certificate is not valid for any names, but wanted to match modelmesh-serving #522

@janekmichalik

Describe the bug

I have followed the docs on how to configure TLS.
I have set tls.secretName and tls.clientAuth.
Modelmesh controller is not able to connect to model mesh serving, because of:

{"level":"info","ts":"2024-08-01T08:35:07Z","logger":"MMService","msg":"Established new MM gRPC connection","namespace":"test","endpoint":"kube:///modelmesh-serving.test:8033","TLS":true}
...
"error":"failed to SetVModel for InferenceService 66a9edd4d028f175007aa90c-active: rpc error: code = Unavailable desc = last connection error: connection error: desc = \"transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate is not valid for any names, but wanted to match modelmesh-serving.test\"","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/root/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:329\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/root/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/root/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:227"

Details of cert on model mesh serving pod:

        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Certificate Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                B8:9F:57:4E:9A:B4:B4:7B:A8:CF:D3:FB:3F:CE:CB:84:06:88:95:18
            X509v3 Subject Alternative Name:
                DNS:localhost, DNS:modelmesh-serving, DNS:modelmesh-serving.test, DNS:modelmesh-serving.test.svc, DNS:modelmesh-serving.test.svc.cluster.local, IP Address:127.0.0.1

I can't see how to configure the controller to respect my TLS settings.

Am I doing something wrong?

Expected behavior

Connection is working.

Environment (please complete the following information):

  • Version v0.12.0
