kserve / modelmesh-serving

Controller for ModelMesh
Apache License 2.0

certificate is not valid for any names, but wanted to match modelmesh-serving #522

Open janekmichalik opened 3 months ago

janekmichalik commented 3 months ago

Describe the bug

I have followed the docs on how to configure TLS. I have set tls.secretName and tls.clientAuth. The ModelMesh controller is not able to connect to ModelMesh Serving because of:

{"level":"info","ts":"2024-08-01T08:35:07Z","logger":"MMService","msg":"Established new MM gRPC connection","namespace":"test","endpoint":"kube:///modelmesh-serving.test:8033","TLS":true}
...
"error":"failed to SetVModel for InferenceService 66a9edd4d028f175007aa90c-active: rpc error: code = Unavailable desc = last connection error: connection error: desc = \"transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate is not valid for any names, but wanted to match modelmesh-serving.test\"","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/root/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:329\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/root/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/root/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:227"

Details of cert on model mesh serving pod:

        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Certificate Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                B8:9F:57:4E:9A:B4:B4:7B:A8:CF:D3:FB:3F:CE:CB:84:06:88:95:18
            X509v3 Subject Alternative Name:
                DNS:localhost, DNS:modelmesh-serving, DNS:modelmesh-serving.test, DNS:modelmesh-serving.test.svc, DNS:modelmesh-serving.test.svc.cluster.local, IP Address:127.0.0.1

I can't see how to configure the controller to respect my TLS settings.

Am I doing something wrong?

Expected behavior

Connection is working.

Environment (please complete the following information):