Bug 1955270
| Summary: | ACM Operator should support using the default route TLS | ||
|---|---|---|---|
| Product: | Red Hat Advanced Cluster Management for Kubernetes | Reporter: | Paul Czarkowski <pczarkow> |
| Component: | GRC & Policy | Assignee: | Gus Parvin <gparvin> |
| Status: | CLOSED ERRATA | QA Contact: | Derek Ho <dho> |
| Severity: | medium | Docs Contact: | Mikela Dockery <mdockery> |
| Priority: | unspecified | ||
| Version: | rhacm-2.2.z | CC: | gghezzo, nweather |
| Target Milestone: | --- | Flags: | ming:
rhacm-2.2.z+
|
| Target Release: | rhacm-2.2.4 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-06-16 19:28:23 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Gus has info related to this-- reassigning Hello Paul, Thanks for bringing this up. This is being addressed in a future release so the behavior you are describing will be what you see. The route will use the OCP default ingress cert and be configured as reencrypt by default. The patch you are describing does not work from what I can tell because the tls property does not exist for the multiclusterhubs resource. Can you double check what you are doing since it looks like that procedure is not valid? Thanks! Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: Red Hat Advanced Cluster Management 2.2.4 security and bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:2461 |
When I deploy ACM in a OSD cluster I expect the Multi Cluster Hub to use the wildcard dns/certificate in the cluster instead of having a self signed certificate. I can get this working by patching the mch resource after the install by running the following to change the route to use reencrypt termination and providing the CA that is created for MCH. MCH should do this out of the box to support our enterprise customers who insist on genuine certificates. ``` CA=$(oc -n open-cluster-management get secret multicloud-ca-cert \ -o jsonpath='{.data.ca\.crt}' | base64 --decode | awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}') oc patch multiclusterhubs multiclusterhub -n open-cluster-management --type=merge \ -p=echo "{\"spec\":{\"tls\":{\"insecureEdgeTerminationPolicy\":\"Redirect\",\"termination\":\"reencrypt\",\"destinationCACertificate\":\"${CA}\"}}}" ```