Bug 1772775
Summary: | ingress operator don't re-create router-ca when custom certificate is used | ||
---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | Yadan Pei <yapei> |
Component: | Networking | Assignee: | Dan Mace <dmace> |
Networking sub component: | router | QA Contact: | Hongan Li <hongli> |
Status: | CLOSED NOTABUG | Docs Contact: | |
Severity: | medium | ||
Priority: | medium | CC: | aos-bugs, bpeterse, dmace, spadgett, yapei |
Version: | 4.3.0 | ||
Target Milestone: | --- | ||
Target Release: | 4.3.0 | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Last Closed: | 2019-11-18 18:08:40 UTC | Type: | Bug |
Description
Yadan Pei
2019-11-15 06:59:09 UTC
Comment 1
Dan Mace

I think this is an architectural documentation issue at best for now.

The router-ca ConfigMap is only published when any ingresscontroller references the system-generated default certificate. Since you changed the ingresscontroller to reference a custom certificate, leaving no ingress controllers referencing the default generated certificate, the router-ca ConfigMap should not be published, and your `oc get` call confirms the correct behavior. Did you notice anything broken, or was the absence of the resource itself your concern? If authentication continues to function after installing the new certificate, there should be no cause for concern.

Generally I'm not sure end users should even be aware of the router-ca ConfigMap. Its purpose is to facilitate OpenShift component integrations.

Sorry for the confusion!

> Did you notice anything broken, or was the absence of the resource itself your concern? If authentication continues to function after installing the new certificate, there should be no cause for concern.

Except that the console is not accessible (tracked in bug 1764704), it looks like authentication still works well although the ConfigMap router-ca does not exist.

Thanks for your reply.

(In reply to Dan Mace from comment #1)
> I think this is an architectural documentation issue at best for now.
>
> The router-ca ConfigMap is only published when any ingresscontroller
> references the system-generated default certificate. Since you changed the
> ingresscontroller to reference a custom certificate, leaving no ingress
> controllers referencing the default generated certificate, the router-ca
> ConfigMap should not be published, and your `oc get` call confirms the
> correct behavior. Did you notice anything broken, or was the absence of the
> resource itself your concern? If authentication continues to function after
> installing the new certificate, there should be no cause for concern.
>
> Generally I'm not sure end users should even be aware of the router-ca
> ConfigMap. Its purpose is to facilitate OpenShift component integrations.
>
> Sorry for the confusion!

I wasn't aware of this. It invalidates the change we made to try to handle bug 1764704 and bug 1712525 and will break console if the certificate is not trusted. Is there a CA we can use for these scenarios?

https://github.com/openshift/console-operator/pull/328

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 365 days