Bug 2037637

Summary: configure custom certificate for default console route doesn't take effect for OCP >= 4.8
Product: OpenShift Container Platform Reporter: Yadan Pei <yapei>
Component: Management ConsoleAssignee: Jakub Hadvig <jhadvig>
Status: CLOSED ERRATA QA Contact: Yadan Pei <yapei>
Severity: high Docs Contact:
Priority: unspecified    
Version: 4.10CC: aos-bugs, ttadala, yapei
Target Milestone: ---   
Target Release: 4.10.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-03-10 16:37:12 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Yadan Pei 2022-01-06 08:04:53 UTC 
Description of problem:


Version-Release number of selected component (if applicable):
4.10.0-0.nightly-2022-01-05-181126

How reproducible:
Always

Steps to Reproduce:
1. due to limitation reported in bug https://bugzilla.redhat.com/show_bug.cgi?id=2037635, we can only configure custom certificate for default console route in console.operator
$ oc --namespace openshift-config create secret tls custom-console-component --cert=apps.crt --key=apps.key
$ oc edit console.operator cluster
$ oc get console.operator cluster -o json | jq .spec
{
  "logLevel": "Normal",
  "managementState": "Managed",
  "operatorLogLevel": "Normal",
  "route": {
    "secret": {
      "name": "custom-console-component"
    }
  }
}
2. open default console route URL in browser and check certificates


Actual results:
2. default console route still use default certificates 

Expected results:
2. default console route should use customized certificates

Additional info:
reference bug https://bugzilla.redhat.com/show_bug.cgi?id=1870514
Comment 1 Yadan Pei 2022-01-06 08:07:26 UTC 
when we ONLY configure customized certs for default console route, we don't need specify hostname in console.operator/cluster, also console pods will not be restarted
Comment 2 Yadan Pei 2022-01-06 08:10:12 UTC 
part of console-operator logs

I0106 07:27:10.450430       1 status_controller.go:211] clusteroperator/console diff {"status":{"conditions":[{"lastTransitionTime":"2022-01-06T07:23:37Z","message":"RouteHealthDegraded: console route is not admitted","reason":"RouteHealth_RouteNotAdmitted","status":"True","type":"Degraded"},{"lastTransitionTime":"2022-01-05T23:56:50Z","message":"All is well","reason":"AsExpected","status":"False","type":"Progressing"},{"lastTransitionTime":"2022-01-06T07:21:49Z","message":"RouteHealthAvailable: console route is not admitted","reason":"RouteHealth_RouteNotAdmitted","status":"False","type":"Available"},{"lastTransitionTime":"2022-01-05T23:48:57Z","message":"All is well","reason":"AsExpected","status":"True","type":"Upgradeable"}]}}
I0106 07:27:10.565145       1 event.go:285] Event(v1.ObjectReference{Kind:"Deployment", Namespace:"openshift-console-operator", Name:"console-operator", UID:"dbbe6b36-d958-46c6-b172-a9c73cd5b3cc", APIVersion:"apps/v1", ResourceVersion:"", FieldPath:""}): type: 'Normal' reason: 'OperatorStatusChanged' Status for clusteroperator/console changed: Degraded message changed from "RouteHealthDegraded: console route is not admitted\nSyncLoopRefreshDegraded: routes.route.openshift.io \"console-custom\" not found" to "RouteHealthDegraded: console route is not admitted"
I0106 07:27:11.555545       1 request.go:665] Waited for 1.002835359s due to client-side throttling, not priority and fairness, request: GET:https://172.30.0.1:443/apis/config.openshift.io/v1/ingresses/cluster
W0106 07:27:11.580988       1 controller.go:142] Deprecated: custom domain is being configured on console-operator config for the 'console' route.
Please remove that entry from console-operator config and instead configure ingress config spec with following custom domain entry for 'console' route:
----
spec:
  componentRoutes:
  - name: console
    namespace: openshift-console
    servingCertKeyPairSecret:
      name: console-specificcert
Comment 4 Jakub Hadvig 2022-01-09 16:02:04 UTC 
This bug shall be fixed as part of https://bugzilla.redhat.com/show_bug.cgi?id=2037635
Comment 6 Yadan Pei 2022-01-12 08:37:36 UTC 
1. set customized certs for default console route either in ingress.config(bug 2037635) or console.operator
$ oc get console.operator cluster -o json | jq .spec                       
{
  "logLevel": "Normal",
  "managementState": "Managed",
  "operatorLogLevel": "Normal",
  "route": {
    "hostname": "console-openshift-console.apps.ci-ln-x09q8r2-72292.origin-ci-int-gce.dev.rhcloud.com",
    "secret": {
      "name": "custom-console-component"
    }
  }
}

2. no errors in console-operator logs, and default console route certs is updated accordingly

oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.10.0-0.nightly-2022-01-12-033357   True        False         21m     Cluster version is 4.10.0-0.nightly-2022-01-12-033357
Comment 9 errata-xmlrpc 2022-03-10 16:37:12 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056