kubernetes / cloud-provider-openstack

Apache License 2.0

occm: could not init cloud provider "openstack": x509: certificate signed by unknown authority #2034

Closed GarbageYard closed 1 year ago

GarbageYard commented 1 year ago

Is this a BUG REPORT or FEATURE REQUEST?:

/kind bug

/kind feature

What happened: When trying to install occm on minikube, I get error:

```
$ kubectl logs openstack-cloud-controller-manager-xfz45 -f
...
...
I1115 17:47:39.348774       1 requestheader_controller.go:244] Loaded a new request header values for RequestHeaderAuthRequestController
W1115 17:47:39.349374       1 client_config.go:617] Neither --kubeconfig nor --master was specified.  Using the inClusterConfig.  This might not work.
W1115 17:47:39.376300       1 openstack.go:165] New openstack client created failed with config: Get "https://keystone.it.net/": x509: certificate signed by unknown authority
F1115 17:47:39.376513       1 main.go:84] Cloud provider could not be initialized: could not init cloud provider "openstack": Get "https://keystone.it.net/": x509: certificate signed by unknown authority
```

What you expected to happen: I wanted it to work with insecure setting as default and maybe just throw a warning for the same. This is a demo env where I want to set up gardener on Openstack.

How to reproduce it: 1) Openstack cluster with minikube installed on a nova instance 2) Following helm commands:

```
helm repo add cpo https://kubernetes.github.io/cloud-provider-openstack
helm repo update
helm install openstack-ccm cpo/openstack-cloud-controller-manager --values openstack-ccm.yaml
```

Content of openstack-ccm.yaml:

```yaml
cloudConfig:
  global:
    auth-url: https://keystone.it.net/
    username: admin
    password: <password>
    domain-name: <domain-name>
    tenant-name: <tenant-name>
    region: <region-name>
    os-TLSInsecure: true
  loadbalancer:
    use-octavia: true
    floating-network-id: <floating-nw-id>
    subnet-id: <subnet-id>
```

Anything else we need to know?: I referred to this link for os-TLSInsecure: https://github.com/kubernetes/cloud-provider-openstack/pull/1310

Environment:

jichenjc commented 1 year ago

> I wanted it to work with insecure setting as default and maybe just throw a warning for the same

if it's a demo env why not use http directly :)

> Get "https://keystone.it.net/": x509: certificate signed by unknown authority

are you able to talk to this site without CPO? through CLI directly..

https://github.com/kubernetes/cloud-provider-openstack/issues/1306 is the purpose of #1310; they seem different from your reported issue above

GarbageYard commented 1 year ago

I agree about using http but this openstack set up has been provided by a company for evaluation and it's having Keystone set up using https.

I have to use --insecure when using the openstack CLI. From browser too, I have to accept the risk and continue to access the Horizon URL.

GarbageYard commented 1 year ago

You were right about the issue. That was a different issue. Sorry for that.

Finally found the right flag: tls-insecure: true

chunji08 commented 1 year ago

Sorry for the interruption. I am desperately trying to find a way to solve my own k8s issue, which is posted here, https://stackoverflow.com/questions/74468846/openstack-pod-keeps-failing-for-this-x509-error?noredirect=1#comment131488740_74468846m,

Does anyone know if it was the same issue? Using the kubespray framework to have a k8s setup, does anyone know how to have it resolved?