ODF noobaa certificate - thanos fails with tls: failed to verify certificate: x509: certificate signed by unknown authority

Solution In Progress - Updated -

Issue

  • Thanos fails to connect to the NooBaa bucket when its object storage secret is configured like this:
apiVersion: v1
kind: Secret
metadata:
  name: thanos-object-storage
  namespace: open-cluster-management-observability
type: Opaque
stringData:
  thanos.yaml: |
    type: s3
    config:
      bucket: openshift-storage-thanos-123456
      endpoint: s3.openshift-storage.svc:443
      insecure: false
      access_key: xxxaaabbb
      secret_key: cccdddeee
      http_config:
        tls_config:
          insecure_skip_verify: true
  • On the thanos-store pod, the logs show:
2025-04-03T05:47:59.999967251Z caller=grpc.go:164 level=info service=gRPC/server component=store msg="internal server is shutdown gracefully" err="bucket store initial sync: sync block: BaseFetcher: iter bucket: Get \"https://s3.openshift-storage.svc/openshift-storage-thanos-123456/?location=\": tls: failed to verify certificate: x509: certificate signed by unknown authority"

2025-04-03T05:48:00.000129269Z caller=main.go:161 level=error err="Get \"https://s3.openshift-storage.svc/openshift-storage-thanos-123456/?location=\": tls: failed to verify certificate: x509: certificate signed by unknown authority\nBaseFetcher: iter bucket\ngithub.com/thanos-io/thanos/pkg/block....

Environment

  • OCP 4.16
  • ODF 4.16
