Bug 1788711

Summary: [4.3] Ingress operator should publish the default IngressController's default certificate in a ConfigMap for other operators
Product: OpenShift Container Platform
Reporter: Miciah Dashiel Butler Masters <mmasters>
Component: Networking
Assignee: Miciah Dashiel Butler Masters <mmasters>
Networking sub component: router
QA Contact: Hongan Li <hongli>
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
CC: aos-bugs
Version: 4.3.z
Target Release: 4.3.z
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Clone Of:
: 1788712 (view as bug list) Environment:
Last Closed: 2020-02-25 06:17:59 UTC
Type: Bug
Bug Depends On: 1788712

Description Miciah Dashiel Butler Masters 2020-01-07 21:36:39 UTC
Description of problem:

The ingress operator should publish the default certificate of the default IngressController to a ConfigMap for other operators to read.

Once the ingress operator publishes the ConfigMap, other operators will read it and incorporate the default certificate into their trust bundles so that they can connect to Route resources.  This will relieve the administrator of the need to configure the certificate that was used to sign the default certificate as a trusted CA on a cluster with a custom PKI.


Steps to Reproduce:

1. oc -n openshift-config-managed get configmaps/default-ingress-cert


Actual results:

The requested resource does not exist.


Expected results:

The resource should exist.


Additional info:

The feature is described in the following enhancement proposal: https://github.com/openshift/enhancements/pull/126

It is implemented by the following PR, which will ship in 4.4: https://github.com/openshift/cluster-ingress-operator/pull/331

The following PR backports the feature to 4.3: https://github.com/openshift/cluster-ingress-operator/pull/336

Additional changes are required to the auth and console operators to read the new ConfigMap.  This Bugzilla report covers only the ingress operator.
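
The trust-bundle step described in this report, sketched as an added example (not code from the ingress, auth or console operators): a consumer merges the published certificate into its root pool, after which a Route certificate that was rejected verifies, because Go accepts a leaf that is itself in the roots pool. The data key `ca-bundle.crt`, the `*.apps.example.test` domain and all function names are assumptions; the certificate is constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

const bundleKey = "ca-bundle.crt" // assumed data key; the report does not name it

// trustPool copies base and adds the PEM under bundleKey; it fails closed if none parses.
func trustPool(base *x509.CertPool, data map[string]string) (*x509.CertPool, error) {
	pool := base.Clone()
	if !pool.AppendCertsFromPEM([]byte(data[bundleKey])) {
		return nil, fmt.Errorf("no certificate found under key %q", bundleKey)
	}
	return pool, nil
}

// constructedCert builds a self-signed certificate for domain (constructed sample data).
func constructedCert(domain string) (*x509.Certificate, string) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // a failure surfaces in the panic below
	now := time.Now()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{domain},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // der was produced by CreateCertificate above
	return cert, string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
}

// verifyRoute validates cert for host against roots only (system store not consulted).
func verifyRoute(cert *x509.Certificate, host string, roots *x509.CertPool) error {
	_, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

func main() {
	cert, pemText := constructedCert("*.apps.example.test")
	pool, err := trustPool(x509.NewCertPool(), map[string]string{bundleKey: pemText})
	fmt.Println("before:", verifyRoute(cert, "console.apps.example.test", x509.NewCertPool()))
	fmt.Println("after: ", verifyRoute(cert, "console.apps.example.test", pool), err)
}
```

Trusting the published certificate does not relax hostname checking: a name outside the wildcard still fails verification against the merged pool.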

Comment 2 Hongan Li 2020-02-13 06:45:15 UTC
Verified with 4.3.0-0.nightly-2020-02-12-232004; the issue has been fixed.

$ oc -n openshift-config-managed get cm/default-ingress-cert
NAME                   DATA   AGE
default-ingress-cert   1      146m

Comment 4 errata-xmlrpc 2020-02-25 06:17:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0528