
How to define trusted TLS certs for the componentRoutes on the management cluster #3378

Open
callum-stakater opened this issue Jan 6, 2024 · 3 comments
Labels
lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed.

Comments

@callum-stakater

There doesn't seem to be any documentation about how to set up hosted clusters with valid certificates for all the endpoints.

We have been able to get valid certs for the hosted cluster's API and the routes served inside the hosted cluster (such as console), but for the componentRoutes on the parent cluster we are struggling.

In the HostedCluster CRD it mentions that specifying spec.configuration.ingress.componentRoutes.servingCertKeyPairSecret.name pointing to a certificate in the openshift-config namespace is the way to do it, but doing so like:

apiVersion: hypershift.openshift.io/v1beta1
kind: HostedCluster
metadata:
  creationTimestamp: null
  name: c-shift
  namespace: c-shift
spec:
  autoscaling: {}
  controllerAvailabilityPolicy: HighlyAvailable
  configuration:
    ingress:
      componentRoutes:
      - hostname: ignition-server-c-shift.hypershift.us.kubeapp.cloud
        name: ignition-server
        namespace: c-shift-c-shift
        servingCertKeyPairSecret:
          name: cluster-certificate
      - hostname: konnectivity-server-c-shift-c-shift.apps.hypershift.us.kubeapp.cloud
        name: konnectivity-server
        namespace: c-shift-c-shift
        servingCertKeyPairSecret:
          name: cluster-certificate
      - hostname: oauth-c-shift-c-shift.apps.hypershift.us.kubeapp.cloud
        name: oauth
        namespace: c-shift-c-shift
        servingCertKeyPairSecret:
          name: cluster-certificate

results in the hosted cluster failing to deploy with the error:

failed to get referenced secret c-shift/cluster-certificate: Secret "cluster-certificate" not found

If we copy the secret to the c-shift namespace the HostedCluster does come up successfully, but when users of the hosted cluster are redirected to the oauth route (which is hosted on the management cluster and runs in passthrough mode) the cert is always the auto-generated self-signed cert and is untrusted.

@callum-stakater (Author)

Here is an extract from the CRD I mention, for reference:

componentRoutes:
  description: "componentRoutes is an optional list of routes
    that are managed by OpenShift components that a cluster-admin
    is able to configure the hostname and serving certificate
    for. The namespace and name of each route in this list should
    match an existing entry in the status.componentRoutes list.
    \n To determine the set of configurable Routes, look at
    namespace and name of entries in the .status.componentRoutes
    list, where participating operators write the status of
    configurable routes."
  items:
    description: ComponentRouteSpec allows for configuration
      of a route's hostname and serving certificate.
    properties:
      hostname:
        description: hostname is the hostname that should be
          used by the route.
        pattern: ^([a-zA-Z0-9\p{S}\p{L}]((-?[a-zA-Z0-9\p{S}\p{L}]{0,62})?)|([a-zA-Z0-9\p{S}\p{L}](([a-zA-Z0-9-\p{S}\p{L}]{0,61}[a-zA-Z0-9\p{S}\p{L}])?)(\.)){1,}([a-zA-Z\p{L}]){2,63})$|^(([a-z0-9][-a-z0-9]{0,61}[a-z0-9]|[a-z0-9]{1,63})[\.]){0,}([a-z0-9][-a-z0-9]{0,61}[a-z0-9]|[a-z0-9]{1,63})$
        type: string
      name:
        description: "name is the logical name of the route
          to customize. \n The namespace and name of this componentRoute
          must match a corresponding entry in the list of status.componentRoutes
          if the route is to be customized."
        maxLength: 256
        minLength: 1
        type: string
      namespace:
        description: "namespace is the namespace of the route
          to customize. \n The namespace and name of this componentRoute
          must match a corresponding entry in the list of status.componentRoutes
          if the route is to be customized."
        maxLength: 63
        minLength: 1
        pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
        type: string
      servingCertKeyPairSecret:
        description: servingCertKeyPairSecret is a reference
          to a secret of type `kubernetes.io/tls` in the openshift-config
          namespace. The serving cert/key pair must match and
          will be used by the operator to fulfill the intent
          of serving with this name. If the custom hostname
          uses the default routing suffix of the cluster, the
          Secret specification for a serving certificate will
          not be needed.
        properties:
          name:
            description: name is the metadata.name of the referenced
              secret
            type: string
        required:
        - name
        type: object
    required:
    - hostname
    - name
    - namespace
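The two comments above pin down what the controller is checking: the referenced secret must be of type kubernetes.io/tls, the cert and key in it must match, and the hostname only ends up served by that certificate if the certificate actually covers it. The Go program below is an added example written for this page; it is not HyperShift code and not the reporter's configuration. It checks a tls.crt/tls.key pair against the three componentRoutes hostnames from the HostedCluster spec in the first comment (note that the ignition-server hostname sits under hypershift.us.kubeapp.cloud rather than the .apps suffix, so a single wildcard for the apps domain does not cover it), and renders the pair as the Secret manifest in whichever namespace you target, since the CRD text says openshift-config while the error in the issue shows the controller looking in the HostedCluster's own namespace. The self-signed certificate it generates is constructed test data so the program runs offline; the function names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// ComponentRouteHosts are the three hostnames from the componentRoutes in the
// HostedCluster spec in the issue; a serving certificate must cover all of them.
var ComponentRouteHosts = []string{
	"ignition-server-c-shift.hypershift.us.kubeapp.cloud",
	"konnectivity-server-c-shift-c-shift.apps.hypershift.us.kubeapp.cloud",
	"oauth-c-shift-c-shift.apps.hypershift.us.kubeapp.cloud",
}

// CheckServingPair applies the CRD's requirements to the tls.crt/tls.key
// contents of a kubernetes.io/tls secret: key and certificate must match, the
// certificate must be within its validity period, and every route hostname
// must be covered by a SAN (a wildcard matches a single label only).
func CheckServingPair(certPEM, keyPEM []byte, hosts []string) error {
	pair, err := tls.X509KeyPair(certPEM, keyPEM) // rejects a key that does not match the cert
	if err != nil {
		return fmt.Errorf("tls.crt/tls.key rejected: %w", err)
	}
	leaf, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return fmt.Errorf("parsing leaf certificate: %w", err)
	}
	if now := time.Now(); now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
		return fmt.Errorf("certificate not valid now (NotBefore %s, NotAfter %s)", leaf.NotBefore, leaf.NotAfter)
	}
	for _, h := range hosts {
		if err := leaf.VerifyHostname(h); err != nil {
			return fmt.Errorf("hostname %q not covered by SANs %v", h, leaf.DNSNames)
		}
	}
	return nil
}

// TLSSecretManifest renders the secret in the shape the CRD asks for (type
// kubernetes.io/tls with base64 tls.crt and tls.key) as JSON, which oc apply
// accepts. Namespace is a parameter: the issue shows the controller resolving
// the reference in the HostedCluster namespace, not openshift-config.
func TLSSecretManifest(name, namespace string, certPEM, keyPEM []byte) ([]byte, error) {
	secret := map[string]interface{}{
		"apiVersion": "v1",
		"kind":       "Secret",
		"metadata":   map[string]string{"name": name, "namespace": namespace},
		"type":       "kubernetes.io/tls",
		"data": map[string]string{
			"tls.crt": base64.StdEncoding.EncodeToString(certPEM),
			"tls.key": base64.StdEncoding.EncodeToString(keyPEM),
		},
	}
	return json.MarshalIndent(secret, "", "  ")
}

// SelfSignedPair builds a throwaway self-signed certificate for the given SANs
// so the example runs offline. It stands in for the CA-issued certificate a
// real deployment needs; clients will not trust it.
func SelfSignedPair(sans []string) (certPEM, keyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: sans[0]},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     sans,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, nil
}

func main() {
	// A wildcard for the apps domain misses the ignition-server hostname.
	wcCert, wcKey, _ := SelfSignedPair([]string{"*.apps.hypershift.us.kubeapp.cloud"})
	fmt.Println("wildcard-only cert:", CheckServingPair(wcCert, wcKey, ComponentRouteHosts))
	// Listing every route hostname as a SAN passes; render it as the secret.
	cert, key, _ := SelfSignedPair(ComponentRouteHosts)
	fmt.Println("full SAN cert:", CheckServingPair(cert, key, ComponentRouteHosts))
	manifest, _ := TLSSecretManifest("cluster-certificate", "c-shift", cert, key)
	fmt.Println(string(manifest))
}
```

For a real certificate, swap SelfSignedPair for the PEM files from your CA and run CheckServingPair before creating the secret; if it passes but the route still presents the self-signed certificate, the problem is on the controller side rather than in the material you supplied.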

@openshift-bot

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

@openshift-ci openshift-ci bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 6, 2024
@openshift-bot

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten
/remove-lifecycle stale

@openshift-ci openshift-ci bot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels May 6, 2024