaning services fails when internal TLS is enabled (Closed)