Certificate signed by Custom CA (instead of Openshift CA) is not trusted #1218

Open
mhtgrwl5 opened this issue Sep 20, 2023 · 0 comments

Environment info

  • NooBaa Operator Version: 5.13.2
  • Platform: OpenShift 4.12

Actual behavior

  1. There is no way to inject a custom CA that is known to the operator.
  2. As per discussion, there are various ways to pass the CA certificate. The CAs are part of a custom secret and are mounted into the resources. But I found no way to tell noobaa-operator that the CA certificate to be utilised has to come from /<some-location>/ca.crt
  3. However, I validated non-SSL connectivity. It is working fine.

Expected behavior

  1. The operator should allow using a custom CA as well as a certificate, as per the doc - https://github.com/noobaa/noobaa-operator/blob/master/doc/ssl-dns-routing.md
  2. The operator should be smart enough about the CA to be utilised.

Steps to reproduce

  1. Create a certificate for each of the two services, mgmt and s3, without using the OpenShift CA.
  2. Follow the rest of the instructions from here - https://github.com/noobaa/noobaa-operator/blob/master/doc/ssl-dns-routing.md
  3. Create the noobaa deployment.

More information - Screenshots / Logs / Other output

noobaa-endpoint logs

Sep-13 8:20:12.994 [Endpoint/13]    [L0] core.server.bg_services.namespace_monitor:: namespace_monitor: system_store did not finish initial load
Sep-13 8:20:14.662 [Endpoint/13]    [L0] core.rpc.rpc_base_conn:: RPC CONNECTION CLOSED. got event from connection: wss://noobaa-mgmt.staging.svc:443(eehmsxr.zzts) Error: unable to verify the first certificate
    at TLSSocket.onConnectSecure (node:_tls_wrap:1538:34)
    at TLSSocket.emit (node:events:513:28)
    at TLSSocket.emit (node:domain:489:12)
    at TLSSocket._finishInit (node:_tls_wrap:952:8)
    at ssl.onhandshakedone (node:_tls_wrap:733:12)
Sep-13 8:20:14.663 [Endpoint/13]    [L0] core.rpc.rpc_base_conn:: RPC CONNECTION CLOSED. got event from connection: wss://noobaa-mgmt.staging.svc:443(eehmsxr.zzts) WS CLOSED
Sep-13 8:20:14.663 [Endpoint/13]  [WARN] core.rpc.rpc:: RPC RECONNECT FAILED wss://noobaa-mgmt.staging.svc:443 reconn_backoff 5000 unable to verify the first certificate
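
When an endpoint logs `unable to verify the first certificate`, an offline `openssl verify` check separates a malformed leaf certificate from a trust anchor that the client simply does not have. This is an added example, not part of the original issue or the NooBaa project: the CA names, the `s3.example.test` host, the `diagnose` helper and the throwaway PKI are constructed, and `other-ca` stands in for whatever bundle the client actually trusts.

```shell
#!/bin/sh
# Added example: throwaway PKI built on the fly, not the reporter's certificates.

# make_ca DIR NAME: create a self-signed CA (DIR/NAME.key, DIR/NAME.crt).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# make_leaf DIR CA HOST: issue DIR/HOST.crt for HOST, signed by DIR/CA.
make_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
    -CAcreateserial -days 1 -out "$1/$3.crt" 2>/dev/null
}

# chains_to BUNDLE CERT: succeed if CERT verifies with BUNDLE supplied as the
# trust anchors (the throwaway CAs are in no system store, so defaults do not matter).
chains_to() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# diagnose LEAF CUSTOM_CA CLIENT_BUNDLE: report which side of the trust relation is broken.
diagnose() {
  if chains_to "$3" "$1"; then
    echo ok          # the client's bundle already trusts the leaf
  elif chains_to "$2" "$1"; then
    echo trust-gap   # leaf is sound; the client's bundle lacks the custom CA
  else
    echo bad-leaf    # leaf was not issued by the custom CA at all
  fi
}

# Demo: a leaf for the mgmt service signed by a custom CA, checked against a
# client bundle that only contains an unrelated CA. Prints "trust-gap".
d=$(mktemp -d)
make_ca "$d" custom-ca && make_ca "$d" other-ca &&
make_leaf "$d" custom-ca noobaa-mgmt.staging.svc
diagnose "$d/noobaa-mgmt.staging.svc.crt" "$d/custom-ca.crt" "$d/other-ca.crt"
rm -rf "$d"
```

A `trust-gap` result means the certificate itself is fine and the failure lies in which CA bundle the connecting process loads.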