OpenShift Request For Enhancement: RFE-3725

Configuring mTLS on default Ingress breaks ingress canary check & console health checks


Details

    • Feature Request
    • Resolution: Done
    • openshift-4.9, openshift-4.10
    • Network Edge

    Description

      Description of problem:
      Configuring mTLS on default IngressController breaks ingress canary check & console health checks which in turn makes the ingress and console cluster operators into a degraded state.

      OpenShift release version:
      OCP-4.9.5

      Cluster Platform:
      UPI on Baremetal (Disconnected cluster)

      How reproducible:
      Configure mutual TLS (mTLS) on the default IngressController as described in the documentation: https://docs.openshift.com/container-platform/4.9/networking/ingress-operator.html#nw-mutual-tls-auth_configuring-ingress

      Steps to Reproduce (in detail):
      1. Create a config map that is in the openshift-config namespace.
      2. Edit the IngressController resource in the openshift-ingress-operator project.
      3. Add the spec.clientTLS field and subfields to configure mutual TLS:
      ~~~
      apiVersion: operator.openshift.io/v1
      kind: IngressController
      metadata:
        name: default
        namespace: openshift-ingress-operator
      spec:
        clientTLS:
          clientCertificatePolicy: Required
          clientCA:
            name: router-ca-certs-default
          allowedSubjectPatterns:
          - "^/CN=example.com/ST=NC/C=US/O=Security/OU=OpenShift$"
      ~~~
      Actual results:
      Setting up mTLS with the documented steps breaks the canary and console health checks: because clientCertificatePolicy is set to Required, the router demands a client certificate from these health checks, which present none, so they fail and the Ingress and Console operators go into a Degraded state.
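      To make the failure mode concrete, here is an added Go example that is neither part of this RFE nor the ingress operator's code. It builds a throwaway CA with one server and one client certificate in memory, runs an HTTPS server under Go's two client-auth modes, and sends the kind of GET the canary and console health checks make, with and without a client certificate. The mapping of clientCertificatePolicy Required and Optional onto tls.RequireAndVerifyClientCert and tls.VerifyClientCertIfGiven is an assumption made for the illustration; the hostname canary.apps.example.test and all key material are constructed, and NewTestPKI, StartRouter and Probe are this example's own names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// TestPKI is a constructed, in-memory CA with one server leaf and one client leaf (nothing touches disk).
type TestPKI struct {
	CAPool     *x509.CertPool
	ServerCert tls.Certificate
	ClientCert tls.Certificate
}

func must(err error) {
	if err != nil {
		panic(err) // fixture generation only; a key or cert creation failure is unrecoverable here
	}
}

// issue generates an Ed25519 key and signs template for it with caKey; ca == nil self-signs (the CA itself).
func issue(template, ca *x509.Certificate, caKey ed25519.PrivateKey) (tls.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	if ca == nil {
		ca, caKey = template, key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, ca, pub, caKey)
	must(err)
	leaf, err := x509.ParseCertificate(der)
	must(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, key
}

// NewTestPKI builds the CA bundle (the router-ca-certs-default role), a server cert for 127.0.0.1 and a client cert.
func NewTestPKI() *TestPKI {
	tmpl := func(serial int64, cn string, ku x509.KeyUsage, eku x509.ExtKeyUsage) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: cn},
			NotBefore:    time.Now().Add(-time.Hour),
			NotAfter:     time.Now().Add(time.Hour),
			KeyUsage:     ku,
			ExtKeyUsage:  []x509.ExtKeyUsage{eku},
		}
	}
	caTmpl := tmpl(1, "constructed-test-ca", x509.KeyUsageCertSign|x509.KeyUsageDigitalSignature, x509.ExtKeyUsageAny)
	caTmpl.IsCA, caTmpl.BasicConstraintsValid = true, true
	ca, caKey := issue(caTmpl, nil, nil)
	srvTmpl := tmpl(2, "canary.apps.example.test", x509.KeyUsageDigitalSignature, x509.ExtKeyUsageServerAuth) // constructed
	srvTmpl.IPAddresses = []net.IP{net.IPv4(127, 0, 0, 1)} // httptest listens on loopback
	server, _ := issue(srvTmpl, ca.Leaf, caKey)
	client, _ := issue(tmpl(3, "example.com", x509.KeyUsageDigitalSignature, x509.ExtKeyUsageClientAuth), ca.Leaf, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	return &TestPKI{CAPool: pool, ServerCert: server, ClientCert: client}
}

// StartRouter serves a canary-style endpoint behind the given client-auth mode, standing in for the default
// IngressController with spec.clientTLS set (assumed mapping: RequireAndVerifyClientCert = Required, VerifyClientCertIfGiven = Optional).
func StartRouter(pki *TestPKI, clientAuth tls.ClientAuthType) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { io.WriteString(w, "ok\n") }))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{pki.ServerCert},
		ClientAuth:   clientAuth, // under TLS 1.3 a missing client cert is reported as "remote error: tls: certificate required"
		ClientCAs:    pki.CAPool,
	}
	srv.StartTLS()
	return srv
}

// Probe issues the GET a canary or console health check would; pass pki.ClientCert to present a client cert.
func Probe(url string, pki *TestPKI, clientCerts ...tls.Certificate) (int, error) {
	cfg := &tls.Config{RootCAs: pki.CAPool, Certificates: clientCerts, MinVersion: tls.VersionTLS13}
	hc := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}
	resp, err := hc.Get(url)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	pki := NewTestPKI()
	srv := StartRouter(pki, tls.RequireAndVerifyClientCert)
	defer srv.Close()
	fmt.Println(Probe(srv.URL, pki)) // the cert-less probe fails, as the canary check does
}
```

      Under Required the cert-less probe fails, and with a TLS 1.3 peer the error carries the same alert as the canary log in this report, remote error: tls: certificate required; the same probe presenting a certificate signed by the configured CA succeeds, as does a cert-less probe under Optional. That is the problem in miniature: a policy of Required is enforced on every TLS client of the router, the platform's own health checks included, so any probe that cannot present a certificate from the configured CA is rejected at the handshake before the route is reached.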

      Expected results:
      mTLS setup should work properly without degrading the Ingress and Console operators.

      Impact of the problem:
      Unstable cluster, with the Ingress and Console operators in a Degraded state.

      Additional info:
      The following are the error messages for your reference:
      The "default" ingress controller reports Degraded=True: DegradedConditions: One or more other status conditions indicate a degraded state: CanaryChecksSucceeding=False (CanaryChecksRepetitiveFailures: Canary route checks for the default ingress controller are failing)

      // Canary checks fail because the router requires a client TLS certificate:
      2021-11-19T17:17:58.237Z ERROR operator.canary_controller wait/wait.go:155 error performing canary route check

      {"error": "error sending canary HTTP request to \"canary-openshift-ingress-canary.apps.bruce.openshift.local\": Get \"https://canary-openshift-ingress-canary.apps.bruce.openshift.local\": remote error: tls: certificate required"}

      // Console operator:
      RouteHealthDegraded: failed to GET route (https://console-openshift-console.apps.bruce.openshift.local): Get "https://console-openshift-console.apps.bruce.openshift.local": remote error: tls: certificate required

      Please find below the links for must-gather from this cluster:

      https://attachments.access.redhat.com/hydra/rest/cases/03079132/attachments/c66b7f35-4041-46d9-aab7-04fefd17fc38?usePresignedUrl=true

      RFE cloned from Bug:
      https://bugzilla.redhat.com/show_bug.cgi?id=2028061

            People

              ddharwar@redhat.com Deepthi Dharwar
              sasakshi@redhat.com Sakshi sakshi