|Summary:||Console operator inverts logic for picking up the default-ingress-cert|
|Product:||OpenShift Container Platform||Reporter:||bpeterse|
|Component:||Management Console||Assignee:||Miciah Dashiel Butler Masters <mmasters>|
|Status:||CLOSED ERRATA||QA Contact:||Yadan Pei <yapei>|
|Version:||4.4||CC:||aos-bugs, jokerman, mmasters, scuppett, spadgett, yanpzhan, yapei|
|Fixed In Version:||Doc Type:||If docs needed, set a value|
|Doc Text:||Story Points:||---|
|Last Closed:||2020-06-17 22:26:03 UTC||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Cloudforms Team:||---||Target Upstream Version:|
|Bug Depends On:||1824934|
Description bpeterse 2020-04-16 17:09:53 UTC
+++ This bug was initially created as a clone of Bug #1824934 +++
Description of problem:
See this PR: https://github.com/openshift/console-operator/pull/403
Merged.
Comment 1 bpeterse 2020-04-16 17:11:22 UTC
Comment 3 bpeterse 2020-04-17 16:13:42 UTC
Setting this to 4.4.z, it doesn't need to block 4.4. The logic is new as of 4.4, no backport to 4.3 will be needed.
Comment 4 Samuel Padgett 2020-04-20 14:17:14 UTC
Miciah, what is the consequence of not fixing this in 4.4?
Comment 5 Miciah Dashiel Butler Masters 2020-04-29 00:37:35 UTC
This is all right to miss in 4.4.0, but we should get it in 4.4.z. The ingress operator started publishing the "default-ingress-cert" configmap in 4.3.3 (see bug 1788711) and will stop publishing the "router-ca" configmap in 4.5 (see https://github.com/openshift/cluster-ingress-operator/pull/377). The consequence of not fixing this in 4.4.0 is that the console operator will continue using the old "router-ca" configmap instead of the new "default-ingress-cert" configmap, but this is fine because the old configmap is still present in 4.4. The consequence of not fixing this in 4.4.z is a possible disruption to OpenShift Console's availability if it is still using the old configmap when a cluster is upgraded from 4.4 to 4.5 and the ingress operator stops publishing the new configmap before the console operator updates to the new configmap.
Comment 6 Miciah Dashiel Butler Masters 2020-04-29 00:45:55 UTC
One other note: The ingress operator only publishes the "router-ca" configmap if the ingress controller uses the operator-generated default certificate. In contrast, the ingress operator always publishes the "default-ingress-cert" configmap. In particular, if the cluster administrator configures a custom default certificate, then the ingress operator publishes that certificate to "default-ingress-cert". This means that if operators use "default-ingress-cert", then cluster administrators can configure a default certificate with a custom PKI without needing also to configure the custom PKI through the proxy trusted CA. However, this only means that using "default-ingress-cert" makes things more convenient to the cluster administrator; continuing to use "router-ca" does *not* constitute a regression, only the absence of a potential improvement to convenience.
Comment 7 Miciah Dashiel Butler Masters 2020-05-08 19:54:47 UTC
The 4.4 backport (this bug) is blocked on the fix getting merged in 4.5 (bug 1824934).
Comment 11 Yanping Zhang 2020-06-08 09:04:14 UTC
Checked on ocp 4.4 cluster with payload: 4.4.0-0.nightly-2020-06-07-075345
Checked the console container, the default-ingress-cert is mounted by default:
    volumeMounts:
      - name: console-serving-cert
        readOnly: true
        mountPath: /var/serving-cert
      - name: console-oauth-config
        readOnly: true
        mountPath: /var/oauth-config
      - name: console-config
        readOnly: true
        mountPath: /var/console-config
      - name: service-ca
        readOnly: true
        mountPath: /var/service-ca
      - name: default-ingress-cert
        readOnly: true
        mountPath: /var/default-ingress-cert
      - name: trusted-ca-bundle
        readOnly: true
        mountPath: /etc/pki/ca-trust/extracted/pem
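The verification above can be automated before a 4.4 to 4.5 upgrade. The following is an added example, not part of the original bug report and not console-operator code: it reads a pod spec as JSON and reports which ingress CA configmap the containers actually mount. The function name IngressCASource and the sample spec are hypothetical and constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample (not from a real cluster): pod spec fragment of a Deployment as JSON.
const samplePodSpec = `{
 "volumes": [
  {"name": "router-ca", "configMap": {"name": "router-ca"}},
  {"name": "default-ingress-cert", "configMap": {"name": "default-ingress-cert"}}],
 "containers": [{"name": "console", "volumeMounts": [
  {"name": "default-ingress-cert", "mountPath": "/var/default-ingress-cert"}]}]
}`

// podSpec keeps only the fields the check needs; encoding/json matches keys case-insensitively.
type podSpec struct {
	Volumes []struct {
		Name      string
		ConfigMap struct{ Name string }
	}
	Containers []struct {
		VolumeMounts []struct{ Name string }
	}
}

// IngressCASource (hypothetical helper) returns "default-ingress-cert", "router-ca" or "".
func IngressCASource(raw string) (string, error) {
	var spec podSpec
	if err := json.Unmarshal([]byte(raw), &spec); err != nil {
		return "", err
	}
	mounted := map[string]bool{} // volume names some container really mounts
	for _, c := range spec.Containers {
		for _, m := range c.VolumeMounts {
			mounted[m.Name] = true
		}
	}
	source := ""
	for _, v := range spec.Volumes {
		n := v.ConfigMap.Name // "" for volumes that are not configmaps
		if mounted[v.Name] && (n == "default-ingress-cert" || (n == "router-ca" && source == "")) {
			source = n // the new configmap wins over the legacy one
		}
	}
	return source, nil
}

func main() { fmt.Println(IngressCASource(samplePodSpec)) }
```

A result of "router-ca" marks a console that would lose its CA source once the ingress operator stops publishing that configmap in 4.5.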
Comment 13 errata-xmlrpc 2020-06-17 22:26:03 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:2445