Description of problem: `oc help create route reencrypt` prints the following output, which implies that --dest-ca-cert is required (it is not) and does not indicate what the default behavior is when --dest-ca-cert is omitted (the router will use the service CA): Create a route that uses reencrypt TLS termination Specify the service (either just its name or using type/name syntax) that the generated route should expose via the --service flag. A destination CA certificate is needed for reencrypt routes, specify one with the --dest-ca-cert flag. Usage: oc create route reencrypt [NAME] --dest-ca-cert=FILENAME --service=SERVICE [flags] Examples: # Create a route named "my-route" that exposes the frontend service. oc create route reencrypt my-route --service=frontend --dest-ca-cert cert.cert # Create a reencrypt route that exposes the frontend service and re-use # the service name as the route name. oc create route reencrypt --service=frontend --dest-ca-cert cert.cert Options: [...] --dest-ca-cert='': Path to a CA certificate file, used for securing the connection from the router to the destination. Version-Release number of selected component (if applicable): Client Version: 4.5.0-0.ci-2020-04-23-151503 How reproducible: 100%. Steps to Reproduce: 1. Run the command: oc help create route reencrypt Actual results: The output is as described above. Expected results: In the synopsis, "--dest-ca-cert" should be enclosed in brackets to indicate that it is optional, or omitted because it is already described in the description and flags. The description or flags sections should describe the default behavior, namely that the destination CA certificate will be assumed to be the service CA, meaning the service should use a serving certificate from the serving cert signer.
[root@dhcp-140-138 ~]# oc help create route reencrypt Create a route that uses reencrypt TLS termination Specify the service (either just its name or using type/name syntax) that the generated route should expose using the --service flag. You may also specify a destination CA certificate using the --dest-ca-cert flag. If --dest-ca-cert is omitted, the route will use the service CA, meaning the service must use a serving certificate from the serving cert signer. [root@dhcp-140-138 ~]# oc version -o yaml clientVersion: buildDate: "2020-05-17T20:23:22Z" compiler: gc gitCommit: 28fff2f1e599ef9df657c1e6c0c6815b40425da0 gitTreeState: clean gitVersion: 4.5.0-202005172017-28fff2f goVersion: go1.13.4 major: "" minor: "" platform: linux/amd64
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:2409