Setting blocker- because this is not a blocker for release, but it is something we want to get in 4.10.0 if possible.
verified with 4.10.0-0.nightly-2022-01-22-102609 and external-dns-operator.v0.1.2, the custom CA can be injected into operand (ExternalDNS) pod.

1. create configmap of custom CA and add it to proxy/cluster

    $ oc -n openshift-config create configmap user-ca-bundle --from-file=ca-bundle.crt=ca-bundle.qe
    $ oc edit proxy cluster
    spec:
      trustedCA:
        name: user-ca-bundle

2. follow the doc https://github.com/openshift/external-dns-operator/blob/main/docs/proxy.md#openshift-instructions to create/label a configmap in ns external-dns-operator, then add "spec.config.env" to the subscription.

3. check the operator log

    $ oc -n external-dns-operator logs external-dns-operator-86d7b5fd7d-t7gq6 -c operator | grep "trusted CA"
    2022-01-24T06:40:32.944Z INFO ca_configmap_controller reconciling trusted CA configmap {"configmap": "external-dns-operator/trusted-ca"}
    2022-01-24T06:40:32.990Z INFO ca_configmap_controller created trusted CA configmap {"namespace": "external-dns", "name": "external-dns-trusted-ca"}
    2022-01-24T06:40:33.009Z INFO ca_configmap_controller trusted CA configmap is reconciled {"configmap": "external-dns-operator/trusted-ca"}

4. check the operand configmap/deployment

    $ oc -n external-dns get cm
    NAME                      DATA   AGE
    external-dns-trusted-ca   1      122m

    $ oc -n external-dns get deployment -oyaml
    <---snip--->
            volumeMounts:
            - mountPath: /etc/pki/ca-trust/extracted/pem
              name: trusted-ca
              readOnly: true
          volumes:
          - configMap:
              defaultMode: 420
              items:
              - key: ca-bundle.crt
                path: tls-ca-bundle.pem
              name: external-dns-trusted-ca
            name: trusted-ca
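
The manual check in step 4 can be scripted. The following is an added example, not part of the original comment or of the operator's code: it reads `oc -n external-dns get deployment -o json` output and reports whether the trusted CA configmap is projected and mounted as shown above. The function names, the sample deployment and container names, and the rule that every container must mount the bundle are assumptions.

```python
import json

# Expected values copied from the verification output above.
CONFIGMAP = "external-dns-trusted-ca"
MOUNT_PATH = "/etc/pki/ca-trust/extracted/pem"
KEY, PATH = "ca-bundle.crt", "tls-ca-bundle.pem"

def check_trusted_ca(deployment):
    """Return a list of problems; an empty list means the CA bundle is wired in."""
    pod = deployment["spec"]["template"]["spec"]
    vols = [v for v in pod.get("volumes", [])
            if v.get("configMap", {}).get("name") == CONFIGMAP]
    if not vols:
        return [f"no volume references configmap {CONFIGMAP}"]
    problems = []
    for v in vols:
        pairs = [(i.get("key"), i.get("path")) for i in v["configMap"].get("items", [])]
        if (KEY, PATH) not in pairs:
            problems.append(f"volume {v['name']}: {KEY} not projected as {PATH}")
    names = {v["name"] for v in vols}
    # Assumption: every container in the operand pod should mount the bundle.
    for c in pod.get("containers", []):
        mounts = [m for m in c.get("volumeMounts", []) if m.get("name") in names]
        if not mounts:
            problems.append(f"container {c['name']}: CA volume not mounted")
        for m in mounts:
            if m.get("mountPath") != MOUNT_PATH or not m.get("readOnly"):
                problems.append(f"container {c['name']}: expected read-only mount at {MOUNT_PATH}")
    return problems

def check_output(text):
    """Parse `oc get deployment -o json` output (one Deployment or a List)."""
    doc = json.loads(text)
    items = doc["items"] if doc.get("kind") == "List" else [doc]
    return {d["metadata"]["name"]: check_trusted_ca(d) for d in items}

def sample(read_only=True, path=PATH):
    """Constructed sample shaped like the deployment shown above (names are made up)."""
    mount = {"mountPath": MOUNT_PATH, "name": "trusted-ca", "readOnly": read_only}
    volume = {"name": "trusted-ca", "configMap": {
        "name": CONFIGMAP, "defaultMode": 420, "items": [{"key": KEY, "path": path}]}}
    spec = {"containers": [{"name": "external-dns", "volumeMounts": [mount]}],
            "volumes": [volume]}
    dep = {"kind": "Deployment", "metadata": {"name": "external-dns-sample"},
           "spec": {"template": {"spec": spec}}}
    return json.dumps({"kind": "List", "items": [dep]})

if __name__ == "__main__":
    print(check_output(sample()))
```
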
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Release of ExternalDNS Operator on OperatorHub), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2022:0781