I am having issues when configuring a follower in an OpenShift cluster and the pod logs don’t say much. I suspect it is related with the SSL certificates from the Conjur Master sitting outside of the OpenShift cluster, but, it has been hard to find the right logs to determine the root-cause.
You can get a little more insight into what is going on by looking at the logs for the init container (usually named “authenticator”, but you might have a different name in your deployment). If that doesn’t get you unblocked, then you might need to turn on debug logging on the master. Before going that far though, check to make sure that you’ve initialized the CA for the authenticator, that the follower pod is authorized to use both the authn-k8s webservice as well as the seed service, and that you aren’t doing SSL termination on the load balancer sitting in front of the master (assuming you are using a load balancer). That last one is a common one that trips folks up. When the LB does the SSL offloading, it inadvertently strips the CSR used by our authenticator as well.
I’d also suggest using the latest versions of the appliance and seed-fetcher init container if you aren’t already as we’ve made some improvements in the logging facilities that make troubleshooting a little easier. I hope that helps get you going. Please be sure to let us know what you find as the root cause!
Hi @nathan.whipple, thanks for your reply. I’ll go through it and post more details when possible. I am not using an LB in front of the Conjur master just yet, but will be mindful of that in the future.
From the authenticator pod logs I only see: WARN: Seed URL not found - assuming seedfile exists on the follower!
/root is not writable.
Bundler will use `/tmp/bundler/home/unknown’ as your home directory temporarily.
Rails Error: Unable to access log file. Please ensure that /opt/conjur/possum/log/appliance.log exists and is writable (ie, make it writable for user and group: chmod 0664 /opt/conjur/possum/log/appliance.log). The log level has been raised to WARN and the output directed to STDERR until the problem is fixed.
Populated CA and Key of service conjur/authn-k8s/openshift
To print values:
conjur variable value conjur/authn-k8s/openshift/ca/cert
conjur variable value conjur/authn-k8s/openshift/ca/key
I just noticed the above. I’m pretty confident our CA will not issue certificates with IP addresses in the name. Assuming you’re using self-signed certificates, I wouldn’t expect the SSL handshake on this health probe to work. Can you confirm if the certificate for the follower has IP addresses in the subject or subject alternate names? Does the health probe work if the name in the follower certificate is used for the probe instead?