Bug 1429891 - [RFE] Support SSL with Validation (CA) for OpenShift Provider
Summary: [RFE] Support SSL with Validation (CA) for OpenShift Provider
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: Providers
Version: 5.8.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: GA
Target Release: 5.8.0
Assignee: Federico Simoncelli
QA Contact: Pavel Zagalsky
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-03-07 12:00 UTC by Loic Avenel
Modified: 2017-05-31 14:40 UTC (History)

Fixed In Version: 5.8.0.4
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-05-31 14:40:48 UTC
Category: ---
Cloudforms Team: Container Management
Target Upstream Version:
Embargoed:




Links
Red Hat Product Errata RHSA-2017:1367 (priority: normal, status: SHIPPED_LIVE) - Moderate: CFME 5.8.0 security, bug, and enhancement update - last updated 2017-05-31 18:16:03 UTC

Description Loic Avenel 2017-03-07 12:00:49 UTC
Description of problem: [RFE] Support SSL with Validation (CA) for OpenShift Provider

Comment 2 Federico Simoncelli 2017-03-07 15:22:38 UTC
When adding an OpenShift Provider it should be possible to:

1. Verify the OpenShift endpoint and Hawkular Metrics endpoint against a CA present in the bundle

2. Verify the OpenShift endpoint and Hawkular Metrics endpoint against a provided custom CA

3. Do not verify the OpenShift endpoint and Hawkular Metrics endpoint

(Any mix of the above is possible as well: verify OpenShift and do not verify Hawkular, etc.)


All three scenarios should be tested as:

1. Using UI

2. Using Rest-API


Other additional tests:

1. Editing existing Providers to change the SSL CA verification type

2. Upgrade flow from 4.2

Comment 6 Beni Paskin-Cherniavsky 2017-03-14 13:42:14 UTC
These UI changes created problems adding/editing providers without SSL — bug 1430405, fix pending review in https://github.com/ManageIQ/manageiq-ui-classic/pull/670.

It's probably fair to consider this RFE as POST, but QE will have trouble testing until the fix lands.

Comment 7 Beni Paskin-Cherniavsky 2017-03-14 13:42:43 UTC
Sorry, I meant problems adding/editing providers without *Hawkular*.

Comment 8 Beni Paskin-Cherniavsky 2017-03-21 17:53:41 UTC
All above UI problems should be fixed.  Testing tips:

---

For "custom CA" you need the CA cert to trust; get it from the same place you got the token:

$ SECRET_NAME=$(oc get -n management-infra sa/management-admin --template='{{range .secrets}}{{printf "%s\n" .name}}{{end}}' | grep management-admin-token | head -n 1)
$ oc get -n management-infra secrets $SECRET_NAME --template='{{.data.token}}' | base64 --decode; echo
$ oc get -n management-infra secrets $SECRET_NAME --template='{{index .data "ca.crt"}}' | base64 --decode

---

Testing "custom CA" mode with Hawkular is tricky, because out of the box openshift-ansible doesn't generate a good cert for Hawkular :-(
Here is how to fix it (run as root on master):
You should edit the 2 vars.  CA dir is different downstream, under /etc/openshift (?)

# CA=/etc/origin/master
# HAWKULAR='hawkular-metrics.10.35.48.130.xip.io'
# cd $CA
# oadm ca create-server-cert --signer-cert=$CA/ca.crt --signer-key=$CA/ca.key --signer-serial=$CA/ca.serial.txt --hostnames="$HAWKULAR" --cert=metrics.crt --key=metrics.key

Then cat $CA/metrics.crt and $CA/metrics.key.

# oc edit route -n openshift-infra hawkular-metrics

Under spec: tls:, add key: and certificate: with the content of the generated metrics.key and metrics.crt
[https://docs.openshift.com/enterprise/3.2/dev_guide/routes.html; note the "|-" YAML trick there for multiline strings]

Inspecting the served cert (from another machine):

$ openssl s_client -showcerts -servername $HAWKULAR -connect $HAWKULAR:443 < /dev/null | openssl x509 -text

Look for "Subject": if it's "router.default.svc" it's bad; if it's the Hawkular hostname it should be possible to make CFME trust it — using the CA cert you used for the Default endpoint.

---

Testing "SSL" mode is harder, sending you email with some tips.
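
The three verification modes from comment 2 and the "Subject is router.default.svc" check from the tips above, as an added Python example (not CloudForms or OpenShift code); the mode names and the sample certificate dicts are constructed for illustration, and the custom-CA mode expects the ca.crt PEM extracted from the service-account secret.

```python
"""Added example (not CloudForms or OpenShift code): the three provider
verification modes as ssl.SSLContext settings, plus the "Subject is
router.default.svc" check on a served certificate."""
import ssl


def make_context(mode, custom_ca_pem=None):
    """SSLContext for one mode (hypothetical mode names):
    CA bundle, custom CA only, or no verification at all."""
    if mode == "ssl":
        return ssl.create_default_context()  # system bundle, hostname checked
    if mode == "ssl-with-custom-ca":
        if not custom_ca_pem:
            raise ValueError("custom CA mode needs the CA certificate (ca.crt)")
        return ssl.create_default_context(cadata=custom_ca_pem)  # trusts only this CA
    if mode == "ssl-without-validation":
        ctx = ssl.create_default_context()
        ctx.check_hostname = False  # must be cleared before dropping verify_mode
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    raise ValueError("unknown verification mode: %r" % mode)


def context_summary(ctx):
    """What a context will enforce, in a form that is easy to assert on."""
    return {"verify": ctx.verify_mode.name, "check_hostname": ctx.check_hostname}


def cert_dns_names(peercert):
    """DNS names of a getpeercert()-style dict: SAN entries, else the subject CN."""
    names = [v for k, v in peercert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in peercert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names


def hostname_matches(peercert, hostname):
    """True if the served cert names the host the route is reached at;
    a leading '*.' matches exactly one label (RFC 6125 style)."""
    host = hostname.lower()
    for name in (n.lower() for n in cert_dns_names(peercert)):
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


# Constructed samples shaped like ssl.SSLSocket.getpeercert() output:
# the default router cert (bad) and a cert issued for the Hawkular hostname (good).
ROUTER_CERT = {"subject": ((("commonName", "router.default.svc"),),),
               "subjectAltName": (("DNS", "router.default.svc"),)}
HAWKULAR_CERT = {"subject": ((("commonName", "hawkular-metrics.10.35.48.130.xip.io"),),)}
```

A cert whose only name is router.default.svc fails the hostname check even in custom-CA mode, which is why the route needs the regenerated metrics.crt before CFME can trust it.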

Comment 10 errata-xmlrpc 2017-05-31 14:40:48 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:1367
