Bug 1719965
| Summary: | TLS Keys Not Added to Registry Routes | |||
|---|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Adam Kaplan <adam.kaplan> | |
| Component: | Image Registry | Assignee: | Oleg Bulatov <obulatov> | |
| Status: | CLOSED ERRATA | QA Contact: | Wenjing Zheng <wzheng> | |
| Severity: | medium | Docs Contact: | ||
| Priority: | unspecified | |||
| Version: | 4.1.0 | CC: | aos-bugs | |
| Target Milestone: | --- | |||
| Target Release: | 4.2.0 | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | Doc Type: | Bug Fix | ||
| Doc Text: |
Cause: the operator uses Secret.StringData that are write-only field to get data
Consequence: the operator doesn't see the real data in the secret
Fix: use Secret.Data instead
Result: the operator sees the values
|
Story Points: | --- | |
| Clone Of: | ||||
| : | 1720270 (view as bug list) | Environment: | ||
| Last Closed: | 2019-10-16 06:31:56 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1720270, 1730407 | |||
Verified on 4.2.0-0.nightly-2019-06-25-222454 with below steps:
1. $openssl req -nodes -newkey rsa:2048 -keyout myregistry.key -out myregistry.crt -x509
2. $ oc create secret tls my-tls -n openshift-image-registry --cert myregistry.crt --key myregistry.key
3. $ oc edit config.imageregistry.operator.openshift.io/cluster
spec:
routes:
- name: myregistry
hostname: wzheng-route-openshift-image-registry.apps.qe-wewang-42.qe.devcluster.openshift.com
secretName: my-tls
4. TLS can be seen as below:
spec:
host: wzheng-route-openshift-image-registry.apps.qe-wewang-42.qe.devcluster.openshift.com
subdomain: ""
tls:
certificate: |
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
key: |
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
termination: reencrypt
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:2922 |
Description of problem: TLS keys and certificates not added to image registry routes. Version-Release number of selected component (if applicable): v4.1.0 How reproducible: Always Steps to Reproduce: 1. Create a TLS keypair via openssl 2. Using the keypair, create a TLS secret in the image-registry namespace: ``` $ oc create secret tls my-tls -n image-registry --cert my-tls.crt --key my-tls.key1 ``` 3. Instruct the registry operator to create a route with the provided tls secret ``` $ oc edit config.imageregistry.operator.openshift/io/cluster ... spec: routes: - name: registry-url hostname: registry.apps.mycluster.myorg.net secretName: my-tls ``` Actual results: Route `registry-url` is created without TLS certificates added. Expected results: Route `registry-url` should have the TLS key and certificate defined. Additional info: