mTLS breaks ingress canary check in OCP 4

Solution Verified - Updated -


  • Configuring mutual TLS (mTLS) authentication on the default IngressController breaks the ingress canary check and the console health checks.
    The Ingress and Console cluster operators are in a degraded state after mTLS is configured, with the errors below:

    The "default" ingress controller reports Degraded=True: DegradedConditions: One or more other status conditions indicate a degraded state: CanaryChecksSucceeding=False (CanaryChecksRepetitiveFailures: Canary route checks for the default ingress controller are failing)
    // Canary check fails because a TLS client certificate is required:
    2021-11-19T17:17:58.237Z    ERROR    operator.canary_controller    wait/wait.go:155    error performing canary route check    {"error": "error sending canary HTTP request to \"canary-openshift-ingress-canary.apps.bruce.openshift.local\": Get \"https://canary-openshift-ingress-canary.apps.bruce.openshift.local\": remote error: tls: certificate required"}
    // Console operator:
    RouteHealthDegraded: failed to GET route (https://console-openshift-console.apps.bruce.openshift.local): Get "https://console-openshift-console.apps.bruce.openshift.local": remote error: tls: certificate required


  • Red Hat OpenShift Container Platform (RHOCP)
    • 4.9
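
To confirm from collected operator output that the degraded state comes from the router demanding a client certificate, and not from DNS or timeouts, the messages above can be triaged by route host. This is an added example, not Red Hat's code; the function name `triage`, the cause labels and the third sample line (a constructed timeout on a placeholder host) are assumptions.

```python
import json
import re

# Go's crypto/tls reports a certificate_required alert sent by the server this way.
CERT_REQUIRED = "remote error: tls: certificate required"
HOST_RE = re.compile(r'Get "https://([^"/:]+)')

# Constructed sample input: the two messages quoted in the issue above, plus one
# made-up timeout line (placeholder host) showing a failure NOT caused by mTLS.
SAMPLE_LINES = [
    r'2021-11-19T17:17:58.237Z    ERROR    operator.canary_controller    wait/wait.go:155    error performing canary route check    {"error": "error sending canary HTTP request to \"canary-openshift-ingress-canary.apps.bruce.openshift.local\": Get \"https://canary-openshift-ingress-canary.apps.bruce.openshift.local\": remote error: tls: certificate required"}',
    'RouteHealthDegraded: failed to GET route (https://console-openshift-console.apps.bruce.openshift.local): Get "https://console-openshift-console.apps.bruce.openshift.local": remote error: tls: certificate required',
    'RouteHealthDegraded: failed to GET route (https://console.apps.example.test): Get "https://console.apps.example.test": context deadline exceeded',
]


def triage(lines):
    """Map each probed route host to 'client-cert-required' or 'other'."""
    result = {}
    for line in lines:
        msg = line
        start = line.find('{"')
        if start != -1:
            # Operator log lines end in a JSON object; unescape its "error" field.
            try:
                msg = json.loads(line[start:]).get("error", line)
            except ValueError:
                pass  # not valid JSON after all: fall back to the raw line
        match = HOST_RE.search(msg)
        if not match:
            continue  # no probed URL in this line
        cause = "client-cert-required" if CERT_REQUIRED in msg else "other"
        result[match.group(1)] = cause
    return result


if __name__ == "__main__":
    for host, cause in triage(SAMPLE_LINES).items():
        print(f"{cause:22} {host}")
```

Hosts labelled `client-cert-required` are the health probes that reached the router and were refused for lacking a client certificate; anything labelled `other` needs separate investigation.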
