You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
On Calico OSS clusters connected to Calico Cloud via ManagementClusterConnection, Goldmane cannot sustain flow uploads to Guardian after Calico 3.32. The cluster shows Connected in Calico Cloud but Service Graph / flow data stays empty.
After fixing calico-system tier egress (#4804), Goldmane reaches Guardian but the flow emitter fails TLS verification:
Error emitting flows to https://guardian.calico-system.svc.cluster.local:443/api/v1/flows/bulk:
tls: failed to verify certificate: x509: certificate signed by unknown authority
(possibly because of "crypto/rsa: verification error" while trying to verify
candidate authority certificate "tigera-operator-signer")
Root cause
pkg/render/goldmane/component.go (v1.42.0) sets PUSH_URL when ManagementClusterConnection != nil:
It sets CA_CERT_PATH to the operator localgoldmane-ca-bundle ConfigMap (TrustedCertBundle). It does not include the Calico Cloud tigera-operator-signer delivered in Secret tigera-voltron-linseed-certs-public (tigera-operator namespace).
The Guardian Service maps port 443 → pod port 8080 (Voltron tunnel). Flow bulk POSTs terminate TLS with the Cloud tigera-linseed leaf (issuer: Cloud tigera-operator-signer), not the local guardian-key-pair material.
CA comparison (SHA-256 fingerprint prefix)
Material
Subject CN
Fingerprint
Local goldmane-ca-bundle
tigera-operator-signer
03:AE:C3:19:…
Cloud CA in tigera-voltron-linseed-certs-public (2nd PEM in tls.crt)
tigera-operator-signer
5B:58:B7:69:…
Same CN, different keys. A combined bundle (local + Cloud operator-signer) verifies both Felix→Goldmane gRPC (local mTLS) and the emitter upload path.
SERVER_NAME=guardian.calico-system.svc.cluster.local only
TLS verify errors may pause; uploads still fail with EOF; operator reverts Deployment patches on reconcile
CLIENT_CERT_PATH / CLIENT_KEY_PATH from tigera-managed-cluster-connection
No sustained uploads
Merge Cloud CA into goldmane-ca-bundle → tigera-ca-bundle.crt
Successfully emitted flows after retries in Goldmane logs
Expected behavior
When ManagementClusterConnection is configured, operator should populate Goldmane trusted CA material with a combined bundle: local tigera-operator-signer plus the Cloud tigera-operator-signer from tigera-voltron-linseed-certs-public.
Workaround (until operator fix)
Patch ConfigMap goldmane-ca-bundle to append the Cloud tigera-operator-signer (2nd certificate in tigera-voltron-linseed-certs-public / tls.crt).
Because the operator may revert the ConfigMap on reconcile, run a small reconciler (Deployment + RBAC) on an interval (~45s) to re-merge when only one cert is present. The reconciler pod needs calico-system tier egress to the Kubernetes API.
Description
On Calico OSS clusters connected to Calico Cloud via
ManagementClusterConnection, Goldmane cannot sustain flow uploads to Guardian after Calico 3.32. The cluster shows Connected in Calico Cloud but Service Graph / flow data stays empty.After fixing
calico-systemtier egress (#4804), Goldmane reaches Guardian but the flow emitter fails TLS verification:Root cause
pkg/render/goldmane/component.go(v1.42.0) setsPUSH_URLwhenManagementClusterConnection != nil:{Name: "PUSH_URL", Value: fmt.Sprintf("%s/api/v1/flows/bulk", guardianSvc)},It sets
CA_CERT_PATHto the operator localgoldmane-ca-bundleConfigMap (TrustedCertBundle). It does not include the Calico Cloudtigera-operator-signerdelivered in Secrettigera-voltron-linseed-certs-public(tigera-operatornamespace).Goldmane uses the same
CA_CERT_PATHfor gRPC server trust and the HTTP flow emitter (goldmane/pkg/daemon/daemon.gov3.32.0).The Guardian Service maps port 443 → pod port 8080 (Voltron tunnel). Flow bulk POSTs terminate TLS with the Cloud
tigera-linseedleaf (issuer: Cloudtigera-operator-signer), not the localguardian-key-pairmaterial.CA comparison (SHA-256 fingerprint prefix)
goldmane-ca-bundletigera-operator-signer03:AE:C3:19:…tigera-voltron-linseed-certs-public(2nd PEM intls.crt)tigera-operator-signer5B:58:B7:69:…Same CN, different keys. A combined bundle (local + Cloud operator-signer) verifies both Felix→Goldmane gRPC (local mTLS) and the emitter upload path.
Reproduction
Goldmane+ManagementClusterConnectionapplied.kubectl logs -n calico-system deployment/goldmane— TLS errors above.kubectl get configmap goldmane-ca-bundle -n calico-system -o jsonpath='{.data.tigera-ca-bundle\.crt}' | awk '/BEGIN CERTIFICATE/{n++} END{print n}'— 1 cert (local only).Approaches tested
ManagementClusterConnectionSERVER_NAME=guardian.calico-system.svc.cluster.localonlyEOF; operator reverts Deployment patches on reconcileCLIENT_CERT_PATH/CLIENT_KEY_PATHfromtigera-managed-cluster-connectiongoldmane-ca-bundle→tigera-ca-bundle.crtSuccessfully emitted flows after retriesin Goldmane logsExpected behavior
When
ManagementClusterConnectionis configured, operator should populate Goldmane trusted CA material with a combined bundle: localtigera-operator-signerplus the Cloudtigera-operator-signerfromtigera-voltron-linseed-certs-public.Workaround (until operator fix)
goldmane-ca-bundleto append the Cloudtigera-operator-signer(2nd certificate intigera-voltron-linseed-certs-public/tls.crt).calico-systemtier egress to the Kubernetes API.Verification:
Full write-up with verification steps and policy context: https://gist.github.com/denislemire/72591aa927c1e1dcee544a4d26953ef6
Environment
Related
calico-systemtier egress (OSS path)