Bug 1835997 - oc help create reencrypt implies that --dest-ca-cert is required and does not document the default
Summary: oc help create reencrypt implies that --dest-ca-cert is required and does not...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: oc
Version: 4.5
Hardware: Unspecified
OS: Unspecified
unspecified
low
Target Milestone: ---
: 4.5.0
Assignee: Maciej Szulik
QA Contact: zhou ying
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-05-14 21:11 UTC by Miciah Dashiel Butler Masters
Modified: 2020-07-13 17:39 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-07-13 17:39:12 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift oc pull 421 0 None closed Bug 1835997: create route reencrypt: Improve --dest-ca-cert help 2020-06-22 14:39:00 UTC
Red Hat Product Errata RHBA-2020:2409 0 None None None 2020-07-13 17:39:24 UTC

Description Miciah Dashiel Butler Masters 2020-05-14 21:11:25 UTC
Description of problem:

`oc help create route reencrypt` prints the following output, which implies that --dest-ca-cert is required (it is not) and does not indicate what the default behavior is when --dest-ca-cert is omitted (the router will use the service CA):

    Create a route that uses reencrypt TLS termination
    
     Specify the service (either just its name or using type/name syntax) that the generated route should expose via the
    --service flag. A destination CA certificate is needed for reencrypt routes, specify one with the --dest-ca-cert flag.
    
    Usage:
      oc create route reencrypt [NAME] --dest-ca-cert=FILENAME --service=SERVICE [flags]
    
    Examples:
      # Create a route named "my-route" that exposes the frontend service.
      oc create route reencrypt my-route --service=frontend --dest-ca-cert cert.cert
    
      # Create a reencrypt route that exposes the frontend service and re-use
      # the service name as the route name.
      oc create route reencrypt --service=frontend --dest-ca-cert cert.cert
    
    Options:
          [...]
          --dest-ca-cert='': Path to a CA certificate file, used for securing the connection from the router to the
    destination.


Version-Release number of selected component (if applicable):

Client Version: 4.5.0-0.ci-2020-04-23-151503


How reproducible:

100%.


Steps to Reproduce:

1. Run the command: oc help create route reencrypt


Actual results:

The output is as described above.


Expected results:

In the synopsis, "--dest-ca-cert" should be enclosed in brackets to indicate that it is optional, or omitted because it is already described in the description and flags.

The description or flags sections should describe the default behavior, namely that the destination CA certificate will be assumed to be the service CA, meaning the service should use a serving certificate from the serving cert signer.

Comment 3 zhou ying 2020-05-18 02:04:05 UTC
[root@dhcp-140-138 ~]# oc help create route reencrypt
Create a route that uses reencrypt TLS termination

 Specify the service (either just its name or using type/name syntax) that the generated route should expose using the
--service flag. You may also specify a destination CA certificate using the --dest-ca-cert flag. If --dest-ca-cert is
omitted, the route will use the service CA, meaning the service must use a serving certificate from the serving cert
signer.


[root@dhcp-140-138 ~]# oc version -o yaml
clientVersion:
  buildDate: "2020-05-17T20:23:22Z"
  compiler: gc
  gitCommit: 28fff2f1e599ef9df657c1e6c0c6815b40425da0
  gitTreeState: clean
  gitVersion: 4.5.0-202005172017-28fff2f
  goVersion: go1.13.4
  major: ""
  minor: ""
  platform: linux/amd64

Comment 4 errata-xmlrpc 2020-07-13 17:39:12 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2409


Note You need to log in before you can comment on or make changes to this bug.