mTLS breaks ingress canary check in OCP 4
Issue
- Configuring mutual TLS (mTLS) authentication on the default IngressController breaks the ingress canary check and the console health checks.
- The Ingress and Console cluster operators are in a degraded state after configuring mTLS, with the errors below:

    The "default" ingress controller reports Degraded=True: DegradedConditions: One or more other status conditions indicate a degraded state: CanaryChecksSucceeding=False (CanaryChecksRepetitiveFailures: Canary route checks for the default ingress controller are failing)

    // Canary checks looking for required tls certificate.
    2021-11-19T17:17:58.237Z ERROR operator.canary_controller wait/wait.go:155 error performing canary route check {"error": "error sending canary HTTP request to \"canary-openshift-ingress-canary.apps.bruce.openshift.local\": Get \"https://canary-openshift-ingress-canary.apps.bruce.openshift.local\": remote error: tls: certificate required"}

    // Console operator:
    RouteHealthDegraded: failed to GET route (https://console-openshift-console.apps.bruce.openshift.local): Get "https://console-openshift-console.apps.bruce.openshift.local": remote error: tls: certificate required
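
The failure mode above, as an added illustration that is not Red Hat's or OpenShift's code: a local Go TLS server stands in for a router that requires client certificates, and a health-check style GET is sent once without and once with a client certificate. The names `probe` and `newMTLSServer` and the client certificate are constructed for this example; without a certificate the request fails at the TLS layer, and a Go client reports the server's TLS 1.3 alert as the `remote error: tls: certificate required` string seen in the operator log.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// probe sends a health-check style GET; passing no certs mimics a probe that has no client certificate.
func probe(srv *httptest.Server, certs ...tls.Certificate) error {
	tr := srv.Client().Transport.(*http.Transport).Clone() // already trusts the test server's certificate
	tr.TLSClientConfig.Certificates = certs
	resp, err := (&http.Client{Transport: tr, Timeout: 5 * time.Second}).Get(srv.URL)
	if err == nil {
		resp.Body.Close()
	}
	return err
}

// newMTLSServer starts a stand-in server that requires client certificates and returns a client identity it trusts.
func newMTLSServer() (*httptest.Server, tls.Certificate) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		Subject:   pkix.Name{CommonName: "constructed-probe-client"}, // constructed name
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, err := x509.ParseCertificate(der) // also fails if certificate creation above failed
	if err != nil {
		panic(err)
	}
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	srv.TLS = &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: x509.NewCertPool()}
	srv.TLS.ClientCAs.AddCert(leaf) // the self-signed client certificate is its own trust anchor
	srv.StartTLS()
	return srv, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

func main() {
	srv, cert := newMTLSServer()
	defer srv.Close()
	fmt.Printf("no client cert: %v\nwith client cert: %v\n", probe(srv), probe(srv, cert))
}
```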
Environment
- Red Hat OpenShift Container Platform (RHOCP)
- 4.9