Details
-
Epic
-
Resolution: Unresolved
-
Undefined
-
None
-
None
-
None
-
[Maint] Canary: Add router's certificate to canary client trust bundle.
-
False
-
False
-
To Do
-
OCPPLAN-7878 - NetEdge - Maintainability and Debugability & Tech Backlog
-
-
0
-
0%
-
Undefined
-
0
-
0
Description
https://github.com/openshift/cluster-ingress-operator/pull/556 changed the ingress canary route from a cleartext route to an edge encrypted route. To satisfy this need quickly, the router's certificate is not verified.
We should add the router's in-use certificate to the canary HTTP client's trust bundle so that the canary client can re-enable TLS verification (https://github.com/openshift/cluster-ingress-operator/blob/master/pkg/operator/controller/canary/http.go#L63).
See also
https://bugzilla.redhat.com/show_bug.cgi?id=1932401
https://github.com/openshift/cluster-ingress-operator/pull/565
With this change in place, the canary client would not be able to perform checks if the router's in-use certificate is expired or otherwise not working. This failure state would then bubble up to the cluster administrator via the ingress cluster operator.
Attachments
Issue Links
- account is impacted by
-
OCPPLAN-7878 NetEdge - Maintainability and Debugability & Tech Backlog
-
- New
-