- Bug
- Resolution: Unresolved
- Undefined
- None
- 4.16.0
- Important
- No
- Sprint 252, Sprint 253
- 2
- Rejected
- False
Description of problem:
"oc explain ingress.spec.domain --api-version=config.openshift.io/v1" shows "Once set, changing domain is not currently supported.", but the user can still update the domain, and that causes the auth/console operator to become degraded.
Version-Release number of selected component (if applicable):
4.16 and before
How reproducible:
100%
Steps to Reproduce:
1. oc edit ingress.config/cluster
   spec:
     domain: test.example.com   <----- change the domain

2. check all routes, find that the auth/console/download routes hostname already changed.
   $ oc get route -A
   NAMESPACE                  NAME                      HOST/PORT                                                                                 PATH        SERVICES            PORT    TERMINATION            WILDCARD
   openshift-authentication   oauth-openshift           oauth-openshift.test.example.com                                                                      oauth-openshift     6443    passthrough/Redirect   None
   openshift-console          console                   console-openshift-console.test.example.com                                                            console             https   reencrypt/Redirect     None
   openshift-console          downloads                 downloads-openshift-console.test.example.com                                                          downloads           http    edge/Redirect          None
   openshift-ingress-canary   canary                    canary-openshift-ingress-canary.apps.hongli-aw.qe.devcluster.openshift.com                            ingress-canary      8080    edge/Redirect          None
   openshift-monitoring       alertmanager-main         alertmanager-main-openshift-monitoring.apps.hongli-aw.qe.devcluster.openshift.com         /api        alertmanager-main   web     reencrypt/Redirect     None
   openshift-monitoring       prometheus-k8s            prometheus-k8s-openshift-monitoring.apps.hongli-aw.qe.devcluster.openshift.com            /api        prometheus-k8s      web     reencrypt/Redirect     None
   openshift-monitoring       prometheus-k8s-federate   prometheus-k8s-federate-openshift-monitoring.apps.hongli-aw.qe.devcluster.openshift.com   /federate   prometheus-k8s      web     reencrypt/Redirect     None
   openshift-monitoring       thanos-querier            thanos-querier-openshift-monitoring.apps.hongli-aw.qe.devcluster.openshift.com            /api        thanos-querier      web     reencrypt/Redirect     None

3. check co status, auth and console are degraded
   authentication   4.16.0-0.nightly-2024-04-15-184947   False   True    True   14m   OAuthServerRouteEndpointAccessibleControllerAvailable: Get "https://oauth-openshift.apps.hongli-aw.qe.devcluster.openshift.com/healthz": tls: failed to verify certificate: x509: certificate signed by unknown authority
   console          4.16.0-0.nightly-2024-04-15-184947   False   False   True   14m   RouteHealthAvailable: failed to GET route (https://console-openshift-console.test.example.com): Get "https://console-openshift-console.test.example.com": dial tcp: lookup console-openshift-console.test.example.com on 172.30.0.10:53: no such host
Actual results:
1. auth/console/downloads route hostname changed
2. co auth/console degraded
Expected results:
should add validation to make spec.domain immutable
Additional info:
$ oc explain ingress.spec.domain --api-version=config.openshift.io/v1
GROUP:      config.openshift.io
KIND:       Ingress
VERSION:    v1

FIELD: domain <string>

DESCRIPTION:
    domain is used to generate a default host name for a route when the
    route's host name is empty. The generated host name will follow this
    pattern: "<route-name>.<route-namespace>.<domain>". It is also used as
    the default wildcard domain suffix for ingress. The default
    ingresscontroller domain will follow this pattern: "*.<domain>". Once
    set, changing domain is not currently supported.
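
One way the update-time validation requested under "Expected results" could behave, as an added example that is not part of the original report and is not OpenShift's own code. `IngressSpec`, `Store`, `ValidateDomainUpdate` and `ErrDomainImmutable` are hypothetical names, and allowing the first transition from an empty domain is an assumption taken from the "Once set" wording.

```go
package main

import (
	"errors"
	"fmt"
)

// IngressSpec is a constructed stand-in for the spec of the cluster Ingress
// config (config.openshift.io/v1); only the domain field is modelled.
type IngressSpec struct {
	Domain string
}

// ErrDomainImmutable is returned when an update tries to change a set domain.
var ErrDomainImmutable = errors.New("spec.domain is immutable once set")

// ValidateDomainUpdate is the update-time check: old is the stored spec
// (nil on create), next is the proposed one.
func ValidateDomainUpdate(old *IngressSpec, next IngressSpec) error {
	if old == nil || old.Domain == "" {
		return nil // create, or first time the domain is set (assumption)
	}
	if next.Domain != old.Domain {
		return fmt.Errorf("%w: %q -> %q", ErrDomainImmutable, old.Domain, next.Domain)
	}
	return nil
}

// Store mimics an API server that runs the validator before persisting.
type Store struct{ current *IngressSpec }

// Update persists next only if validation passes; a rejected update
// leaves the stored spec untouched, so no route host names are regenerated.
func (s *Store) Update(next IngressSpec) error {
	if err := ValidateDomainUpdate(s.current, next); err != nil {
		return err
	}
	s.current = &next
	return nil
}

func main() {
	s := &Store{}
	fmt.Println(s.Update(IngressSpec{Domain: "apps.hongli-aw.qe.devcluster.openshift.com"}))
	fmt.Println(s.Update(IngressSpec{Domain: "test.example.com"})) // rejected
	fmt.Println(s.current.Domain)                                  // stored domain unchanged
}
```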