Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unable to Register New Nodes in HostedCluster When Adding API Server Certificate #3985

Open
alfredtm opened this issue May 5, 2024 · 11 comments
Open

Unable to Register New Nodes in HostedCluster When Adding API Server Certificate #3985

alfredtm opened this issue May 5, 2024 · 11 comments
Assignees
@jparrill
Labels
lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale.

Comments

@alfredtm
Copy link

alfredtm commented May 5, 2024
edited
Loading

Hello! When adding API server certificate to the HostedCluster

apiVersion: hypershift.openshift.io/v1beta1
kind: HostedCluster
metadata:
  name: test
  namespace: test
spec:
  configuration:
    apiServer:
      servingCerts:
        namedCertificates:
        - servingCertificate:
            name: tls-secret

The bootstrap-kubeconfig is no longer trusted

Unable to connect to the server: tls: failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "root-ca")

This seems to be a issue when adding new nodes (using kubevirt) to the cluster. They dont register/show up on the HostedCluster.

When not adding certificate to the apiServer the nodes register fine.
@alfredtm
Copy link
Author

alfredtm commented May 7, 2024

I resolved this by setting servicePublishingStrategy.loadBalancer.hostname to the apiServer's internal service URL.

The certificate-authority-data in bootstrap-kubeconfig is then trusted.

@alfredtm alfredtm closed this as completed May 7, 2024
@alfredtm
Copy link
Author

alfredtm commented May 14, 2024
edited
Loading

Reopening this issue
We are experiencing issues using the apiserver internal service url at a later stage in our deployment.

Ideally we would like to use the external apiserver fqdn in servicePublishingStrategy.loadBalancer.hostname. But adding apiserver certificate the bootstrap-kubeconfig is no longer trusted.

Is there any way to modify the bootstrap-kubeconfig?

I also found this issue that seems to be the same issue I am experiencing
https://issues.redhat.com/browse/OCPBUGS-19067

@alfredtm alfredtm reopened this May 14, 2024
@KiqoCode
Copy link

We have the same issue..

@omlet05
Copy link

omlet05 commented Jul 4, 2024

Same issue here, does anyone solved it?

@jparrill
Copy link
Contributor

jparrill commented Sep 11, 2024
edited
Loading

Hey @alfredtm @KiqoCode @omlet05 Is this a day-2 action?

@omlet05
Copy link

omlet05 commented Sep 11, 2024

@jparrill Same with a brand new cluster or an update to an existing one.

@alfredtm
Copy link
Author

@jparrill This happens with newly created clusters. And existing clusters when adding APIServerCertificate at a later stage.

@jparrill
Copy link
Contributor

Thanks for the info folks, that really helped. I will try to take a look to the issue.

@jparrill
Copy link
Contributor

/assign @jparrill

@KiqoCode
Copy link

KiqoCode commented Sep 12, 2024
edited
Loading

Hello,

There is an open Jira with Redhat now I know which is planned to be fixed in 4.18 I think.
For now it seems custom API Certificate is not supported on HostedCluster.
Documentation have also been updated I know:
https://docs.openshift.com/container-platform/4.16/security/certificates/api-server.html

"In hosted control plane clusters, you cannot replace self-signed certificates from the API."

@openshift-bot
Copy link

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

@openshift-ci openshift-ci bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Dec 12, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jparrill jparrill

Labels
lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@jparrill @omlet05 @openshift-bot @KiqoCode @alfredtm