Bug 1835997

Summary: oc help create reencrypt implies that --dest-ca-cert is required and does not document the default
Product: OpenShift Container Platform Reporter: Miciah Dashiel Butler Masters <mmasters>
Component: ocAssignee: Maciej Szulik <maszulik>
Status: CLOSED ERRATA QA Contact: zhou ying <yinzhou>
Severity: low Docs Contact:
Priority: unspecified    
Version: 4.5CC: aos-bugs, jokerman, mfojtik
Target Milestone: ---   
Target Release: 4.5.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-07-13 17:39:12 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Miciah Dashiel Butler Masters 2020-05-14 21:11:25 UTC 
Description of problem:

`oc help create route reencrypt` prints the following output, which implies that --dest-ca-cert is required (it is not) and does not indicate what the default behavior is when --dest-ca-cert is omitted (the router will use the service CA):

    Create a route that uses reencrypt TLS termination
    
     Specify the service (either just its name or using type/name syntax) that the generated route should expose via the
    --service flag. A destination CA certificate is needed for reencrypt routes, specify one with the --dest-ca-cert flag.
    
    Usage:
      oc create route reencrypt [NAME] --dest-ca-cert=FILENAME --service=SERVICE [flags]
    
    Examples:
      # Create a route named "my-route" that exposes the frontend service.
      oc create route reencrypt my-route --service=frontend --dest-ca-cert cert.cert
    
      # Create a reencrypt route that exposes the frontend service and re-use
      # the service name as the route name.
      oc create route reencrypt --service=frontend --dest-ca-cert cert.cert
    
    Options:
          [...]
          --dest-ca-cert='': Path to a CA certificate file, used for securing the connection from the router to the
    destination.


Version-Release number of selected component (if applicable):

Client Version: 4.5.0-0.ci-2020-04-23-151503


How reproducible:

100%.


Steps to Reproduce:

1. Run the command: oc help create route reencrypt


Actual results:

The output is as described above.


Expected results:

In the synopsis, "--dest-ca-cert" should be enclosed in brackets to indicate that it is optional, or omitted because it is already described in the description and flags.

The description or flags sections should describe the default behavior, namely that the destination CA certificate will be assumed to be the service CA, meaning the service should use a serving certificate from the serving cert signer.
Comment 3 zhou ying 2020-05-18 02:04:05 UTC 
[root@dhcp-140-138 ~]# oc help create route reencrypt
Create a route that uses reencrypt TLS termination

 Specify the service (either just its name or using type/name syntax) that the generated route should expose using the
--service flag. You may also specify a destination CA certificate using the --dest-ca-cert flag. If --dest-ca-cert is
omitted, the route will use the service CA, meaning the service must use a serving certificate from the serving cert
signer.


[root@dhcp-140-138 ~]# oc version -o yaml
clientVersion:
  buildDate: "2020-05-17T20:23:22Z"
  compiler: gc
  gitCommit: 28fff2f1e599ef9df657c1e6c0c6815b40425da0
  gitTreeState: clean
  gitVersion: 4.5.0-202005172017-28fff2f
  goVersion: go1.13.4
  major: ""
  minor: ""
  platform: linux/amd64
Comment 4 errata-xmlrpc 2020-07-13 17:39:12 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2409