open-cluster-management-io / registration

hub / spoke registration controllers
Apache License 2.0

Registration failed on invalid certificate #294

Open cezhang opened 1 year ago

cezhang commented 1 year ago

Hi, I follow the Quick start section, and do that in two scenarios:

  1. hub(k3s) - spoke(k3s), k3s created by k3d (running on my local macbook), registration ok
  2. hub(azure ack) - spoke(k3s), k3s created by k3d (running on my local macbook), registration failed

Logs shown in klusterlet-registration-agent in the open-cluster-management-agent namespace:

k8s.io/client-go@v0.24.3/tools/cache/reflector.go:167: failed to list *v1.CertificateSigningRequest: Get "https://*******:443/apis/certificates.k8s.io/v1/certificatesigningrequests?limit=500&resourceVersion=0": x509: certificate signed by unknown authority
k8s.io/client-go@v0.24.3/tools/cache/reflector.go:167: Failed to watch *v1.CertificateSigningRequest: failed to list *v1.CertificateSigningRequest: Get "https://*******:443/apis/certificates.k8s.io/v1/certificatesigningrequests?limit=500&resourceVersion=0": x509: certificate signed by unknown authority

I also checked the log from cluster-manager:

W0207 03:25:39.607494       1 cmd.go:213] Using insecure, self-signed certificates
I0207 03:25:40.066363       1 observer_polling.go:159] Starting file observer
W0207 03:25:40.101862       1 builder.go:230] unable to get owner reference (falling back to namespace): pods is forbidden: User "system:serviceaccount:open-cluster-management:cluster-manager" cannot list resource "pods" in API group "" in the namespace "open-cluster-management"
I0207 03:25:40.102038       1 builder.go:262] clustermanager version v0.9.0-0-g919dae6-919dae6
W0207 03:25:40.541528       1 secure_serving.go:69] Use of insecure cipher 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256' detected.
W0207 03:25:40.541550       1 secure_serving.go:69] Use of insecure cipher 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256' detected.
...

Same in both scenarios.

What am I missing?

skeeey commented 1 year ago

It seems the bootstrap kubeconfig has problems. Would you try to expose the bootstrap kubeconfig from the managed cluster bootstrap kubeconfig secret (kubectl -n open-cluster-management-agent get secrets bootstrap-hub-kubeconfig -oyaml) and use it to connect to the hub?
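The check suggested above, written out as an added shell example (not the project's own code): pull the kubeconfig out of the bootstrap-hub-kubeconfig secret, read the hub server URL and the embedded CA from it, and let openssl tell you whether the certificate the hub actually serves chains to that CA. The kubeconfig text below is a constructed sample with placeholder values (hub.example.invalid, a fake certificate-authority-data string, a fake token); kubectl and openssl on the PATH and access to the managed cluster are assumed for the live path.

```shell
#!/bin/sh
# Added example, not part of open-cluster-management-io/registration.
# Diagnoses "x509: certificate signed by unknown authority" on the spoke by
# comparing the CA inside the bootstrap kubeconfig with what the hub serves.
set -eu

# Constructed sample of the kubeconfig stored in the secret's data.kubeconfig.
# Every value is a placeholder; the CA data decodes to a PEM header only.
SAMPLE_KUBECONFIG='apiVersion: v1
kind: Config
clusters:
- name: hub
  cluster:
    server: https://hub.example.invalid:443
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0t
contexts:
- name: bootstrap
  context: {cluster: hub, user: bootstrap}
current-context: bootstrap
users:
- name: bootstrap
  user:
    token: PLACEHOLDER-TOKEN'

# Print the first "server:" value of a kubeconfig read from stdin.
kubeconfig_server() {
  sed -n '/^[[:space:]]*server:/{s/^[[:space:]]*server:[[:space:]]*//p;q;}'
}

# Print the first certificate-authority-data (base64) of a kubeconfig on stdin.
kubeconfig_ca_b64() {
  sed -n '/^[[:space:]]*certificate-authority-data:/{s/^[[:space:]]*certificate-authority-data:[[:space:]]*//p;q;}'
}

# Turn "https://host[:port]" into "host:port" for openssl, defaulting to 443.
hub_host_port() {
  hp=${1#https://}
  case $hp in
    *:*) printf '%s\n' "$hp" ;;
    *)   printf '%s:443\n' "$hp" ;;
  esac
}

# Live path: read the kubeconfig out of the secret on the managed cluster.
fetch_bootstrap_kubeconfig() {
  kubectl -n open-cluster-management-agent get secret bootstrap-hub-kubeconfig \
    -o jsonpath='{.data.kubeconfig}' | base64 -d
}

# Live path: verify the hub's served chain using only the embedded CA.
# A non-zero openssl exit here is the same trust failure the agent logs.
check_hub_ca() {
  kubeconfig=$1
  server=$(printf '%s\n' "$kubeconfig" | kubeconfig_server)
  target=$(hub_host_port "$server")
  ca_file=$(mktemp)
  printf '%s\n' "$kubeconfig" | kubeconfig_ca_b64 | base64 -d > "$ca_file"
  if openssl s_client -connect "$target" -CAfile "$ca_file" \
       -verify_return_error </dev/null >/dev/null 2>&1; then
    echo "OK: $server serves a certificate that chains to the bootstrap CA"
  else
    echo "MISMATCH: $server does not chain to the CA in the bootstrap kubeconfig"
    echo "          (the agent will report 'certificate signed by unknown authority')"
  fi
  rm -f "$ca_file"
}

# Run against a real cluster with: sh check_bootstrap_ca.sh --live
if [ "${1:-}" = "--live" ]; then
  check_hub_ca "$(fetch_bootstrap_kubeconfig)"
fi
```

If openssl reports a mismatch while `kubectl --kubeconfig=<extracted file> get csr` also fails, the secret was generated against a different hub endpoint or an older CA than the one the hub currently presents; regenerating the bootstrap kubeconfig from the hub is the fix, not loosening TLS verification on the agent.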

skeeey commented 1 year ago

Or would you try the command clusteradm (https://github.com/open-cluster-management-io/clusteradm) to register your clusters? I think clusteradm is easier than the make scripts, thanks.

cezhang commented 1 year ago

Or would you try the command clusteradm (https://github.com/open-cluster-management-io/clusteradm) to register your clusters? I think clusteradm is easier than the make scripts, thanks.

I was using clusteradm. Already tried twice, still the same problem.

qiujian16 commented 1 year ago

Which version of clusteradm are you using? We are testing k3s and updating the doc here: https://github.com/open-cluster-management-io/open-cluster-management-io.github.io/pull/318/files#diff-d98b6f00dd920af6592871b061781aaa7e9e350aa1eafaf6ee62f689bf43a4e2

cezhang commented 1 year ago

Which version of clusteradm are you using? We are testing k3s and updating the doc here: https://github.com/open-cluster-management-io/open-cluster-management-io.github.io/pull/318/files#diff-d98b6f00dd920af6592871b061781aaa7e9e350aa1eafaf6ee62f689bf43a4e2

client version: v0.4.1
server release version: v1.24.4+k3s1
default bundle version: 0.9.1

qiujian16 commented 1 year ago

Hrm, I think the failed case is running AKS as a hub (or ACK?). We met some issues running AKS as hub before. Will recheck and come back later.

cezhang commented 1 year ago

Yes, Azure k8s service as hub.

skeeey commented 1 year ago

OK, we will try it on our side, thanks.

skeeey commented 1 year ago

/cc @ldpliu

ldpliu commented 1 year ago

@cezhang I tried AKS (with default config) in my env, and it works fine. Do you have any special config like CNI when you create the AKS cluster?

cezhang commented 1 year ago

I tried it in a new AKS env (1.25.1); it's OK, but not with my 1.22 (AKS), all with default config. Let me take a deeper look at this before I get back here.

BTW, thanks.