Bug 1870514
| Summary: | Configuring custom certificate for default console route | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Rahul Rajendran <rpalathi> |
| Component: | Management Console | Assignee: | Jakub Hadvig <jhadvig> |
| Status: | CLOSED ERRATA | QA Contact: | Yadan Pei <yapei> |
| Severity: | urgent | Docs Contact: | |
| Priority: | urgent | ||
| Version: | 4.5 | CC: | aos-bugs, jhadvig, jokerman, kvatteka, rpalathi, spadgett, sttts, yapei |
| Target Milestone: | --- | ||
| Target Release: | 4.6.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-10-27 16:29:46 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1874529, 1874533 | ||
1. Patch console.operator/cluster with the default console route
$ oc patch consoles.operator.openshift.io cluster --patch '{"spec":{"route":{"hostname”:”<console_default_route>“}}}’ --type=merge
In console-operator logs we can see:
E0903 05:38:53.700428 1 status.go:78] CustomRouteSyncDegraded InvalidCustomRouteConfig custom route hostname is duplicate of the default route hostname
E0903 05:38:53.700831 1 controller.go:395] console-route-sync--work-queue-key failed with : custom route hostname is duplicate of the default route hostname
2. Do not patch console.operator/cluster with the default console route, only add custom secret
$ oc create secret tls console-serving-cert --cert=./apps.crt --key=./apps.key -n openshift-config
$ oc patch consoles.operator.openshift.io cluster --patch '{"spec":{"route":{"secret":{"name":"console-serving-cert"}}}}' --type=merge
I didn’t see new console pods are created, only the serving certificate is changed to the customized one(viewing certificate info via browser)
I'd like to confirm are these all expected? Per my understanding they look correct, but I'd like to double confirm since it is very important bug
Yes if the admin wants to set a custom TSL cert for the default route, he only changes `spec.route.secret.name` field. Otherwise if he sets a duplicate hostname the operator will get degraded since there cant be two routes pointing to the same hostname. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:4196 |
Description of problem: Unable to configure custom certificate for the default console route. Version-Release number of selected component (if applicable): OCP 4.5 Console, console operator How reproducible: Since 4.5 onwards customization of console route and configurination of custom certificate is possible, but the certificate should be configured for the custom route created not the default route. Steps to Reproduce: Working(configuring a custom route for the console and followed by configuring custom certificate for the custom console route is working) ======= 1) Patch the CR with new host route URL: $ oc patch consoles.operator.openshift.io cluster --patch '{"spec":{"route":{"hostname":"console.apps.test.example.com"}}}' --type=merge 2) Create cert and key and inject those to secret: $ oc create secret tls console-serving-cert --cert=console.crt --key=console.key -n openshift-config 3) Patch the CR with secret : $ oc patch consoles.operator.openshift.io cluster --patch '{"spec":{"route":{"secret":{"name":"console-serving-cert"}}}}' --type=merge Not working(Configuring the custom certificates for the default console route) ============ 1) Patch the CR with default host route URL: $ oc patch consoles.operator.openshift.io cluster --patch '{"spec":{"route":{"hostname":"console-openshift-console.apps.test.example.com"}}}' --type=merge 2) Create cert and key and inject those to secret: $ oc create secret tls console-serving-cert --cert=console.crt --key=console.key -n openshift-config 3) Patch the CR with secret : $ oc patch consoles.operator.openshift.io cluster --patch '{"spec":{"route":{"secret":{"name":"console-serving-cert"}}}}' --type=merge Actual results: Console operator goes to degraded state and pod logs shows: # oc logs console-operator-xxxx -n openshift-console-operator E0813 13:48:49.665637 1 controller.go:129] {Console Console} failed with: routes.route.openshift.io "console-custom" not found E0813 13:50:08.822338 1 status.go:78] CustomRouteSyncDegraded InvalidCustomRouteConfig custom route hostname is duplicate of the default route hostname E0813 13:50:08.822504 1 controller.go:367] console-route-sync--work-queue-key failed with : custom route hostname is duplicate of the default route hostname E0813 13:50:11.628714 1 status.go:78] SyncLoopRefreshDegraded InProgress routes.route.openshift.io "console-custom" not found E0813 13:50:11.628950 1 controller.go:129] {Console Console} failed with: routes.route.openshift.io "console-custom" not found Expected results: Custom certificate should be able to configured for the default cionsole route as well Ideally this process of patching console CR with hostname should work for any route we provide. Additional info: https://access.redhat.com/solutions/4539491 https://access.redhat.com/solutions/5237301 May be can allow configuring custom cert for default console route URL, either by removing the current check at https://github.com/openshift/console-operator/blob/3382640b37d3dd19f13d79e2a84f186d8c0b43b4/pkg/console/controllers/route/controller.go#L234 or even by adding another attribute.