Bug 2041999

Summary: [PROXY] external dns pod cannot recognize custom proxy CA
Product: OpenShift Container Platform
Reporter: OpenShift BugZilla Robot <openshift-bugzilla-robot>
Component: Networking
Sub component: DNS
Assignee: Andrey Lebedev <alebedev>
QA Contact: Hongan Li <hongli>
Status: CLOSED ERRATA
Severity: high
Priority: high
CC: aos-bugs, luzuccar, mmasters
Version: 4.10
Target Release: 4.10.0
Hardware: Unspecified
OS: Unspecified
Doc Type: No Doc Update
Last Closed: 2022-03-08 16:03:07 UTC
Bug Depends On: 2032179

Comment 1 Miciah Dashiel Butler Masters 2022-01-18 17:04:56 UTC
Setting blocker- because this is not a blocker for release, but it is something we want to get in 4.10.0 if possible.

Comment 3 Hongan Li 2022-01-24 08:48:35 UTC
Verified with 4.10.0-0.nightly-2022-01-22-102609 and external-dns-operator.v0.1.2; the custom CA can be injected into the operand (ExternalDNS) pod.

1. Create a configmap of the custom CA and add it to proxy/cluster
$ oc -n openshift-config create configmap user-ca-bundle --from-file=ca-bundle.crt=ca-bundle.qe
$ oc edit proxy cluster
spec:
  trustedCA:
    name: user-ca-bundle

2. Follow the doc https://github.com/openshift/external-dns-operator/blob/main/docs/proxy.md#openshift-instructions to create and label a configmap in the external-dns-operator namespace, then add "spec.config.env" to the subscription.

3. Check the operator log
$ oc -n external-dns-operator logs external-dns-operator-86d7b5fd7d-t7gq6 -c operator | grep "trusted CA"
2022-01-24T06:40:32.944Z	INFO	ca_configmap_controller	reconciling trusted CA configmap	{"configmap": "external-dns-operator/trusted-ca"}
2022-01-24T06:40:32.990Z	INFO	ca_configmap_controller	created trusted CA configmap	{"namespace": "external-dns", "name": "external-dns-trusted-ca"}
2022-01-24T06:40:33.009Z	INFO	ca_configmap_controller	trusted CA configmap is reconciled	{"configmap": "external-dns-operator/trusted-ca"}

4. Check the operand configmap/deployment
$ oc -n external-dns get cm
NAME                       DATA   AGE
external-dns-trusted-ca    1      122m

$ oc -n external-dns get deployment -oyaml
<---snip--->
          volumeMounts:
          - mountPath: /etc/pki/ca-trust/extracted/pem
            name: trusted-ca
            readOnly: true

        volumes:
        - configMap:
            defaultMode: 420
            items:
            - key: ca-bundle.crt
              path: tls-ca-bundle.pem
            name: external-dns-trusted-ca
          name: trusted-ca
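
The verification above is read off `oc` output by eye. The script below is an added example (not part of this bug report or of the external-dns-operator code) that performs the same checks offline on the JSON form of the operand Deployment and ConfigMap. The expected values (volume `trusted-ca`, ConfigMap `external-dns-trusted-ca`, key `ca-bundle.crt` projected as `tls-ca-bundle.pem` under `/etc/pki/ca-trust/extracted/pem`) are taken from the snippet in comment 3; the sample objects embedded in the script are constructed to mirror that snippet and are not real cluster output. It also counts certificates in the bundle, because a ConfigMap mounted over the extracted trust directory replaces the image's whole trust store: a bundle carrying only the proxy CA would break TLS to every other endpoint, which is why the operator-side ConfigMap is labelled for cluster CA injection (per the proxy.md doc linked in comment 3) rather than filled with the custom CA alone.

```python
"""Offline check that an ExternalDNS operand Deployment mounts the trusted CA
ConfigMap the way comment 3 shows. Added example, not the operator's code.
Input: JSON of `oc get deployment/<name> -o json` and `oc get cm/<cm> -o json`.
"""
import copy
import json
import sys

TRUST_DIR = "/etc/pki/ca-trust/extracted/pem"  # RHEL-style extracted PEM trust store
TRUST_FILE = "tls-ca-bundle.pem"                # file the image's trust symlinks resolve to
CM_NAME = "external-dns-trusted-ca"
CM_KEY = "ca-bundle.crt"
VOL_NAME = "trusted-ca"
PEM_HEADER = "-----BEGIN CERTIFICATE-----"


def check_deployment(deploy):
    """Return a list of findings; an empty list means the CA mount matches comment 3."""
    findings = []
    pod = deploy["spec"]["template"]["spec"]
    vols = {v["name"]: v for v in pod.get("volumes", [])}
    vol = vols.get(VOL_NAME)
    if vol is None:
        return [f"no volume named {VOL_NAME!r}"]
    cm = vol.get("configMap", {})
    if cm.get("name") != CM_NAME:
        findings.append(f"volume {VOL_NAME!r} uses ConfigMap {cm.get('name')!r}, expected {CM_NAME!r}")
    # The key must be projected under the trust-store file name, not its own name.
    items = {i["key"]: i["path"] for i in cm.get("items", [])}
    if items.get(CM_KEY) != TRUST_FILE:
        findings.append(f"key {CM_KEY!r} mapped to {items.get(CM_KEY)!r}, expected {TRUST_FILE!r}")
    for c in pod.get("containers", []):
        mounts = {m["name"]: m for m in c.get("volumeMounts", [])}
        m = mounts.get(VOL_NAME)
        if m is None:
            findings.append(f"container {c['name']!r} does not mount {VOL_NAME!r}")
        elif m.get("mountPath") != TRUST_DIR:
            findings.append(f"container {c['name']!r} mounts {VOL_NAME!r} at {m.get('mountPath')!r}, expected {TRUST_DIR!r}")
        elif not m.get("readOnly"):
            findings.append(f"container {c['name']!r} mounts {VOL_NAME!r} read-write")
    return findings


def count_certs(configmap):
    """Number of PEM certificates in the bundle key. The mount replaces the whole
    trust directory, so a bundle with only the custom CA (count 1) is a warning sign."""
    return configmap.get("data", {}).get(CM_KEY, "").count(PEM_HEADER)


# Constructed sample mirroring the YAML in comment 3 (not real cluster output).
GOOD_DEPLOYMENT = {"spec": {"template": {"spec": {
    "containers": [{"name": "external-dns",
                    "volumeMounts": [{"mountPath": TRUST_DIR, "name": VOL_NAME, "readOnly": True}]}],
    "volumes": [{"name": VOL_NAME,
                 "configMap": {"name": CM_NAME, "defaultMode": 420,
                               "items": [{"key": CM_KEY, "path": TRUST_FILE}]}}],
}}}}

# Same Deployment with the key projected under its own name: the bundle lands at
# <TRUST_DIR>/ca-bundle.crt, a path the image's trust store does not read.
BAD_DEPLOYMENT = copy.deepcopy(GOOD_DEPLOYMENT)
BAD_DEPLOYMENT["spec"]["template"]["spec"]["volumes"][0]["configMap"]["items"][0]["path"] = CM_KEY

# Constructed ConfigMap: two placeholder PEM blocks standing in for system CAs + custom CA.
FAKE_CERT = PEM_HEADER + "\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"
CONFIGMAP = {"metadata": {"name": CM_NAME}, "data": {CM_KEY: FAKE_CERT * 2}}

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: check_ca.py deployment.json configmap.json
        with open(sys.argv[1]) as f:
            dep = json.load(f)
        with open(sys.argv[2]) as f:
            cmap = json.load(f)
    else:
        dep, cmap = GOOD_DEPLOYMENT, CONFIGMAP
    for line in check_deployment(dep) or ["deployment CA mount OK"]:
        print(line)
    print(f"{count_certs(cmap)} certificate(s) in {CM_NAME}/{CM_KEY}")
```

Run it with no arguments to exercise the constructed samples, or save `oc -n external-dns get deployment/<name> -o json` and `oc -n external-dns get cm/external-dns-trusted-ca -o json` to files and pass both paths. A finding on the `items` mapping or the mount path means the pod has a file on disk but its TLS stack is not reading it, which is the same symptom this bug reports.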

Comment 7 errata-xmlrpc 2022-03-08 16:03:07 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Release of ExternalDNS Operator on OperatorHub), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2022:0781