Comments (16)
When you hit the package server APIs you should be going through the kube-aggregator, which has the same certs as the rest of the cluster.
Could you output the status on the APIService object for packagemanifests?
Also, just so you're aware, OLM on minishift is not well tested. We verify it works on minikube 1.11, 1.12 and openshift 3.11 and 4.0 on AWS. It's possible there is a minishift-specific bug we're hitting here.
from operator-lifecycle-manager.
That message also shows if you have to CSVs in the namespace - do you see packages on the Package Manifests screen?
from operator-lifecycle-manager.
No, I don't (it's a naked minishift and make run-local-shift called to install the OLM and friends)
from operator-lifecycle-manager.
I have one CSV installed though:
$ oc get clusterserviceversion -n myproject
NAME AGE
syndesis.v1.5.4 2h
but not registered any CRDs manually (still on my way to understand how InstallPlans and Subscriptions are working to automatically register CRDs for a subscription).
from operator-lifecycle-manager.
The local scripts install OLM differently than they would be installed in a real cluster - they're configured to just watch one namespace, instead of all. I suspect that you'll see packages if you look at the local namespace, which is where catalog/package-server are running and watching.
It might be easiest to simply remove watchedNamespaces from the olm, catalog, and package server deployment, which will cause them to have the default behavior of watching all namespaces.
The CSV not showing in the UI may be some UI-specific issue I'm not recalling; it may do some checks to see if OLM is running the way it thinks it should be before displaying.
from operator-lifecycle-manager.
I tried it with the 'local' namespace, too, but with the same effect:
Going to reinstall now, with removing the watchedNamespace in local-values-shift.yaml
from operator-lifecycle-manager.
Actually, I did the same now with watchedNamespace set to null, with the same effect.
Interestingly, I'm offered to create a new "Subscriptions" but end up with the following error:
And indeed, there is no PackageManifest CRD registered, after a make run-local-shift
oc get customresourcedefinition
NAME AGE
catalogsources.operators.coreos.com 5m
clusterserviceversions.operators.coreos.com 5m
installplans.operators.coreos.com 5m
openshiftwebconsoleconfigs.webconsole.operator.openshift.io 12m
servicecertsigneroperatorconfigs.servicecertsigner.config.openshift.io 14m
subscriptions.operators.coreos.com 5m
from operator-lifecycle-manager.
@rhuss PackageManifest is actually not a CRD, but provided by an aggregated API server. Make sure you have it installed.
from operator-lifecycle-manager.
@alecmerdler yes, it is (I used make run-local-shift which created all resources from the helm templates):
oc get apiservice v1alpha1.packages.apps.redhat.com
NAME AGE
v1alpha1.packages.apps.redhat.com 1h
Still I get the error above.
To recap, that's what I did to get there:
minishift start
minishift addon enable admin-user
oc login -u system:admin
# See https://github.com/operator-framework/operator-lifecycle-manager/pull/537
perl -p -i -e 's/alm/olm/' Documentation/install/local-values-shift.yaml
# For testing ...
oc adm policy add-cluster-role-to-user cluster-admin system:serviceaccount:kube-system:default
make run-local-shift
scripts/run_console_local.sh
open https://localhost:9000
from operator-lifecycle-manager.
I think that "404" is a bit misleading, because when I look into the browser's debugging console, I see a 503 as the only error:
with this response body:
from operator-lifecycle-manager.
@rhuss Ah, clearly there is an error with certificates for package-server deployment. @njhale do you have any idea why this is happening?
from operator-lifecycle-manager.
Sure:
oc get apiservice v1alpha1.packages.apps.redhat.com -o yaml
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"apiregistration.k8s.io/v1beta1","kind":"APIService","metadata":{"annotations":{},"name":"v1alpha1.packages.apps.redhat.com","namespace":""},"spec":{"caBundle":"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","group":"packages.apps.redhat.com","groupPriorityMinimum":2000,"service":{"name":"package-server","namespace":"local"},"version":"v1alpha1","versionPriority":15}}
  creationTimestamp: 2018-10-25T15:38:08Z
  name: v1alpha1.packages.apps.redhat.com
  resourceVersion: "3963"
  selfLink: /apis/apiregistration.k8s.io/v1/apiservices/v1alpha1.packages.apps.redhat.com
  uid: f8e37514-d86b-11e8-8e75-8e91d40e974c
spec:
  caBundle: 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
  group: packages.apps.redhat.com
  groupPriorityMinimum: 2000
  service:
    name: package-server
    namespace: local
  version: v1alpha1
  versionPriority: 15
status:
  conditions:
  - lastTransitionTime: 2018-10-25T15:38:12Z
    message: all checks passed
    reason: Passed
    status: "True"
    type: Available
from operator-lifecycle-manager.
For me it looks like the error message comes from the aggregator service as it involves the package-server service DNS. Naively I would say that the package-server serves a server cert valid for "localhost" but not valid with its proper service name. (package-server.local.svc)
But when I look at the certs used by package-server with
oc get secrets package-server-certs -o json \
| jq '.data."tls.crt"' -r \
| base64 --decode \
| openssl x509 -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
71:23:35:fb:59:d7:b3:47:f8:ad:28:27:a8:c9:ac:83
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=package-server-ca
Validity
Not Before: Oct 25 15:38:02 2018 GMT
Not After : Oct 25 15:38:02 2019 GMT
Subject: CN=package-server
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:e9:ed:57:dc:3d:32:8d:00:f1:ae:41:c3:c4:f4:
cd:b9:74:57:b7:f6:e0:0a:5f:d0:c4:70:a1:ba:a7:
69:e0:51:ac:57:a0:45:b9:86:a9:59:66:9a:61:b0:
75:38:fc:bd:97:a9:a4:e1:7b:ef:6b:e9:b5:48:5b:
f8:51:8a:6c:4f:16:eb:48:b4:9b:8f:7d:3d:9f:f7:
63:d0:62:58:2a:db:94:76:a0:52:ac:8e:75:13:a5:
f6:02:92:f8:db:d4:4e:ba:f3:f8:60:a9:00:b3:da:
ec:da:45:e3:d9:5a:a2:cc:41:74:e3:6c:f4:3e:b9:
42:c9:e4:ab:04:ca:6e:92:ad:1e:11:62:9c:43:36:
e6:01:05:40:25:23:0e:76:6e:51:37:34:b1:de:1e:
4d:03:c2:0e:d2:7d:24:9b:49:41:29:29:53:3f:2c:
fb:08:cd:a5:f7:4e:60:5c:a6:2e:18:48:9a:24:d8:
2f:98:c9:0c:3e:b9:75:61:97:e0:0d:88:45:69:73:
aa:05:c4:09:2b:e0:23:fa:42:25:98:8e:0d:43:5d:
32:48:44:0e:ed:f6:6d:6d:73:9c:67:48:0b:15:e1:
09:8f:ab:bb:24:b8:45:3e:5c:73:6c:af:83:23:30:
04:86:38:6c:07:ed:e7:4c:33:31:b2:7d:95:83:ca:
fb:45
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Alternative Name:
DNS:package-server.local, DNS:package-server.local.svc
Signature Algorithm: sha256WithRSAEncryption
a1:69:c4:48:2a:67:96:e3:6d:86:90:4c:8e:ae:bf:fd:4b:67:
c8:58:81:ea:8a:76:24:10:d7:36:1d:84:a0:10:90:a2:aa:fd:
68:3e:27:8c:a0:97:32:1b:1f:7e:a8:72:1a:8f:85:c1:b8:6d:
ec:d7:70:a9:8b:df:0f:ba:49:7d:a7:1b:78:8b:ba:6a:9e:1e:
e1:ab:07:41:52:a0:81:51:b9:f9:ce:c5:9c:6c:f0:5e:12:32:
17:a6:1c:46:78:69:35:35:61:f3:7e:64:da:81:3d:32:b3:db:
72:42:b1:77:7f:7d:aa:2f:0e:af:be:5c:1c:16:31:f1:69:1f:
be:8a:23:2c:9a:f6:40:9a:7e:48:cc:56:1e:1d:c6:fa:af:4e:
48:02:90:40:89:dd:5e:b1:11:02:0b:69:b7:2c:7d:da:6b:e6:
c4:9d:49:db:d8:be:de:2e:6f:b5:4c:fc:23:2b:a9:0b:a2:c7:
05:7b:fe:ed:20:6a:93:50:6a:3e:f3:b9:f5:27:bf:da:d8:c4:
93:c6:da:f4:84:2b:f9:cb:b5:58:0f:4c:13:7d:dc:cf:f0:31:
5f:ad:7c:93:b2:e0:5b:16:29:f4:7a:69:3b:fb:b3:52:47:77:
00:2c:54:67:4a:ff:37:70:ee:8e:42:b0:61:43:4c:f0:31:19:
da:21:1f:db
it's clear that it serves for DNS:package-server.local, DNS:package-server.local.svc and not localhost.
Also interesting is the log of the package-server pod:
I1025 18:14:00.828093 1 logs.go:49] http: TLS handshake error from 192.168.64.159:50180: remote error: tls: bad certificate
I1025 18:14:01.691384 1 wrap.go:42] GET /healthz: (84.215µs) 200 [[kube-probe/1.11+] 172.17.0.1:56870]
I1025 18:14:02.053662 1 logs.go:49] http: TLS handshake error from 192.168.64.159:50184: remote error: tls: bad certificate
I1025 18:14:05.046505 1 logs.go:49] http: TLS handshake error from 192.168.64.159:50196: remote error: tls: bad certificate
I1025 18:14:05.545423 1 wrap.go:42] GET /healthz: (129.261µs) 200 [[kube-probe/1.11+] 172.17.0.1:56888]
I1025 18:14:07.002477 1 logs.go:49] http: TLS handshake error from 192.168.64.159:50214: remote error: tls: bad certificate
I1025 18:14:08.713936 1 logs.go:49] http: TLS handshake error from 192.168.64.159:50220: remote error: tls: bad certificate
which indicates that the controller doing the healthchecks is not happy with the cert served.
from operator-lifecycle-manager.
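The check the comment above reasons about, written out as an added Go example (not code from this thread or from OLM): a serving certificate is accepted only if it chains to the CA in the APIService `caBundle` and carries a SAN for `<service>.<namespace>.svc`. The function names `checkServing` and `issue` are hypothetical, and the certificates are constructed in memory using the names from the thread; a `caBundle` that does not match the serving cert's issuer is the kind of mismatch a client reports as a bad certificate.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// checkServing: the cert must chain to caBundle and name <service>.<namespace>.svc.
func checkServing(caBundle, servingCert []byte, service, namespace string) error {
	roots := x509.NewCertPool()
	block, _ := pem.Decode(servingCert)
	if block == nil || !roots.AppendCertsFromPEM(caBundle) {
		return fmt.Errorf("caBundle or serving cert is not valid PEM")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: service + "." + namespace + ".svc"})
	return err
}

// issue builds a constructed test certificate; a nil parent yields a self-signed CA.
func issue(cn string, sans []string, parent *x509.Certificate, pk *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), DNSNames: sans,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if parent == nil {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, pk = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pk)
	return t, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	ca, caKey, caPEM := issue("package-server-ca", nil, nil, nil)
	_, _, stale := issue("package-server-ca", nil, nil, nil) // same CN, different key
	_, _, leaf := issue("package-server", []string{"package-server.local", "package-server.local.svc"}, ca, caKey)
	fmt.Println("matching caBundle:", checkServing(caPEM, leaf, "package-server", "local"))
	fmt.Println("stale caBundle:   ", checkServing(stale, leaf, "package-server", "local"))
	fmt.Println("name not in SAN:  ", checkServing(caPEM, leaf, "package-server", "olm"))
}
```

Against a live cluster the two inputs would be the base64-decoded `spec.caBundle` of the APIService and the `tls.crt` from the `package-server-certs` secret.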
Actually I'm not a helm expert or even user, but where does this "genSignedCert" come from and which CA is it using?
from operator-lifecycle-manager.
@ecordell I can confirm that the setup works for me with Minikube 0.30, Kubernetes 1.11.4, origin-console v3.11 without any tweaks (origin-console:latest doesn't work as described in #540).
So I agree that it has to be an issue with Minishift. My Minishift setup is: v1.26.0+2fb32c8 with OpenShift 3.11
from operator-lifecycle-manager.
Since this was opened we have changed how we deploy the packages server entirely. I will close this and we can re-open if we find problems with the latest version of OLM (although minishift is not supported by the installer, libvirt instead)
from operator-lifecycle-manager.