Bug
Resolution: Unresolved
Normal
4.16.0
Quality / Stability / Reliability
Important
Rejected
Sprint 252, Sprint 253, Sprint 254, NE Sprint 255, NE Sprint 256, NE Sprint 257, NE Sprint 258, NE Sprint 259, NE Sprint 260, NE Sprint 261, NE Sprint 262, NE Sprint 263, NE Sprint 264, NE Sprint 265, NI&D Sprint 266, NI&D Sprint 276
Description of problem:
"oc explain ingress.spec.domain --api-version=config.openshift.io/v1" shows "Once set, changing domain is not currently supported.", but a user can still update the domain, and that causes the auth/console operators to become degraded.
Version-Release number of selected component (if applicable):
4.16 and before
How reproducible:
100%
Steps to Reproduce:
1. oc edit ingress.config/cluster
   spec:
     domain: test.example.com   <----- change the domain

2. Check all routes and find that the auth/console/downloads route hostnames have already changed.
   $ oc get route -A
   NAMESPACE                  NAME                      HOST/PORT                                                                                 PATH        SERVICES            PORT   TERMINATION            WILDCARD
   openshift-authentication   oauth-openshift           oauth-openshift.test.example.com                                                                      oauth-openshift     6443   passthrough/Redirect   None
   openshift-console          console                   console-openshift-console.test.example.com                                                            console             https  reencrypt/Redirect     None
   openshift-console          downloads                 downloads-openshift-console.test.example.com                                                          downloads           http   edge/Redirect          None
   openshift-ingress-canary   canary                    canary-openshift-ingress-canary.apps.hongli-aw.qe.devcluster.openshift.com                            ingress-canary      8080   edge/Redirect          None
   openshift-monitoring       alertmanager-main         alertmanager-main-openshift-monitoring.apps.hongli-aw.qe.devcluster.openshift.com         /api        alertmanager-main   web    reencrypt/Redirect     None
   openshift-monitoring       prometheus-k8s            prometheus-k8s-openshift-monitoring.apps.hongli-aw.qe.devcluster.openshift.com            /api        prometheus-k8s      web    reencrypt/Redirect     None
   openshift-monitoring       prometheus-k8s-federate   prometheus-k8s-federate-openshift-monitoring.apps.hongli-aw.qe.devcluster.openshift.com   /federate   prometheus-k8s      web    reencrypt/Redirect     None
   openshift-monitoring       thanos-querier            thanos-querier-openshift-monitoring.apps.hongli-aw.qe.devcluster.openshift.com            /api        thanos-querier      web    reencrypt/Redirect     None

3. Check co status; auth and console are degraded.
   authentication   4.16.0-0.nightly-2024-04-15-184947   False   True    True   14m   OAuthServerRouteEndpointAccessibleControllerAvailable: Get "https://oauth-openshift.apps.hongli-aw.qe.devcluster.openshift.com/healthz": tls: failed to verify certificate: x509: certificate signed by unknown authority
   console          4.16.0-0.nightly-2024-04-15-184947   False   False   True   14m   RouteHealthAvailable: failed to GET route (https://console-openshift-console.test.example.com): Get "https://console-openshift-console.test.example.com": dial tcp: lookup console-openshift-console.test.example.com on 172.30.0.10:53: no such host
Actual results:
1. auth/console/downloads route hostname changed
2. co auth/console degraded
Expected results:
Validation should be added to make spec.domain immutable.
Additional info:
$ oc explain ingress.spec.domain --api-version=config.openshift.io/v1
GROUP:      config.openshift.io
KIND:       Ingress
VERSION:    v1

FIELD: domain <string>

DESCRIPTION:
    domain is used to generate a default host name for a route when the
    route's host name is empty. The generated host name will follow this
    pattern: "<route-name>.<route-namespace>.<domain>".
    It is also used as the default wildcard domain suffix for ingress. The
    default ingresscontroller domain will follow this pattern: "*.<domain>".
    Once set, changing domain is not currently supported.
- relates to
  OCPBUGS-55192 Improve API validation for .spec.domain
- POST
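The partial hostname change in step 2 can be detected by checking every route host against the domain the cluster was installed with. The script below is an added example, not part of the original report or of OpenShift; the function names `sample_routes` and `find_drifted_routes` are hypothetical, and the sample input is constructed by abridging the route listing in the report.

```shell
#!/bin/sh
# Added example: flag routes whose host is not under the expected ingress domain.
# Input on stdin: the text of `oc get route -A`. Argument: the expected domain.

# Constructed sample, abridged from the route listing in the report.
sample_routes() {
cat <<'EOF'
NAMESPACE NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD
openshift-authentication oauth-openshift oauth-openshift.test.example.com oauth-openshift 6443 passthrough/Redirect None
openshift-console console console-openshift-console.test.example.com console https reencrypt/Redirect None
openshift-console downloads downloads-openshift-console.test.example.com downloads http edge/Redirect None
openshift-ingress-canary canary canary-openshift-ingress-canary.apps.hongli-aw.qe.devcluster.openshift.com ingress-canary 8080 edge/Redirect None
openshift-monitoring alertmanager-main alertmanager-main-openshift-monitoring.apps.hongli-aw.qe.devcluster.openshift.com /api alertmanager-main web reencrypt/Redirect None
EOF
}

# find_drifted_routes DOMAIN
# Prints "namespace/name host" for each route whose host is neither DOMAIN
# itself nor a subdomain of it. NAMESPACE, NAME and HOST/PORT are never empty,
# so the host is always field 3 even when the PATH column is blank.
find_drifted_routes() {
  awk -v domain="$1" '
    NR == 1 && $1 == "NAMESPACE" { next }   # skip the header row
    NF < 3 { next }                         # skip blank or truncated lines
    {
      host = tolower($3)
      d = tolower(domain)
      suffix = "." d
      if (host == d) next
      # Literal suffix comparison on a dot boundary: a regex would let "."
      # match any character and would accept hosts such as evilapps.example.com.
      if (length(host) > length(suffix) &&
          substr(host, length(host) - length(suffix) + 1) == suffix) next
      print $1 "/" $2 " " $3
    }'
}

# Stand-alone run on the constructed sample: lists the three routes that moved
# to test.example.com while the canary and monitoring routes kept the old domain.
sample_routes | find_drifted_routes apps.hongli-aw.qe.devcluster.openshift.com
```

On a live cluster, pipe `oc get route -A` into `find_drifted_routes` with the domain recorded at install time rather than the current value of spec.domain, since the current value is the field that may have been edited.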