Bug 1874533

Summary: Configuring custom certificate for default console route
Product: OpenShift Container Platform Reporter: Jakub Hadvig <jhadvig>
Component: Management ConsoleAssignee: Jakub Hadvig <jhadvig>
Status: CLOSED DUPLICATE QA Contact: Yadan Pei <yapei>
Severity: high Docs Contact:
Priority: high    
Version: 4.5CC: aos-bugs, jokerman
Target Milestone: ---   
Target Release: 4.5.z   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-09-03 07:42:17 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1870514    
Bug Blocks:    

Description Jakub Hadvig 2020-09-01 14:47:54 UTC 
This bug was initially created as a copy of Bug #1870514

I am copying this bug because: 



Description of problem:

Unable to configure custom certificate for the default console route.


Version-Release number of selected component (if applicable):
OCP 4.5 Console, console operator

How reproducible:

Since 4.5 onwards customization of console route and configurination of custom certificate is possible, but the certificate should be configured for the custom route created not the default route.


Steps to Reproduce:

Working(configuring a custom route for the console and followed by configuring custom certificate for the custom console route is working)
=======
1) Patch the CR with new host route URL:

$ oc patch consoles.operator.openshift.io cluster --patch '{"spec":{"route":{"hostname":"console.apps.test.example.com"}}}' --type=merge

2) Create cert and key and inject those to secret:

$  oc create secret tls console-serving-cert --cert=console.crt --key=console.key -n openshift-config

3) Patch the CR with secret :

$ oc patch consoles.operator.openshift.io cluster --patch '{"spec":{"route":{"secret":{"name":"console-serving-cert"}}}}' --type=merge


Not working(Configuring the custom certificates for the default console route)
============

1) Patch the CR with default host route URL:

$ oc patch consoles.operator.openshift.io cluster --patch '{"spec":{"route":{"hostname":"console-openshift-console.apps.test.example.com"}}}' --type=merge

2) Create cert and key and inject those to secret:

$  oc create secret tls console-serving-cert --cert=console.crt --key=console.key -n openshift-config

3) Patch the CR with secret :

$ oc patch consoles.operator.openshift.io cluster --patch '{"spec":{"route":{"secret":{"name":"console-serving-cert"}}}}' --type=merge



Actual results:

Console operator goes to degraded state and pod logs shows:

# oc logs console-operator-xxxx -n openshift-console-operator

E0813 13:48:49.665637       1 controller.go:129] {Console Console} failed with: routes.route.openshift.io "console-custom" not found
E0813 13:50:08.822338       1 status.go:78] CustomRouteSyncDegraded InvalidCustomRouteConfig custom route hostname is duplicate of the default route hostname
E0813 13:50:08.822504       1 controller.go:367] console-route-sync--work-queue-key failed with : custom route hostname is duplicate of the default route hostname
E0813 13:50:11.628714       1 status.go:78] SyncLoopRefreshDegraded InProgress routes.route.openshift.io "console-custom" not found
E0813 13:50:11.628950       1 controller.go:129] {Console Console} failed with: routes.route.openshift.io "console-custom" not found

Expected results:

Custom certificate should be able to configured for the default cionsole route as well

Ideally this process of patching console CR with hostname should work for any route we provide.

Additional info:

https://access.redhat.com/solutions/4539491

https://access.redhat.com/solutions/5237301

May be can  allow configuring custom cert for default console route URL, either by removing the current check at https://github.com/openshift/console-operator/blob/3382640b37d3dd19f13d79e2a84f186d8c0b43b4/pkg/console/controllers/route/controller.go#L234 or even by adding another attribute.
Comment 1 Jakub Hadvig 2020-09-03 07:42:17 UTC 

*** This bug has been marked as a duplicate of bug 1874529 ***