Bug 1712525, Ingress Controller requires CA to communicate with web console #18004
@@ -71,5 +71,24 @@ map[name:custom-certs-default] | |
| + | ||
| The certificate secret name should match the value used to update the CR. | ||
|
|
||
| Your Ingress Controller now uses the custom certificate, but it is not trusted | ||
| by the web console. You must expose your CA certificate so the Ingress | ||
| Controller can communicate with all routes. | ||
|
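Review bot: the new paragraph ("it is not trusted by the web console. You must expose your CA certificate so the Ingress Controller can communicate with all routes") states the trust relationship backwards. The Ingress Controller is the TLS server that presents the custom certificate; it is the clients that connect to routes, the web console among them, that must trust the CA which issued that certificate, and that CA is what the procedure goes on to publish via `proxy/cluster`. Suggest rewording along the lines of: "Platform components that connect to routes, such as the web console, must trust the CA that issued the custom certificate." Only the issuing CA certificate is distributed here; the private key from the TLS secret never leaves `openshift-ingress`.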
Contributor
Your Ingress Controller now uses the custom certificate to secure client-side connections using TLS. Some platform components (i.e. web console) use routes for communication and therefore must trust the Ingress Controller's custom certificate. This is accomplished through the @Miciah @bparees a
Contributor
We chose a configmap for trusted CA because CAs are public information that does not need to be protected.
| . Configure the CA certificate as the cluster proxy certificate: | ||
| + | ||
| ---- | ||
| $ oc -n openshift-config create configmap custom-ca --from-file=ca-bundle.crt=example-ca.crt | ||
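Review bot: the step heading "Configure the CA certificate as the cluster proxy certificate" misdescribes what `proxy/cluster` `spec.trustedCA` is. It is the cluster-wide trusted CA bundle (the ConfigMap must carry the bundle under the `ca-bundle.crt` key, which this command does), not a certificate for the proxy itself, and it is honoured whether or not an egress proxy is configured. Suggest "Add the CA certificate to the cluster-wide trusted CA bundle". The input file `example-ca.crt` also appears here without being introduced; add a prerequisite stating that the reader has the PEM-encoded certificate of the CA that signed the custom certificate, or mark the file name as a replaceable value.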
Contributor
This example-ca.crt: did the user need to have created this already? Or should it be tls.crt, as referred to earlier in the procedure? Or should it be a replaceable value that we tell the user to replace?
Contributor (Author)
Yes; that should've been created already. I skipped the creation process due to the listed prerequisite assuming the user already possessed a cert:
I'm now realizing that was for the TLS cert. I'll add another prerequisite for this one.
Contributor
A note should be added that if proxy already has a
| $ oc patch proxy/cluster --type=merge --patch='{"spec":{"trustedCA":{"name":"custom-ca"}}}' | ||
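Review bot: `oc patch proxy/cluster --type=merge --patch='{"spec":{"trustedCA":{"name":"custom-ca"}}}'` overwrites whatever `spec.trustedCA.name` is already set. On a cluster where a trusted CA bundle is already configured (a custom PKI, an egress proxy CA), this step silently drops those CAs from the bundle and can break outbound connections that depended on them. The step should tell the reader to check first with `oc get proxy/cluster -o jsonpath='{.spec.trustedCA.name}'` and, if a ConfigMap is already referenced, append the new CA to that ConfigMap's `ca-bundle.crt` rather than creating and referencing a new one.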
| ---- | ||
| + | ||
| . Configure the certificate as the Ingress Controller's default certificate: | ||
| + | ||
| ---- | ||
| $ oc -n openshift-ingress create secret tls custom-default-cert --cert=example.crt --key=example.key | ||
| $ oc -n openshift-ingress-operator patch ingresscontrollers/default --type=merge \ | ||
| --patch='{"spec":{"defaultCertificate":{"name":"custom-default-cert"}}}' | ||
| ---- | ||
|
|
||
| Once the `IngressController` CR has been modified, the Ingress Operator | ||
| will update the Ingress Controller's deployment to use the custom certificate. | ||
| updates the Ingress Controller's deployment to use both certificates. | ||
|
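Review bot: the secret created in this step, `custom-default-cert`, does not match the name shown in the hunk's context line, `map[name:custom-certs-default]`, which the surrounding procedure evidently uses for the default certificate secret. A reader who has followed the earlier steps now creates a second secret and repoints the CR at it, and the sentence "The certificate secret name should match the value used to update the CR" is contradicted two steps later. Use one name throughout, and introduce `example.crt`/`example.key` as the same files used earlier or mark them as replaceable values. Finally, the replacement sentence "updates the Ingress Controller's deployment to use both certificates" overstates what the `IngressController` CR change does: the CR only references the default certificate secret, while the CA is attached to `proxy/cluster`, not to the Ingress Controller deployment. Say that the operator rolls out the default certificate, and describe the trusted CA bundle as a separate mechanism.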
Contributor
You may want to make reference to
A procedure module shouldn't have two sets of steps like this. You could always put these steps in a note, but if it's always going to be required, then I would add these as steps 4 and 5.
This workaround is required to accomplish several other processes, so I think it makes sense to just append as steps four and five. Thanks for the tip! 😊