Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unable to use OpenShift 4.3 for CRC #978

Closed
gbraad opened this issue Jan 29, 2020 · 4 comments
Closed

Unable to use OpenShift 4.3 for CRC #978

gbraad opened this issue Jan 29, 2020 · 4 comments
Labels
kind/bug Something isn't working points/3 priority/critical

Comments

@gbraad
Copy link
Contributor

gbraad commented Jan 29, 2020

Currently we are unable to produce usable images for CRC that run OpenShift 4.3. Details for this can be found in: https://bugzilla.redhat.com/show_bug.cgi?id=1795163

If you need to run 4.3, please consider using the installer to create a regular cluster (avoiding to set up a SNC).
@gbraad gbraad mentioned this issue Jan 29, 2020
Closed
@gbraad gbraad pinned this issue Jan 30, 2020
@gbraad gbraad mentioned this issue Jan 30, 2020
Closed
@tmds
Copy link

tmds commented Feb 12, 2020

@gbraad I'd like to run OpenShift 4.3 on my dev machine and found this issue.
Any recommendation on how I can run 4.3 (other can crc)?
Do you think there will be a version of crc soon that supports 4.3?

@gbraad
Copy link
Contributor Author

gbraad commented Feb 12, 2020

We have a workaround that is planned for the coming release. Code freeze is this Friday.

praveenkumar added a commit that referenced this issue Feb 12, 2020
@praveenkumar
Issue #978 Wait for update of client-ca request header
1937a9c 
In Openshift 4.3, when cluster comes up, the following happens
1. After the openshift-apiserver pod is started, its log contains multiple occurrences of `certificate has expired or is not yet valid`
2. Initially there is no request-header's client-ca crt available to `extension-apiserver-authentication` configmap
3. In the pod logs `missing content for CA bundle "client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file"`
4. After ~1 min /etc/kubernetes/static-pod-resources/kube-apiserver-certs/configmaps/aggregator-client-ca/ca-bundle.crt is regenerated
5. It is now also appear to `extension-apiserver-authentication` configmap as part of request-header's client-ca content
6. Openshift-apiserver is able to load the CA which was regenerated
7. Now apiserver pod log contains multiple occurrences of `error x509: certificate signed by unknown authority`
When the openshift-apiserver is in this state, the cluster is non functional.
A restart of the openshift-apiserver pod is enough to clear that error and get a working cluster.
This is a work-around while the root cause is being identified.

More info: https://bugzilla.redhat.com/show_bug.cgi?id=1795163
@praveenkumar
Copy link
Member

I am closing this issue since now we have a workaround which works for 4.3.x and also made a release.

@gbraad
Copy link
Contributor Author

gbraad commented Feb 27, 2020

We still have issues with 4.3.x and 4.4 that are tracked on our projects boards https://github.com/code-ready/crc/projects/24

@gbraad gbraad unpinned this issue Feb 27, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/bug Something isn't working points/3 priority/critical
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@gbraad @praveenkumar @tmds