Certificate in openshift 4.x

[paologallinaharbur]

Description

When deploying on openshift 4.x the metadata injector doesn't work as expected.
The root cause of the issue seems to be the certificate generation.

We are seeing checking the logs of the nri-bundle-nri-metadata-injection:

2020/10/16 09:45:12 http: TLS handshake error from 10.131.0.29:37428: remote error: tls: unknown certificate authority
2020/10/16 09:53:39 http: TLS handshake error from 10.129.0.1:49314: remote error: tls: bad certificate

We checked the certificate with the CA provided by MutatingWebhookConfiguration and in a random minikube is valid in openshift it is not.

That CA is added by our script, that takes it from /run/secrets/kubernetes.io/serviceaccount/ca.crt, but the certificated generated and placed into nri-bundle-nri-metadata-injection is signed by a different CA

For older version of openshift (3.x) there is a Guide to follow in order to set it up properly, but it does not apply for 4.x

Expected Behavior

The Metadata injection should work properly

Steps to Reproduce

In an openshift 4.x cluster install nri-bundle

[paologallinaharbur]

possible similar issue openshift/installer#3124

[paologallinaharbur]

The CA that is used to sign the certificate it is not the one stored in /run/secrets/kubernetes.io/serviceaccount/ca.crt, but in the secret namespace: openshift-kube-controller-manager secretName: csr-signer.

Having it is enough to patch the mutatingwebhookconfiguration object with that CA and we have those envVars.

To fix it we should upgrade kubectl version and create a if/else condition to grab the correct certificate when running in openshift.

Certificate rotation is still an Issue I believe, in our cluster the TTL is one month