
Custom CA not recognized by pelorus pods (grafana and prometheus) #91

Closed
kevin-anderson-redhat opened this issue Jun 11, 2020 · 6 comments · Fixed by #101 or #112
kind/bug Categorizes issue or PR as related to a bug.

@kevin-anderson-redhat

Attempts to log in to prometheus and grafana fail with an Error Page 500 Internal Error. Logs indicate that oauth fails with "certificate signed by unknown authority".

@etsauer
Collaborator

etsauer commented Jun 11, 2020

This is something we'll have to fix in our helm chart, but for now the proper workaround is to:

1. Create an empty ConfigMap in the pelorus namespace:

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  annotations:
    # annotation values must be strings, so "true" is quoted
    config.openshift.io/inject-trusted-cabundle: "true"
  name: cluster-ca-bundle
data: {}   # left empty; the injector fills in ca-bundle.crt
```

2. Add a volume and volumeMount to the prometheus/pelorus-prometheus resource in the pelorus namespace:

```yaml
# ...
containers:
- name: prometheus-proxy
  # ...
  volumeMounts:
  # ...
  - mountPath: /etc/pki/ca-trust/extracted/pem/
    name: prometheus-trusted-ca-bundle
    readOnly: true
# ...
volumes:
# ...
- configMap:
    items:
    - key: ca-bundle.crt        # key written into the ConfigMap by the CA injector
      path: tls-ca-bundle.pem   # file name the system trust store reads
    name: prometheus-trusted-ca-bundle-39man1pbaa8jq
    optional: true
  name: prometheus-trusted-ca-bundle
```

References: https://docs.openshift.com/container-platform/4.4/networking/configuring-a-custom-pki.html#certificate-injection-using-operators_configuring-a-custom-pki
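A way to verify that the workaround above is wired up end to end, as an added example that is not pelorus code: it reads the JSON that `oc get configmap ... -o json` and `oc get pod ... -o json` produce, and checks that the annotation is set as a string, that the injector has actually written `ca-bundle.crt`, and that the named container mounts that ConfigMap at the trust path with the right key mapping. The file name `check_ca_injection.py` and the default container name `prometheus-proxy` (taken from the snippet above) are assumptions.

```python
import json
import sys

INJECT_ANNOTATION = "config.openshift.io/inject-trusted-cabundle"
BUNDLE_KEY = "ca-bundle.crt"            # key the injector fills in the ConfigMap
TRUST_PATH = "/etc/pki/ca-trust/extracted/pem"
TRUST_FILE = "tls-ca-bundle.pem"        # file name the system trust store reads


def check_configmap(cm):
    """Return problems with the annotated ConfigMap (empty list means OK)."""
    problems = []
    ann = cm.get("metadata", {}).get("annotations", {})
    if ann.get(INJECT_ANNOTATION) != "true":   # must be the *string* "true"
        problems.append("annotation %s missing or not the string \"true\"" % INJECT_ANNOTATION)
    if "-----BEGIN CERTIFICATE-----" not in cm.get("data", {}).get(BUNDLE_KEY, ""):
        problems.append("%s not injected yet (no certificates in data)" % BUNDLE_KEY)
    return problems


def check_pod(pod, cm_name, container):
    """Check that `container` mounts the injected bundle from ConfigMap `cm_name`."""
    spec = pod.get("spec", {})
    volumes = {v["name"]: v for v in spec.get("volumes", [])}
    cont = next((c for c in spec.get("containers", []) if c["name"] == container), None)
    if cont is None:
        return ["container %s not found in pod" % container]
    mounts = [m for m in cont.get("volumeMounts", [])
              if m.get("mountPath", "").rstrip("/") == TRUST_PATH]
    if not mounts:
        return ["%s has no volumeMount at %s/" % (container, TRUST_PATH)]
    vol = volumes.get(mounts[0]["name"], {})
    if "configMap" not in vol:
        return ["volume %r missing or not a configMap volume" % mounts[0]["name"]]
    problems = []
    if vol["configMap"].get("name") != cm_name:   # the mount must point at the annotated CM
        problems.append("volume uses ConfigMap %r, expected %r"
                        % (vol["configMap"].get("name"), cm_name))
    items = {i.get("key"): i.get("path") for i in vol["configMap"].get("items", [])}
    if items.get(BUNDLE_KEY) != TRUST_FILE:
        problems.append("items must map %s -> %s, got %r" % (BUNDLE_KEY, TRUST_FILE, items))
    return problems


if __name__ == "__main__":  # usage: python check_ca_injection.py configmap.json pod.json
    cm_json, pod_json = (json.load(open(p)) for p in sys.argv[1:3])
    found = check_configmap(cm_json) + check_pod(
        pod_json, cm_json.get("metadata", {}).get("name", ""), "prometheus-proxy")
    print("OK" if not found else "\n".join(found))
    sys.exit(1 if found else 0)
```

The same check applies to the grafana-proxy container once it is given an equivalent mount; only the container name and ConfigMap name change.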

@etsauer
Collaborator

etsauer commented Jun 11, 2020

This should fix the prometheus component, but since the thanos-sidecar container is added by the operator, we need to figure out how to control that

@etsauer etsauer added the kind/bug Categorizes issue or PR as related to a bug. label Jun 11, 2020
@kevin-anderson-redhat
Author

kevin-anderson-redhat commented Jun 12, 2020

Does the issue at the following link mean that the grafana-operator is not easily resolved? grafana/grafana-operator#190

@garethahealy
Contributor

@robbbbh; did you have to do this for our prev customer?

@redhat-cop-ci-bot

@kevin-anderson-redhat no, I think there are ways to make it happen with grafana, it's just the oauth container that needs it, and that config gets pretty customizable.

If you can try the above and give some feedback, we can try to help troubleshoot.

@kevin-anderson-redhat
Author

@etsauer We were not able to get grafana to operate. Still getting an untrusted cert failure in the grafana-proxy container.
