Unable to patch cluster proxy with trusted custom CA certificate


Environment

Red Hat OpenShift Service on AWS

  • 4.x

Issue

  • After patching the cluster proxy and deploying the application, the custom CA certificate is not recognized by the application. The patch request itself returns the following error:

    Error from server (Prevented from accessing Red Hat managed resources. This is in an effort to prevent harmful actions that may cause unintended consequences or affect the stability of the cluster. If you have any questions about this, please reach out to Red Hat support at https://access.redhat.com/support): admission webhook "regular-user-validation.managed.openshift.io" denied the request: Prevented from accessing Red Hat managed resources. This is in an effort to prevent harmful actions that may cause unintended consequences or affect the stability of the cluster. If you have any questions about this, please reach out to Red Hat support at https://access.redhat.com/support

Resolution

  • This is a ROSA cluster. Edit the cluster proxy configuration with the "rosa edit" command to add or update the cluster-wide proxy details. Refer to the proxy configuration document for more information.

    # rosa edit cluster --cluster=<cluster_name> --additional-trust-bundle-file=<path_to_ca_bundle_file>/<filename>.crt

Root Cause

  • In a ROSA cluster, the "oc patch proxy" command is not supported for patching or updating the cluster proxy configuration; the managed-resource admission webhook rejects it.

Diagnostic Steps

  • Check the cluster proxy status; the trustedCA name is picked up automatically once the trust bundle has been applied.

    # oc get proxy -o yaml
    spec:
      trustedCA:
        name: custom-ca
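As an added example that is not part of the Red Hat solution, the POSIX shell helpers below cover the two steps above end to end: a pre-flight sanity check of the CA bundle before it is handed to rosa edit cluster (so a truncated or non-PEM file is caught locally rather than on the cluster), the supported rosa command composed from the solution, and a post-change verification that the proxy spec references a trustedCA configmap present in openshift-config. The cluster name, file paths and the sample certificate bodies are constructed placeholders; the openssl parse and the oc verification only run where those tools and a logged-in session exist.

```shell
#!/bin/sh
# Added example, not part of the Red Hat solution: pre-flight checks for the CA
# bundle handed to `rosa edit cluster --additional-trust-bundle-file`, and a
# post-change verification against the proxy object. Cluster name, file paths and
# the sample certificate bodies below are constructed placeholders.

# Count PEM certificate blocks in a bundle and require every BEGIN marker to have a
# matching END marker. Prints the count and returns 0 on success, 1 on a malformed
# or missing file. Needs only grep, so it works where openssl is absent.
count_pem_certs() {
  file="$1"
  [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
  # grep -c exits 1 when the count is 0; '|| true' keeps "0" as the value.
  begins=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$file" || true)
  ends=$(grep -c -e '-----END CERTIFICATE-----' "$file" || true)
  if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
    echo "malformed bundle: $begins BEGIN / $ends END markers" >&2
    return 1
  fi
  echo "$begins"
}

# Optional deeper check: when openssl is installed, parse every certificate in the
# bundle and print subject/issuer so a wrong file is noticed before it reaches the
# cluster. Skipped (returns 0) when openssl is not on PATH.
print_bundle_subjects() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found; skipping parse check" >&2; return 0; }
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Compose the supported ROSA command from the solution (oc patch proxy is rejected
# on ROSA, so this is the only path that changes the trust bundle).
rosa_edit_cmd() {
  printf 'rosa edit cluster --cluster=%s --additional-trust-bundle-file=%s\n' "$1" "$2"
}

# Post-change check against a live cluster (needs oc and a logged-in session):
# confirm the proxy spec references a trustedCA configmap and that the configmap
# exists in openshift-config, where the cluster-wide bundle is stored.
verify_proxy_trusted_ca() {
  name=$(oc get proxy cluster -o jsonpath='{.spec.trustedCA.name}')
  [ -n "$name" ] || { echo "proxy has no spec.trustedCA.name set" >&2; return 1; }
  oc get configmap "$name" -n openshift-config >/dev/null
}

# Constructed two-certificate bundle (bodies are placeholder text, not real
# certificates) written to a temp file so the offline checks can run.
make_sample_bundle() {
  f=$(mktemp)
  printf '%s\n' \
    '-----BEGIN CERTIFICATE-----' 'MIIBplaceholderCertOne' '-----END CERTIFICATE-----' \
    '-----BEGIN CERTIFICATE-----' 'MIIBplaceholderCertTwo' '-----END CERTIFICATE-----' > "$f"
  echo "$f"
}

demo() {
  bundle=$(make_sample_bundle)
  n=$(count_pem_certs "$bundle") || exit 1
  echo "bundle OK: $n certificate(s)"
  rosa_edit_cmd '<cluster_name>' "$bundle"
  rm -f "$bundle"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh check_bundle.sh demo` to see the offline path; on a real cluster, call `count_pem_certs` and `print_bundle_subjects` on the bundle you intend to pass, run the printed rosa command, and then `verify_proxy_trusted_ca` once the change has rolled out.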

