oidc-dex container is reporting 3 TLS errors every 10 seconds on subclouds

Bug #1879794 reported by Ghada Khalil
Affects: StarlingX
Status: Invalid
Importance: Medium
Assigned to: Teresa Ho

Bug Description

Brief Description
-----------------
After installing the Windows AD OIDC application on the subclouds, the container log is reporting 3 TLS errors every 10 seconds.

$ kubectl logs -f oidc-dex-5b8d7d6f7c-nnrg2 -n kube-system

2020/04/08 18:34:14 http: TLS handshake error from 169.254.202.2:37268: remote error: tls: bad certificate
2020/04/08 18:34:24 http: TLS handshake error from 169.254.202.2:37346: remote error: tls: bad certificate
2020/04/08 18:34:34 http: TLS handshake error from 169.254.202.2:37418: remote error: tls: bad certificate

Severity
--------
Minor - doesn't seem to have a negative system impact, but floods the logs

Steps to Reproduce
------------------
- Run helm-override update "system helm-override-update oidc-auth-apps dex kube-system --values /home/sysadmin/ssl/dex-overrides.yaml"

- On the subcloud, apply the AD OIDC application "system application-apply oidc-auth-apps"

- Run command "kubectl logs -f oidc-dex-5b8d7d6f7c-nnrg2 -n kube-system"

- Log message "2020/04/13 13:06:44 http: TLS handshake error from 169.254.202.2:44314: remote error: tls: bad certificate" is seen every 10 seconds.

Expected Behavior
------------------
No error logs

Actual Behavior
----------------
Error logs are generated every 10 seconds

Reproducibility
---------------
Reproducible

System Configuration
--------------------
Distributed Cloud / issue is on the subclouds

Branch/Pull Time/Commit
-----------------------
Any recent stx master load

Last Pass
---------
N/A - this is likely an issue since the introduction of the active directory feature

Timestamp/Logs
--------------
See above

Test Activity
-------------
Feature Testing

Workaround
----------
Unknown
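
One way to triage log lines like those quoted above, as an added example that is not part of the original report: it groups handshake failures by client address and reason and flags clients that fail at a fixed interval. In Go's TLS stack, "remote error" means the alert came from the peer, so the client at 169.254.202.2 is the side rejecting the certificate dex presents. The 192.0.2.9 line and the function name `summarize` are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: the three lines quoted in the report, plus one
# constructed line from a documentation-range address for contrast.
SAMPLE_LOG = """\
2020/04/08 18:34:14 http: TLS handshake error from 169.254.202.2:37268: remote error: tls: bad certificate
2020/04/08 18:34:24 http: TLS handshake error from 169.254.202.2:37346: remote error: tls: bad certificate
2020/04/08 18:34:34 http: TLS handshake error from 169.254.202.2:37418: remote error: tls: bad certificate
2020/04/08 18:34:35 http: TLS handshake error from 192.0.2.9:51000: EOF
"""

# Go's net/http logs "<date> <time> http: TLS handshake error from <addr>: <reason>".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) http: TLS handshake error "
    r"from (?P<ip>\[[0-9a-fA-F:.]+\]|[\d.]+):\d+: (?P<reason>.+)$"
)

def summarize(log_text, tolerance_s=1.0):
    """Group handshake errors by (client IP, reason) and flag fixed-interval repeats."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # unrelated log line
        ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
        seen[(m["ip"].strip("[]"), m["reason"])].append(ts)

    report = {}
    for key, stamps in seen.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mid = median(gaps) if gaps else None
        # Periodic: at least three events and every gap within tolerance of the median.
        periodic = len(stamps) >= 3 and all(abs(g - mid) <= tolerance_s for g in gaps)
        report[key] = {"count": len(stamps), "median_gap_s": mid, "periodic": periodic}
    return report

if __name__ == "__main__":
    for (ip, reason), info in summarize(SAMPLE_LOG).items():
        print(ip, reason, info)
```

A client flagged as periodic with a "remote error" reason is a candidate for checking which CA bundle and issuer URL that caller is configured with.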

Ghada Khalil (gkhalil) wrote :

stx.4.0 / medium priority - this should be investigated in case it's indicative of a bigger issue

Changed in starlingx:
assignee: nobody → Jerry Sun (jerry-sun-u)
status: New → Triaged
importance: Undecided → Medium
tags: added: stx.4.0 stx.apps
Ghada Khalil (gkhalil)
Changed in starlingx:
assignee: Jerry Sun (jerry-sun-u) → Teresa Ho (teresaho)
Ghada Khalil (gkhalil)
tags: added: stx.security
Ghada Khalil (gkhalil)
Changed in starlingx:
assignee: Teresa Ho (teresaho) → Jerry Sun (jerry-sun-u)
Ghada Khalil (gkhalil)
Changed in starlingx:
status: Triaged → In Progress
Ghada Khalil (gkhalil) wrote :

Moving to stx.5.0 as there hasn't been any negative system impact related to this error. The oidc-dex is fully functional.

tags: added: stx.5.0
removed: stx.4.0
Ghada Khalil (gkhalil)
Changed in starlingx:
assignee: Jerry Sun (jerry-sun-u) → Teresa Ho (teresaho)
Ghada Khalil (gkhalil) wrote :

Attempts to reproduce this issue were not successful in recent loads.
The suspicion is that the Kubernetes cluster kube-apiserver was perhaps not configured with the issuer_url pointing to the floating OAM IP of the subcloud.

Changed in starlingx:
status: In Progress → Invalid