When I say touched, I mean I mounted /etc/pki and /etc/ssl/certs from the host into the container.

$ oc set volume deployment machine-api-controllers -c machine-controller -n openshift-machine-api --add -t hostPath --path=/etc/pki --mount-path=/etc/pki --name=host-pki --overwrite
$ oc set volume deployment machine-api-controllers -c machine-controller -n openshift-machine-api --add -t hostPath --path=/etc/ssl/certs --mount-path=/etc/ssl/certs --name=host-certs --overwrite
$ oc rsh -n openshift-machine-api -c machine-controller $(oc get pod -n openshift-machine-api -l k8s-app=controller -o name)
sh-4.2$ df /etc/pki
Filesystem                   1K-blocks     Used Available Use% Mounted on
/dev/mapper/coreos-luks-root  25662444 11717480  13944964  46% /etc/pki
sh-4.2$ id
uid=65534(65534) gid=0(root) groups=0(root)
sh-4.2$ ls /etc/pki
ls: cannot open directory /etc/pki: Permission denied
sh-4.2$ ls -ld /etc/pki
drwxr-xr-x. 6 root root 81 Dec 14 07:17 /etc/pki
sh-4.2$ curl https://openstack.domain.com:13000
curl: (77) Problem with the SSL CA cert (path? access rights?)

On Sun, Dec 15, 2019 at 7:52 PM Joel Pearson <japear...@agiledigital.com.au> wrote:
>
> On Mon, 16 Dec 2019 at 14:41, Dale Bewley <d...@bewley.net> wrote:
>>
>> On Sat, Dec 14, 2019 at 3:31 AM Joel Pearson <japear...@agiledigital.com.au> wrote:
>>>
>>> I think there is one last thing that is worth trying...
>>>
>>> On Sat, 14 Dec 2019 at 18:56, Dale Bewley <d...@bewley.net> wrote:
>>>>
>>>> Thanks for the tips, Joel, but no luck so far with
>>>> 4.3.0-0.nightly-2019-12-13-180405.
>>>>
>>> It's possible you might be able to fix it by modifying the
>>> machine-api-controllers deployment to mount in the ssl certificates from
>>> the host.
>>>
>> If I touched (mounted within) `/etc/pki` it resulted in a permissions
>> denial when the cert bundle was referenced, so I tried `/tmp/pki`.
>>
> When you say touched, do you mean
> "touch /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt"?
>
> You shouldn't have write access inside the container, but the ca
> bundle should already have the correct CA certificates. I can go to any
> worker or master and have a look inside
> "/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt" and I see my
> extra CAs up the top of that file. Some operator makes sure that the ca
> bundle is correct on the masters and worker nodes, so it should be safe to
> just mount /etc/pki (and /etc/ssl/certs) straight from the host.
>
>> $ oc create secret generic my-ca-bundle --from-file=ca-bundle.crt -n openshift-machine-api
>> $ oc set volume deployment machine-api-controllers -c machine-controller -n openshift-machine-api --add --mount-path=/tmp/pki -t secret --name=my-ca-bundle --secret-name=my-ca-bundle --overwrite
>>
>> Curl within the container was satisfied when I point SSL_CERT_DIR to
>> /tmp/pki.
>>
>> sh-4.2$ SSL_CERT_DIR=/tmp/pki curl -I https://openstack.domain.com:13000
>> HTTP/1.1 300 Multiple Choices
>> Date: Mon, 16 Dec 2019 03:00:02 GMT
>> Server: Apache
>> Vary: X-Auth-Token
>> Content-Length: 617
>> Content-Type: application/json
>>
>> For some reason though, I could not get the deployment to define the env
>> variable in the machine-controller container, so this isn't yet a workaround.
>>
>> $ oc set env deployment machine-api-controllers -c machine-controller -n openshift-machine-api SSL_CERT_DIR=/tmp/pki
>> deployment.extensions/machine-api-controllers updated
>> $ oc rsh -n openshift-machine-api -c machine-controller $(oc get pod -n openshift-machine-api -l k8s-app=controller -o name) env | grep SSL
>>
>>> I had to do something like this for the cluster version operator,
>>> because it was failing due to my MITM proxy. Which I had to solve by
>>> ensuring the CA certificate of the proxy was available in the container,
>>> which I believe is a fairly similar situation to what you have.
>>> https://bugzilla.redhat.com/show_bug.cgi?id=1773419
>>>
>>> Failing that, are you able to configure your openstack cluster to use
>>> real SSL certs from letsencrypt or something like that? I ended up doing
>>> that for my openstack cluster, as I found it was hard to make sure that
>>> anything talking to openstack had my CA certificate. It was just simpler to
>>> have a real SSL cert.
>>>
>> I hear what you are saying, but our enterprise CA is pretty real, and OCP
>> is an enterprise product. :)
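An added example, placed after the thread; it is not part of Dale's or Joel's messages and not OpenShift code. It makes the SSL_CERT_DIR versus SSL_CERT_FILE distinction behind the /tmp/pki step concrete for OpenSSL-based clients: a directory named by SSL_CERT_DIR is searched by subject-hash filenames (the links `openssl rehash` or `c_rehash` create), so a secret mounted as /tmp/pki/ca-bundle.crt is found that way only if the directory has been rehashed, whereas SSL_CERT_FILE takes the bundle path directly. A curl linked against a different TLS library may behave differently and is not covered. The script generates throwaway certificates on the fly; the CA name "Demo Enterprise CA", the hostname openstack.domain.com and the mktemp work directory are assumptions, and it needs OpenSSL 1.1.0 or newer for `rehash` and `-no-CAfile`.

```shell
#!/bin/sh
# Added example, not taken from this thread or from OpenShift. Demonstrates
# how OpenSSL resolves trust through SSL_CERT_DIR (hash-named files only)
# versus SSL_CERT_FILE (a bundle path). All certificates are throwaway ones
# generated on the fly; the CA name and openstack.domain.com are assumed.
set -eu

# make_test_ca DIR: write a self-signed CA (ca.key, ca.crt) into DIR.
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Enterprise CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" >/dev/null 2>&1
}

# make_leaf DIR NAME: issue a server cert for NAME signed by DIR/ca.crt.
make_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/leaf.crt" >/dev/null 2>&1
}

# build_cert_dir BUNDLE DEST: lay BUNDLE out the way SSL_CERT_DIR expects,
# i.e. copy it in and add the <subject-hash>.N symlinks.
build_cert_dir() {
    mkdir -p "$2"
    cp "$1" "$2/enterprise-ca.pem"
    openssl rehash "$2" >/dev/null 2>&1
}

# verify_with_dir DIR CERT: 0 if CERT chains to a CA found through DIR
# (the SSL_CERT_DIR lookup), with the default CA file disabled.
verify_with_dir() {
    openssl verify -no-CAfile -CApath "$1" "$2" >/dev/null 2>&1
}

# verify_with_file BUNDLE CERT: 0 if CERT chains to a CA inside BUNDLE
# (the SSL_CERT_FILE lookup), with the default CA directory disabled.
verify_with_file() {
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# run_demo DIR: generate the material and exercise all three lookups.
# Returns 0 only if each behaves as described in the comments.
run_demo() {
    mkdir -p "$1"
    make_test_ca "$1"
    make_leaf "$1" openstack.domain.com

    # 1. A bundle with a non-hash filename inside the CApath directory is
    #    never consulted, so verification fails.
    mkdir -p "$1/unhashed"
    cp "$1/ca.crt" "$1/unhashed/ca-bundle.crt"
    if verify_with_dir "$1/unhashed" "$1/leaf.crt"; then
        echo "unexpected: bare ca-bundle.crt was found via CApath" >&2
        return 1
    fi
    echo "CApath, bare ca-bundle.crt: not trusted (expected)"

    # 2. The same CA after `openssl rehash` is found through the symlink.
    build_cert_dir "$1/ca.crt" "$1/hashed"
    verify_with_dir "$1/hashed" "$1/leaf.crt" || return 1
    echo "CApath, rehashed directory: trusted"

    # 3. The bundle referenced by path (SSL_CERT_FILE style) works as-is.
    verify_with_file "$1/unhashed/ca-bundle.crt" "$1/leaf.crt" || return 1
    echo "CAfile, ca-bundle.crt:      trusted"
}

if command -v openssl >/dev/null 2>&1; then
    run_demo "${WORK:-$(mktemp -d)}"
else
    echo "openssl not found; nothing to demonstrate" >&2
fi
```

Run it as-is and it prints one line per lookup. To check a real bundle before packing it into the secret, call verify_with_file with that bundle and the server certificate saved from `openssl s_client -showcerts`; if the secret is to be consumed through SSL_CERT_DIR, run `openssl rehash` on the directory first or mount the hashed layout rather than a single file.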
_______________________________________________
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users