
[Tech Debt] [Maint] Canary: Add router's certificate to canary client trust bundle.


    • Icon: Epic Epic
    • Resolution: Unresolved
    • [Maint] Canary: Add router's certificate to canary client trust bundle.
    • Proactive Architecture
    • To Do
    • OCPPLAN-7878 - NetEdge - Maintainability and Debugability & Tech Backlog

      https://github.com/openshift/cluster-ingress-operator/pull/556 changed the ingress canary route from a cleartext route to an edge encrypted route. To satisfy this need quickly, the router's certificate is not verified.

      We should add the router's in-use certificate to the canary HTTP client's trust bundle so that the canary client can re-enable TLS verification (https://github.com/openshift/cluster-ingress-operator/blob/master/pkg/operator/controller/canary/http.go#L63).

      See also:
      https://bugzilla.redhat.com/show_bug.cgi?id=1932401
      https://github.com/openshift/cluster-ingress-operator/pull/565

      With this change in place, the canary client would not be able to perform checks if the router's in-use certificate is expired or otherwise not working. This failure state would then bubble up to the cluster administrator via the ingress cluster operator.
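
The behaviour requested above, as an added example that is not code from cluster-ingress-operator: an HTTP client whose trust bundle holds only the serving certificate, so verification stays enabled and an expired certificate fails the probe. The `probe` function, the `router.example` name and the locally generated self-signed certificate are constructed stand-ins for the canary check and the router's in-use certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// probe serves a constructed self-signed certificate (a stand-in for the router's
// in-use certificate) expiring at notAfter, then GETs it trusting only that cert.
func probe(notAfter time.Time) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "router.example"},
		NotBefore: time.Now().Add(-48 * time.Hour), NotAfter: notAfter,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses: []net.IP{net.ParseIP("127.0.0.1"), net.IPv6loopback}, // httptest listens on loopback
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return err
	}
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, "ok") }))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: priv}}}
	srv.StartTLS()
	defer srv.Close()
	pool := x509.NewCertPool() // trust bundle containing only the served certificate
	pool.AddCert(srv.Certificate())
	tr := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool}} // no InsecureSkipVerify
	resp, err := (&http.Client{Transport: tr}).Get(srv.URL)
	if err != nil {
		return err // an expired or untrusted certificate surfaces here
	}
	return resp.Body.Close()
}

func main() {
	fmt.Println(probe(time.Now().Add(24*time.Hour)), probe(time.Now().Add(-time.Hour)))
}
```

The first probe returns nil; the second returns an x509 expiry error from the TLS handshake, which is the failure state the description expects to reach the cluster administrator.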

              Unassigned Unassigned
              sgreene@redhat.com Stephen Greene (Inactive)