SSL endpoints fail to be reached by controller manager
Bug #1708452 reported by
Mohammed Naser
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Magnum |
Fix Released
|
Undecided
|
Spyros Trigazis | ||
Bug Description
Under Fedora Atomic, the `/etc/ssl/certs` folder contains the ca-bundle for all verified CAs, however, that file is a symbolic link to another path on the system
[root@k8-
lrwxrwxrwx. 1 root root 49 Jul 23 22:43 /etc/ssl/
Therefore, when k8s-controller-
The hyperkube image ships with a built in list of vetted CAs which should be enough for most users, so it's probably better to rely on it.
| Changed in magnum: | |
| assignee: | nobody → Mohammed Naser (mnaser) |
| status: | New → In Progress |
| Changed in magnum: | |
| assignee: | Mohammed Naser (mnaser) → Spyros Trigazis (strigazi) |
Revision history for this message
| OpenStack Infra (hudson-openstack) wrote Fix merged to magnum (master) | #1 |
| Changed in magnum: | |
| status: | In Progress → Fix Released |
Revision history for this message
| OpenStack Infra (hudson-openstack) wrote Fix included in openstack/magnum 5.0.0 | #2 |
To post a comment you must log in.
Reviewed: https:/
Committed: https:/
Submitter: Jenkins
Branch: master
commit ae15aa6c28e4209
Author: Mohammed Naser <email address hidden>
Date: Fri Jul 28 12:08:31 2017 -0400
Remove /etc/ssl/certs in the controller manager pod
For system such as Fedora Atomic, the CA bundle files which are
contained in /etc/ssl/certs are symbolic links to /etc/pki. When
configuring the controller manager to use an SSL endpoint, it will
raise an error as it is unable to authenticate the SSL endpoint.
This patch removes the host mount at /etc/ssl/certs. The Hyperkube
images already ship a collection of CAs which are likely good for
all needs.
Closes-Bug: #1708452
Change-Id: Ife2b60d1968482