From 705361916cbe223df931a9b2568c5db2fc6fd617 Mon Sep 17 00:00:00 2001 From: Andrey Lebedev Date: Thu, 20 Jun 2024 15:11:51 +0200 Subject: [PATCH] OCPBUGS-33787: Add cluster wide trusted CA bundle to operator The alternative ingress can be provided via the console config API. This commit ensures that health checks to the alternative ingress pass TLS certificate validation even when the TLS certificate has an unknown CA. --- docs/alb-ingress-rosa-hcp.md | 31 +++++++++++++++----- manifests/06-trusted-ca-configmap.yaml | 16 ++++++++++ manifests/07-operator-ibm-cloud-managed.yaml | 8 +++++ manifests/07-operator.yaml | 8 +++++ 4 files changed, 56 insertions(+), 7 deletions(-) create mode 100644 manifests/06-trusted-ca-configmap.yaml diff --git a/docs/alb-ingress-rosa-hcp.md b/docs/alb-ingress-rosa-hcp.md index ce8b19307..5560ffd5f 100644 --- a/docs/alb-ingress-rosa-hcp.md +++ b/docs/alb-ingress-rosa-hcp.md @@ -15,7 +15,7 @@ The use case in mind is [HyperShift hosted clusters where the Ingress capability In order to configure an HTTPS listener on AWS ALB you need to have a certificate created in AWS Certificate Manager. You can import an existing certificate or request a new one. Make sure the certificate is created in the same region as your cluster. -Note the certificate ARN, you will need it later. +Note the certificate ARN and the DNS name used in the certificate, you will need it later. ### Create Ingress resources for the NodePort services 
@@ -73,12 +73,32 @@ EOF ### Update console config Once the console ALBs are ready you need to let the console operator know which urls to use. + +#### Add custom trusted CA (optional) + +To add the CA of the certificates used in the ingress objects to [the trusted bundle of the OpenShift cluster](https://docs.openshift.com/container-platform/latest/networking/configuring-a-custom-pki.html#nw-proxy-configure-object_configuring-a-custom-pki), follow these steps: +```bash +$ oc -n openshift-config create configmap console-ca-bundle --from-file=ca-bundle.crt=/path/to/pemencoded/cacert +$ oc patch proxy cluster --type=merge -p '{"spec":{"trustedCA":{"name":"console-ca-bundle"}}}' +``` + +#### Setup DNS (optional) + +The console ALBs have public DNS names that might not match the Subject Alternative Name (SAN) from the certificates. Ensure public DNS records matching the certificates' SANs are created and target the following hostnames: +```bash +$ oc -n openshift-console get ing console -o yaml | yq .status.loadBalancer.ingress[0].hostname +k8s-openshif-console-xxxxxxxxxx-xxxxxxxx.us-east-2.elb.amazonaws.comdd +$ oc -n openshift-console get ing downloads -o yaml | yq .status.loadBalancer.ingress[0].hostname +k8s-openshif-download-xxxxxxxxxx-xxxxxxxxxx.us-east-2.elb.amazonaws.com +``` + +#### Update console operator config + Update the console operator config providing the custom urls: ```bash -$ CONSOLE_ALB_HOST=$(oc -n openshift-console get ing console -o yaml | yq .status.loadBalancer.ingress[0].hostname) -$ DOWNLOADS_ALB_HOST=$(oc -n openshift-console get ing downloads -o yaml | yq .status.loadBalancer.ingress[0].hostname) -$ oc patch console.operator.openshift.io cluster --type=merge -p "{\"spec\":{\"ingress\":{\"consoleURL\":\"https://${CONSOLE_ALB_HOST}\",\"clientDownloadsURL\":\"https://${DOWNLOADS_ALB_HOST}\"}}}" +$ oc patch console.operator.openshift.io cluster --type=merge -p 
"{\"spec\":{\"ingress\":{\"consoleURL\":\"https://${CONSOLE_HOST}\",\"clientDownloadsURL\":\"https://${DOWNLOADS_HOST}\"}}}" ``` +**Note**: ensure that the hosts used in the urls match the SAN from the corresponding certificates. ## Notes @@ -110,6 +130,3 @@ $ oc -n openshift-console rsh deploy/console curl -k https://openshift.default.s ```bash $ oc -n openshift-ingress-operator patch ingresscontroller default --type='json' -p='[{"op": "replace", "path": "/spec/replicas", "value":0}]' ``` - -## Links -- [Demo of ALB ingress for the console on ROSA HCP](https://drive.google.com/file/d/1uWZgFbSeZTlDzlFyPW7QcH-625JsbSbw/view) diff --git a/manifests/06-trusted-ca-configmap.yaml b/manifests/06-trusted-ca-configmap.yaml new file mode 100644 index 000000000..ea17b2fc4 --- /dev/null +++ b/manifests/06-trusted-ca-configmap.yaml @@ -0,0 +1,16 @@ +# The network operator is responsible for injecting +# the trusted ca bundle into this configmap. +apiVersion: v1 +kind: ConfigMap +metadata: + annotations: + capability.openshift.io/name: Console + include.release.openshift.io/hypershift: "true" + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + include.release.openshift.io/single-node-developer: "true" + release.openshift.io/create-only: "true" + labels: + config.openshift.io/inject-trusted-cabundle: "true" + name: trusted-ca + namespace: openshift-console-operator diff --git a/manifests/07-operator-ibm-cloud-managed.yaml b/manifests/07-operator-ibm-cloud-managed.yaml index 1e013deb2..a0dfdab4c 100644 --- a/manifests/07-operator-ibm-cloud-managed.yaml +++ b/manifests/07-operator-ibm-cloud-managed.yaml @@ -72,6 +72,8 @@ spec: name: config - mountPath: /var/run/secrets/serving-cert name: serving-cert + - mountPath: /etc/pki/ca-trust/extracted/pem + name: trusted-ca priorityClassName: system-cluster-critical securityContext: runAsNonRoot: true 
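Review bot: The header comment on manifests/06-trusted-ca-configmap.yaml names the injector but not what that means for consumers: with `release.openshift.io/create-only: "true"` and no `data`, the object exists before its `ca-bundle.crt` key does, and anything that mounts that key has to cope with the window before injection. I would extend the comment to `# Created empty (create-only); the ca-bundle.crt key is populated by the network operator once the inject-trusted-cabundle label is processed, so consumers must tolerate its absence at pod start.` If the injected bundle is, as I believe, the system roots merged with the proxy's spec.trustedCA, that is worth stating here too, because the operator deployments in this patch mount it over the image's whole trust store — confirm against the network operator before writing it as fact.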
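Review bot: The new volumeMount at `/etc/pki/ca-trust/extracted/pem` in manifests/07-operator-ibm-cloud-managed.yaml shadows the image's own `tls-ca-bundle.pem` directory, so from this commit on the operator's entire TLS trust comes from the `trusted-ca` ConfigMap rather than the base image; the same applies to the matching hunk in manifests/07-operator.yaml (@@ -64,6 +64,8 @@). That is the usual OpenShift pattern, but it deserves a comment on the mount, e.g. `# Replaces the container's system CA bundle with the cluster-injected trusted-ca bundle (presumably system roots plus proxy trustedCA — confirm).` Adding `readOnly: true` to the mount would also make the intent explicit, even though ConfigMap volumes are mounted read-only by the kubelet anyway. The enclosing volumeMounts list and container spec start and end outside the hunk.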
@@ -98,3 +100,9 @@ spec: secret: optional: true secretName: serving-cert + - configMap: + items: + - key: ca-bundle.crt + path: tls-ca-bundle.pem + name: trusted-ca + name: trusted-ca diff --git a/manifests/07-operator.yaml b/manifests/07-operator.yaml index 8b70ee08a..82d03645c 100644 --- a/manifests/07-operator.yaml +++ b/manifests/07-operator.yaml @@ -64,6 +64,8 @@ spec: name: config - mountPath: /var/run/secrets/serving-cert name: serving-cert + - mountPath: /etc/pki/ca-trust/extracted/pem + name: trusted-ca env: - name: CONSOLE_IMAGE value: registry.svc.ci.openshift.org/openshift:console @@ -99,3 +101,9 @@ spec: secret: secretName: serving-cert optional: true + - name: trusted-ca + configMap: + name: trusted-ca + items: + - key: ca-bundle.crt + path: tls-ca-bundle.pem
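Review bot: The `trusted-ca` configMap volume in manifests/07-operator-ibm-cloud-managed.yaml (@@ -98,3 +100,9 @@) selects `ca-bundle.crt` via `items` without `optional: true`; the same applies to manifests/07-operator.yaml (@@ -99,3 +101,9 @@). Because the ConfigMap is created empty and only populated by injection, a pod scheduled before the key exists fails volume setup with a non-existent-key error and stays in ContainerCreating until injection happens — acceptable if that ordering is guaranteed at install time, but worth confirming. Making the volume `optional: true` is not a free fix either: the pod would then start with an empty directory at `/etc/pki/ca-trust/extracted/pem`, hiding the image's own bundle, so every TLS validation would fail until a restart. Whichever is chosen, note that Go's crypto/x509 loads the system root pool once per process, so the operator needs to watch the mounted file and restart (or re-read the bundle explicitly) to pick up an injected or rotated CA; I cannot see from this diff whether it does. The volumes list and pod spec begin outside the hunk.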