Fix ClusterIssuer priority to prevent selfsigned being tried first#145
Merged
Merged
Conversation
treddy08
requested review from
agonzalezrh,
fridim,
rut31337,
stencell and
wkulhanek
as code owners
The previous implementation used complex logic to prioritize non-fallback
issuers first, which had the unintended consequence of trying 'selfsigned'
before ACME issuers when Google Trust Services was filtered out.
Issue:
- When reencrypt route is enabled, Google CA is filtered out
- Remaining issuers: ['acme-bifrost-production-ddns-fallback', 'selfsigned']
- Old logic: reject('fallback') + select('fallback')
- Result: ['selfsigned', 'acme-bifrost-production-ddns-fallback']
- Problem: Tries selfsigned FIRST, creates untrusted certificate
- Impact: Browser cert warnings, broken standard central route
Solution:
- Use simple alphabetical sorting
- ACME issuers (starting with 'a', 'l', 'z') naturally come before 'selfsigned'
- Result: ['acme-bifrost-production-ddns-fallback', 'selfsigned']
- Benefit: Tries trusted ACME CA first, selfsigned as last resort
Test scenarios:
1. reencrypt=false: ['acme-bifrost-production-ddns',
'acme-bifrost-production-ddns-fallback', 'selfsigned']
→ Tries Google → ZeroSSL → selfsigned ✓
2. reencrypt=true: ['acme-bifrost-production-ddns-fallback', 'selfsigned']
→ Tries ZeroSSL → selfsigned ✓
3. Multiple ACME: ['letsencrypt-prod', 'letsencrypt-staging', 'selfsigned']
→ All ACME tried before selfsigned ✓
treddy08
force-pushed
the
rhacs-fix-issuer-priority-alphabetical-treddy
branch
from
a4f8239 to
01259bf
Compare
prakhar1985
approved these changes
May 3, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
When
ocp4_workload_rhacs_enable_reencrypt_route: trueis set, the role filters out Google Trust Services ClusterIssuers but the priority logic incorrectly triesselfsignedbefore ACME issuers.Current Behavior (Broken):
Impact:
selfsignedClusterIssuer FIRSTRoot Cause:
The old priority logic used:
reject('search', 'fallback') + select('search', 'fallback')This prioritized ALL non-fallback issuers (including
selfsigned) before fallback ACME issuers.Solution
Replace complex fallback-based prioritization with simple alphabetical sorting.
New Behavior (Fixed):
Result:
Why Alphabetical Works
ACME ClusterIssuer naming conventions naturally prioritize them:
acme-*(starts with 'a')letsencrypt-*(starts with 'l')zerossl(starts with 'z')All come alphabetically before
selfsigned(starts with 's').Test Scenarios
✅ Scenario 1:
reencrypt=false(all issuers kept)✅ Scenario 2:
reencrypt=true(Google filtered out)✅ Scenario 3: Multiple ACME providers
Changes
File:
roles/ocp4_workload_rhacs/tasks/certificate.ymlBefore:
After:
Benefits
Testing
Tested on cluster
cluster-mhn4gwith:acme-bifrost-production-ddns(Google Trust Services)acme-bifrost-production-ddns-fallback(ZeroSSL)selfsignedVerified alphabetical sorting produces correct priority in all scenarios.