Bug 1360754
| Summary: | [RFE] Allow users to add the CA for their named certificates to the generated CA by ansible installer | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Kenjiro Nakayama <knakayam> |
| Component: | Installer | Assignee: | Andrew Butcher <abutcher> |
| Status: | CLOSED ERRATA | QA Contact: | Gaoyun Pei <gpei> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 3.2.1 | CC: | adellape, aos-bugs, gpei, jokerman, mmccomas |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | Administrators can now add the CA for named certificates to the generated CA using the `cafile` option with the openshift_master_named_certificates Ansible variable. For example: `openshift_master_named_certificates=[{"certfile": "/path/to/custom1.crt", "keyfile": "/path/to/custom1.key","cafile": "/path/to/ca.crt"}]` | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-08-18 19:29:58 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Kenjiro Nakayama
2016-07-27 12:07:30 UTC
> - And they have already tested the patch mentioned here https://github.com/openshift/openshift-ansible/issues/1535#issuecomment-224187922 (and it worked)

Sorry, "they" means the customer and consultant who requested this RFE.
This feature was recently added to the master branch of openshift-ansible.
https://github.com/openshift/openshift-ansible/pull/2049
https://trello.com/c/0nKBEzbi

Verify this bug with openshift-ansible-3.2.22-1.git.0.7961a61.el7.noarch.rpm
Specify `openshift_master_named_certificates=[{"certfile": "/path/to/custom1.crt", "keyfile": "/path/to/custom1.key","cafile": "/path/to/ca.crt"}]` in the Ansible inventory; after installation, check the named certs setting on the master.

```
[root@openshift-219 ~]# ls /etc/origin/master/named_certificates/
ca.crt  custom1.crt  custom1.key
```

In /etc/origin/master/master-config.yaml, the named certs info was added correctly; "names" was detected correctly from custom1.crt.

```yaml
namedCertificates:
- certFile: /etc/origin/master/named_certificates/custom1.crt
  keyFile: /etc/origin/master/named_certificates/custom1.key
  names:
  - "master.custom-cert.com"
```
The ca-bundle.crt works well for the custom name.

```
[root@openshift-219 ~]# curl --cacert /etc/origin/master/ca-bundle.crt https://master.custom-cert.com:8443/
{
  "paths": [
    "/api",
    "/api/v1",
    "/apis",
    "/controllers",
    "/healthz",
    "/healthz/ping",
    "/healthz/ready",
    "/metrics",
    "/oapi",
    "/oapi/v1",
    "/swaggerapi/"
  ]
```
The ca.crt on the node also works well.

```
[root@openshift-211 ~]# curl --cacert /etc/origin/node/ca.crt https://master.custom-cert.com:8443/
{
  "paths": [
    "/api",
    "/api/v1",
    "/apis",
    "/controllers",
    "/healthz",
    "/healthz/ping",
    "/healthz/ready",
    "/metrics",
    "/oapi",
    "/oapi/v1",
    "/swaggerapi/"
  ]
```
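An added example, not from the bug report or from openshift-ansible: a pre-flight check for the certfile/keyfile/cafile triple before it goes into openshift_master_named_certificates. It confirms the key matches the cert and the cert chains to the cafile, derives the DNS names from the certificate's SAN the way the installer fills in "names", and checks whether a CA is already present in a bundle such as ca-bundle.crt. The CA and leaf it runs on are generated as constructed sample input; the file names only mirror the inventory example.

```shell
#!/bin/sh
# Added example, not from the bug report or openshift-ansible. Checks that the
# three files named in openshift_master_named_certificates are consistent and
# prints the hostnames the installer derives from the cert's SAN extension.
# Needs openssl; the CA/leaf pair is generated here as constructed sample input.
set -eu

# Constructed sample PKI: a throwaway CA and a leaf for master.custom-cert.com.
make_sample_pki() {
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Sample CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=master.custom-cert.com" \
    -keyout "$1/custom1.key" -out "$1/custom1.csr" 2>/dev/null
  printf 'subjectAltName=DNS:master.custom-cert.com\n' > "$1/san.ext"
  openssl x509 -req -in "$1/custom1.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -extfile "$1/san.ext" -out "$1/custom1.crt" 2>/dev/null
}

# DNS SANs of a cert, one per line (the "names:" list written to master-config).
cert_names() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' |
    tail -n 1 | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# Returns 0 only if keyfile ($2) matches certfile ($1) AND $1 chains to cafile ($3).
check_named_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ] || { echo "key $2 does not match $1" >&2; return 1; }
  openssl verify -CAfile "$3" "$1" >/dev/null 2>&1 ||
    { echo "$1 does not chain to $3" >&2; return 1; }
}

# Returns 0 if the PEM body of cafile ($1) appears verbatim in bundle ($2).
ca_in_bundle() {
  ca_body=$(sed -n '/BEGIN CERT/,/END CERT/p' "$1" | grep -v -- '-----' | tr -d '\n')
  bundle=$(sed -n '/BEGIN CERT/,/END CERT/p' "$2" | grep -v -- '-----' | tr -d '\n')
  case "$bundle" in *"$ca_body"*) return 0 ;; esac
  return 1
}

# Stand-alone demo on the constructed PKI (replace with the inventory's paths).
demo=$(mktemp -d)
make_sample_pki "$demo"
check_named_cert "$demo/custom1.crt" "$demo/custom1.key" "$demo/ca.crt"
echo "named cert OK, names:"; cert_names "$demo/custom1.crt"
rm -rf "$demo"
```

On a real master, pointing ca_in_bundle at /etc/origin/master/ca-bundle.crt confirms the cafile was merged, which is what the curl checks above demonstrate end to end.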
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2016:1639