authentication operator degraded


I just installed a bare metal three node cluster (version 4.12.5) on three BL460 HP blades, following the instructions at Installing a user-provisioned bare metal cluster on a restricted network, but the authentication operator shows degraded.

$ oc get clusteroperators
NAME                                       VERSION   AVAILABLE   PROGRESSING   DEGRADED   SINCE   MESSAGE
authentication                             4.12.5    False       False         True       3h51m   OAuthServerRouteEndpointAccessibleControllerAvailable: Get "https://oauth-openshift.apps.csvocp.csv.uschi.nsn-rdnet.net/healthz": x509: certificate is valid for api-int.csvocp.csv.uschi.nsn-rdnet.net, not oauth-openshift.apps.csvocp.csv.uschi.nsn-rdnet.net
baremetal                                  4.12.5    True        False         False      3h50m
cloud-controller-manager                   4.12.5    True        False         False      4h
cloud-credential                           4.12.5    True        False         False      4h57m
cluster-autoscaler                         4.12.5    True        False         False      3h51m
config-operator                            4.12.5    True        False         False      3h51m
console                                    4.12.5    False       True          False      3h41m   DeploymentAvailable: 0 replicas available for console deployment...
control-plane-machine-set                  4.12.5    True        False         False      3h50m
csi-snapshot-controller                    4.12.5    True        False         False      3h51m
dns                                        4.12.5    True        False         False      3h50m
etcd                                       4.12.5    True        False         False      3h49m
image-registry                             4.12.5    True        False         False      3h42m
ingress                                    4.12.5    True        False         True       3h43m   The "default" ingress controller reports Degraded=True: DegradedConditions: One or more other status conditions indicate a degraded state: CanaryChecksSucceeding=False (CanaryChecksRepetitiveFailures: Canary route checks for the default ingress controller are failing)
insights                                   4.12.5    False       False         True       124m    Unable to report: unable to build request to connect to Insights server: Post "https://console.redhat.com/api/ingress/v1/upload": dial tcp: lookup console.redhat.com on 172.30.0.10:53: no such host
kube-apiserver                             4.12.5    True        False         False      3h43m
kube-controller-manager                    4.12.5    True        False         False      3h48m
kube-scheduler                             4.12.5    True        False         False      3h43m
kube-storage-version-migrator              4.12.5    True        False         False      3h51m
machine-api                                4.12.5    True        False         False      3h50m
machine-approver                           4.12.5    True        False         False      3h50m
machine-config                             4.12.5    True        False         False      3h49m
marketplace                                4.12.5    True        False         False      3h50m
monitoring                                 4.12.5    True        False         False      3h39m
network                                    4.12.5    True        False         False      3h52m
node-tuning                                4.12.5    True        False         False      3h51m
openshift-apiserver                        4.12.5    True        False         False      3h37m
openshift-controller-manager               4.12.5    True        False         False      3h42m
openshift-samples                          4.12.5    True        False         False      3h36m
operator-lifecycle-manager                 4.12.5    True        False         False      3h51m
operator-lifecycle-manager-catalog         4.12.5    True        False         False      3h51m
operator-lifecycle-manager-packageserver   4.12.5    True        False         False      3h43m
service-ca                                 4.12.5    True        False         False      3h51m
storage                                    4.12.5    True        False         False      3h51m

As a consequence, as seen in the snippet above too, the console pods cannot start either, and I can see messages like this in their logs.

$ oc logs -n openshift-console console-59857c965f-v97vf | tail -n 3
E0310 20:20:10.649939       1 auth.go:232] error contacting auth provider (retrying in 10s): request to OAuth issuer endpoint https://oauth-openshift.apps.csvocp.csv.uschi.nsn-rdnet.net/oauth/token failed: Head "https://oauth-openshift.apps.csvocp.csv.uschi.nsn-rdnet.net": x509: certificate is valid for api-int.csvocp.csv.uschi.nsn-rdnet.net, not oauth-openshift.apps.csvocp.csv.uschi.nsn-rdnet.net
E0310 20:20:20.660907       1 auth.go:232] error contacting auth provider (retrying in 10s): request to OAuth issuer endpoint https://oauth-openshift.apps.csvocp.csv.uschi.nsn-rdnet.net/oauth/token failed: Head "https://oauth-openshift.apps.csvocp.csv.uschi.nsn-rdnet.net": x509: certificate is valid for api-int.csvocp.csv.uschi.nsn-rdnet.net, not oauth-openshift.apps.csvocp.csv.uschi.nsn-rdnet.net
E0310 20:20:30.669558       1 auth.go:232] error contacting auth provider (retrying in 10s): request to OAuth issuer endpoint https://oauth-openshift.apps.csvocp.csv.uschi.nsn-rdnet.net/oauth/token failed: Head "https://oauth-openshift.apps.csvocp.csv.uschi.nsn-rdnet.net": x509: certificate is valid for api-int.csvocp.csv.uschi.nsn-rdnet.net, not oauth-openshift.apps.csvocp.csv.uschi.nsn-rdnet.net

I tried replacing the ingress certificates as described at Replacing the default ingress certificate, but it didn't help.

I believe the problem I am having trying to log in is related to this, too.

$ oc login -u kubeadmin -p pySNL-HUIJL-GJIb7-TD5zg https://api.csvocp.csv.uschi.nsn-rdnet.net:6443 --loglevel=9
I0310 14:25:22.352362  141180 loader.go:374] Config loaded from file:  csvocp/auth/kubeconfig
I0310 14:25:22.353031  141180 round_trippers.go:466] curl -v -XHEAD  'https://api.csvocp.csv.uschi.nsn-rdnet.net:6443/'
I0310 14:25:22.354514  141180 round_trippers.go:495] HTTP Trace: DNS Lookup for api.csvocp.csv.uschi.nsn-rdnet.net resolved to [{10.4.185.75 }]
I0310 14:25:22.354825  141180 round_trippers.go:510] HTTP Trace: Dial to tcp:10.4.185.75:6443 succeed
I0310 14:25:22.360841  141180 round_trippers.go:553] HEAD https://api.csvocp.csv.uschi.nsn-rdnet.net:6443/ 403 Forbidden in 7 milliseconds
I0310 14:25:22.360880  141180 round_trippers.go:570] HTTP Statistics: DNSLookup 1 ms Dial 0 ms TLSHandshake 4 ms ServerProcessing 0 ms Duration 7 ms
I0310 14:25:22.360899  141180 round_trippers.go:577] Response Headers:
I0310 14:25:22.360921  141180 round_trippers.go:580]     Date: Fri, 10 Mar 2023 20:25:30 GMT
I0310 14:25:22.360940  141180 round_trippers.go:580]     Cache-Control: no-cache, private
I0310 14:25:22.360958  141180 round_trippers.go:580]     Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
I0310 14:25:22.360977  141180 round_trippers.go:580]     X-Content-Type-Options: nosniff
I0310 14:25:22.360997  141180 round_trippers.go:580]     X-Kubernetes-Pf-Flowschema-Uid: 3d29411f-1f04-4fd6-a3ff-7aa305d1d239
I0310 14:25:22.361015  141180 round_trippers.go:580]     X-Kubernetes-Pf-Prioritylevel-Uid: dc5e6c2c-3bd5-41b4-9a4c-5acf0ed9a449
I0310 14:25:22.361034  141180 round_trippers.go:580]     Audit-Id: d60c46fe-31d0-4cf5-9e92-7df793b2a80d
I0310 14:25:22.361052  141180 round_trippers.go:580]     Content-Type: application/json
I0310 14:25:22.361070  141180 round_trippers.go:580]     Content-Length: 186
I0310 14:25:22.361125  141180 request_token.go:93] GSSAPI Enabled
I0310 14:25:22.361187  141180 round_trippers.go:466] curl -v -XGET  -H "X-Csrf-Token: 1" 'https://api.csvocp.csv.uschi.nsn-rdnet.net:6443/.well-known/oauth-authorization-server'
I0310 14:25:22.362381  141180 round_trippers.go:553] GET https://api.csvocp.csv.uschi.nsn-rdnet.net:6443/.well-known/oauth-authorization-server 200 OK in 1 milliseconds
I0310 14:25:22.362423  141180 round_trippers.go:570] HTTP Statistics: GetConnection 0 ms ServerProcessing 0 ms Duration 1 ms
I0310 14:25:22.362441  141180 round_trippers.go:577] Response Headers:
I0310 14:25:22.362479  141180 round_trippers.go:580]     Date: Fri, 10 Mar 2023 20:25:30 GMT
I0310 14:25:22.362499  141180 round_trippers.go:580]     Audit-Id: 544efe6d-a58d-40ff-b749-92e6331029df
I0310 14:25:22.362517  141180 round_trippers.go:580]     Cache-Control: no-cache, private
I0310 14:25:22.362536  141180 round_trippers.go:580]     Content-Type: application/json
I0310 14:25:22.362554  141180 round_trippers.go:580]     Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
I0310 14:25:22.362573  141180 round_trippers.go:580]     X-Kubernetes-Pf-Flowschema-Uid: 3d29411f-1f04-4fd6-a3ff-7aa305d1d239
I0310 14:25:22.362592  141180 round_trippers.go:580]     X-Kubernetes-Pf-Prioritylevel-Uid: dc5e6c2c-3bd5-41b4-9a4c-5acf0ed9a449
I0310 14:25:22.362611  141180 round_trippers.go:580]     Content-Length: 630
I0310 14:25:22.407679  141180 request_token.go:467] falling back to kubeconfig CA due to possible x509 error: x509: certificate is valid for api-int.csvocp.csv.uschi.nsn-rdnet.net, not oauth-openshift.apps.csvocp.csv.uschi.nsn-rdnet.net
I0310 14:25:22.407795  141180 round_trippers.go:466] curl -v -XGET  -H "X-Csrf-Token: 1" 'https://oauth-openshift.apps.csvocp.csv.uschi.nsn-rdnet.net/oauth/authorize?client_id=openshift-challenging-client&code_challenge=sgC5DRN59-kU3iS_4ItafZQsXrcyKDGN3TS2Ymw4Als&code_challenge_method=S256&redirect_uri=https%3A%2F%2Foauth-openshift.apps.csvocp.csv.uschi.nsn-rdnet.net%2Foauth%2Ftoken%2Fimplicit&response_type=code'
I0310 14:25:22.408715  141180 round_trippers.go:495] HTTP Trace: DNS Lookup for oauth-openshift.apps.csvocp.csv.uschi.nsn-rdnet.net resolved to [{10.4.185.75 }]
I0310 14:25:22.408961  141180 round_trippers.go:510] HTTP Trace: Dial to tcp:10.4.185.75:443 succeed
I0310 14:25:22.416136  141180 round_trippers.go:553] GET https://oauth-openshift.apps.csvocp.csv.uschi.nsn-rdnet.net/oauth/authorize?client_id=openshift-challenging-client&code_challenge=sgC5DRN59-kU3iS_4ItafZQsXrcyKDGN3TS2Ymw4Als&code_challenge_method=S256&redirect_uri=https%3A%2F%2Foauth-openshift.apps.csvocp.csv.uschi.nsn-rdnet.net%2Foauth%2Ftoken%2Fimplicit&response_type=code  in 8 milliseconds
I0310 14:25:22.416176  141180 round_trippers.go:570] HTTP Statistics: DNSLookup 0 ms Dial 0 ms TLSHandshake 7 ms Duration 8 ms
I0310 14:25:22.416196  141180 round_trippers.go:577] Response Headers:
I0310 14:25:22.416777  141180 round_trippers.go:466] curl -v -XGET  -H "Accept: application/json, */*" -H "User-Agent: oc/4.12.0 (linux/amd64) kubernetes/b05f7d4" 'https://api.csvocp.csv.uschi.nsn-rdnet.net:6443/api/v1/namespaces/openshift/configmaps/motd'
I0310 14:25:22.417886  141180 round_trippers.go:553] GET https://api.csvocp.csv.uschi.nsn-rdnet.net:6443/api/v1/namespaces/openshift/configmaps/motd 403 Forbidden in 1 milliseconds
I0310 14:25:22.417937  141180 round_trippers.go:570] HTTP Statistics: GetConnection 0 ms ServerProcessing 0 ms Duration 1 ms
I0310 14:25:22.417955  141180 round_trippers.go:577] Response Headers:
I0310 14:25:22.417977  141180 round_trippers.go:580]     Audit-Id: d0693f44-ab60-402d-8b3f-810ff465c2da
I0310 14:25:22.417996  141180 round_trippers.go:580]     Cache-Control: no-cache, private
I0310 14:25:22.418015  141180 round_trippers.go:580]     Content-Type: application/json
I0310 14:25:22.418034  141180 round_trippers.go:580]     X-Content-Type-Options: nosniff
I0310 14:25:22.418053  141180 round_trippers.go:580]     Date: Fri, 10 Mar 2023 20:25:30 GMT
I0310 14:25:22.418072  141180 round_trippers.go:580]     Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
I0310 14:25:22.418091  141180 round_trippers.go:580]     X-Kubernetes-Pf-Flowschema-Uid: 3d29411f-1f04-4fd6-a3ff-7aa305d1d239
I0310 14:25:22.418112  141180 round_trippers.go:580]     X-Kubernetes-Pf-Prioritylevel-Uid: dc5e6c2c-3bd5-41b4-9a4c-5acf0ed9a449
I0310 14:25:22.418131  141180 round_trippers.go:580]     Content-Length: 303
I0310 14:25:22.418175  141180 request.go:1154] Response Body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"configmaps \"motd\" is forbidden: User \"system:anonymous\" cannot get resource \"configmaps\" in API group \"\" in the namespace \"openshift\"","reason":"Forbidden","details":{"name":"motd","kind":"configmaps"},"code":403}
error: x509: certificate is valid for api-int.csvocp.csv.uschi.nsn-rdnet.net, not oauth-openshift.apps.csvocp.csv.uschi.nsn-rdnet.net
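The error in the post is a TLS hostname mismatch: the endpoint that answers for oauth-openshift.apps.csvocp.csv.uschi.nsn-rdnet.net (which resolves to the same address as the API, 10.4.185.75) presents a certificate issued for api-int. A quick way to see this without guessing is to connect with SNI set to the route hostname and compare the served certificate's DNS SANs with the name requested, instead of letting the client abort. The following is an added example, not code from the post or from OpenShift. It reimplements the hostname-matching rule that Go's crypto/x509 applies (case-insensitive, wildcard only as the whole leftmost label, matching exactly one label) and reports the result in the same wording as the operator message. The certificate dicts SERVED_CERT and APPS_CERT are constructed samples that assume the route is being served the api-int certificate and that a correctly routed endpoint would present a *.apps wildcard certificate; the CA bundle for the live probe is whatever your kubeconfig trusts and must be supplied as a file.

```python
"""Diagnose an x509 hostname mismatch: which DNS names does the served
certificate actually cover, compared with the name we asked for?"""
import socket
import ssl
import sys
from typing import Dict, List, Optional


def hostname_matches(hostname: str, dns_names: List[str]) -> bool:
    """RFC 6125-style check: case-insensitive, a '*' is honoured only as the
    entire leftmost label and matches exactly one label (never a dot)."""
    host = hostname.lower().rstrip(".").split(".")
    for name in dns_names:
        pat = name.lower().rstrip(".").split(".")
        if len(pat) != len(host):
            continue                      # wildcard cannot span several labels
        if any("*" in label for label in pat[1:]):
            continue                      # wildcard outside the leftmost label
        if "*" in pat[0] and pat[0] != "*":
            continue                      # partial wildcards such as "api*" are rejected
        if (pat[0] == "*" or pat[0] == host[0]) and pat[1:] == host[1:]:
            return True
    return False


def san_dns_names(cert: Dict) -> List[str]:
    """DNS SANs from a certificate dict in the shape ssl.SSLSocket.getpeercert() returns."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def diagnose(requested_host: str, cert: Dict) -> str:
    """Word the verdict the way Go's crypto/x509 (and so oc and the operators) do,
    so it can be compared side by side with the operator message."""
    names = san_dns_names(cert)
    if hostname_matches(requested_host, names):
        return "ok: certificate is valid for " + requested_host
    return "x509: certificate is valid for %s, not %s" % (
        ", ".join(names) or "<no DNS SANs>", requested_host)


def probe(host: str, port: int = 443, cafile: Optional[str] = None,
          timeout: float = 5.0) -> str:
    """Connect with SNI=host, verify the chain against `cafile` (or the system store),
    but do the hostname check ourselves so a mismatch is explained rather than raised.
    Python returns no certificate fields for a chain it could not verify, so for a
    private cluster CA the bundle the kubeconfig trusts must be passed as `cafile`."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False            # we report the mismatch instead of failing
    ctx.verify_mode = ssl.CERT_REQUIRED
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return diagnose(host, tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        return "chain does not verify against the supplied CA: %s" % exc.verify_message


# Constructed samples (assumptions, not data from the post): the certificate the
# OAuth route appears to be served (an api-int serving cert) and the wildcard
# certificate a correctly routed *.apps endpoint would present.
SERVED_CERT = {
    "subject": ((("commonName", "api-int.csvocp.csv.uschi.nsn-rdnet.net"),),),
    "subjectAltName": (("DNS", "api-int.csvocp.csv.uschi.nsn-rdnet.net"),),
}
APPS_CERT = {
    "subjectAltName": (("DNS", "*.apps.csvocp.csv.uschi.nsn-rdnet.net"),),
}
OAUTH_HOST = "oauth-openshift.apps.csvocp.csv.uschi.nsn-rdnet.net"

if __name__ == "__main__":
    if len(sys.argv) >= 2:                # usage: cert_check.py HOST [PORT] [CAFILE]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        print(probe(sys.argv[1], port, sys.argv[3] if len(sys.argv) > 3 else None))
    else:
        print(diagnose(OAUTH_HOST, SERVED_CERT))
        print(diagnose(OAUTH_HOST, APPS_CERT))
```

Run without arguments to see the offline comparison; run with the route hostname, port 443 and a CA file to probe the live endpoint. If the live probe against 10.4.185.75 with SNI set to the apps hostname reports the api-int certificate, the `*.apps` record is being answered by the API endpoint rather than by the ingress router, and replacing the ingress certificate cannot change what that endpoint serves.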
