Migration Toolkit for virtualization is failing

Hi team,

I downloaded the migration toolkit - Forklift operator. All pods are running, but there is some issue with the certificate during authentication.

Attached screenshot for reference.

Available to server only: {
META_FILE: '/etc/forklift-ui/meta.json',
EXPRESS_PORT: undefined,
STATIC_DIR: undefined,
UI_TLS_ENABLED: 'true',
UI_TLS_KEY: '/var/run/secrets/forklift-ui-serving-cert/tls.key',
UI_TLS_CERTIFICATE: '/var/run/secrets/forklift-ui-serving-cert/tls.crt'
}

Values from meta.json: {
namespace: 'openshift-mtv',
configNamespace: 'openshift-mtv',
clusterApi: 'https://kubernetes.default.svc.cluster.local',
inventoryApi: 'https://forklift-inventory.openshift-mtv.svc.cluster.local:8443',
mustGatherApi: 'https://forklift-must-gather-api.openshift-mtv.svc.cluster.local:8443',
oauth: {
clientId: 'forklift-ui',
redirectUrl: 'https://virt-openshift-mtv.apps.rcc-openshift.rcc.local/login/callback',
userScope: 'user:full',
clientSecret: 'YzU2ZGVkN2ItMjQxMi01OWE5LWFkMzgtMThlMjYzNDNjM2E3'
}
}
[HPM] Proxy created: / -> https://kubernetes.default.svc.cluster.local
[HPM] Proxy rewrite rule created: "^/cluster-api/" ~> "/"
[HPM] Proxy created: / -> https://forklift-inventory.openshift-mtv.svc.cluster.local:8443
[HPM] Proxy rewrite rule created: "^/inventory-api/" ~> "/"
[HPM] Proxy created: / -> https://forklift-must-gather-api.openshift-mtv.svc.cluster.local:8443
[HPM] Proxy rewrite rule created: "^/must-gather-api/" ~> "/"
FetchError: request to https://kubernetes.default.svc.cluster.local/.well-known/oauth-authorization-server failed, reason: Hostname/IP does not match certificate's altnames: Host: kubernetes.default.svc.cluster.local. is not in the cert's altnames: DNS:*.apps.rcc-openshift.rcc.local
at ClientRequest. (/opt/app-root/src/node_modules/node-fetch/lib/index.js:1491:11)
at ClientRequest.emit (node:events:527:28)
at TLSSocket.socketErrorListener (node:_http_client:454:9)
at TLSSocket.emit (node:events:527:28)
at emitErrorNT (node:internal/streams/destroy:157:8)
at emitErrorCloseNT (node:internal/streams/destroy:122:3)
at processTicksAndRejections (node:internal/process/task_queues:83:21) {
type: 'system',
errno: 'ERR_TLS_CERT_ALTNAME_INVALID',
code: 'ERR_TLS_CERT_ALTNAME_INVALID'
}


On checking the OAuth certificate, below are the DNS entries:

[root]# openssl x509 -text -noout -in tlsgather.crt | grep DNS
DNS:forklift-must-gather-api.openshift-mtv.svc, DNS:forklift-must-gather-api.openshift-mtv.svc.cluster.local

[root]# openssl x509 -text -noout -in api.crt | grep DNS
DNS:*.apps.rcc-openshift.rcc.local

Can someone please suggest any kind of workaround? I have been stuck for 2 days.
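
The name comparison behind `ERR_TLS_CERT_ALTNAME_INVALID`, as an added diagnostic example that is not part of the original post and not Forklift or Node.js source. The function names are hypothetical; the endpoints and SAN lines are copied from the output above, and the matching is a simplified RFC 6125-style check.

```javascript
// Simplified DNS-ID matching: case-insensitive, and a wildcard is honoured
// only as the entire left-most label, where it stands for exactly one label.

// "DNS:a, DNS:b" (the `openssl x509 -text | grep DNS` line) -> ['a', 'b']
function parseSans(line) {
  return line.split(',')
    .map((s) => s.trim())
    .filter((s) => s.startsWith('DNS:'))
    .map((s) => s.slice(4).toLowerCase());
}

function matchesDnsName(host, pattern) {
  const h = host.toLowerCase().replace(/\.$/, '').split('.');
  const p = pattern.toLowerCase().replace(/\.$/, '').split('.');
  if (h.length !== p.length) return false; // '*' never spans several labels
  return p.every((label, i) =>
    (i === 0 && label === '*' && h[0] !== '') || label === h[i]);
}

// Returns { host, ok, sans } for one URL checked against one SAN line.
function checkEndpoint(url, sanLine) {
  const host = new URL(url).hostname;
  const sans = parseSans(sanLine);
  return { host, ok: sans.some((s) => matchesDnsName(host, s)), sans };
}

// Values copied from the post: meta.json endpoints and the two SAN lines.
const API_SANS = 'DNS:*.apps.rcc-openshift.rcc.local';
const GATHER_SANS = 'DNS:forklift-must-gather-api.openshift-mtv.svc, ' +
  'DNS:forklift-must-gather-api.openshift-mtv.svc.cluster.local';

const results = [
  // In-cluster API name requested by the UI: not covered by the wildcard.
  checkEndpoint('https://kubernetes.default.svc.cluster.local', API_SANS),
  // Route host from redirectUrl: covered by *.apps.rcc-openshift.rcc.local.
  checkEndpoint('https://virt-openshift-mtv.apps.rcc-openshift.rcc.local/login/callback', API_SANS),
  // must-gather service name against its own serving certificate.
  checkEndpoint('https://forklift-must-gather-api.openshift-mtv.svc.cluster.local:8443', GATHER_SANS),
];

for (const r of results) {
  console.log(`${r.ok ? 'MATCH   ' : 'MISMATCH'} ${r.host} vs ${r.sans.join(', ')}`);
}
```
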