Error in ovirt-volume-provisioner pods.

[nicexe2e4]

Description Hi, after deploying, I get an error in ovirt-volume-provisioner pods. Google didn't give information, maybe help me here?

Versions:

• OS: Debian GNU/Linux 9 (stretch)
• Kubernetes version: v1.13.1
• oVirt version 4.2.8.2-1

Logs:

• master and node: master июн 18 13:26:46 k8s-master-v1 kubelet[1223]: E0618 13:26:46.769258 1223 driver-call.go:267] Failed to unmarshal output for command: init, output: "Post https://ovirt.example.com//ovirt-engine/sso/oauth/token: tls: failed to parse certificate from server: asn1: time did not serialize back to the original value and may be invalid: given \"131015052859+0000\", but serialized as \"131015052859Z\"", error: invalid character 'P' looking for beginning of value июн 18 13:26:46 k8s-master-v1 kubelet[1223]: W0618 13:26:46.769284 1223 driver-call.go:150] FlexVolume: driver call failed: executable: /usr/libexec/kubernetes/kubelet-plugins/volume/exec/ovirt~ovirt-flexvolume-driver/ovirt-flexvolume-driver, args: [init], error: exit status 1, output: "Post https://ovirt.example.com//ovirt-engine/sso/oauth/token: tls: failed to parse certificate from server: asn1: time did not serialize back to the original value and may be invalid: given \"131015052859+0000\", but serialized as \"131015052859Z\"" июн 18 13:26:46 k8s-master-v1 kubelet[1223]: E0618 13:26:46.769305 1223 plugins.go:642] Error dynamically probing plugins: Error creating Flexvolume plugin from directory ovirt~ovirt-flexvolume-driver, skipping. Error: invalid character 'P' looking for beginning of value node similarly master
• volume-provisioner pod: I0618 10:23:12.150178 1 ovirt-provisioner.go:48] Provisioner ovirt-volume-provisioner specified I0618 10:23:12.150269 1 ovirt-provisioner.go:77] Building kube configs for running in cluster... F0618 10:23:12.654999 1 ovirt-provisioner.go:53] Failed to initialize ovirt client: Post https://ovirt.example.com//ovirt-engine/sso/oauth/token: tls: failed to parse certificate from server: asn1: time did not serialize back to the original value and may be invalid: given "131015052859+0000", but serialized as "131015052859Z"

[rgolangh]

ovirt must answer back with a token with 'exp' in the format of YYMMDDhhmm[ss]Z the +0000 is not utc. I'll look into ovirt-engine to see what can cause that. For more debug purposes run this:

// export PASS=yourpass ENGINE_URL=https://ovirt-engine-fqdn
curl -k --data "grant_type=password&scope=ovirt-app-api&username=admin@internal&password=$PASS" -H "Accept: application/json" -H "Content-Type: application/x-www-form-urlencoded" $ENGINE_URL/ovirt-engine/sso/oauth/token

[nicexe2e4]

For more debug purposes run this:

{"access_token":"8o57iEcrSzh5wX-HbOlkCvTfnpUjTo4AWCR4Abo3Xee5z86XDZueI4ubqEYf3QWD8dKz_EXwhLaQXO6hjBN4LQ","scope":"ovirt-app-api ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovirt-ext=token:password-access","exp":"9223372036854775807","token_type":"bearer"}

p.s. I log in not through the internal administrator, but through myusername@mydomain

[rgolangh]

Ok sorry this is the tls complaining on the certificate, not related to the token. Can we examine you ca.pem? openssl x509 -in /etc/pki/ovirt-engine/ca.pem -text

[k0ste]

@rgolangh

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4096 (0x1000)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=opentech.local, CN=control1.opentech.local.54279
        Validity
            Not Before: Jan 18 15:50:52 2016 GMT
            Not After : Jan 15 15:50:52 2026 GMT
        Subject: C=US, O=opentech.local, CN=control1.opentech.local.54279
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:aa:92:da:8a:cb:7c:30:96:18:03:6b:10:7d:43:
                    c5:90:fd:d2:b6:53:1e:88:4f:3b:2b:5f:42:06:87:
                    32:ea:6c:0d:2b:25:f8:87:16:3e:63:db:9a:3b:1a:
                    6f:2d:a9:8b:24:53:23:df:5f:88:87:95:36:8d:1d:
                    5a:82:65:2b:a8:4a:77:ef:d3:c4:86:90:35:73:67:
                    64:64:94:8f:eb:89:9a:c3:ea:9e:c3:8b:e0:d6:2c:
                    ac:53:78:1f:a1:57:d4:e6:c9:6e:34:9b:b7:61:a9:
                    30:01:9b:ee:71:45:b1:50:14:71:c7:e2:ad:2e:60:
                    50:d7:35:ac:8d:95:91:b6:c2:88:f6:b2:1a:66:49:
                    da:80:48:a3:fb:f7:50:66:4a:18:fc:c4:1b:1a:8a:
                    91:af:ec:7f:45:69:74:7d:cf:44:90:36:bd:56:16:
                    ea:cd:ba:12:e1:b6:11:88:be:82:48:47:b3:30:ed:
                    57:ae:fd:e8:b5:99:12:63:bc:ae:92:5f:6c:9a:4a:2016
                    b0:31:35:72:80:c1:14:33:ee:81:8e:c2:82:81:12:
                    31:ca:d6:80:18:35:11:af:0e:08:c6:2f:af:00:c4:
                    ff:89:1f:9d:19:a8:60:30:6d:47:6c:f0:79:17:4f:
                    c6:14:f4:a8:ca:fb:18:da:be:03:2b:5c:4e:17:6b:
                    07:73
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                E6:B9:A9:C0:FE:D2:D7:7B:FB:68:7E:10:AC:63:22:57:16:6B:E0:9B
            X509v3 Authority Key Identifier: 
                keyid:E6:B9:A9:C0:FE:D2:D7:7B:FB:68:7E:10:AC:63:22:57:16:6B:E0:9B
                DirName:/C=US/O=opentech.local/CN=control1.opentech.local.54279
                serial:10:00

            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
    Signature Algorithm: sha1WithRSAEncryption
         98:4f:1e:53:75:c8:0b:00:fd:57:26:af:c4:42:fb:c0:ca:eb:
         1f:27:3e:4f:a8:3e:ab:85:5e:e1:9c:db:9c:e5:19:ca:82:c3:
         cd:04:6e:8d:62:f8:39:f7:db:da:07:0e:0e:ac:06:8f:28:33:
         87:3f:83:c1:2f:b5:5c:01:37:13:1f:77:cb:7d:b8:7a:28:76:
         7f:07:8f:f1:b3:c9:93:0f:0e:9e:5f:f4:6a:10:07:a5:25:7e:
         54:b3:31:70:57:12:af:45:20:55:bb:63:15:10:5a:fd:e7:0b:
         1c:e8:9d:4d:fb:63:80:ab:26:1c:12:0e:aa:3e:73:a5:ca:00:
         fc:a0:f0:04:de:5f:d8:3d:79:b1:72:38:b1:ed:ce:1a:b9:7e:
         9c:1b:29:a2:28:d7:26:ac:83:60:0d:47:74:f6:35:81:b9:0c:
         ab:21:c6:ad:d6:ee:95:4b:61:08:35:9c:0e:3f:dd:a9:1c:bf:
         cd:14:60:9b:29:c0:b0:79:09:85:84:20:29:26:7a:c5:ea:3c:
         95:3c:59:8c:6d:61:b2:cb:08:b8:ee:97:ea:24:a5:aa:1e:b8:
         0f:08:a7:17:e2:22:89:a4:88:af:22:0f:d2:19:2b:7c:aa:44:
         d9:67:7d:a2:73:94:9b:04:f0:12:51:34:82:25:2d:45:ab:bb:
         f3:06:73:0e

[nicexe2e4]

@rgolangh Hi, sorry, is there a new info?

[rgolangh]

@nicexe2e4 is this still happening? can you add the relevant ovirt engine.log from /var/log/ovirt-engine/engine.log if it does?