
USHIFT-27: service-ca does not work when run the rook operator with TLS object store

Open yuvalif opened this issue 3 years ago • 9 comments

What happened:

I'm following the instructions from here to install the rook operator on MicroShift.

No need to follow the entire README, just the part that installs MicroShift and rook.

After setting the object store to use TLS, I'm trying to create a bucket. However, this is failing, and the rook operator (that tries to connect to the RADOS Gateway over TLS) emits the following error:

x509: certificate signed by unknown authority (possibly because of "x509: invalid signature: parent certificate cannot sign this kind of certificate" while trying to verify candidate authority certificate "service-ca")

What you expected to happen:

The bucket would be created.

How to reproduce it (as minimally and precisely as possible):

see above

Anything else we need to know?:

Environment:

  • Microshift version (use microshift version):
MicroShift Version: 4.8.0-0.microshift-2022-03-11-124751
Base OKD Version: 4.8.0-0.okd-2021-10-10-030117
  • Hardware configuration:
  • OS (e.g: cat /etc/os-release): Fedora35
  • Kernel (e.g. uname -a): Linux my-vm 5.16.18-200.fc35.x86_64 #1 SMP PREEMPT Mon Mar 28 14:10:07 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
  • Others:
 lsblk
NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINTS
sda      8:0    0   30G  0 disk 
├─sda1   8:1    0    1M  0 part 
├─sda2   8:2    0    1G  0 part /boot
└─sda3   8:3    0   29G  0 part /var/lib/containers/storage/overlay
                                /
sdb      8:16   0   30G  0 disk 
nbd0    43:0    0    0B  0 disk 
nbd1    43:32   0    0B  0 disk 
nbd2    43:64   0    0B  0 disk 
nbd3    43:96   0    0B  0 disk 
nbd4    43:128  0    0B  0 disk 
nbd5    43:160  0    0B  0 disk 
nbd6    43:192  0    0B  0 disk 
nbd7    43:224  0    0B  0 disk 
zram0  252:0    0  7.8G  0 disk [SWAP]
nbd8    43:256  0    0B  0 disk 
nbd9    43:288  0    0B  0 disk 
nbd10   43:320  0    0B  0 disk 
nbd11   43:352  0    0B  0 disk 
nbd12   43:384  0    0B  0 disk 
nbd13   43:416  0    0B  0 disk 
nbd14   43:448  0    0B  0 disk 
nbd15   43:480  0    0B  0 disk 

Relevant Logs

see above

yuvalif avatar Apr 14 '22 15:04 yuvalif

The service-ca certificate, created here by calling this function, doesn't have IsCA: true; that looks like the problem.

# openssl x509 -in  /var/lib/microshift/resources/service-ca/secrets/service-ca/tls.crt -text -noout  |grep CA
                CA:FALSE

rootfs avatar Apr 14 '22 16:04 rootfs
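An added example, not code from this thread or from MicroShift, that reproduces the point @rootfs makes in plain Go: a self-signed signer issued without IsCA: true (so its BasicConstraints extension reads CA:FALSE, as the openssl output shows) is rejected by Go's chain verifier with exactly the error quoted in the report, while the same signer with the flag set validates. The signer and server names are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issueAndVerify builds a constructed stand-in for the service-ca signer, with or without the
// BasicConstraints cA flag, issues one server cert from it and verifies it as a Go TLS client would.
func issueAndVerify(withIsCA bool) (*x509.Certificate, error) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader) // the server's private key is not needed here
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "service-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  withIsCA, // false reproduces the "CA:FALSE" that openssl printed above
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey)
	if err != nil {
		return nil, err
	}
	caCert, _ := x509.ParseCertificate(caDER)
	leafTmpl := &x509.Certificate{ // constructed server name, not taken from the issue
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "rgw.example.svc"},
		NotBefore: caTmpl.NotBefore, NotAfter: caTmpl.NotAfter,
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, leafPub, caKey)
	if err != nil {
		return caCert, err
	}
	leaf, _ := x509.ParseCertificate(leafDER)
	pool := x509.NewCertPool() // the client trusts only the service-ca, as the operator does
	pool.AddCert(caCert)
	_, err = leaf.Verify(x509.VerifyOptions{Roots: pool})
	return caCert, err
}

func main() {
	for _, flag := range []bool{false, true} {
		_, err := issueAndVerify(flag)
		fmt.Printf("IsCA=%v -> verify error: %v\n", flag, err)
	}
}
```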

Thanks for the hint @rootfs

mangelajo avatar Apr 21 '22 12:04 mangelajo

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close. Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

openshift-bot avatar Jul 20 '22 13:07 openshift-bot

any update on this? any estimation?

yuvalif avatar Jul 20 '22 13:07 yuvalif

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten. Rotten issues close after an additional 30d of inactivity. Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten /remove-lifecycle stale

openshift-bot avatar Aug 20 '22 00:08 openshift-bot

@mangelajo are there any plans around this issue?

yuvalif avatar Aug 21 '22 07:08 yuvalif

Hey @yuvalif , this demo is highly tied to the kubevirt-hostpath-provisioner storage backend that was used by MicroShift in the past. Now, we ship TopoLVM, a new CSI driver.

Could you please update the instructions to try to reproduce this issue?

Thanks in advance.

oglok avatar Aug 25 '22 10:08 oglok

/retitle USHIFT-27: service-ca does not work when run the rook operator with TLS object store

ggiguash avatar Aug 28 '22 12:08 ggiguash

Hey @yuvalif , this demo is highly tied to the kubevirt-hostpath-provisioner storage backend that was used by MicroShift in the past. Now, we ship TopoLVM, a new CSI driver.

Could you please update the instructions to try to reproduce this issue?

Thanks in advance.

@oglok thanks. I will try the new version, but I don't think it is related. Everything on the storage front is working with the existing version. It is only the HTTPS calls that were failing due to certificate issues.

yuvalif avatar Sep 08 '22 10:09 yuvalif

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen. Mark the issue as fresh by commenting /remove-lifecycle rotten. Exclude this issue from closing again by commenting /lifecycle frozen.

/close

openshift-bot avatar Oct 09 '22 00:10 openshift-bot

@openshift-bot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen. Mark the issue as fresh by commenting /remove-lifecycle rotten. Exclude this issue from closing again by commenting /lifecycle frozen.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

openshift-ci[bot] avatar Oct 09 '22 00:10 openshift-ci[bot]