When I deploy ACM in a OSD cluster I expect the Multi Cluster Hub to use the wildcard dns/certificate in the cluster instead of having a self signed certificate. I can get this working by patching the mch resource after the install by running the following to change the route to use reencrypt termination and providing the CA that is created for MCH. MCH should do this out of the box to support our enterprise customers who insist on genuine certificates. ``` CA=$(oc -n open-cluster-management get secret multicloud-ca-cert \ -o jsonpath='{.data.ca\.crt}' | base64 --decode | awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}') oc patch multiclusterhubs multiclusterhub -n open-cluster-management --type=merge \ -p=echo "{\"spec\":{\"tls\":{\"insecureEdgeTerminationPolicy\":\"Redirect\",\"termination\":\"reencrypt\",\"destinationCACertificate\":\"${CA}\"}}}" ```
Gus has info related to this-- reassigning
Hello Paul, Thanks for bringing this up. This is being addressed in a future release so the behavior you are describing will be what you see. The route will use the OCP default ingress cert and be configured as reencrypt by default. The patch you are describing does not work from what I can tell because the tls property does not exist for the multiclusterhubs resource. Can you double check what you are doing since it looks like that procedure is not valid? Thanks!
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: Red Hat Advanced Cluster Management 2.2.4 security and bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:2461