+++ This bug was initially created as a clone of Bug #1824934 +++

Description of problem:
See this PR: https://github.com/openshift/console-operator/pull/403

Merged.
https://github.com/openshift/console-operator/pull/407
Setting this to 4.4.z, it doesn't need to block 4.4. The logic is new as of 4.4, no backport to 4.3 will be needed.
Miciah, what is the consequence of not fixing this in 4.4?
This is all right to miss in 4.4.0, but we should get it in 4.4.z. The ingress operator started publishing the "default-ingress-cert" configmap in 4.3.3 (see bug 1788711) and will stop publishing the "router-ca" configmap in 4.5 (see https://github.com/openshift/cluster-ingress-operator/pull/377). The consequence of not fixing this in 4.4.0 is that the console operator will continue using the old "router-ca" configmap instead of the new "default-ingress-cert" configmap, but this is fine because the old configmap is still present in 4.4. The consequence of not fixing this in 4.4.z is a possible disruption to OpenShift Console's availability if it is still using the old configmap when a cluster is upgraded from 4.4 to 4.5 and the ingress operator stops publishing the old configmap before the console operator updates to the new configmap.
One other note: The ingress operator only publishes the "router-ca" configmap if the ingress controller uses the operator-generated default certificate. In contrast, the ingress operator always publishes the "default-ingress-cert" configmap. In particular, if the cluster administrator configures a custom default certificate, then the ingress operator publishes that certificate to "default-ingress-cert". This means that if operators use "default-ingress-cert", then cluster administrators can configure a default certificate with a custom PKI without needing also to configure the custom PKI through the proxy trusted CA. However this only means that using "default-ingress-cert" makes things more convenient to the cluster administrator; continuing to use "router-ca" does *not* constitute a regression, only the absence of a potential improvement to convenience.
The 4.4 backport (this bug) is blocked on the fix getting merged in 4.5 (bug 1824934).
Checked on an OCP 4.4 cluster with payload 4.4.0-0.nightly-2020-06-07-075345. Checked the console container; the default-ingress-cert is mounted by default:

    volumeMounts:
    - name: console-serving-cert
      readOnly: true
      mountPath: /var/serving-cert
    - name: console-oauth-config
      readOnly: true
      mountPath: /var/oauth-config
    - name: console-config
      readOnly: true
      mountPath: /var/console-config
    - name: service-ca
      readOnly: true
      mountPath: /var/service-ca
    - name: default-ingress-cert
      readOnly: true
      mountPath: /var/default-ingress-cert
    - name: trusted-ca-bundle
      readOnly: true
      mountPath: /etc/pki/ca-trust/extracted/pem
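As an added pre-upgrade check (example code, not from this bug or the console-operator project), the following Python function inspects a console Deployment manifest and reports whether the pod still sources the ingress CA from the old "router-ca" configmap or from the new "default-ingress-cert" one, which is the condition that decides whether the 4.4 to 4.5 upgrade can disrupt the console. The sample manifests are constructed from the volume list in the verification comment above; the assumption that each volume is backed by a configMap of the same name is mine, not stated by the page.

```python
import json

OLD_CONFIGMAP = "router-ca"             # only published for the operator-generated cert; gone in 4.5
NEW_CONFIGMAP = "default-ingress-cert"  # always published by the ingress operator since 4.3.3


def configmap_sources(deployment: dict) -> dict:
    """Map each configMap-backed volume name in the pod spec to the configmap it references."""
    pod_spec = deployment["spec"]["template"]["spec"]
    return {
        v["name"]: v["configMap"]["name"]
        for v in pod_spec.get("volumes", [])
        if "configMap" in v
    }


def ingress_cert_status(deployment: dict) -> str:
    """Classify how the console pod obtains the default ingress certificate.

    "ok"      - mounts default-ingress-cert (survives the 4.4 -> 4.5 upgrade)
    "legacy"  - still mounts router-ca only (possible console disruption in 4.5)
    "missing" - mounts neither configmap
    """
    referenced = set(configmap_sources(deployment).values())
    if NEW_CONFIGMAP in referenced:
        return "ok"
    if OLD_CONFIGMAP in referenced:
        return "legacy"
    return "missing"


# Constructed sample mirroring the fixed 4.4.0 nightly layout (volume-to-configmap names assumed).
FIXED_CONSOLE = json.loads("""{
  "kind": "Deployment", "metadata": {"name": "console", "namespace": "openshift-console"},
  "spec": {"template": {"spec": {"volumes": [
    {"name": "console-serving-cert", "secret": {"secretName": "console-serving-cert"}},
    {"name": "service-ca", "configMap": {"name": "service-ca"}},
    {"name": "default-ingress-cert", "configMap": {"name": "default-ingress-cert"}},
    {"name": "trusted-ca-bundle", "configMap": {"name": "trusted-ca-bundle"}}
  ]}}}
}""")

# Constructed sample of the pre-fix layout that still consumes the old configmap.
LEGACY_CONSOLE = json.loads(json.dumps(FIXED_CONSOLE))
LEGACY_CONSOLE["spec"]["template"]["spec"]["volumes"][2] = {
    "name": "router-ca", "configMap": {"name": "router-ca"}}

if __name__ == "__main__":
    for label, dep in (("fixed", FIXED_CONSOLE), ("legacy", LEGACY_CONSOLE)):
        print(f"{label}: {ingress_cert_status(dep)}")
```

Against a live cluster, feed it the output of `oc get deployment console -n openshift-console -o json` instead of the constructed manifests.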
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:2445