On Sat, Dec 14, 2019 at 3:31 AM Joel Pearson <japear...@agiledigital.com.au> wrote:
> I think there is one last thing that is worth trying...
>
> On Sat, 14 Dec 2019 at 18:56, Dale Bewley <d...@bewley.net> wrote:
>
>> Thanks for the tips, Joel, but no luck so far with
>> 4.3.0-0.nightly-2019-12-13-180405.
>>
>
> It's possible you might be able to fix it by modifying the
> machine-api-controllers deployment to mount in the ssl certificates from
> the host.
>

If I touched (mounted within) `/etc/pki` it resulted in a permissions denial when the cert bundle was referenced, so I tried `/tmp/pki`.

$ oc create secret generic my-ca-bundle --from-file=ca-bundle.crt -n openshift-machine-api
$ oc set volume deployment machine-api-controllers -c machine-controller -n openshift-machine-api --add --mount-path=/tmp/pki -t secret --name=my-ca-bundle --secret-name=my-ca-bundle --overwrite

Curl within the container was satisfied when I pointed SSL_CERT_DIR to /tmp/pki.

sh-4.2$ SSL_CERT_DIR=/tmp/pki curl -I https://openstack.domain.com:13000
HTTP/1.1 300 Multiple Choices
Date: Mon, 16 Dec 2019 03:00:02 GMT
Server: Apache
Vary: X-Auth-Token
Content-Length: 617
Content-Type: application/json

For some reason though, I could not get the deployment to define the env variable in the machine-controller container, so this isn't yet a workaround.

$ oc set env deployment machine-api-controllers -c machine-controller -n openshift-machine-api SSL_CERT_DIR=/tmp/pki
deployment.extensions/machine-api-controllers updated
$ oc rsh -n openshift-machine-api -c machine-controller $(oc get pod -n openshift-machine-api -l k8s-app=controller -o name) env | grep SSL

> I had to do something like this for the cluster version operator, because
> it was failing due to my MITM proxy. Which I had to solve by ensuring the
> CA certificate of the proxy was available in the container, which I believe
> is a fairly similar situation to what you have.
> https://bugzilla.redhat.com/show_bug.cgi?id=1773419
>
> Failing that, are you able to configure your openstack cluster to use real
> SSL certs from letsencrypt or something like that? I ended up doing that
> for my openstack cluster, as I found it was hard to make sure that anything
> talking to openstack had my CA certificate. It was just simpler to have a
> real SSL cert.
>

I hear what you are saying, but our enterprise CA is pretty real, and OCP is an enterprise product. :)
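Added example, not from this thread or from the OpenShift project: a small check that reads a Deployment (as `oc get deployment -o json` would print it) and reports whether the CA secret is declared as a volume, mounted at the expected path in the target container, and referenced by SSL_CERT_DIR, so the "mount present, env var missing" state described above shows up as a finding instead of a silent TLS failure. The deployment JSON is a constructed, trimmed sample using the names from the thread; the functions, messages and the `with_env` helper are assumptions of this example.

```python
import copy
import json

# Constructed sample: a trimmed Deployment in the shape `oc get deployment -o json`
# prints. Names follow the thread; the missing SSL_CERT_DIR entry reproduces the
# state seen above (mount present, env var absent).
SAMPLE_DEPLOYMENT = json.loads("""
{"metadata": {"name": "machine-api-controllers", "namespace": "openshift-machine-api"},
 "spec": {"template": {"spec": {
   "volumes": [{"name": "my-ca-bundle", "secret": {"secretName": "my-ca-bundle"}}],
   "containers": [
     {"name": "controller-manager", "env": []},
     {"name": "machine-controller",
      "env": [{"name": "NODE_NAME", "valueFrom": {"fieldRef": {"fieldPath": "spec.nodeName"}}}],
      "volumeMounts": [{"name": "my-ca-bundle", "mountPath": "/tmp/pki"}]}]}}}}
""")

def check_ca_wiring(deployment, container, secret, mount_path, env_var="SSL_CERT_DIR"):
    """Return findings (empty list == the CA bundle is fully wired into CONTAINER)."""
    findings = []
    pod_spec = deployment["spec"]["template"]["spec"]
    # 1. The secret must be declared as a pod-level volume.
    vol = next((v for v in pod_spec.get("volumes", [])
                if v.get("secret", {}).get("secretName") == secret), None)
    if vol is None:
        findings.append(f"no volume backed by secret {secret!r}")
    ctr = next((c for c in pod_spec["containers"] if c["name"] == container), None)
    if ctr is None:
        return findings + [f"container {container!r} not found"]
    # 2. That volume must be mounted at mount_path in the target container.
    mounts = {m["mountPath"]: m["name"] for m in ctr.get("volumeMounts", [])}
    if vol is None or mounts.get(mount_path) != vol["name"]:
        findings.append(f"{container}: {mount_path} is not a mount of secret {secret!r}")
    # 3. The TLS library must be told to look there (the step that did not stick above).
    env = {e["name"]: e.get("value") for e in ctr.get("env", [])}
    if env_var not in env:
        findings.append(f"{container}: {env_var} not set")
    elif env[env_var] != mount_path:
        findings.append(f"{container}: {env_var}={env[env_var]!r} does not match {mount_path!r}")
    return findings

def with_env(deployment, container, name, value):
    """Copy of DEPLOYMENT with NAME=VALUE on CONTAINER, i.e. the state `oc set env` should leave."""
    d = copy.deepcopy(deployment)
    for c in d["spec"]["template"]["spec"]["containers"]:
        if c["name"] == container:
            c["env"] = [e for e in c.get("env", []) if e["name"] != name] + [{"name": name, "value": value}]
    return d
```

Run `check_ca_wiring(SAMPLE_DEPLOYMENT, "machine-controller", "my-ca-bundle", "/tmp/pki")` to see the single missing-env finding; the check only verifies wiring, not the contents of the bundle itself.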
_______________________________________________
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users