Bug 1419182

Summary: [ocp-on-osp] openshift-heat-templates do not allow OSP communication with SSL - need CA cert
Product: OpenShift Container Platform
Component: Reference Architecture
Version: 3.4.0
Status: CLOSED EOL
Severity: high
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Reporter: Mark Lamourine <mlamouri>
Assignee: Ryan Cook <rcook>
QA Contact: Johnny Liu <jialiu>
CC: aos-bugs, bleanhar, jokerman, mmccomas, rpolli, wrichter
Last Closed: 2018-06-22 15:08:33 UTC
Type: Bug

Description Mark Lamourine 2017-02-03 20:14:15 UTC
Description of problem:

OSP services may require SSL for API communication.  The SSL connection will require a valid CA certificate to validate the OSP SSL certificate.  The CA certificate must be present on all OCP instances that can interact with the hosting OSP service.  This includes all nodes which may request resources like cinder volumes on behalf of container creators.

The openshift-heat-templates do not provide a way for the OCP deployer to submit the CA certificate or a way to hand off that certificate to the openshift-ansible playbooks so that they in turn can set the CA certificate as needed. 


Version-Release number of selected component (if applicable):


How reproducible:

Attempt to run an openshift-heat-templates installation of OCP3 on an OSP that has SSL communications enabled.

Steps to Reproduce:
1.
2.
3.

Actual results:

os-collect-config on the bastion host will fail to connect and communicate with the OSP service citing insecure communications.

kubelet services on the OCP nodes will fail to connect and communicate with the OSP service citing insecure communications.

Expected results:

os-collect-config and kubelet communications with OSP over SSL succeed.

Additional info:

Comment 1 Wolfram Richter 2017-03-23 15:26:41 UTC
I injected a custom CA cert to allow it to work on an SSL-enabled OSP as follows: https://github.com/redhat-openstack/openshift-on-openstack/pull/327

Comment 2 Roberto Polli 2017-05-24 15:01:18 UTC
Merged https://github.com/redhat-openstack/openshift-on-openstack/pull/327

Worth closing?