Bug 1824935

Summary: Console operator inverts logic for picking up the default-ingress-cert
Product: OpenShift Container Platform
Reporter: bpeterse
Component: Management Console
Assignee: Miciah Dashiel Butler Masters <mmasters>
Status: CLOSED ERRATA
QA Contact: Yadan Pei <yapei>
Severity: medium
Priority: unspecified
Version: 4.4
CC: aos-bugs, jokerman, mmasters, scuppett, spadgett, yanpzhan, yapei
Target Milestone: ---
Target Release: 4.4.z
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Clone Of: 1824934
Last Closed: 2020-06-17 22:26:03 UTC
Bug Depends On: 1824934

Description bpeterse 2020-04-16 17:09:53 UTC
+++ This bug was initially created as a clone of Bug #1824934 +++

Description of problem:

See this PR: https://github.com/openshift/console-operator/pull/403
Merged.

Comment 3 bpeterse 2020-04-17 16:13:42 UTC
Setting this to 4.4.z, it doesn't need to block 4.4.
The logic is new as of 4.4, no backport to 4.3 will be needed.

Comment 4 Samuel Padgett 2020-04-20 14:17:14 UTC
Miciah, what is the consequence of not fixing this in 4.4?

Comment 5 Miciah Dashiel Butler Masters 2020-04-29 00:37:35 UTC
This is all right to miss in 4.4.0, but we should get it in 4.4.z.  The ingress operator started publishing the "default-ingress-cert" configmap in 4.3.3 (see bug 1788711) and will stop publishing the "router-ca" configmap in 4.5 (see https://github.com/openshift/cluster-ingress-operator/pull/377).  The consequence of not fixing this in 4.4.0 is that the console operator will continue using the old "router-ca" configmap instead of the new "default-ingress-cert" configmap, but this is fine because the old configmap is still present in 4.4.  The consequence of not fixing this in 4.4.z is a possible disruption to OpenShift Console's availability if it is still using the old configmap when a cluster is upgraded from 4.4 to 4.5 and the ingress operator stops publishing the new configmap before the console operator updates to the new configmap.

Comment 6 Miciah Dashiel Butler Masters 2020-04-29 00:45:55 UTC
One other note: The ingress operator only publishes the "router-ca" configmap if the ingress controller uses the operator-generated default certificate.  In contrast, the ingress operator always publishes the "default-ingress-cert" configmap.  In particular, if the cluster administrator configures a custom default certificate, then the ingress operator publishes that certificate to "default-ingress-cert".  This means that if operators use "default-ingress-cert", then cluster administrators can configure a default certificate with a custom PKI without also needing to configure the custom PKI through the proxy trusted CA.  However, this only means that using "default-ingress-cert" makes things more convenient for the cluster administrator; continuing to use "router-ca" does *not* constitute a regression, only the absence of a potential improvement to convenience.
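
The fallback order discussed in comments 5 and 6, modelled as an added Go example that is not the console operator's own code: a map stands in for the API client, the data key "ca-bundle.crt" is an assumption, and the inverted check is a constructed illustration of the bug title rather than the operator's actual condition.

```go
package main

import "fmt"

// Names the ingress operator publishes in openshift-config-managed; the data key is assumed.
const (
	newCM = "default-ingress-cert" // published since 4.3.3, always present
	oldCM = "router-ca"            // only with the generated certificate; stops in 4.5
	caKey = "ca-bundle.crt"
)

// ConfigMaps models the operator's view of the API: name -> data (constructed stand-in).
type ConfigMaps map[string]map[string]string

// resolve reads the CA bundle from router-ca when useOld is set, else from default-ingress-cert.
func resolve(cms ConfigMaps, useOld bool) (string, string, error) {
	name := newCM
	if useOld {
		name = oldCM
	}
	if cm, ok := cms[name]; ok {
		return name, cm[caKey], nil
	}
	return "", "", fmt.Errorf("configmap %q not found", name)
}

// PickInverted models the bug title: it falls back to router-ca exactly when
// default-ingress-cert is present (constructed illustration, not the operator's code).
func PickInverted(cms ConfigMaps) (string, string, error) {
	_, found := cms[newCM]
	return resolve(cms, found) // bug: should be !found
}

// PickFixed prefers default-ingress-cert and falls back only when it is absent.
func PickFixed(cms ConfigMaps) (string, string, error) {
	_, found := cms[newCM]
	return resolve(cms, !found)
}

// Upgrade path from comment 5 (constructed data): 4.4 with the generated
// certificate publishes both ConfigMaps; 4.5 stops publishing router-ca.
var V44 = ConfigMaps{oldCM: {caKey: "PEM-A"}, newCM: {caKey: "PEM-A"}}
var V45 = ConfigMaps{newCM: {caKey: "PEM-A"}}

func main() {
	for _, c := range []ConfigMaps{V44, V45} {
		n, _, e1 := PickInverted(c)
		m, _, e2 := PickFixed(c)
		fmt.Println("inverted:", n, e1, "| fixed:", m, e2)
	}
}
```

On the 4.4 data the inverted check still works because it lands on router-ca, which is exactly the "fine in 4.4" case above; on the 4.5 data it fails, which is the availability risk the comment describes.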

Comment 7 Miciah Dashiel Butler Masters 2020-05-08 19:54:47 UTC
The 4.4 backport (this bug) is blocked on the fix getting merged in 4.5 (bug 1824934).

Comment 11 Yanping Zhang 2020-06-08 09:04:14 UTC
Checked on ocp 4.4 cluster with payload: 4.4.0-0.nightly-2020-06-07-075345
Checked the console container, the default-ingress-cert is mounted by default:
          volumeMounts:
            - name: console-serving-cert
              readOnly: true
              mountPath: /var/serving-cert
            - name: console-oauth-config
              readOnly: true
              mountPath: /var/oauth-config
            - name: console-config
              readOnly: true
              mountPath: /var/console-config
            - name: service-ca
              readOnly: true
              mountPath: /var/service-ca
            - name: default-ingress-cert
              readOnly: true
              mountPath: /var/default-ingress-cert
            - name: trusted-ca-bundle
              readOnly: true
              mountPath: /etc/pki/ca-trust/extracted/pem

Comment 13 errata-xmlrpc 2020-06-17 22:26:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2445