Skip to main content
Version: 0.9.x

OAP setup in OpenShift

Since TSB 0.8.0, the OAP component in control plane listens for Envoy's ALS requests in secure gRPC connections. This improves security as the connections from all Envoy sidecars or gateways in the mesh to the OAP server will be encrypted.

The certificate for the OAP service is created by istiod and issued by the Kubernetes CA. In most Kubernetes distributions you will see that the OAP pod waits for a secret containing the certificate before starting, and that secret is created by istiod on boot.

In OpenShift clusters though, the CA that signs that certificate is not included in the CA certificate bundle mounted in the pod in the /var/run/secrets/ path. This causes the istiod pod to not be able to verify the newly created certificate which in turn triggers a rollback of the whole process. The result of this being that the OAP pod keeps waiting indefinitely for the secret.

To fix this situation in an OpenShift cluster, apply the following patch to your ControlPlane resource:

- apiVersion:
kind: IstioOperator
name: tsb-istiocontrolplane
- path: spec.meshConfig.defaultConfig.envoyAccessLogService.address
value: oap.istio-system.svc:11800
- path: spec.meshConfig.defaultConfig.envoyAccessLogService.tlsSettings.caCertificates
value: /var/run/secrets/
- apiVersion: extensions/v1beta1
kind: Deployment
name: oap-deployment
- path: spec.template.spec.containers.[name:oap].env.[name:SW_CORE_GRPC_SSL_CERT_CHAIN_PATH].value
value: /skywalking/pkin/tls.crt
- path: spec.template.spec.containers.[name:oap].env.[name:SW_CORE_GRPC_SSL_TRUSTED_CA_PATH].value
value: /skywalking/pkin/tls.crt
annotations: dns.oap-service-account
Istio CNI

The patch above shows overlays for the istio component of the ControlPlane. Note that OpenShift requires the use of Istio CNI so you will need to merge the changes required for the istio component.

The changes above add an annotations to the OAP service, which causes the OpenShift cluster to issue a certificate for that service and store it in the dns.oap-service-account secret. This is what OAP expects, so that will allow the pod to start. And since the keys in the secret that holds the certificate also change from a plain Kubernetes distribution, we need to change the environment variables in the OAP deployment that tells the server where to look for the certificate.