Bug 1870514 - Configuring custom certificate for default console route
Summary: Configuring custom certificate for default console route
Keywords:
Status: VERIFIED
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Management Console
Version: 4.5
Hardware: Unspecified
OS: Unspecified
urgent
urgent
Target Milestone: ---
: 4.6.0
Assignee: Jakub Hadvig
QA Contact: Yadan Pei
URL:
Whiteboard:
Depends On:
Blocks: 1874529 1874533
TreeView+ depends on / blocked
 
Reported: 2020-08-20 09:27 UTC by Rahul Rajendran
Modified: 2020-09-04 13:42 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Github openshift console-operator pull 459 None closed Bug 1870514: Configuring custom certificate for default console route 2020-09-20 06:32:22 UTC

Description Rahul Rajendran 2020-08-20 09:27:31 UTC
Description of problem:

Unable to configure custom certificate for the default console route.


Version-Release number of selected component (if applicable):
OCP 4.5 Console, console operator

How reproducible:

Since 4.5 onwards customization of console route and configurination of custom certificate is possible, but the certificate should be configured for the custom route created not the default route.


Steps to Reproduce:

Working(configuring a custom route for the console and followed by configuring custom certificate for the custom console route is working)
=======
1) Patch the CR with new host route URL:

$ oc patch consoles.operator.openshift.io cluster --patch '{"spec":{"route":{"hostname":"console.apps.test.example.com"}}}' --type=merge

2) Create cert and key and inject those to secret:

$  oc create secret tls console-serving-cert --cert=console.crt --key=console.key -n openshift-config

3) Patch the CR with secret :

$ oc patch consoles.operator.openshift.io cluster --patch '{"spec":{"route":{"secret":{"name":"console-serving-cert"}}}}' --type=merge


Not working(Configuring the custom certificates for the default console route)
============

1) Patch the CR with default host route URL:

$ oc patch consoles.operator.openshift.io cluster --patch '{"spec":{"route":{"hostname":"console-openshift-console.apps.test.example.com"}}}' --type=merge

2) Create cert and key and inject those to secret:

$  oc create secret tls console-serving-cert --cert=console.crt --key=console.key -n openshift-config

3) Patch the CR with secret :

$ oc patch consoles.operator.openshift.io cluster --patch '{"spec":{"route":{"secret":{"name":"console-serving-cert"}}}}' --type=merge



Actual results:

Console operator goes to degraded state and pod logs shows:

# oc logs console-operator-xxxx -n openshift-console-operator

E0813 13:48:49.665637       1 controller.go:129] {Console Console} failed with: routes.route.openshift.io "console-custom" not found
E0813 13:50:08.822338       1 status.go:78] CustomRouteSyncDegraded InvalidCustomRouteConfig custom route hostname is duplicate of the default route hostname
E0813 13:50:08.822504       1 controller.go:367] console-route-sync--work-queue-key failed with : custom route hostname is duplicate of the default route hostname
E0813 13:50:11.628714       1 status.go:78] SyncLoopRefreshDegraded InProgress routes.route.openshift.io "console-custom" not found
E0813 13:50:11.628950       1 controller.go:129] {Console Console} failed with: routes.route.openshift.io "console-custom" not found

Expected results:

Custom certificate should be able to configured for the default cionsole route as well

Ideally this process of patching console CR with hostname should work for any route we provide.

Additional info:

https://access.redhat.com/solutions/4539491

https://access.redhat.com/solutions/5237301

May be can  allow configuring custom cert for default console route URL, either by removing the current check at https://github.com/openshift/console-operator/blob/3382640b37d3dd19f13d79e2a84f186d8c0b43b4/pkg/console/controllers/route/controller.go#L234 or even by adding another attribute.

Comment 7 Yadan Pei 2020-09-03 05:41:33 UTC
1. Patch console.operator/cluster with the default console route
$ oc patch consoles.operator.openshift.io cluster --patch '{"spec":{"route":{"hostname”:”<console_default_route>“}}}’ --type=merge
In console-operator logs we can see: 
E0903 05:38:53.700428       1 status.go:78] CustomRouteSyncDegraded InvalidCustomRouteConfig custom route hostname is duplicate of the default route hostname
E0903 05:38:53.700831       1 controller.go:395] console-route-sync--work-queue-key failed with : custom route hostname is duplicate of the default route hostname

2. Do not patch console.operator/cluster with the default console route, only add custom secret
$ oc create secret tls console-serving-cert --cert=./apps.crt --key=./apps.key -n openshift-config
$ oc patch consoles.operator.openshift.io cluster --patch '{"spec":{"route":{"secret":{"name":"console-serving-cert"}}}}' --type=merge
I didn’t see new console pods are created, only the serving certificate is changed to the customized one(viewing certificate info via browser) 

I'd like to confirm are these all expected? Per my understanding they look correct, but I'd like to double confirm since it is very important bug

Comment 8 Jakub Hadvig 2020-09-03 07:37:14 UTC
Yes  if the admin wants to set a custom TSL cert for the default route, he only changes `spec.route.secret.name` field. 
Otherwise if he sets a duplicate hostname the operator will get degraded since there cant be two routes pointing to the same hostname.

Comment 9 Yadan Pei 2020-09-03 07:39:06 UTC
Moving to VERIFIED per comment 7 and comment 8

This is tested on 4.6.0-0.nightly-2020-09-02-165033


Note You need to log in before you can comment on or make changes to this bug.