Bug 1824935 - Console operator inverts logic for picking up the default-ingress-cert
Summary: Console operator inverts logic for picking up the default-ingress-cert
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Management Console
Version: 4.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Target Release: 4.4.z
Assignee: Miciah Dashiel Butler Masters
QA Contact: Yadan Pei
Depends On: 1824934
Reported: 2020-04-16 17:09 UTC by bpeterse
Modified: 2020-06-17 22:26 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1824934
Last Closed: 2020-06-17 22:26:03 UTC
Target Upstream Version:


System ID Private Priority Status Summary Last Updated
Github openshift console-operator pull 407 0 None closed Bug 1824935: [release-4.4] Fix console oauthEndpointCAFile setting 2020-08-21 18:23:20 UTC
Red Hat Product Errata RHBA-2020:2445 0 None None None 2020-06-17 22:26:25 UTC

Description bpeterse 2020-04-16 17:09:53 UTC
+++ This bug was initially created as a clone of Bug #1824934 +++

Description of problem:

See this PR: https://github.com/openshift/console-operator/pull/403

Comment 3 bpeterse 2020-04-17 16:13:42 UTC
Setting this to 4.4.z, it doesn't need to block 4.4.
The logic is new as of 4.4, no backport to 4.3 will be needed.

Comment 4 Samuel Padgett 2020-04-20 14:17:14 UTC
Miciah, what is the consequence of not fixing this in 4.4?

Comment 5 Miciah Dashiel Butler Masters 2020-04-29 00:37:35 UTC
This is all right to miss in 4.4.0, but we should get it in 4.4.z.  The ingress operator started publishing the "default-ingress-cert" configmap in 4.3.3 (see bug 1788711) and will stop publishing the "router-ca" configmap in 4.5 (see https://github.com/openshift/cluster-ingress-operator/pull/377).  The consequence of not fixing this in 4.4.0 is that the console operator will continue using the old "router-ca" configmap instead of the new "default-ingress-cert" configmap, but this is fine because the old configmap is still present in 4.4.  The consequence of not fixing this in 4.4.z is a possible disruption to OpenShift Console's availability if it is still using the old configmap when a cluster is upgraded from 4.4 to 4.5 and the ingress operator stops publishing the new configmap before the console operator updates to the new configmap.

Comment 6 Miciah Dashiel Butler Masters 2020-04-29 00:45:55 UTC
One other note: The ingress operator only publishes the "router-ca" configmap if the ingress controller uses the operator-generated default certificate.  In contrast, the ingress operator always publishes the "default-ingress-cert" configmap.  In particular, if the cluster administrator configures a custom default certificate, then the ingress operator publishes that certificate to "default-ingress-cert".  This means that if operators use "default-ingress-cert", then cluster administrators can configure a default certificate with a custom PKI without also needing to configure the custom PKI through the proxy trusted CA.  However, this only means that using "default-ingress-cert" makes things more convenient for the cluster administrator; continuing to use "router-ca" does *not* constitute a regression, only the absence of a potential improvement to convenience.
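As an added illustration (not the console operator's own code), the following Go model compares the two possible precedence orders for the ingress CA configmap against the cluster states described in Comments 5 and 6: the configmap names and namespace come from this bug, while the cluster-state maps, the function names and the "inverted" order are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Orders compared: fixed prefers the always-published default-ingress-cert,
// inverted keeps the console on router-ca as long as that configmap exists.
var (
	fixedOrder    = []string{"default-ingress-cert", "router-ca"}
	invertedOrder = []string{"router-ca", "default-ingress-cert"}
)

// selectIngressCA returns the first candidate that the ingress operator has
// published in openshift-config-managed (modelled as a name -> published map).
func selectIngressCA(present map[string]bool, order []string) (string, error) {
	for _, name := range order {
		if present[name] {
			return name, nil
		}
	}
	return "", errors.New("no ingress CA configmap published in openshift-config-managed")
}

// disruptedByUpgrade reports whether the configmap chosen on the old cluster
// state is gone on the new state, leaving the console pointing at a missing
// configmap until the operator re-syncs (the 4.4 -> 4.5 hazard of Comment 5).
func disruptedByUpgrade(order []string, before, after map[string]bool) (bool, error) {
	chosen, err := selectIngressCA(before, order)
	if err != nil {
		return false, err
	}
	return !after[chosen], nil
}

// Constructed cluster states based on Comments 5 and 6.
var (
	v44Generated = map[string]bool{"router-ca": true, "default-ingress-cert": true}
	v44CustomPKI = map[string]bool{"default-ingress-cert": true}
	v45          = map[string]bool{"default-ingress-cert": true}
)

func main() {
	for label, order := range map[string][]string{"fixed": fixedOrder, "inverted": invertedOrder} {
		name, _ := selectIngressCA(v44Generated, order)
		hit, _ := disruptedByUpgrade(order, v44Generated, v45)
		fmt.Printf("%-8s order: 4.4 uses %-20s disrupted by 4.5 upgrade: %v\n", label, name, hit)
	}
}
```

With a custom default certificate (v44CustomPKI) both orders already land on default-ingress-cert, which is the convenience point of Comment 6; only on an operator-generated certificate does the inverted order stay on router-ca and then lose it at the 4.5 upgrade.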

Comment 7 Miciah Dashiel Butler Masters 2020-05-08 19:54:47 UTC
The 4.4 backport (this bug) is blocked on the fix getting merged in 4.5 (bug 1824934).

Comment 11 Yanping Zhang 2020-06-08 09:04:14 UTC
Checked on ocp 4.4 cluster with payload: 4.4.0-0.nightly-2020-06-07-075345
Checked the console container, the default-ingress-cert is mounted by default:
            - name: console-serving-cert
              readOnly: true
              mountPath: /var/serving-cert
            - name: console-oauth-config
              readOnly: true
              mountPath: /var/oauth-config
            - name: console-config
              readOnly: true
              mountPath: /var/console-config
            - name: service-ca
              readOnly: true
              mountPath: /var/service-ca
            - name: default-ingress-cert
              readOnly: true
              mountPath: /var/default-ingress-cert
            - name: trusted-ca-bundle
              readOnly: true
              mountPath: /etc/pki/ca-trust/extracted/pem

Comment 13 errata-xmlrpc 2020-06-17 22:26:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

