Unable to Register New Nodes in HostedCluster When Adding API Server Certificate
alfredtm opened this issue
Hello! When adding an API server certificate to the HostedCluster:

```yaml
apiVersion: hypershift.openshift.io/v1beta1
kind: HostedCluster
metadata:
  name: test
  namespace: test
spec:
  configuration:
    apiServer:
      servingCerts:
        namedCertificates:
          - servingCertificate:
              name: tls-secret
```
the bootstrap-kubeconfig is no longer trusted:

```
Unable to connect to the server: tls: failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "root-ca")
```
This seems to be an issue when adding new nodes (using kubevirt) to the cluster. They don't register/show up on the HostedCluster.
When not adding a certificate to the apiServer, the nodes register fine.
I resolved this by setting `servicePublishingStrategy.loadBalancer.hostname` to the apiServer's internal service URL. The `certificate-authority-data` in bootstrap-kubeconfig is then trusted.
Reopening this issue
We are experiencing issues using the apiserver internal service URL at a later stage in our deployment.
Ideally we would like to use the external apiserver FQDN in `servicePublishingStrategy.loadBalancer.hostname`. But when adding the apiserver certificate, the bootstrap-kubeconfig is no longer trusted.
Is there any way to modify the bootstrap-kubeconfig?
I also found this issue, which seems to be the same issue I am experiencing: https://issues.redhat.com/browse/OCPBUGS-19067
We have the same issue.
Same issue here, has anyone solved it?