Bug 1772775 - ingress operator don't re-create router-ca when custom certificate is used [NEEDINFO]
Summary: ingress operator don't re-create router-ca when custom certificate is used
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Routing
Version: 4.3.0
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
Target Release: 4.3.0
Assignee: Dan Mace
QA Contact: Hongan Li
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-11-15 06:59 UTC by Yadan Pei
Modified: 2019-11-19 15:14 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-11-18 18:08:40 UTC
Target Upstream Version:
spadgett: needinfo? (dmace)

Description Yadan Pei 2019-11-15 06:59:09 UTC
Description of problem:
After a custom certificate is used, cm/router-ca in openshift-config-managed is not re-created

Version-Release number of selected component (if applicable):
4.3.0-0.nightly-2019-11-13-233341

How reproducible:
Always

Steps to Reproduce:
1. Configure the ingress router to use a custom certificate
Generate a CA and certificate (for testing, if you do not already have a CA and certificate):

    BASE_DOMAIN="$(oc get dns.config/cluster -o 'jsonpath={.spec.baseDomain}')"
    INGRESS_DOMAIN="$(oc get ingress.config/cluster -o 'jsonpath={.spec.domain}')"
    openssl genrsa -out example-ca.key 2048
    openssl req -x509 -new -key example-ca.key -out example-ca.crt -days 1 -subj "/C=US/ST=NC/L=Chocowinity/O=OS3/OU=Eng/CN=$BASE_DOMAIN"
    openssl genrsa -out example.key 2048
    openssl req -new -key example.key -out example.csr -subj "/C=US/ST=NC/L=Chocowinity/O=OS3/OU=Eng/CN=*.$INGRESS_DOMAIN"
    openssl x509 -req -in example.csr -CA example-ca.crt -CAkey example-ca.key -CAcreateserial -out example.crt -days 1


Configure the certificate as the ingresscontroller's default certificate:

    oc -n openshift-ingress create secret tls custom-default-cert --cert=example.crt --key=example.key
    oc -n openshift-ingress-operator patch ingresscontrollers/default --type=merge --patch='{"spec":{"defaultCertificate":{"name":"custom-default-cert"}}}'
2. Confirm router-ca exists before patching the ingress router
$ oc get cm router-ca -n openshift-config-managed
NAME        DATA   AGE
router-ca   1      50s
$ oc -n openshift-ingress-operator patch ingresscontrollers/default --type=merge --patch='{"spec":{"defaultCertificate":{"name":"custom-default-cert"}}}'
ingresscontroller.operator.openshift.io/default patched
$ oc get cm router-ca -n openshift-config-managed
Error from server (NotFound): configmaps "router-ca" not found

Actual results:
2. router-ca is not re-created

Expected results:
2. router-ca should be re-created

Additional info:

Comment 1 Dan Mace 2019-11-18 18:08:40 UTC
I think this is an architectural documentation issue at best for now.

The router-ca ConfigMap is only published when any ingresscontroller references the system-generated default certificate. Since you changed the ingresscontroller to reference a custom certificate, leaving no ingress controllers referencing the default generated certificate, the router-ca ConfigMap should not be published, and your `oc get` call confirms the correct behavior. Did you notice anything broken, or was the absence of the resource itself your concern? If authentication continues to function after installing the new certificate, there should be no cause for concern.

Generally I'm not sure end users should even be aware of the router-ca ConfigMap. Its purpose is to facilitate OpenShift component integrations.

Sorry for the confusion!
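
The rule stated above (router-ca is published only while some ingresscontroller still uses the operator-generated default certificate) can be turned into a quick check that separates expected absence from a real failure. This is an added example, not code from the ingress operator; it assumes that an ingresscontroller with no `spec.defaultCertificate.name` is the one using the generated certificate, and the JSON samples are constructed to mirror the before/after state in the steps to reproduce.

```python
import json

# Constructed samples, trimmed to the fields this check reads, in the shape
# returned by `oc get ingresscontrollers -n openshift-ingress-operator -o json`.
# BEFORE_PATCH: the default controller has no spec.defaultCertificate (generated cert).
# AFTER_PATCH: the default controller references the custom secret from the report.
BEFORE_PATCH = json.dumps({"items": [
    {"metadata": {"name": "default"}, "spec": {}},
]})
AFTER_PATCH = json.dumps({"items": [
    {"metadata": {"name": "default"},
     "spec": {"defaultCertificate": {"name": "custom-default-cert"}}},
]})


def uses_generated_default_cert(ic):
    """Assumption: no spec.defaultCertificate.name means the operator-generated
    default certificate is in use for this ingresscontroller."""
    spec = ic.get("spec") or {}
    default_cert = spec.get("defaultCertificate") or {}
    return not default_cert.get("name")


def controllers_on_generated_cert(ic_list_json):
    """Names of ingresscontrollers still on the generated default certificate;
    router-ca is expected to exist exactly when this list is non-empty."""
    items = json.loads(ic_list_json).get("items", [])
    return [ic["metadata"]["name"] for ic in items if uses_generated_default_cert(ic)]


def diagnose(ic_list_json, router_ca_present):
    """Compare the observed presence of cm/router-ca with what the rule predicts.
    Returns 'ok', or a short reason when the state is worth investigating."""
    generated = controllers_on_generated_cert(ic_list_json)
    if generated and not router_ca_present:
        return "unexpected: %s still use the generated default certificate, " \
               "but router-ca is missing" % ", ".join(generated)
    if not generated and router_ca_present:
        return "stale: no ingresscontroller uses the generated default " \
               "certificate, but router-ca still exists"
    return "ok"


if __name__ == "__main__":
    # The scenario in this report: custom cert configured, router-ca gone -> expected.
    print(diagnose(AFTER_PATCH, router_ca_present=False))
```

Feed it the live output of `oc get ingresscontrollers -n openshift-ingress-operator -o json` and the result of `oc get cm router-ca -n openshift-config-managed` to reproduce the check against a real cluster.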

Comment 2 Yadan Pei 2019-11-19 06:22:59 UTC
> Did you notice anything broken, or was the absence of the resource itself your concern? If authentication continues to function after installing the new certificate, there should be no cause for concern.

Except that the console is not accessible (tracked in bug 1764704), it looks like authentication still works well although the ConfigMap router-ca does not exist. Thanks for your reply.

Comment 3 Samuel Padgett 2019-11-19 14:30:21 UTC
(In reply to Dan Mace from comment #1)
> I think this is an architectural documentation issue at best for now.
> 
> The router-ca ConfigMap is only published when any ingresscontroller
> references the system-generated default certificate. Since you changed the
> ingresscontroller to reference a custom certificate, leaving no ingress
> controllers referencing the default generated certificate, the router-ca
> ConfigMap should not be published, and your `oc get` call confirms the
> correct behavior. Did you notice anything broken, or was the absence of the
> resource itself your concern? If authentication continues to function after
> installing the new certificate, there should be no cause for concern.
> 
> Generally I'm not sure end users should even be aware of the router-ca
> ConfigMap. Its purpose is to facilitate OpenShift component integrations.
> 
> Sorry for the confusion!

I wasn't aware of this. It invalidates the change we made to try to handle bug 1764704 and bug 1712525 and will break console if the certificate is not trusted. Is there a CA we can use for these scenarios?

https://github.com/openshift/console-operator/pull/328