Description of problem: [RFE] Support SSL with Validation (CA) for OpenShift Provider
When adding an OpenShift Provider it should be possible to:
1. Verify the OpenShift endpoint and Hawkular Metrics endpoint against a CA present in the bundle
2. Verify the OpenShift endpoint and Hawkular Metrics endpoint against a provided custom CA
3. Do not Verify OpenShift endpoint and Hawkular Metrics endpoint
(You can think of any of the mix above as well, verify OpenShift and do not Verify Hawkular, etc.)

All three scenarios should be tested as:
1. Using UI
2. Using Rest-API

Other additional tests:
1. Editing existing Providers to change the SSL CA verification type
2. Upgrade flow from 4.2
https://github.com/ManageIQ/manageiq/pull/14019
https://github.com/ManageIQ/manageiq-ui-classic/pull/450
These UI changes created problems adding/editing providers without SSL — bug 1430405, fix pending review in https://github.com/ManageIQ/manageiq-ui-classic/pull/670. It's probably fair to consider this RFE as POST, but QE will have trouble testing until the fix lands.
Sorry, meant problems adding/editing providers without *hawkular*.
All above UI problems should be fixed.

Testing tips:
---
For "custom CA" you need the CA cert to trust; get it from the same place you got the token:

$ SECRET_NAME=$(oc get -n management-infra sa/management-admin --template='{{range .secrets}}{{printf "%s\n" .name}}{{end}}' | grep management-admin-token | head -n 1)
$ oc get -n management-infra secrets $SECRET_NAME --template='{{.data.token}}' | base64 --decode; echo
$ oc get -n management-infra secrets $SECRET_NAME --template='{{index .data "ca.crt"}}' | base64 --decode
---
Testing "custom CA" mode with Hawkular is tricky, because out of the box openshift-ansible doesn't generate a good cert for Hawkular :-(
Here is how to fix it (run as root on master):
You should edit the 2 vars. CA dir is different downstream, under /etc/openshift (?)

# CA=/etc/origin/master
# HAWKULAR='hawkular-metrics.10.35.48.130.xip.io'
# cd $CA
# oadm ca create-server-cert --signer-cert=$CA/ca.crt --signer-key=$CA/ca.key --signer-serial=$CA/ca.serial.txt --hostnames="$HAWKULAR" --cert=metrics.crt --key=metrics.key

Then cat $CA/metrics.crt and $CA/metrics.key.

# oc edit route -n openshift-infra hawkular-metrics

Under spec: tls:, add key: and certificate: with the content of the generated metrics.key, metrics.crt
[https://docs.openshift.com/enterprise/3.2/dev_guide/routes.html, note there "|-" YAML trick for multiline strings]

Inspecting the served cert (from another machine):

$ openssl s_client -showcerts -servername $HAWKULAR -connect $HAWKULAR:443 < /dev/null | openssl x509 -text

Look for "Subject"; if it's "router.default.svc" it's bad, if it's the hawkular hostname it should be possible to make CFME trust it — using the CA cert you used for the Default endpoint.
---
Testing "SSL" mode is harder, sending you email with some tips.
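The check described in the comment above (who the served cert names, and whether the CA cert makes it trusted), as an added example that is not part of the original comment or of any project's code. It builds a throwaway CA and certificates with the openssl CLI, then classifies each cert the way custom-CA mode needs: chain to the CA first, hostname second. The function names `make_lab` and `check_served_cert`, the hostname `hawkular-metrics.example.test` and the CA name are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example. Everything below is constructed locally: a throwaway CA and
# three server certs. Hostname and CA name are made up, not from a real cluster.

# make_lab DIR HOST: CA-signed certs for HOST and router.default.svc, plus a
# self-signed cert for HOST (right name, wrong issuer).
make_lab() {
  local d=$1 host=$2 name
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed-lab-ca" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
  for name in "$host" router.default.svc; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
      -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null || return 1
    printf 'subjectAltName=DNS:%s\n' "$name" > "$d/$name.ext"
    openssl x509 -req -in "$d/$name.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
      -CAcreateserial -days 1 -extfile "$d/$name.ext" \
      -out "$d/$name.crt" 2>/dev/null || return 1
  done
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$host" \
    -keyout "$d/selfsigned.key" -out "$d/selfsigned.crt" 2>/dev/null
}

# check_served_cert CA_FILE CERT_FILE HOST
# Echoes one verdict: trusted | untrusted-ca | wrong-host.
check_served_cert() {
  local ca=$1 cert=$2 host=$3
  # 1. Does the cert chain to the CA that would be pasted into the provider form?
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo untrusted-ca; return 1
  fi
  # 2. Does it name the host being connected to? x509 -checkhost exits 0 either
  #    way, so the verdict is read from its output.
  if openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q 'does match'; then
    echo trusted
  else
    echo wrong-host; return 1
  fi
}

# Demo on the constructed lab.
lab=$(mktemp -d)
host=hawkular-metrics.example.test
make_lab "$lab" "$host"
for c in "$host" router.default.svc selfsigned; do
  printf '%-32s %s\n' "$c.crt" "$(check_served_cert "$lab/ca.crt" "$lab/$c.crt" "$host")"
done
rm -rf "$lab"
```

Against a live route, save the certificate printed by the `openssl s_client` command in the comment above to a file and pass it as CERT_FILE, with the `ca.crt` extracted from the secret as CA_FILE.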
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2017:1367