cyberark / conjur-oss-helm-chart

Helm chart for deploying Conjur OSS to Kubernetes
Apache License 2.0

failed to install conjur-oss in OCP #173

Closed myeung18 closed 2 years ago

myeung18 commented 2 years ago

Summary

Followed the instructions here to install conjur-oss in my OCP environment, but the conjur-oss pod failed as below: https://github.com/cyberark/conjur-oss-helm-chart/tree/master/conjur-oss#installation-on-ocp

Do you know what happened?

Steps to Reproduce

 CONJUR_NAMESPACE=conjur
 oc create namespace "$CONJUR_NAMESPACE"
 DATA_KEY="$(docker run --rm cyberark/conjur data-key generate)"
 HELM_RELEASE=conjur-oss
 helm install \
   -n "$CONJUR_NAMESPACE" \
   --set image.repository=registry.connect.redhat.com/cyberark/conjur \
   --set image.tag=latest \
   --set nginx.image.repository=registry.connect.redhat.com/cyberark/conjur-nginx \
   --set nginx.image.tag=latest \
   --set postgres.image.repository=registry.redhat.io/rhscl/postgresql-10-rhel7 \
   --set postgres.image.tag=latest \
   --set openshift.enabled=true \
   --set dataKey="$DATA_KEY" \
   "$HELM_RELEASE" \
   https://github.com/cyberark/conjur-oss-helm-chart/releases/download/v2.0.4/conjur-oss-2.0.4.tgz
oc get po
conjur-oss-644cd45b46-zjxwq   0/2     CrashLoopBackOff   4 (22s ago)   84s
conjur-oss-postgres-0         1/1     Running            0             83s

oc get po | awk 'NR>1 {print $1}' | grep conjur-oss-6 | xargs oc logs -f -c conjur-oss
..............................error: Database is still unavailable. Aborting!

oc get po | awk 'NR>1 {print $1}' | grep conjur-oss-6 | xargs oc logs -f -c conjur-oss-nginx 
cp: cannot open '/opt/conjur/etc/ssl/cert/tls.key' for reading: Permission denied

oc get clusterversion
NAME      VERSION   AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.10.11   True        False         2d5h    Cluster version is 4.10.11


rpothier commented 2 years ago

Hi @myeung18, I think the root cause is the error with nginx; it says Permission denied. Is the file actually there?

myeung18 commented 2 years ago

The pod wasn't fully started, so I can't access it to see if the file is there. I just need to run the helm install command as stated in the README, don't I? Do I need to set up something else beforehand?

rpothier commented 2 years ago

You shouldn't need anything else. Do you have Helm v3+? I tried it on my local cluster and I don't see the error, but I'll see if I can try on OCP.

myeung18 commented 2 years ago

@rpothier thank you, and I am using Helm 3.

helm version
version.BuildInfo{Version:"v3.6.3", GitCommit:"d506314abfb5d21419df8c7e7e68012379db2354", GitTreeState:"clean", GoVersion:"go1.16.5"}

rpothier commented 2 years ago

@myeung18 I don't see the error with OCP 4.8 (shown below). Can you run it with --debug to see if the SSL certs are being generated?

oc get clusterversion
NAME      VERSION   AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.8.2     True        False         286d    Cluster version is 4.8.2

oc get pods
NAME                              READY   STATUS    RESTARTS   AGE
rob-conjur-oss-8666b6ccd6-4sh5b   2/2     Running   0          6m38s
rob-conjur-oss-postgres-0         1/1     Running   0          6m38s

oc logs rob-conjur-oss-8666b6ccd6-4sh5b rob-conjur-oss-nginx
Verifying that all certs are in place...
Checking existence of /opt/conjur/etc/ssl/ca/tls.crt...
Checking existence of /opt/conjur/etc/ssl/cert/tls.crt...
Checking existence of /tmp/tls.key...
Checking NGINX config...
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Starting NGINX...

myeung18 commented 2 years ago

I do see the SSL certs are generated and the related secrets are created. conjur-oss-conjur-ssl-cert is the one causing the error. This secret has the tls.key that the nginx container is trying to read. I think the SSL certs are OK, and the volume for the secret is mounted properly, but the nginx container failed to read it due to a permission issue.

oc get secrets
NAME                                  TYPE                                  DATA   AGE
builder-dockercfg-5wc42               kubernetes.io/dockercfg               1      44h
builder-token-95px7                   kubernetes.io/service-account-token   4      44h
builder-token-jsk9s                   kubernetes.io/service-account-token   4      44h
conjur-oss-conjur-authenticators      Opaque                                1      18m
conjur-oss-conjur-data-key            Opaque                                1      18m
conjur-oss-conjur-database-password   Opaque                                1      18m
conjur-oss-conjur-database-ssl        kubernetes.io/tls                     2      18m
conjur-oss-conjur-database-url        Opaque                                1      18m
conjur-oss-conjur-ssl-ca-cert         kubernetes.io/tls                     2      18m
conjur-oss-conjur-ssl-cert            kubernetes.io/tls                     2      18m
conjur-oss-dockercfg-dn47q            kubernetes.io/dockercfg               1      18m
conjur-oss-token-5hrr7                kubernetes.io/service-account-token   4      18m
conjur-oss-token-jsv4b                kubernetes.io/service-account-token   4      18m
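
The permission check a practitioner would run against a symptom like this, as an added illustration that is not code from the chart or from this thread: it models how the container's effective UID/GIDs interact with the mode the kubelet gives a secret-mounted file such as the tls.key nginx could not copy. The kubelet rule it encodes (root-owned files at defaultMode; with fsGroup set, group changed to fsGroup and 0440 ORed in for a read-only volume) and the example UIDs are assumptions, not facts established in the issue.

```python
import stat

# Mount path quoted in the nginx error from the issue; UIDs below are constructed.
KEY_PATH = "/opt/conjur/etc/ssl/cert/tls.key"


def kubelet_secret_file(default_mode, fs_group):
    """Model how the kubelet materialises one file of a secret volume.

    Assumption: files are created root-owned with `default_mode`; when the pod
    sets `fsGroup`, the kubelet chgrps the file to fsGroup and ORs in 0440
    because secret volumes are mounted read-only. Returns (mode, uid, gid).
    """
    mode, gid = default_mode, 0
    if fs_group is not None:
        gid = fs_group
        mode |= 0o440
    return mode, 0, gid


def can_read(mode, owner_uid, owner_gid, uid, gids):
    """Plain POSIX read check for a process with `uid` and group set `gids`."""
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IRUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def diagnose(run_as_user, fs_group, default_mode):
    """Return (readable, explanation) for the key file as the container sees it."""
    mode, owner_uid, owner_gid = kubelet_secret_file(default_mode, fs_group)
    gids = {fs_group} if fs_group is not None else set()
    ok = can_read(mode, owner_uid, owner_gid, run_as_user, gids)
    why = (f"{KEY_PATH}: mode {mode:04o} owner {owner_uid}:{owner_gid}, "
           f"process uid {run_as_user} gids {sorted(gids)} -> "
           + ("readable" if ok else "Permission denied"))
    return ok, why


if __name__ == "__main__":
    # Constructed: an arbitrary non-root UID of the kind OpenShift assigns,
    # once without and once with a matching fsGroup, for a 0600 key file.
    for fsg in (None, 1000650000):
        print(diagnose(1000650000, fsg, 0o600)[1])
```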

myeung18 commented 2 years ago

OK, it works in my OCP 4.8 as well. I think the chart has some issue with OCP 4.10.

rpothier commented 2 years ago

Hmm, that's weird. I tried on OCP 4.10 and I don't see it there either.

oc get clusterversion
NAME      VERSION   AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.10.12   True        False         5d23h   Cluster version is 4.10.12

oc get pods
NAME                              READY   STATUS    RESTARTS   AGE
rob-conjur-oss-54ffb44cc8-w5d69   2/2     Running   0          21m
rob-conjur-oss-postgres-0         1/1     Running   0          21m

myeung18 commented 2 years ago

OK, I got a new OCP 4.10 and tested OK. I don't know what was going on, but thank you so much for your time and follow-up.

rpothier commented 2 years ago

Great! Glad it's working.