[jboss-jira] [JBoss JIRA] (JBCLUSTER-316) remoteingress to patch ClusterIngress with certificate bundle

James Harrington created JBCLUSTER-316: ------------------------------------------ Summary: remoteingress to patch ClusterIngress with certificate bundle Key: JBCLUSTER-316 URL: https://issues.redhat.com/browse/JBCLUSTER-316 Project: JBoss Clustering Issue Type: Feature Request Reporter: James Harrington Assignee: Paul Ferraro Once a cluster is installed Hive should patch a cluster's ingresscontroller with the new certificate bundle from Lets Encrypt to enable the console URL to work as soon as those certificates are available. Hive's remoteingress controller [here|https://github.com/openshift/hive/blob/master/pkg/controller/remotei...] used to do exactly this by creating a new ingresscontroller object in the openshift-ingress-operator namespace but raced with the cloud-ingress-operator to manage it so it was disabled [here|https://gitlab.cee.redhat.com/service/app-interface/-/blob/master/da...]. I’m not sure if we can replace creating the entire ingresscontroller or just patch the new `.spec.defaultCertificate` to be the new certificate bundle. The piece I don’t know about is if the cluster-ingress-operator will load in the new certificates or do we have to completely replace the object? For example cloud-ingress-operator has to replace the entire ingresscontroller CR to have it change the load balancer from external to internal, I suspect the cert patch will work since the cert isn’t terminated on the ELB. The defaultCertificate ref is in the ingresscontroller spec Hive was updating it [here|https://github.com/openshift/hive/blob/master/pkg/controller/remotei...] This controller likely raced with cloud-ingress-operator because they were both watching and reconciling the same object. Maybe we could enable this controller but disable the watch when “ActiveAPIURLOverride” is set in the ClusterDeployment? Though that doesn’t feel right. -- This message was sent by Atlassian Jira (v7.13.8#713008)