Comments (16)

ecordell avatar ecordell commented on June 1, 2024 1

When you hit the package server APIs you should be going through the kube-aggregator, which has the same certs as the rest of the cluster.

Could you output the status on the APIService object for packagemanifests?

Also, just so you're aware, OLM on minishift is not well tested. We verify it works on minikube 1.11, 1.12 and openshift 3.11 and 4.0 on AWS. It's possible there is a minishift-specific bug we're hitting here.

from operator-lifecycle-manager.

ecordell avatar ecordell commented on June 1, 2024

That message also shows if you have to CSVs in the namespace - do you see packages on the Package Manifests screen?

rhuss avatar rhuss commented on June 1, 2024

No, I don't (it's a naked minishift and make run-local-shift called to install the OLM and friends)

image

rhuss avatar rhuss commented on June 1, 2024

I have one CSV installed though:

$ oc get clusterserviceversion -n myproject
NAME              AGE
syndesis.v1.5.4   2h

but have not registered any CRDs manually (still on my way to understanding how InstallPlans and Subscriptions work to automatically register CRDs for a subscription).

ecordell avatar ecordell commented on June 1, 2024

The local scripts install OLM differently than they would be installed in a real cluster - they're configured to just watch one namespace, instead of all. I suspect that you'll see packages if you look at the local namespace, which is where catalog/package-server are running and watching.

It might be easiest to simply remove watchedNamespaces from the olm, catalog, and package server deployment, which will cause them to have the default behavior of watching all namespaces.

The CSV not showing in the UI may be some UI-specific issue I'm not recalling; it may do some checks to see if OLM is running the way it thinks it should be before displaying.

rhuss avatar rhuss commented on June 1, 2024

I tried it with the 'local' namespace, too, but with the same effect:

image

Going to reinstall now, with removing the watchedNamespace in local-values-shift.yaml

rhuss avatar rhuss commented on June 1, 2024

Actually, I did the same now with watchedNamespace set to null, with the same effect.

Interestingly, I'm offered to create a new "Subscriptions" but end up with the following error:

image

And indeed, there is no PackageManifest CRD registered, after a make run-local-shift

oc get customresourcedefinition
NAME                                                                     AGE
catalogsources.operators.coreos.com                                      5m
clusterserviceversions.operators.coreos.com                              5m
installplans.operators.coreos.com                                        5m
openshiftwebconsoleconfigs.webconsole.operator.openshift.io              12m
servicecertsigneroperatorconfigs.servicecertsigner.config.openshift.io   14m
subscriptions.operators.coreos.com                                       5m

alecmerdler avatar alecmerdler commented on June 1, 2024

@rhuss PackageManifest is actually not a CRD, but provided by an aggregated API server. Make sure you have it installed.

rhuss avatar rhuss commented on June 1, 2024

@alecmerdler yes, it is (I used make run-local-shift which created all resources from the helm templates):

oc get apiservice v1alpha1.packages.apps.redhat.com
NAME                                AGE
v1alpha1.packages.apps.redhat.com   1h

Still I get the error above.

To recap, that's what I did to get there:

minishift start
minishift addon enable admin-user

oc login -u system:admin

# See https://github.com/operator-framework/operator-lifecycle-manager/pull/537
perl -p -i -e 's/alm/olm/' Documentation/install/local-values-shift.yaml

# For testing ...
oc adm policy add-cluster-role-to-user cluster-admin system:serviceaccount:kube-system:default

make run-local-shift
scripts/run_console_local.sh

open https://localhost:9000

rhuss avatar rhuss commented on June 1, 2024

I think that "404" is a bit misleading, because when I look into the browser's debugging console, I see a 503 as the only error:

image

with this response body:

image

alecmerdler avatar alecmerdler commented on June 1, 2024

@rhuss Ah, clearly there is an error with certificates for package-server deployment. @njhale do you have any idea why this is happening?

rhuss avatar rhuss commented on June 1, 2024

Sure:

oc get apiservice v1alpha1.packages.apps.redhat.com -o yaml

apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"apiregistration.k8s.io/v1beta1","kind":"APIService","metadata":{"annotations":{},"name":"v1alpha1.packages.apps.redhat.com","namespace":""},"spec":{"caBundle":"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","group":"packages.apps.redhat.com","groupPriorityMinimum":2000,"service":{"name":"package-server","namespace":"local"},"version":"v1alpha1","versionPriority":15}}
  creationTimestamp: 2018-10-25T15:38:08Z
  name: v1alpha1.packages.apps.redhat.com
  resourceVersion: "3963"
  selfLink: /apis/apiregistration.k8s.io/v1/apiservices/v1alpha1.packages.apps.redhat.com
  uid: f8e37514-d86b-11e8-8e75-8e91d40e974c
spec:
  caBundle: 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
  group: packages.apps.redhat.com
  groupPriorityMinimum: 2000
  service:
    name: package-server
    namespace: local
  version: v1alpha1
  versionPriority: 15
status:
  conditions:
  - lastTransitionTime: 2018-10-25T15:38:12Z
    message: all checks passed
    reason: Passed
    status: "True"
    type: Available

rhuss avatar rhuss commented on June 1, 2024

To me it looks like the error message comes from the aggregator service, as it involves the package-server service DNS. Naively I would say that the package-server serves a server cert valid for "localhost" but not valid with its proper service name (package-server.local.svc).

But when I look at the certs used by package-server with

oc get secrets package-server-certs -o json \
    | jq '.data."tls.crt"' -r \
    | base64 --decode \
    | openssl x509 -text -noout

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            71:23:35:fb:59:d7:b3:47:f8:ad:28:27:a8:c9:ac:83
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=package-server-ca
        Validity
            Not Before: Oct 25 15:38:02 2018 GMT
            Not After : Oct 25 15:38:02 2019 GMT
        Subject: CN=package-server
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Alternative Name: 
                DNS:package-server.local, DNS:package-server.local.svc
    Signature Algorithm: sha256WithRSAEncryption

it's clear that it serves for DNS:package-server.local, DNS:package-server.local.svc and not localhost.

Also interesting is the log of the package-server pod:

I1025 18:14:00.828093       1 logs.go:49] http: TLS handshake error from 192.168.64.159:50180: remote error: tls: bad certificate
I1025 18:14:01.691384       1 wrap.go:42] GET /healthz: (84.215µs) 200 [[kube-probe/1.11+] 172.17.0.1:56870]
I1025 18:14:02.053662       1 logs.go:49] http: TLS handshake error from 192.168.64.159:50184: remote error: tls: bad certificate
I1025 18:14:05.046505       1 logs.go:49] http: TLS handshake error from 192.168.64.159:50196: remote error: tls: bad certificate
I1025 18:14:05.545423       1 wrap.go:42] GET /healthz: (129.261µs) 200 [[kube-probe/1.11+] 172.17.0.1:56888]
I1025 18:14:07.002477       1 logs.go:49] http: TLS handshake error from 192.168.64.159:50214: remote error: tls: bad certificate
I1025 18:14:08.713936       1 logs.go:49] http: TLS handshake error from 192.168.64.159:50220: remote error: tls: bad certificate

which indicates that the controller doing the health checks is not happy with the cert served.

rhuss avatar rhuss commented on June 1, 2024

Actually I'm not a helm expert or even user, but where does this

{{- $altNames := list ( printf "package-server.%s" .Values.namespace ) ( printf "package-server.%s.svc" .Values.namespace ) -}}
{{- $cert := genSignedCert "package-server" nil $altNames 365 $ca }}
tls.crt: {{ b64enc $cert.Cert }}
tls.key: {{ b64enc $cert.Key }}

"genSignedCert" come from and which CA is it using?

from operator-lifecycle-manager.
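
The two conditions raised in the comments above (SAN coverage of the service DNS name, and which CA signed the serving certificate), as an added example that is not part of the thread or of OLM's code: the aggregator accepts a backend only if its serving certificate chains to the APIService `caBundle` and is valid for `<service>.<namespace>.svc`. All certificates are constructed in-process, `issue` and `verifyAsAggregator` are hypothetical helper names, and the regenerated-CA and other-namespace cases are constructed scenarios rather than findings from this issue.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a constructed test certificate; a nil parent yields a self-signed CA.
func issue(cn string, sans []string, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, DNSNames: sans,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if parent == nil {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, signer = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verifyAsAggregator trusts only caBundle and requires the name <svc>.<ns>.svc.
func verifyAsAggregator(serving, caBundle *x509.Certificate, svc, ns string) error {
	roots := x509.NewCertPool()
	roots.AddCert(caBundle)
	_, err := serving.Verify(x509.VerifyOptions{Roots: roots, DNSName: svc + "." + ns + ".svc"})
	return err
}

func main() {
	ca, caKey := issue("package-server-ca", nil, nil, nil)
	regenerated, _ := issue("package-server-ca", nil, nil, nil) // same CN, different key
	serving, _ := issue("package-server", []string{"package-server.local", "package-server.local.svc"}, ca, caKey)
	fmt.Println("caBundle matches signer:", verifyAsAggregator(serving, ca, "package-server", "local"))
	fmt.Println("caBundle is another CA: ", verifyAsAggregator(serving, regenerated, "package-server", "local"))
	fmt.Println("service in other ns:    ", verifyAsAggregator(serving, ca, "package-server", "olm"))
}
```

The second case fails even though issuer CN and SANs look identical in `openssl x509 -text` output, so comparing the public key of the CA in `caBundle` with the one that signed `tls.crt` is the check that separates the two.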

rhuss avatar rhuss commented on June 1, 2024

@ecordell I can confirm that the setup works for me with Minikube 0.30, Kubernetes 1.11.4, origin-console v3.11 without any tweaks (origin-console:latest doesn't work as described in #540)

So I agree that it has to be an issue with Minishift. My Minishift setup is: v1.26.0+2fb32c8 with OpenShift 3.11

ecordell avatar ecordell commented on June 1, 2024

Since this was opened we have changed how we deploy the packages server entirely. I will close this and we can re-open if we find problems with the latest version of OLM (although minishift is not supported by the installer, libvirt instead)
