Bug 1203435

Summary: The '--ssl-client-key-file' option does not write to servers.yml
Product: OpenShift Container Platform
Reporter: Brenton Leanhardt <bleanhar>
Component: oc
Assignee: Miciah Dashiel Butler Masters <mmasters>
Status: CLOSED ERRATA
QA Contact: libra bugs <libra-bugs>
Severity: medium
Priority: unspecified
Version: 2.2.0
CC: adellape, ffranz, gpei, jokerman, libra-bugs, libra-onpremise-devel, mmccomas, pruan, tiwillia, xiuwang
Target Milestone: ---
Keywords: Upstream
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: rhc-1.35.1.1-1
Doc Type: Bug Fix
Doc Text:
Previously when running the "rhc setup" command with the "--ssl-client-key-file" option, the configuration for the SSL client key file was not written to the ~/.openshift/servers.yml file. Additionally, while using the "rhc server add" command with the "--ssl-client-key-file" option successfully wrote the key file to the servers.yml file, the output for the "rhc server list" command did not list the key file information. This bug fix updates the client tools to ensure the key file configuration is written and listed in these scenarios, and as a result adding key files with the client tools now works as expected.
Clone Of: 1187812
Last Closed: 2015-04-06 17:06:53 UTC
Type: Bug
Bug Depends On: 1187812

Description Brenton Leanhardt 2015-03-18 19:59:53 UTC
+++ This bug was initially created as a clone of Bug #1187812 +++

Description of problem:
When running rhc setup with the '--ssl-client-key-file' option, the configuration for the ssl client key file is not written to the servers.yml file.

Version-Release number of selected component (if applicable):
rhc 1.34.2

How reproducible:
Always


Steps to Reproduce:
1. Provide the `rhc setup` command with a client key file:
    $ rhc setup --ssl-client-cert-file example.crt --ssl-client-key-file example.key

Actual results:
The certificate file (among other options) is written to servers.yml, but the SSL client key file is not:
- server:
    hostname: broker.example.com
    nickname: example
    login: tiwillia
    use_authorization_tokens: true
    insecure: true
    ssl_client_cert_file: /home/tiwillia/example.crt


Expected results:
Both certificate and key file are written to servers.yml:
- server:
    hostname: broker.example.com
    nickname: example
    login: tiwillia
    use_authorization_tokens: true
    insecure: true
    ssl_client_cert_file: /home/tiwillia/example.crt
    ssl_client_key_file: /home/tiwillia/example.key
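
An added example, not part of the original report or of rhc's own code: a small Ruby audit that parses a servers.yml in the layout shown above and flags entries where only one half of the client certificate/key pair was persisted, which is the symptom this bug produces. The function name, the sample data (constructed from the listings in this report) and the decision to also flag `insecure: true` are assumptions of the example.

```ruby
require 'yaml'

# Constructed sample: first entry mirrors the "Actual results" listing,
# second entry mirrors the "Expected results" listing (hypothetical nickname).
SAMPLE_SERVERS_YML = <<~YML
  ---
  - server:
      hostname: broker.example.com
      nickname: example
      login: tiwillia
      use_authorization_tokens: true
      insecure: true
      ssl_client_cert_file: /home/tiwillia/example.crt
  - server:
      hostname: broker.example.com
      nickname: example-fixed
      login: tiwillia
      use_authorization_tokens: true
      insecure: false
      ssl_client_cert_file: /home/tiwillia/example.crt
      ssl_client_key_file: /home/tiwillia/example.key
YML

# Returns { nickname => [findings] } for every server entry whose TLS
# client settings are incomplete. Entries with no findings are omitted.
def audit_servers(yaml_text)
  entries = YAML.safe_load(yaml_text) || []
  entries.each_with_object({}) do |entry, report|
    server = entry.is_a?(Hash) ? entry['server'] : nil
    next unless server.is_a?(Hash)

    cert = server['ssl_client_cert_file']
    key  = server['ssl_client_key_file']
    findings = []
    findings << 'ssl_client_cert_file set without ssl_client_key_file' if cert && !key
    findings << 'ssl_client_key_file set without ssl_client_cert_file' if key && !cert
    # Flagging this setting is a choice made by this example, not by rhc.
    findings << 'insecure: true' if server['insecure'] == true

    name = server['nickname'] || server['hostname'] || '(unnamed)'
    report[name] = findings unless findings.empty?
  end
end

if __FILE__ == $PROGRAM_NAME
  audit_servers(SAMPLE_SERVERS_YML).each do |name, findings|
    puts "#{name}: #{findings.join('; ')}"
  end
end
```

To audit a real configuration, pass the contents of ~/.openshift/servers.yml to `audit_servers` instead of the embedded sample.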

--- Additional comment from XiuJuan Wang on 2015-02-01 23:53:16 EST ---

Could reproduce this issue with rhc-1.34.2

And if 'server add' is used to add a server with the '--ssl-client-key-file' option, the key could be written into server.yml, but this parameter can't be listed using 'server list'.

issue:

$cat server.yml
 - server:
     hostname: broker.example.com
     nickname: example
     login: xiuwang
     use_authorization_tokens: true
     insecure: true
     ssl_client_key_file: /home/.openshift/example.key

$rhc server list 
Server 'example' (in use)
----------------------
  Hostname:        broker.example.com
  Login:           xiuwang
  Use Auth Tokens: true
  Insecure:        true

--- Additional comment from Fabiano Franz on 2015-02-02 14:40:09 EST ---

Fixed in https://github.com/openshift/rhc/pull/671

--- Additional comment from XiuJuan Wang on 2015-02-03 04:36:51 EST ---

Test with rhc-1.35.0_build from latest code

'rhc setup' could write the '--ssl-client-key-file' value into server.yml, but 'server list' still can't list this parameter.


$cat server.yml
 - server:
     hostname: broker.example.com
     nickname: example
     login: xiuwang
     use_authorization_tokens: true
     insecure: true
     ssl_client_key_file: /home/.openshift/example.key

$rhc server list 
Server 'example' (in use)
----------------------
  Hostname:        broker.example.com
  Login:           xiuwang
  Use Auth Tokens: true
  Insecure:        true

--- Additional comment from Fabiano Franz on 2015-02-03 17:17:51 EST ---

Fixed in https://github.com/openshift/rhc/pull/671

--- Additional comment from XiuJuan Wang on 2015-02-03 22:29:39 EST ---

Verified with rhc-1.35.0 build with code in https://github.com/openshift/rhc/pull/671
'server list' could also list the '--ssl-client-key-file' value.

Server 'server1' (in use)
-------------------------
  Hostname:                 ec2-54-166-108-190.compute-1.amazonaws.com
  Login:                    xiuwang
  Use Auth Tokens:          true
  Insecure:                 true
  SSL x509 Client Key File: /root/.openshift/cert/server.key

Thanks!

--- Additional comment from openshift-github-bot on 2015-02-07 00:28:30 EST ---

Commit pushed to master at https://github.com/openshift/rhc

https://github.com/openshift/rhc/commit/3a2a5a9dd8c37b940580742aef8132e16858f755
Bug 1187812 - must handle ssl_client_key_file in config files

Comment 3 Gaoyun Pei 2015-03-20 06:54:26 UTC
Verify this bug with rhc 1.35.1.1

1. When using 'rhc setup' with the SSL client key options, the related configuration is saved to /root/.openshift/express.conf and is listed clearly when running 'rhc server list'

[root@broker ~]# rhc setup -l gpei --ssl-client-cert-file /root/gpei.crt --ssl-client-key-file /root/gpei.key --ssl_ca_file /root/ca.crt
...
Saving configuration to /root/.openshift/express.conf ... done

[root@broker ~]# cat /root/.openshift/express.conf |grep -v '^#'|sort

default_rhlogin=gpei
insecure=false
libra_server=broker.ose22-manual.com.cn
ssl_ca_file=/root/ca.crt
ssl_client_cert_file=/root/gpei.crt
ssl_client_key_file=/root/gpei.key
use_authorization_tokens=true

[root@broker ~]# rhc server list
Server 'server1' (in use)
-------------------------
  Hostname:                  broker.ose22-manual.com.cn
  Login:                     gpei
  Use Auth Tokens:           true
  Insecure:                  false
  SSL x509 Client Cert File: /root/gpei.crt
  SSL x509 Client Key File:  /root/gpei.key
  SSL Cert CA File:          /root/ca.crt


2. When using 'server add' to set up the configuration of a server with the '--ssl-client-key-file' option, the key configuration could be written into server.yml, and could be listed using 'server list'.
[root@broker ~]# rhc server add broker.ose22-manual.com.cn ose --ssl-client-cert-file /root/gpei.crt  --ssl-client-key-file /root/gpei.key  --ssl-ca-file /root/ca.crt 
...
Saving server configuration to /root/.openshift/servers.yml ... done

[root@broker .openshift]# cat servers.yml 
--- 
- server: 
    login: gpei
    ssl_ca_file: /root/ca.crt
    hostname: broker.ose22-manual.com.cn
    nickname: ose
    ssl_client_key_file: /root/gpei.key
    ssl_client_cert_file: /root/gpei.crt
    use_authorization_tokens: true
    insecure: false

[root@broker .openshift]# rhc server list
Server 'ose' (in use)
---------------------
  Hostname:                  broker.ose22-manual.com.cn
  Login:                     gpei
  Use Auth Tokens:           true
  Insecure:                  false
  SSL x509 Client Cert File: /root/gpei.crt
  SSL x509 Client Key File:  /root/gpei.key
  SSL Cert CA File:          /root/ca.crt

Comment 5 errata-xmlrpc 2015-04-06 17:06:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0779.html