Bug 1454478

Summary: Ansible redeploy certs playbook won't update masters with provided named certs
Product: OpenShift Container Platform
Reporter: Steven Walter <stwalter>
Component: Cluster Version Operator
Assignee: Andrew Butcher <abutcher>
Status: CLOSED ERRATA
QA Contact: Gaoyun Pei <gpei>
Severity: medium
Priority: medium
Version: 3.5.0
CC: abutcher, aos-bugs, farandac, jokerman, misalunk, mmccomas
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Doc Text:
Previously, the certificate redeployment playbook would not update master configuration when named certificates were provided. Named certificates will now be replaced and master configuration will be updated during certificate redeployment.
Last Closed: 2017-08-10 05:25:32 UTC
Type: Bug

Description Steven Walter 2017-05-22 20:45:58 UTC
Description of problem:
Customer added named certificates to the Ansible hosts file and ran the certificate redeploy playbook; however, the certs were not added to master-config.yaml.

Version-Release number of selected component (if applicable):
3.5.0

How reproducible:
Unconfirmed

Steps to Reproduce:
1. Add certs to hosts file
2. run cert redeploy playbook


Actual results:
Still serving openshift signed certs

Expected results:
Serve custom named ca

Additional info:
If this is intended behavior then we can consider this an RFE instead

Comment 8 Gaoyun Pei 2017-07-06 08:00:54 UTC
Verify this bug with openshift-ansible-3.6.135-1.git.0.5533fe3.el7.noarch

For an existing ocp-3.6 env, add named certificates to ansible hosts file

openshift_master_overwrite_named_certificates=true
openshift_master_named_certificates=[{"certfile": "/root/master-custom-cert-com.crt", "keyfile": "/root/master-custom-cert-com.key", "cafile": "/root/master-custom-cert-com-ca.crt"}]

Run certificate redeploy playbook
ansible-playbook -i bug /usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/redeploy-certificates.yml

After playbook finished, check the master config file
[root@qe-gpei-etcd-sc-master-1 master]# grep -A 4 namedCertificates master-config.yaml
  namedCertificates:
  - certFile: /etc/origin/master/named_certificates/master-custom-cert-com.crt
    keyFile: /etc/origin/master/named_certificates/master-custom-cert-com.key
    names:
    - master.custom-cert.com
[root@qe-gpei-etcd-sc-master-1 master]# ls named_certificates/
master-custom-cert-com-ca.crt  master-custom-cert-com.crt  master-custom-cert-com.key
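
The check performed by hand in Comment 8 can be scripted. The following is an added example, not part of the bug report or of openshift-ansible: it compares the inventory's openshift_master_named_certificates entries against the namedCertificates block of master-config.yaml and lists any cert or key path the master config does not reference. The function names are hypothetical, the sample inputs are constructed from the values shown in Comment 8, and the inventory value is assumed to be JSON-compatible as it is there.

```python
import json
import posixpath
import re

# Directory the playbook copies named certs into, per the grep output in Comment 8.
DEPLOY_DIR = "/etc/origin/master/named_certificates"

# Sample inputs constructed from the inventory line and grep output in Comment 8.
INVENTORY_LINE = (
    'openshift_master_named_certificates=[{"certfile": "/root/master-custom-cert-com.crt", '
    '"keyfile": "/root/master-custom-cert-com.key", '
    '"cafile": "/root/master-custom-cert-com-ca.crt"}]'
)
MASTER_CONFIG = """\
  namedCertificates:
  - certFile: /etc/origin/master/named_certificates/master-custom-cert-com.crt
    keyFile: /etc/origin/master/named_certificates/master-custom-cert-com.key
    names:
    - master.custom-cert.com
"""

def named_cert_block(config_text):
    """Return only the lines under namedCertificates:, not other certFile keys."""
    lines = config_text.splitlines()
    for i, line in enumerate(lines):
        if line.strip() != "namedCertificates:":
            continue
        base = len(line) - len(line.lstrip())
        block = []
        for nxt in lines[i + 1:]:
            indent = len(nxt) - len(nxt.lstrip())
            sibling = indent == base and not nxt.lstrip().startswith("-")
            if nxt.strip() and (indent < base or sibling):
                break  # next sibling or parent key: the list has ended
            block.append(nxt)
        return "\n".join(block)
    return ""  # key absent or empty: nothing is configured

def missing_named_certs(inventory_line, config_text):
    """List (field, expected_path) pairs the master config does not reference."""
    value = inventory_line.partition("=")[2]
    block = named_cert_block(config_text)
    missing = []
    # Assumption: the inventory value is JSON-compatible, as it is on this page.
    for entry in json.loads(value):
        for inv_key, cfg_key in (("certfile", "certFile"), ("keyfile", "keyFile")):
            expected = posixpath.join(DEPLOY_DIR, posixpath.basename(entry[inv_key]))
            if expected not in re.findall(rf"\b{cfg_key}:\s*(\S+)", block):
                missing.append((cfg_key, expected))
    return missing
```

An empty result corresponds to the fixed behaviour verified in Comment 8; a config with no namedCertificates block, the state originally reported, returns both the certFile and keyFile paths as missing.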

Comment 10 errata-xmlrpc 2017-08-10 05:25:32 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:1716

Comment 11 Scott Dodson 2018-08-15 13:29:02 UTC
*** Bug 1615025 has been marked as a duplicate of this bug. ***

Comment 12 Scott Dodson 2018-08-15 13:29:53 UTC
*** Bug 1615026 has been marked as a duplicate of this bug. ***