[OKD 5.0.0-okd-scos.ec.2] How to configure console to use the default ingress certficate as in 4.x?

[titou10titou10]

In OKD 4.x, the console"route" was using the certificate set at the cluster level on ingresses as default certificate
Now with v5.x, therouteassociated to the console uses its own certificate and not the one set as default on ingresses
Q:

• how to tell the console to use the default cluster wide ingress certificate? or at least tell therouteto use a specific private one?

I'm quite sure this can be configure in eitherconsoles.operator.openshift.io/clusterorconsole.openshift.io/clusterbut I can't find any information on how to do it

Also I noticed that the"openshift-console-operator/console-operator-config" ConfigMap has an extraconfig.openshift.io/inject-tls: 'true'annotation. Possible relation to the problem described here?

routefor console in 4.x:

kind: Route
apiVersion: route.openshift.io/v1
metadata:
  name: console
  namespace: openshift-console
  labels:
    app: console
  {...}
spec:
  host: console-openshift-console.{...}
  to:
    kind: Service
    name: console
    weight: 100
  port:
    targetPort: https
  tls:
    termination: reencrypt
    insecureEdgeTerminationPolicy: Redirect
  wildcardPolicy: None

routefor console in 5.x:

kind: Route
apiVersion: route.openshift.io/v1
metadata:
  name: console
  namespace: openshift-console
  labels:
    app: console
  {...}
spec:
  host: console-openshift-console.{...}
  to:
    kind: Service
    name: console
    weight: 100
  port:
    targetPort: https
  tls:
    termination: reencrypt
    certificate: |          <--- addition
      -----BEGIN CERTIFICATE-----
      MIIDlTCCAn2gAwIBAgIIARcwYaI1ykAwDQYJKoZIhvcNAQELBQAwJjEkMCIGA1UE
      {...}
    key: |                  <--- addition
      -----BEGIN RSA PRIVATE KEY-----
      {...}
    insecureEdgeTerminationPolicy: Redirect
  wildcardPolicy: None

openshift-console-operator/console-operator-configfor 4.x:

kind: ConfigMap
apiVersion: v1
metadata:
  name: console-operator-config
  namespace: openshift-console-operator
  annotations:
    capability.openshift.io/name: Console
    include.release.openshift.io/hypershift: 'true'
    include.release.openshift.io/ibm-cloud-managed: 'true'
    include.release.openshift.io/self-managed-high-availability: 'true'
    include.release.openshift.io/single-node-developer: 'true'
{...}

openshift-console-operator/console-operator-configfor 5.x:

kind: ConfigMap
apiVersion: v1
metadata:
  name: console-operator-config
  namespace: openshift-console-operator
  annotations:
    capability.openshift.io/name: Console
    config.openshift.io/inject-tls: 'true'   <--- addition
    include.release.openshift.io/hypershift: 'true'
    include.release.openshift.io/ibm-cloud-managed: 'true'
    include.release.openshift.io/self-managed-high-availability: 'true'
    include.release.openshift.io/single-node-developer: 'true'

[titou10titou10]

By following the doc for 4.x on here : customizing console route, it is possible to have another route with the correct certificate

This seems like a workaround for now to address the changes on the console route that now uses its own self-generated certificate and not the default ingress one.

Maybe the change is to have the console uses http/2 that is/was not possible with the default ingress certificates has in OKD v4.x ?

Changing the"ingress.config.openshift.io cluster"config triggers the creation of a new route named "route-custom" for the console that uses the default ingress certificate:

kind: Ingress
metadata:
  annotations:
    ingress.operator.openshift.io/default-enable-http2: "true"
  name: cluster
spec:
  componentRoutes:
  - hostname: blabla-console-openshift-console.{domain} <--- console additional/new url
    name: console
    namespace: openshift-console
  domain: {domain}

Doing this, the "default" console route is changed fromtls.termination.reencrypttotls.termination.edge and it redirects to the newhostname defined in ingress...

Before:

oc get routes -n openshift-console
NAME        HOST/PORT                                    PATH        SERVICES    PORT    TERMINATION          WILDCARD
console     console-openshift-console.{domain}           console     https   reencrypt/Redirect   None
downloads   downloads-openshift-console.{domain}         downloads   http    edge/Redirect        None

After:

oc get routes -n openshift-console
NAME             HOST/PORT                                   PATH             SERVICES           PORT                    TERMINATION          WILDCARD
console          console-openshift-console.{domain}          console-redirect   custom-route-redirect   edge/Redirect        None
console-custom   xxxconsole-openshift-console.{domain}       console            https                   reencrypt/Redirect   None
downloads        downloads-openshift-console.{domain}        downloads          http                    edge/Redirect        None