Skip to main content
Version: 0.9.x

OAP setup in OpenShift

Since TSB 0.8.0, the OAP component in control plane listens for Envoy's ALS requests in secure gRPC connections. This improves security as the connections from all Envoy sidecars or gateways in the mesh to the OAP server will be encrypted.

The certificate for the OAP service is created by istiod and issued by the Kubernetes CA. In most Kubernetes distributions you will see that the OAP pod waits for a secret containing the certificate before starting, and that secret is created by istiod on boot.

In OpenShift clusters though, the CA that signs that certificate is not included in the CA certificate bundle mounted in the pod in the /var/run/secrets/kubernetes.io/serviceaccount/ca.crt path. This causes the istiod pod to not be able to verify the newly created certificate which in turn triggers a rollback of the whole process. The result of this being that the OAP pod keeps waiting indefinitely for the secret.

To fix this situation in an OpenShift cluster, apply the following patch to your ControlPlane resource:

spec:
  components:
    istio:
      kubeSpec:
        overlays:
          - apiVersion: install.istio.io/v1alpha1
            kind: IstioOperator
            name: tsb-istiocontrolplane
            patches:
              - path: spec.meshConfig.defaultConfig.envoyAccessLogService.address
                value: oap.istio-system.svc:11800
              - path: spec.meshConfig.defaultConfig.envoyAccessLogService.tlsSettings.caCertificates
                value: /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
    oap:
      kubeSpec:
        overlays:
          - apiVersion: extensions/v1beta1
            kind: Deployment
            name: oap-deployment
            patches:
              - path: spec.template.spec.containers.[name:oap].env.[name:SW_CORE_GRPC_SSL_CERT_CHAIN_PATH].value
                value: /skywalking/pkin/tls.crt
              - path: spec.template.spec.containers.[name:oap].env.[name:SW_CORE_GRPC_SSL_TRUSTED_CA_PATH].value
                value: /skywalking/pkin/tls.crt
        service:
          annotations:
            service.beta.openshift.io/serving-cert-secret-name: dns.oap-service-account
Istio CNI

The patch above shows overlays for the istio component of the ControlPlane. Note that OpenShift requires the use of Istio CNI so you will need to merge the changes required for the istio component.

The changes above add an annotations to the OAP service, which causes the OpenShift cluster to issue a certificate for that service and store it in the dns.oap-service-account secret. This is what OAP expects, so that will allow the pod to start. And since the keys in the secret that holds the certificate also change from a plain Kubernetes distribution, we need to change the environment variables in the OAP deployment that tells the server where to look for the certificate.