Bug 1687931 - Custom serving certificate configured for default IngressController is not propagated to authentication endpoint when secret is created after changing the config
Keywords:
Status: VERIFIED
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Routing
Version: 4.1
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 4.1.0
Assignee: Miciah Dashiel Butler Masters
QA Contact: Hongan Li
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-03-12 16:57 UTC by Cesar Wong
Modified: 2019-03-25 09:15 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Target Upstream Version:


Attachments
ingress-operator log (deleted)
2019-03-12 17:06 UTC, Cesar Wong


Links
System ID Priority Status Summary Last Updated
Github openshift cluster-ingress-operator pull 168 None None None 2019-03-14 03:40:09 UTC

Description Cesar Wong 2019-03-12 16:57:24 UTC
Description of problem:
A custom serving cert is configured for ingresscontroller/default in the openshift-ingress-operator namespace. The certificate is not getting propagated to the auth endpoint. This results in the openshift console URL initially hitting a valid certificate but then falling back to the self-signed certificate when redirecting to the auth endpoint.

Version-Release number of selected component (if applicable):
Cluster version is 4.0.0-0.alpha-2019-03-12-052340

How reproducible:
Always

Steps to Reproduce:
1. Place serving cert secret (servingcert) in openshift-ingress namespace
2. Edit ingresscontroller/default and add reference to serving cert:
   spec:
     defaultCertificate:
       name: servingcert 
3. Wait for ingress to restart and become available. Navigate to the console
   URL on a browser.

Actual results:
You are still prompted about invalid certificates when the console redirects to the auth endpoint.

Expected results:
Both the console and the auth endpoint use the new, valid serving cert.

Additional info:

Comment 1 Cesar Wong 2019-03-12 17:06:03 UTC
Created attachment 1543296
ingress-operator log

Comment 2 Cesar Wong 2019-03-12 18:49:39 UTC
Updated Steps to Reproduce:

1. Edit ingresscontroller/default and add reference to serving cert:
   spec:
     defaultCertificate:
       name: servingcert 
2. Place serving cert secret (servingcert) in openshift-ingress namespace
3. Wait for ingress to restart and become available. Navigate to the console
   URL on a browser

Comment 4 Hongan Li 2019-03-22 06:31:07 UTC
Will verify with the next nightly build, which contains the fix.

Comment 5 Hongan Li 2019-03-25 09:15:14 UTC
Verified with 4.0.0-0.nightly-2019-03-23-222829 and the issue has been fixed.
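
A check for the symptom reported in this bug, as an added example that is not part of the original report or of the ingress operator's code: it fetches the leaf certificate each endpoint presents, compares SHA-256 fingerprints, and confirms that a normal client trusts every endpoint. The console and auth hostnames are cluster-specific, so they are taken from the command line; the function names are illustrative.

```python
import hashlib
import socket
import ssl
import sys


def fetch_leaf_der(host, port=443, timeout=5.0):
    """Return the DER leaf certificate the endpoint presents, without validating it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # inspection only: we want the cert even if untrusted
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def chain_validates(host, port=443, timeout=5.0):
    """True if a default client (system trust store, hostname check) accepts the endpoint."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLError:  # includes certificate verification failures
        return False


def audit_routes(hosts, fetch=fetch_leaf_der, validates=chain_validates):
    """Return (consistent, per-host rows) for the given endpoint hostnames.

    consistent is True only when every host presents the same leaf
    certificate and that certificate validates for every host.
    """
    rows = {}
    for host in hosts:
        der = fetch(host)
        rows[host] = {"sha256": hashlib.sha256(der).hexdigest(),
                      "trusted": validates(host)}
    same_cert = len({row["sha256"] for row in rows.values()}) == 1
    all_trusted = all(row["trusted"] for row in rows.values())
    return same_cert and all_trusted, rows


if __name__ == "__main__":
    # Usage: python3 check_routes.py <console-host> <auth-host>
    consistent, report = audit_routes(sys.argv[1:])
    for name, row in report.items():
        print(f"{name}  sha256={row['sha256']}  trusted={row['trusted']}")
    sys.exit(0 if consistent else 1)
```

Run it after the ingress rollout completes; a non-zero exit with differing fingerprints matches the behaviour described in this report.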

