OpenShift Bugs: OCPBUGS-51256

Unable to use multidomain SAN defaultCertificate for custom console route

Type: Bug
Resolution: Unresolved
Priority: Normal
Version: 4.16.z
Component: Management Console
Severity: Moderate

      Description of problem:

      As admin, I can configure a defaultCertificate for the cluster domain (e.g. name.example.com) with SANs for a custom domain (e.g. name.example.org). Cluster users can create application routes exposed on the custom domain (myapp.apps.example.org) without including a certificate in the route definition.
      
      As an admin, I cannot expose the console over the custom domain and rely on the defaultCertificate without specifying an `ingress.spec.componentRoutes.servingCertKeyPairSecret`.

      Version-Release number of selected component (if applicable):

          

      How reproducible:

      100%

      Steps to Reproduce:

          1. configure defaultCertificate with SANs for both the .net and .org domains
      
          $ openssl x509 -in *.apps.name.example.net.crt -ext subjectAltName
          X509v3 Subject Alternative Name: 
              DNS:*.apps.name.example.net, DNS:*.apps.name.example.org
          $ oc create configmap custom-ca --from-file=ca-bundle.crt=rootCA.crt -n openshift-config
          $ oc patch proxy/cluster --type=merge --patch='{"spec":{"trustedCA":{"name":"custom-ca"}}}'
          $ oc create secret tls custom-ingress-cert --cert=*.apps.name.example.net.crt --key=*.apps.name.example.net.key -n openshift-ingress
          $ oc patch ingresscontroller.operator default --type=merge -p '{"spec":{"defaultCertificate": {"name": "custom-ingress-cert"}}}' -n openshift-ingress-operator
      
          2. create and expose user routes on the default and the custom domain, without specifying a server certificate
      
          $ oc new-project san-multidom-wildcard
          $ kubectl create deployment hello-node --image=registry.k8s.io/e2e-test-images/agnhost:2.43 -- /agnhost serve-hostname
          $ oc expose deployment/hello-node --port 9376
          $ oc create route edge --service=hello-node hello-node-default
          $ oc create route edge --service=hello-node hello-node-custom --hostname=hello-node-custom-san-multidom-wildcard.apps.name.example.org 
          $ curl --cacert rootCA.crt https://$(oc get route hello-node-default -ojsonpath='{.spec.host}')
          hello-node-8dd54cb99-27j5h
          $ curl --cacert rootCA.crt https://$(oc get route hello-node-custom -ojsonpath='{.spec.host}')
          hello-node-8dd54cb99-27j5h
      
          3. Expose the console on a custom route but default domain, test and undo again:
      
          $ oc patch ingress.config.openshift.io/cluster --type=merge -p '{"spec":{"componentRoutes": [{"name": "console", "namespace": "openshift-console", "hostname": "console.apps.name.example.net"}]}}' -n openshift-ingress-operator
          ingress.config.openshift.io/cluster patched
          $ curl --cacert rootCA.crt -Lv console.apps.name.example.net >/dev/null
          <...>
          * SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
          * ALPN: server did not agree on a protocol. Uses default.
          * Server certificate:
          *  subject: CN=*.apps.name.example.net
          *  start date: Feb 24 10:34:18 2025 GMT
          *  expire date: Feb 24 10:34:18 2026 GMT
          *  subjectAltName: host "console.apps.name.example.net" matched cert's "*.apps.name.example.net"
          *  issuer: CN=MyRootCa
          *  SSL certificate verify ok.
          * using HTTP/1.x
          } [5 bytes data]
          > GET / HTTP/1.1
          > Host: console.apps.name.example.net
          <...>
          $ oc patch ingress.config.openshift.io/cluster --type=merge -p '{"spec":{"componentRoutes": []}}' -n openshift-ingress-operator
          $ oc get route -n openshift-console
          NAME        HOST/PORT                                               PATH   SERVICES    PORT    TERMINATION          WILDCARD
          console     console-openshift-console.apps.name.example.net            console     https   reencrypt/Redirect   None
          downloads   downloads-openshift-console.apps.name.example.net          downloads   http    edge/Redirect        None
      
          4. Expose the console on the custom domain without specifying servingCertKeyPairSecret
      
          $ oc patch ingress.config.openshift.io/cluster --type=merge -p '{"spec":{"componentRoutes": [{"name": "console", "namespace": "openshift-console", "hostname": "console.apps.name.example.org"}]}}' -n openshift-ingress-operator
          ingress.config.openshift.io/cluster patched
          $ oc get route -n openshift-console
          NAME        HOST/PORT                                               PATH   SERVICES    PORT    TERMINATION          WILDCARD
          console     console-openshift-console.apps.name.example.net            console     https   reencrypt/Redirect   None
          downloads   downloads-openshift-console.apps.name.example.net          downloads   http    edge/Redirect        None
          $ oc logs -n openshift-console-operator deployment/console-operator
          <...>
          E0224 15:45:30.836226       1 base_controller.go:268] ConsoleRouteController reconciliation failed: secret reference for custom route TLS secret is not defined
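A preflight check for the procedure above, added here as an example and not part of the bug report: san_matches tests whether a hostname is covered by the defaultCertificate's SAN list (RFC 6125 single-label wildcard rules), and console_route_patch builds the step 4 componentRoutes patch with the servingCertKeyPairSecret reference the console-operator currently requires. The secret name console-custom-cert, the check_and_patch wrapper and the exact secret field layout are assumptions.

```shell
# Added example (not from the bug report): check that HOST is covered by the defaultCertificate's SANs.
# san_matches HOST "DNS:a, DNS:*.b": returns 0 if a DNS SAN covers HOST. Wildcards follow RFC 6125:
# '*' only as the whole left-most label, matching exactly one label (a.b.apps.example.org is not covered).
san_matches() {
    h=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    rest=$2
    while [ -n "$rest" ]; do
        # split on commas with parameter expansion so '*' is never glob-expanded by word splitting
        case $rest in
            *,*) entry=${rest%%,*}; rest=${rest#*,} ;;
            *)   entry=$rest;       rest= ;;
        esac
        entry=$(printf '%s' "$entry" | tr -d ' \t' | tr '[:upper:]' '[:lower:]')
        case $entry in
            dns:*) name=${entry#dns:} ;;
            *)     continue ;;              # ignore IP:, email: and other SAN types
        esac
        [ "$name" = "$h" ] && return 0      # exact match
        case $name in
            \*.*)
                suffix=${name#\*.}
                case $h in
                    *.$suffix)
                        first=${h%.$suffix}
                        case $first in
                            *.*|"") ;;      # zero or several left-most labels: no match
                            *)      return 0 ;;
                        esac ;;
                esac ;;
        esac
    done
    return 1
}
# console_route_patch HOST SECRET: the step 4 componentRoutes patch plus the servingCertKeyPairSecret
# reference; SECRET must live in openshift-config (secret name and field layout are assumptions).
console_route_patch() {
    printf '{"spec":{"componentRoutes":[{"name":"console","namespace":"openshift-console","hostname":"%s","servingCertKeyPairSecret":{"name":"%s"}}]}}\n' "$1" "$2"
}
# Live wrapper (needs oc and openssl; not exercised offline): read the SANs from the defaultCertificate
# secret created in step 1, refuse hostnames it does not cover, otherwise apply the patch.
check_and_patch() {
    sans=$(oc get secret custom-ingress-cert -n openshift-ingress -o jsonpath='{.data.tls\.crt}' \
        | base64 -d | openssl x509 -noout -ext subjectAltName | tail -n 1)
    san_matches "$1" "$sans" || { echo "defaultCertificate does not cover $1" >&2; return 1; }
    oc patch ingress.config.openshift.io/cluster --type=merge -p "$(console_route_patch "$1" "$2")"
}
```

Run check_and_patch console.apps.name.example.org console-custom-cert after copying the certificate and key into a TLS secret of that name in openshift-config (the same oc create secret tls command as in step 1, with -n openshift-config).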
      

      Actual results:

      console-operator rejects the route:
      ConsoleRouteController reconciliation failed: secret reference for custom route TLS secret is not defined

      Expected results:

      As an admin I expect the defaultCertificate with valid SANs to be used for a custom console route. Currently I need to maintain the certificate in 2 different secrets (namespaces openshift-config & openshift-ingress).

      Additional info:

          

      People: Jakub Hadvig (jhadvig@redhat.com), Bram Verschueren (rhn-support-bverschu), Yanping Zhang