Bug 1412933 - DestinationCACertificate should not be mandatory [NEEDINFO]
Summary: DestinationCACertificate should not be mandatory
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: RFE
Version: 3.2.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Ram Ranganathan
QA Contact: Xiaoli Tian
Depends On:
Reported: 2017-01-13 07:19 UTC by Jaspreet Kaur
Modified: 2018-05-28 11:15 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2018-03-12 13:54:36 UTC
Target Upstream Version:
sreber: needinfo? (cstark)

Description Jaspreet Kaur 2017-01-13 07:19:54 UTC
3. What is the nature and description of the request?
Currently it is required for every route to specify the DestinationCACertificate of the service.  This certificate is the same for all containers based on the same image. We need to switch off the validation of the DestinationCACertificate? Or if we need not to give this certificate to every user while creating routes?

4. Why does the customer need this? (List the business requirements here)
- We want to use the Re-Encrypt method for TLS.
- In our POD we have an Appserver with a certificate from a private CA
- We don’t want to include the private CA certificate in each route

5. How would the customer like to achieve this? (List the functional requirements here)
- We either need to trust this CA in general 
- Or we need to ignore the SSL validation 

6. For each functional requirement listed in question 5, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.
- Create https service in POD with SSL and certificate issued by a private CA
- Configure Route in Openshift to this service without specifying a destination CA
- Expected result: No error during route creation, Route is working (i.e. service is accessible via route)

7. Is there already an existing RFE upstream or in Red Hat bugzilla?
- No

8. Does the customer have any specific timeline dependencies?
- No 

9. Is the sales team involved in this request and do they have any additional input?
- Yes: Wolfram Richter

10. List any affected packages or components.
- Openshift 3.2

11. Would the customer be able to assist in testing this functionality if implemented?
- Yes

Comment 6 Ben Bennett 2018-01-08 19:27:06 UTC
PR https://github.com/openshift/origin/pull/13752 was merged (for 3.6) to allow the destination CA cert to be omitted.  The use case is to support cluster-signed service certificates.

Does that satisfy the use-case?
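
An added configuration example, not part of the original bug report or of the referenced PR: a re-encrypt route that omits the destination CA, for the cluster-signed service certificate use case named in Comment 6. All names (myapp, myapp-tls, the hostname, port 8443) are constructed placeholders, and the example assumes the pod serves the certificate from the generated secret.

```yaml
# Constructed example: myapp, myapp-tls, the host and the port are placeholders.
apiVersion: v1
kind: Service
metadata:
  name: myapp
  annotations:
    # Requests a cluster-signed serving certificate and key for this service,
    # stored in the secret "myapp-tls" for the pod to mount and serve.
    service.alpha.openshift.io/serving-cert-secret-name: myapp-tls
spec:
  selector:
    app: myapp
  ports:
  - name: https
    port: 8443
    targetPort: 8443
---
apiVersion: v1
kind: Route
metadata:
  name: myapp
spec:
  host: myapp.apps.example.com
  to:
    kind: Service
    name: myapp
  port:
    targetPort: https
  tls:
    termination: reencrypt
    # destinationCACertificate is intentionally omitted here, which the PR
    # referenced above allows from 3.6 for cluster-signed service certificates.
    # For a backend certificate from a private (non-cluster) CA, keep the
    # router verifying the backend by setting the CA explicitly:
    # destinationCACertificate: |-
    #   -----BEGIN CERTIFICATE-----
    #   <private CA certificate, PEM>
    #   -----END CERTIFICATE-----
```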

Comment 8 Eric Rich 2018-03-12 13:54:36 UTC
This bug has been identified as a dated (created more than 3 months ago) bug. 
This bug has been triaged (has a trello card linked to it), or reviewed by Engineering/PM and has been put into the product backlog, 
however this bug has not been slated for a currently planned release (3.9, 3.10 or 3.11), which cover our releases for the rest of the calendar year. 

As a result of this bug's age, state on the current roadmap and PM Score (being below 70), this bug is being Closed - Deferred,
as it is currently not part of the product's immediate priorities.

Please see: https://docs.google.com/document/d/1zdqF4rB3ea8GmVIZ7qWCVYUaQ7-EexUrQEF0MTwdDkw/edit for more details.
