Feature Request
Resolution: Done
openshift-4.9, openshift-4.10
Description of problem:
Configuring mTLS on default IngressController breaks ingress canary check & console health checks which in turn makes the ingress and console cluster operators into a degraded state.
OpenShift release version:
OCP-4.9.5
Cluster Platform:
UPI on Baremetal (Disconnected cluster)
How reproducible:
Configure mutual TLS/mTLS using the default IngressController as described in the doc (https://docs.openshift.com/container-platform/4.9/networking/ingress-operator.html#nw-mutual-tls-auth_configuring-ingress).
Steps to Reproduce (in detail):
1. Create a config map that is in the openshift-config namespace.
2. Edit the IngressController resource in the openshift-ingress-operator project.
3. Add the spec.clientTLS field and subfields to configure mutual TLS:
~~~
apiVersion: operator.openshift.io/v1
kind: IngressController
metadata:
  name: default
  namespace: openshift-ingress-operator
spec:
  clientTLS:
    clientCertificatePolicy: Required
    clientCA:
      name: router-ca-certs-default
    allowedSubjectPatterns:
    - "^/CN=example.com/ST=NC/C=US/O=Security/OU=OpenShift$"
~~~
Actual results:
Setting up mTLS using the documented steps breaks the canary and console health checks: because clientCertificatePolicy is set to Required, the router demands a client certificate from these health checks, which present none, so the checks fail and in turn the Ingress and Console operators go into a degraded state.
Expected results:
mTLS setup should work properly without degrading the Ingress and Console operators.
Impact of the problem:
Unstable cluster, with the Ingress and Console operators in a Degraded state.
Additional info:
The following are the error messages for your reference:
The "default" ingress controller reports Degraded=True: DegradedConditions: One or more other status conditions indicate a degraded state: CanaryChecksSucceeding=False (CanaryChecksRepetitiveFailures: Canary route checks for the default ingress controller are failing)
// Canary checks looking for required tls certificate.
2021-11-19T17:17:58.237Z ERROR operator.canary_controller wait/wait.go:155 error performing canary route check
// Console operator:
RouteHealthDegraded: failed to GET route (https://console-openshift-console.apps.bruce.openshift.local): Get "https://console-openshift-console.apps.bruce.openshift.local": remote error: tls: certificate required
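The Go program below is an added illustration of the failure mode described above; it is not part of this report, the OpenShift operators, or the router. It stands up a local TLS 1.3 listener with throwaway, in-process certificates (constructed test data) and probes it three times: a Required policy (modelled here as Go's tls.RequireAndVerifyClientCert) against a client that presents no certificate, which is what the canary and console health checks do and yields the same "remote error: tls: certificate required" seen in the console operator log; the same policy against a client that does present a CA-signed certificate; and an optional policy (Go's tls.VerifyClientCertIfGiven, the analogue of the IngressController's Optional value of clientCertificatePolicy) against a certificate-less client. The function names probe, newCert and isCertificateRequired are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"strings"
	"time"
)

// newCert issues a throwaway certificate (constructed test data, not a cluster
// certificate). With parent == nil it is self-signed and acts as the CA;
// otherwise it is signed by parent.
func newCert(cn string, parent *tls.Certificate) (*tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  parent == nil,
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)},
	}
	signerCert, signerKey := tmpl, any(key)
	if parent != nil {
		signerCert, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// probe runs one health-check style request against a local TLS 1.3 server
// configured with the given client-certificate policy and returns the error
// the client observes (nil when the request succeeds).
func probe(policy tls.ClientAuthType, withClientCert bool) error {
	ca, err := newCert("test-ca", nil)
	if err != nil {
		return err
	}
	srvCert, err := newCert("router", ca)
	if err != nil {
		return err
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	srvCfg := &tls.Config{Certificates: []tls.Certificate{*srvCert}, ClientAuth: policy,
		ClientCAs: pool, MinVersion: tls.VersionTLS13}

	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			return
		}
		defer raw.Close()
		conn := tls.Server(raw, srvCfg)
		// Write forces the handshake; a rejected client gets the
		// certificate_required alert instead of the payload.
		if _, err := conn.Write([]byte("ok")); err != nil {
			// Drain the client's remaining bytes so the close is orderly
			// (FIN rather than RST) and the alert reaches the client intact.
			raw.SetReadDeadline(time.Now().Add(200 * time.Millisecond))
			io.Copy(io.Discard, raw)
			return
		}
		conn.Close()
	}()

	cliCfg := &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS13}
	if withClientCert {
		cliCert, err := newCert("probe-client", ca)
		if err != nil {
			return err
		}
		cliCfg.Certificates = []tls.Certificate{*cliCert}
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if err != nil {
		return err
	}
	defer conn.Close()
	// In TLS 1.3 the client finishes its flight before the server has judged
	// the (missing) certificate, so the rejection surfaces on the first read,
	// just as the console operator's GET of the route failed.
	buf := make([]byte, 2)
	_, err = io.ReadFull(conn, buf)
	return err
}

// isCertificateRequired reports whether err is the rejection the operators
// logged ("remote error: tls: certificate required").
func isCertificateRequired(err error) bool {
	return err != nil && strings.Contains(err.Error(), "certificate required")
}

func main() {
	for _, tc := range []struct {
		name   string
		policy tls.ClientAuthType
		cert   bool
	}{
		{"Required policy, health check without client cert", tls.RequireAndVerifyClientCert, false},
		{"Required policy, probe presenting CA-signed client cert", tls.RequireAndVerifyClientCert, true},
		{"Optional policy, health check without client cert", tls.VerifyClientCertIfGiven, false},
	} {
		fmt.Printf("%-58s -> %v\n", tc.name, probe(tc.policy, tc.cert))
	}
}
```

The first case reproduces the degraded-operator symptom: the TLS session is rejected with the certificate_required alert before any HTTP request is exchanged, which is why the canary and console checks cannot succeed no matter what route or path they probe. The second and third cases show the two ways the check can pass, by giving the probe a certificate issued by the configured client CA or by relaxing the policy so that a missing certificate is tolerated.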
Please find below the links for must-gather from this cluster:
RFE cloned from Bug: https://bugzilla.redhat.com/show_bug.cgi?id=2028061
Duplicates: OCPBUGS-9037 Configuring mTLS on default Ingress breaks ingress canary check & console health checks (POST)