On Mon, 16 Dec 2019 at 14:41, Dale Bewley <d...@bewley.net> wrote:

>
>
> On Sat, Dec 14, 2019 at 3:31 AM Joel Pearson <
> japear...@agiledigital.com.au> wrote:
>
>> I think there is one last thing that is worth trying...
>>
>> On Sat, 14 Dec 2019 at 18:56, Dale Bewley <d...@bewley.net> wrote:
>>
>>> Thanks for the tips, Joel, but no luck so far with
>>> 4.3.0-0.nightly-2019-12-13-180405.
>>>
>>>
>> It's possible you might be able to fix it by modifying the
>> machine-api-controllers deployment to mount in the ssl certificates from
>> the host.
>>
>
> If I touched (mounted within) `/etc/pki` it resulted in a permissions
> denial when the cert bundle was referenced, so I tried `/tmp/pki`.
>

When you say touched, do you mean
"touch /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt"?

You shouldn't have write access inside the container, but the ca
bundle should already have the correct CA certificates. I can go to any
worker or master and have a look inside
"/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt" and I see my
extra CAs up the top of that file. Some operator makes sure that the ca
bundle is correct on the masters and worker nodes, so it should be safe to
just mount /etc/pki (and /etc/ssl/certs) straight from the host.


>
> $ oc create secret generic my-ca-bundle --from-file=ca-bundle.crt -n
> openshift-machine-api
> $ oc set volume deployment machine-api-controllers -c machine-controller
> -n openshift-machine-api --add --mount-path=/tmp/pki -t secret
> --name=my-ca-bundle --secret-name=my-ca-bundle --overwrite
>
> Curl within the container was satisfied when I point SSL_CERT_DIR to
> /tmp/pki.
>
> sh-4.2$ SSL_CERT_DIR=/tmp/pki curl -I https://openstack.domain.com:13000
> HTTP/1.1 300 Multiple Choices
> Date: Mon, 16 Dec 2019 03:00:02 GMT
> Server: Apache
> Vary: X-Auth-Token
> Content-Length: 617
> Content-Type: application/json
>
> For some reason though, I could not get the deployment to define the env
> variable in the machine-controller container, so this isn't yet a workaround.
>
> $ oc set env deployment machine-api-controllers -c machine-controller -n
> openshift-machine-api SSL_CERT_DIR=/tmp/pki
> deployment.extensions/machine-api-controllers updated
> $ oc rsh -n openshift-machine-api -c machine-controller $(oc get pod -n
> openshift-machine-api -l k8s-app=controller -o name) env | grep SSL
>
>
>
>> I had to do something like this for the cluster version operator, because
>> it was failing due to my MITM proxy. Which I had to solve by ensuring the
>> CA certificate of the proxy was available in the container, which I believe
>> is a fairly similar situation to what you have.
>> https://bugzilla.redhat.com/show_bug.cgi?id=1773419
>>
>> Failing that, are you able to configure your openstack cluster to use
>> real SSL certs from letsencrypt or something like that? I ended up doing
>> that for my openstack cluster, as I found it was hard to make sure that
>> anything talking to openstack had my CA certificate. It was just simpler to
>> have a real SSL cert.
>>
>>
> I hear what you are saying, but our enterprise CA is pretty real, and OCP
> is an enterprise product. :)
>
>
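As an added example (not code from the thread), a stdlib-only Python check of the point above that the host's ca-bundle.trust.crt should already carry the extra CAs: it fingerprints every certificate in a PEM bundle, stripping the trust aux data that OpenSSL "TRUSTED CERTIFICATE" blocks append after the certificate DER, and reports whether a given CA is among them. The certificates and bundle below are constructed stand-ins, not real certificates.

```python
"""Check whether a CA certificate is present in a PEM trust bundle (stdlib only).
Handles plain "CERTIFICATE" and OpenSSL "TRUSTED CERTIFICATE" blocks (the format of
ca-bundle.trust.crt), where trust aux data follows the certificate DER and must be
dropped before fingerprinting, or the fingerprint will never match."""
import base64
import hashlib
import re

PEM_BLOCK = re.compile(r"-----BEGIN (TRUSTED )?CERTIFICATE-----\s*(.*?)\s*"
                       r"-----END (TRUSTED )?CERTIFICATE-----", re.S)

def der_sequence_len(der: bytes) -> int:
    """Byte length of the leading DER SEQUENCE (tag + length + content)."""
    if not der or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                  # short-form length
        return 2 + first
    n = first & 0x7F                  # long-form: n length bytes follow
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def bundle_fingerprints(pem_text: str) -> list:
    """SHA-256 hex fingerprints of every certificate in a PEM bundle."""
    fps = []
    for _, body, _ in PEM_BLOCK.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        cert_der = der[:der_sequence_len(der)]  # drops trailing trust aux data
        fps.append(hashlib.sha256(cert_der).hexdigest())
    return fps

def ca_in_bundle(ca_pem: str, bundle_pem: str) -> bool:
    """True if the single certificate in ca_pem appears in bundle_pem."""
    fps = bundle_fingerprints(ca_pem)
    if len(fps) != 1:
        raise ValueError("ca_pem must contain exactly one certificate")
    return fps[0] in set(bundle_fingerprints(bundle_pem))

def _pem(label: str, der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

# Constructed stand-ins: minimal DER SEQUENCEs, not real certificates.
ENTERPRISE_CA_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
OTHER_CA_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x02])
TRUST_AUX = bytes([0x30, 0x00])  # stand-in for OpenSSL's appended trust aux data
ENTERPRISE_CA_PEM = _pem("CERTIFICATE", ENTERPRISE_CA_DER)
HOST_BUNDLE_PEM = (_pem("TRUSTED CERTIFICATE", ENTERPRISE_CA_DER + TRUST_AUX)
                   + _pem("TRUSTED CERTIFICATE", OTHER_CA_DER + TRUST_AUX))
```

On a node, pass the contents of your CA file and of /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt to `ca_in_bundle` to confirm the enterprise CA is really in the host bundle before mounting it into a pod.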
_______________________________________________
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users