| Summary: | Reencrypt routes should be able to use cluster-signed certificates without providing the CA explicitly | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Ben Bennett <bbennett> |
| Component: | RFE | Assignee: | Marc Curry <mcurry> |
| Status: | CLOSED WONTFIX | QA Contact: | Meng Bo <bmeng> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 3.5.0 | CC: | aos-bugs, bbennett, bmeng, eparis, jcosta, jforrest, jokerman, mcurry, mmccomas, myllynen, trankin |
| Target Milestone: | --- | Keywords: | NeedsTestCase |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-06-12 11:58:23 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Description
Ben Bennett
2016-12-02 18:28:08 UTC
Note:

oc extract $(oc get secret -o name | grep -- "-token-" | head -n1 ) --keys service-ca.crt

Gets you the ca cert that you can then put into the route to make it work. But that's ugly.

Requirements:
1. User specifies reencrypt with no destinationCACertificate or destination cert
2. Router has to use client-ca.crt (if it exists, back compat with older routers) as well as root CAs
3. Router has to set the backend server to SERVICE.NAMESPACE.SVC.CLUSTER.LOCAL and turn hostname verification on (otherwise bad guys can MITM).

With the introduction of OpenShift 4, Red Hat has delivered or roadmapped a substantial number of features based on feedback by our customers. Many of the enhancements encompass specific RFEs which have been requested, or deliver a comparable solution to a customer problem, rendering an RFE redundant.

This bz (RFE) has been identified as a feature request not yet planned or scheduled for an OpenShift release and is being closed.

If this feature is still an active request that needs to be tracked, Red Hat Support can assist in filing a request in the new JIRA RFE system, as well as provide you with updates as the RFE progresses within our planning processes.

Please open a new support case: https://access.redhat.com/support/cases/#/case/new

Opening a New Support Case: https://access.redhat.com/support/cases/#/case/new

As the new Jira RFE system is not yet public, Red Hat Support can help answer your questions about your RFEs via the same support case system.
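Requirements 2 and 3 of the description above, sketched as a TLS client in Python. This is an added example, not code from the OpenShift router or from the reporter; the CA file path, the function names and the `cluster.local` default are assumptions made for illustration.

```python
import os
import socket
import ssl

# Assumed location of the cluster service CA (hypothetical for the router itself).
SERVICE_CA = "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"


def backend_name(service, namespace, cluster_domain="cluster.local"):
    """Internal DNS name the backend certificate must be valid for."""
    return f"{service}.{namespace}.svc.{cluster_domain}"


def backend_context(service_ca=SERVICE_CA):
    """Trust the system root CAs, plus the service CA when the file exists."""
    ctx = ssl.create_default_context()   # loads the system root CAs
    if os.path.exists(service_ca):       # file may be absent: fall back to roots only
        ctx.load_verify_locations(cafile=service_ca)
    # Set explicitly: chain validation alone accepts any certificate the
    # service CA issued, including one that belongs to a different service.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def connect_backend(pod_ip, port, service, namespace, ctx=None):
    """Dial the pod endpoint, but verify the certificate against the service name."""
    ctx = ctx or backend_context()
    raw = socket.create_connection((pod_ip, port), timeout=5)
    try:
        # server_hostname drives both SNI and the hostname check; it is the
        # service DNS name, not the pod IP being dialled.
        return ctx.wrap_socket(raw, server_hostname=backend_name(service, namespace))
    except Exception:
        raw.close()
        raise
```

With `check_hostname` left off, a pod holding a valid cluster-signed certificate for some other service would pass verification, which is the MITM case requirement 3 rules out.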