Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-4881

[release-4.9] openshift-ingress-operator with mTLS does not download CRL

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Critical Critical
    • None
    • 4.11.z
    • Networking / router
    • None
    • Important
    • None
    • Sprint 229
    • 1
    • Rejected
    • False
    • Hide

      None

      Show
      None

      This is a clone of issue OCPBUGS-4494. The following is the description of the original issue:

      This is a clone of issue OCPBUGS-3049. The following is the description of the original issue:

      This is a copy of Bugzilla bug 2117524 for backport to 4.11.z

      Original Text:

      Description of problem:
      On routers configured with mTLS and CRL defined in the CA with a CDP ; new CRL is downloaded only when restarting the ingress-operator.

      2022-07-20T23:36:26.943Z	INFO	operator.clientca_configmap_controller	controller/controller.go:298	reconciling	{"request": "openshift-ingress-operator/service-bdrc"}
      2022-07-20T23:36:26.943Z	INFO	operator.crl	crl/crl_configmap.go:69	certificate revocation list has expired	{"subject key identifier": "6aa909992e9890457b2a8de5659a44cab8e867a8"}
      2022-07-20T23:36:26.943Z	INFO	operator.crl	crl/crl_configmap.go:69	retrieving certificate revocation list	{"subject key identifier": "6aa909992e9890457b2a8de5659a44cab8e867a8"}
      2022-07-20T23:36:26.943Z	INFO	operator.crl	crl/crl_configmap.go:169	retrieving CRL distribution point	{"distribution point": "http://crl.domain.com/der/CN=XXXX,OU=XXX,O=XXX,C=XXX"}
      

      Version-Release number of selected component (if applicable):
      4.9.33

      How reproducible:
      Enable mTLS with a CRL

      Actual results:
      CRL is not download when expired
      Clients get "SSL client certificate not trusted" errors while accessing resources

      Expected results:
      ingress-operator triggers CRL download when approaching expiration date so that the configmap is updated without manual action

              rfredett@redhat.com Ryan Fredette
              openshift-crt-jira-prow OpenShift Prow Bot
              Hongan Li Hongan Li
              Red Hat Employee
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated:
                Resolved: