Bug 1788712 - Ingress operator should publish the default IngressController's default certificate in a ConfigMap for other operators
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Routing
Version: 4.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Target Release: 4.4.0
Assignee: Miciah Dashiel Butler Masters
QA Contact: Hongan Li
URL:
Whiteboard:
Depends On:
Blocks: 1788711
Reported: 2020-01-07 21:40 UTC by Miciah Dashiel Butler Masters
Modified: 2020-05-04 11:23 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Feature: The ingress operator now publishes the default certificate of the default IngressController to a ConfigMap for other operators to read.
Reason: Other operators can read the certificate from the new ConfigMap and incorporate it into their trust bundles so that they can connect to Routes that use a custom default certificate.
Result: The administrator of a cluster with a custom PKI no longer needs to configure the certificate that was used to sign the default IngressController's default certificate as a trusted CA in order for cluster components such as the Console and OAuth to function.
Clone Of: 1788711
Environment:
Last Closed: 2020-05-04 11:23:07 UTC
Target Upstream Version:




Links
System ID | Private | Priority | Status | Summary | Last Updated
Github openshift cluster-ingress-operator pull 331 | 0 | None | closed | Bug 1788712: publish a router-ca that can be used to verify routes in golang clients | 2020-08-21 19:31:49 UTC
Red Hat Product Errata RHBA-2020:0581 | 0 | None | None | None | 2020-05-04 11:23:40 UTC

Description Miciah Dashiel Butler Masters 2020-01-07 21:40:39 UTC
+++ This bug was initially created as a clone of Bug #1788711 +++

Description of problem:

The ingress operator should publish the default certificate of the default IngressController to a ConfigMap for other operators to read.

Once the ingress operator publishes the ConfigMap, other operators will read it and incorporate the default certificate into their trust bundles so that they can connect to Route resources.  This will relieve the administrator of the need to configure the certificate that was used to sign the default certificate as a trusted CA on a cluster with a custom PKI.


Steps to Reproduce:

1. oc -n openshift-config-managed get configmaps/default-ingress-cert


Actual results:

The requested resource does not exist.


Expected results:

The resource should exist.


Additional info:

The feature is described in the following enhancement proposal: https://github.com/openshift/enhancements/pull/126

It is implemented by the following PR, which will ship in 4.4: https://github.com/openshift/cluster-ingress-operator/pull/331

The following PR backports the feature to 4.3: https://github.com/openshift/cluster-ingress-operator/pull/336

Additional changes are required to the auth and console operators to read the new ConfigMap.  This Bugzilla report covers only the ingress operator.
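The consumer side of the mechanism described above, as an added worked example (not code from the ingress operator, the enhancement proposal or PR 331): a Go client builds its trust bundle from the published ConfigMap's data and uses it to verify a TLS handshake with a Route, next to a client that has no such bundle. Everything is constructed in-process so it runs offline: the CA, the wildcard router certificate it signs, the local TLS listener standing in for the router, and the ConfigMap data. Assumptions not stated in the bug: the ConfigMap key name ca-bundle.crt, and that a real consumer would fetch the ConfigMap from openshift-config-managed through the API (for example with client-go) rather than build it in memory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// ConfigMap key assumed to carry the PEM bundle (assumption: the bug does not name it).
const caBundleKey = "ca-bundle.crt"

// trustBundleFromConfigMap returns the system roots plus every certificate in the
// ConfigMap's bundle key. A missing or unparseable bundle is an error rather than a
// silent fallback to system roots, which would only move the failure to dial time.
func trustBundleFromConfigMap(data map[string]string) (*x509.CertPool, error) {
	pool, err := x509.SystemCertPool()
	if err != nil {
		pool = x509.NewCertPool()
	}
	pemData := data[caBundleKey]
	if pemData == "" || !pool.AppendCertsFromPEM([]byte(pemData)) {
		return nil, errors.New("configmap key " + caBundleKey + " is missing or holds no parseable certificate")
	}
	return pool, nil
}

// dialRoute performs a TLS handshake with a Route endpoint, trusting only roots.
func dialRoute(addr string, roots *x509.CertPool) error {
	conn, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12})
	if err != nil {
		return err
	}
	return conn.Close()
}

// check aborts construction of the throwaway PKI on error; fixture code only.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newTestPKI constructs a throwaway CA and a wildcard server certificate it signs,
// standing in for the operator's CA and the router's default certificate.
// Loopback SANs are included only so the local test listener verifies.
func newTestPKI() ([]byte, tls.Certificate) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	srvKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-router-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	check(err)
	caCert, err := x509.ParseCertificate(caDER)
	check(err)
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "*.apps.example.test"},
		DNSNames: []string{"*.apps.example.test"}, IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1), net.IPv6loopback},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	srvDER, err := x509.CreateCertificate(rand.Reader, srvTmpl, caCert, &srvKey.PublicKey, caKey)
	check(err)
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
	return caPEM, tls.Certificate{Certificate: [][]byte{srvDER}, PrivateKey: srvKey}
}

// demo serves the constructed default certificate on a local TLS listener, then dials
// it once with a bundle built from constructed ConfigMap data and once with an empty
// pool. A nil error means the handshake verified.
func demo() (withBundle, withoutBundle error) {
	caPEM, srvCert := newTestPKI()
	srv := httptest.NewUnstartedServer(http.NotFoundHandler())
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{srvCert}}
	srv.StartTLS()
	defer srv.Close()
	// Constructed stand-in for reading configmaps/default-ingress-cert through the API.
	pool, err := trustBundleFromConfigMap(map[string]string{caBundleKey: string(caPEM)})
	if err != nil {
		return err, err
	}
	addr := srv.Listener.Addr().String()
	return dialRoute(addr, pool), dialRoute(addr, x509.NewCertPool())
}

func main() { fmt.Println(demo()) }
```

The client that loads the bundle completes the handshake; the one without it fails with an unknown-authority error, which is the failure the Console and OAuth operators hit today on a cluster with a custom default certificate. The bundle builder deliberately errors on a missing or empty key instead of continuing with system roots only, so a consuming operator surfaces the problem at startup rather than on every Route connection.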

Comment 2 Hongan Li 2020-02-03 04:02:31 UTC
Verified with 4.4.0-0.nightly-2020-02-02-201619 and passed.

$ oc -n openshift-config-managed get cm/default-ingress-cert 
NAME                   DATA   AGE
default-ingress-cert   1      129m

After deleting and recreating the default ingresscontroller, the cm/default-ingress-cert can be updated as well.

Comment 4 errata-xmlrpc 2020-05-04 11:23:07 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0581

