equinix / terraform-equinix-metal-openshift-on-baremetal

OpenShift 4.9 Installer for Equinix Metal
https://registry.terraform.io/modules/equinix/openshift-on-baremetal/metal/latest
Apache License 2.0

Cluster certificate is not trusted #4

Open displague opened 3 years ago

displague commented 3 years ago

The generated certificate for external access to the cluster is not trusted.

This may be due to failure reported by provisioners:

module.openshift_install.null_resource.ocp_approve_pending_csrs (remote-exec): error: one or more CSRs must be specified as <name> or -f <filename>
module.openshift_install.null_resource.ocp_approve_pending_csrs (remote-exec): W0225 10:50:20.232961   29397 warnings.go:67] certificates.k8s.io/v1beta1 CertificateSigningRequest is deprecated in v1.19+, unavailable in v1.22+; use certificates.k8s.io/v1 CertificateSigningRequest
module.openshift_install.null_resource.ocp_approve_pending_csrs (remote-exec): error: one or more CSRs must be specified as <name> or -f <filename>

These provisioner errors do not reappear on subsequent provisions, but the certificate is invalid (bad issuer?):

subject=/CN=*.apps.clustername.example.com
issuer=/CN=ingress-operator@1614149495

I think this may be related to assets/letsencrypt/1_configure_ingresscerts.sh not being called (and requiring Cloudflare credentials). The older CSR records may be a problem too.

To keep this simple, we may need to enable LetsEncrypt (by default) using an HTTP prover instead of DNS.

Originally posted by @displague in https://github.com/equinix/terraform-metal-openshift-on-baremetal/pull/2#issuecomment-786281757
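The two symptoms in the report above map to two checks: the "one or more CSRs must be specified" error is what `oc adm certificate approve` prints when handed an empty argument list (no CSRs were pending at that moment), and an `ingress-operator@<timestamp>` issuer means the default self-signed router certificate is still serving `*.apps`. The script below is an added example, not code from this module; it assumes `oc`, `awk` and `openssl` on the provisioning host and a kubeconfig in `KUBECONFIG`, and the `oc get csr` sample is constructed.

```shell
#!/bin/sh
# Added example (not part of terraform-equinix-metal-openshift-on-baremetal):
# approve pending CSRs only when at least one exists, so the approve command is
# never invoked with an empty list, and report who issued the ingress cert.
# Assumes: oc, awk, openssl installed; KUBECONFIG points at the new cluster.
set -eu

# Reduce `oc get csr` table output (stdin) to the names of pending CSRs.
# CONDITION is the last column, so this works with or without the
# REQUESTEDDURATION column that Kubernetes 1.22 / OpenShift 4.9 adds.
pending_csrs() {
  awk 'NR > 1 && $NF == "Pending" { print $1 }'
}

# Approve whatever is pending; succeed quietly when nothing is.
approve_pending_csrs() {
  names=$(oc get csr | pending_csrs)
  if [ -z "$names" ]; then
    echo "no pending CSRs; nothing to approve"
    return 0
  fi
  # Word splitting on $names is intended: one argument per CSR name.
  # shellcheck disable=SC2086
  oc adm certificate approve $names
}

# Print the issuer of the certificate served for a *.apps hostname. The
# default self-signed issuer looks like "CN = ingress-operator@<timestamp>";
# anything else indicates a replacement (e.g. Let's Encrypt) is in place.
ingress_cert_issuer() {
  host="$1"   # e.g. console-openshift-console.apps.clustername.example.com
  openssl s_client -connect "${host}:443" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -noout -issuer
}

# Constructed sample of `oc get csr` output, used to exercise the filter offline.
SAMPLE_CSRS='NAME        AGE   SIGNERNAME                                    REQUESTOR                                                                   CONDITION
csr-2m9h4   12m   kubernetes.io/kube-apiserver-client-kubelet   system:serviceaccount:openshift-machine-config-operator:node-bootstrapper   Approved,Issued
csr-7xq2k   3m    kubernetes.io/kubelet-serving                 system:node:worker-0                                                        Pending
csr-gt5pl   2m    kubernetes.io/kubelet-serving                 system:node:worker-1                                                        Pending'

# Run the approval loop only when asked to, so the file can also be sourced.
case "${1:-}" in
  --run) approve_pending_csrs ;;
esac
```

Invoke as `sh approve-csrs.sh --run` from the provisioner, and `ingress_cert_issuer console-openshift-console.apps.<cluster>.<domain>` afterwards to confirm the router no longer presents the ingress-operator issuer.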

displague commented 3 years ago

https://github.com/equinix/terraform-metal-openshift-on-baremetal/blob/main/NEXTSTEPS.md#lets-encrypt-wildcard-certificates should be updated with the current script paths and should be automated.

https://github.com/vancluever/terraform-provider-acme (perhaps?)
https://registry.terraform.io/modules/nephosolutions/certificate/acme/latest (related module)