Description of problem:
After a custom certificate is used, cm/router-ca in openshift-config-managed is not re-created

Version-Release number of selected component (if applicable):
4.3.0-0.nightly-2019-11-13-233341

How reproducible:
Always

Steps to Reproduce:
1. Configure the ingress router to use a custom certificate

Generate a CA and certificate (for testing, if you do not already have a CA and certificate):

BASE_DOMAIN="$(oc get dns.config/cluster -o 'jsonpath={.spec.baseDomain}')"
INGRESS_DOMAIN="$(oc get ingress.config/cluster -o 'jsonpath={.spec.domain}')"
openssl genrsa -out example-ca.key 2048
openssl req -x509 -new -key example-ca.key -out example-ca.crt -days 1 -subj "/C=US/ST=NC/L=Chocowinity/O=OS3/OU=Eng/CN=$BASE_DOMAIN"
openssl genrsa -out example.key 2048
openssl req -new -key example.key -out example.csr -subj "/C=US/ST=NC/L=Chocowinity/O=OS3/OU=Eng/CN=*.$INGRESS_DOMAIN"
openssl x509 -req -in example.csr -CA example-ca.crt -CAkey example-ca.key -CAcreateserial -out example.crt -days 1

Configure the certificate as the ingresscontroller's default certificate:

oc -n openshift-ingress create secret tls custom-default-cert --cert=example.crt --key=example.key
oc -n openshift-ingress-operator patch ingresscontrollers/default --type=merge --patch='{"spec":{"defaultCertificate":{"name":"custom-default-cert"}}}'

2. Confirm router-ca exists before patching the ingress router

$ oc get cm router-ca -n openshift-config-managed
NAME        DATA   AGE
router-ca   1      50s
$ oc -n openshift-ingress-operator patch ingresscontrollers/default --type=merge --patch='{"spec":{"defaultCertificate":{"name":"custom-default-cert"}}}'
ingresscontroller.operator.openshift.io/default patched
$ oc get cm router-ca -n openshift-config-managed
Error from server (NotFound): configmaps "router-ca" not found

Actual results:
2. router-ca is not re-created

Expected results:
2. router-ca should be re-created

Additional info:
I think this is an architectural documentation issue at best for now. The router-ca ConfigMap is only published when any ingresscontroller references the system-generated default certificate. Since you changed the ingresscontroller to reference a custom certificate, leaving no ingress controllers referencing the default generated certificate, the router-ca ConfigMap should not be published, and your `oc get` call confirms the correct behavior. Did you notice anything broken, or was the absence of the resource itself your concern? If authentication continues to function after installing the new certificate, there should be no cause for concern. Generally I'm not sure end users should even be aware of the router-ca ConfigMap. Its purpose is to facilitate OpenShift component integrations. Sorry for the confusion!
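The publication rule stated in the comment above (router-ca exists only while some ingresscontroller still uses the operator-generated default certificate) turned into a consistency check an administrator can run over `oc get ... -o json` output. This is an added example, not the ingress operator's own code; it assumes the rule exactly as described (an ingresscontroller with no `spec.defaultCertificate.name` uses the generated certificate), also flags a referenced custom secret that is missing from openshift-ingress, and generalizes to any number of ingresscontrollers. The sample objects are constructed to mirror the post-patch state in the report, and the file names in the usage comment are hypothetical.

```python
"""Consistency check for the router-ca ConfigMap.

Added example (not the ingress operator's code). It assumes the rule stated
in the bug discussion: router-ca is published in openshift-config-managed
only while at least one ingresscontroller uses the operator-generated
default certificate, i.e. has no spec.defaultCertificate.name set.
"""
import json
import sys

ROUTER_CA_NAMESPACE = "openshift-config-managed"
ROUTER_CA_NAME = "router-ca"
INGRESS_SECRET_NAMESPACE = "openshift-ingress"


def items_from(doc):
    """Accept either a bare list or an `oc get ... -o json` List object."""
    return doc["items"] if isinstance(doc, dict) else doc


def uses_generated_default_cert(ingresscontroller):
    """True when no custom defaultCertificate secret is referenced."""
    spec = ingresscontroller.get("spec") or {}
    default_cert = spec.get("defaultCertificate") or {}
    return not default_cert.get("name")


def router_ca_expected(ingresscontrollers):
    """router-ca should exist iff some ingresscontroller uses the generated cert."""
    return any(uses_generated_default_cert(ic) for ic in ingresscontrollers)


def router_ca_present(configmaps):
    """Whether router-ca is among the listed ConfigMaps."""
    return any(
        cm.get("metadata", {}).get("namespace") == ROUTER_CA_NAMESPACE
        and cm.get("metadata", {}).get("name") == ROUTER_CA_NAME
        for cm in configmaps
    )


def missing_custom_secrets(ingresscontrollers, secrets):
    """Custom default-cert secrets that are referenced but absent from openshift-ingress."""
    existing = {
        s["metadata"]["name"]
        for s in secrets
        if s.get("metadata", {}).get("namespace") == INGRESS_SECRET_NAMESPACE
    }
    referenced = {
        ic["spec"]["defaultCertificate"]["name"]
        for ic in ingresscontrollers
        if not uses_generated_default_cert(ic)
    }
    return sorted(referenced - existing)


def assess(ingresscontrollers, configmaps, secrets):
    """Compare the expected router-ca state with what the cluster shows."""
    expected = router_ca_expected(ingresscontrollers)
    present = router_ca_present(configmaps)
    return {
        "router_ca_expected": expected,
        "router_ca_present": present,
        "consistent": expected == present,
        "generated_cert_users": sorted(
            ic["metadata"]["name"] for ic in ingresscontrollers
            if uses_generated_default_cert(ic)
        ),
        "missing_custom_secrets": missing_custom_secrets(ingresscontrollers, secrets),
    }


# Constructed sample objects reflecting the post-patch state in the report:
# the default ingresscontroller references custom-default-cert, the secret
# exists in openshift-ingress, and router-ca is gone. (Not cluster output.)
SAMPLE_INGRESSCONTROLLERS = [
    {"metadata": {"name": "default", "namespace": "openshift-ingress-operator"},
     "spec": {"defaultCertificate": {"name": "custom-default-cert"}}},
]
SAMPLE_SECRETS = [
    {"metadata": {"name": "custom-default-cert", "namespace": INGRESS_SECRET_NAMESPACE},
     "type": "kubernetes.io/tls"},
]
SAMPLE_CONFIGMAPS = [
    {"metadata": {"name": "example-unrelated-cm", "namespace": ROUTER_CA_NAMESPACE}},
]


def main(argv):
    if len(argv) == 4:
        # Hypothetical usage: check.py ingresscontrollers.json configmaps.json secrets.json,
        # each file produced with `oc get <kind> -A -o json`.
        docs = [items_from(json.load(open(path))) for path in argv[1:]]
    else:
        docs = [SAMPLE_INGRESSCONTROLLERS, SAMPLE_CONFIGMAPS, SAMPLE_SECRETS]
    report = assess(*docs)
    print(json.dumps(report, indent=2))
    return 0 if report["consistent"] and not report["missing_custom_secrets"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

With the constructed sample the report is consistent: no ingresscontroller uses the generated certificate, so the absence of router-ca is the expected state rather than a defect. A non-zero exit signals either a mismatch between expected and observed router-ca presence or a custom certificate secret that the operator cannot find.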
> Did you notice anything broken, or was the absence of the resource itself your concern? If authentication continues to function after installing the new certificate, there should be no cause for concern.

Except that the console is not accessible (tracked in bug 1764704), it looks like authentication still works well although the ConfigMap router-ca does not exist. Thanks for your reply.
(In reply to Dan Mace from comment #1)
> I think this is an architectural documentation issue at best for now.
>
> The router-ca ConfigMap is only published when any ingresscontroller
> references the system-generated default certificate. Since you changed the
> ingresscontroller to reference a custom certificate, leaving no ingress
> controllers referencing the default generated certificate, the router-ca
> ConfigMap should not be published, and your `oc get` call confirms the
> correct behavior. Did you notice anything broken, or was the absence of the
> resource itself your concern? If authentication continues to function after
> installing the new certificate, there should be no cause for concern.
>
> Generally I'm not sure end users should even be aware of the router-ca
> ConfigMap. Its purpose is to facilitate OpenShift component integrations.
>
> Sorry for the confusion!

I wasn't aware of this. It invalidates the change we made to try to handle bug 1764704 and bug 1712525 and will break the console if the certificate is not trusted. Is there a CA we can use for these scenarios?

https://github.com/openshift/console-operator/pull/328
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 365 days