Bug 1502838

Summary: [3.9] Invalid entries in namedCertificates when using openshift_master_named_certificates
Product: OpenShift Container Platform
Reporter: Renato Puccini <rpuccini>
Component: Installer
Assignee: Russell Teague <rteague>
Status: CLOSED ERRATA
QA Contact: Johnny Liu <jialiu>
Severity: high
Docs Contact:
Priority: unspecified
Version: 3.9.0
CC: aos-bugs, jokerman, mmccomas
Target Milestone: ---
Keywords: NeedsTestCase
Target Release: 3.9.0
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Alternative names in certificates were not being properly parsed.
Consequence: Alternatives with 'email:' were being added as additional hostnames.
Fix: Updated the logic to only add alternative names which begin with 'DNS:'.
Result: Proper parsing and updating of namedCertificates.
Story Points: ---
Clone Of:
: 1538895 1538896 (view as bug list) Environment:
Last Closed: 2018-03-28 14:07:14 UTC
Type: Bug
Attachments:
Description | Flags
master-config.yaml after the execution of playbook. | none
/etc/ansible/hosts | none
pem file | none

Description Renato Puccini 2017-10-16 20:12:35 UTC
Created attachment 1339436 [details]
master-config.yaml after the execution of playbook.

Description of problem:
During an OpenShift 3.6 installation, the playbook failed to finish because it could not start the OpenShift master API service due to a misconfiguration in the YAML file.
Judging by the error message, the misconfiguration looks like it is writing the administration email from the certificate to the DNS list. It gets that parameter from the deployed certificates. So, since there is an email address in the DNS list, the OpenShift master API service fails, due to an invalid address in the configuration file (master-config.yaml).

Because of this behavior (a bug?), the installation fails.

Workaround*:
To complete the installation without errors, we verified at what point the Ansible playbook modifies the master-config.yaml file. We then edit the file, removing the email address, and save it. When the playbook executes the task of starting the OpenShift Master API, it starts with the right parameters, since the file was modified and corrected.


All the parameters needed for the installation were applied on the hosts file (attached).
The .crt, .key, ca certificates are attached.
The master-config.yaml configured by the playbook is attached (with the email line in the DNS configuration).

Version-Release number of selected component (if applicable): OCP 3.6


How reproducible:
Having certificates with host and email set up.

Steps to Reproduce:
1. Install OCP 3.6 using ansible playbook
2. Must have all certificates signed by company CA
3.

Actual results:
master-config.yaml
Line #117:

namedCertificates:
  - certFile: /etc/origin/master/named_certificates/cloudbeta.rio.gov.br.crt
    keyFile: /etc/origin/master/named_certificates/cloudbeta.rio.gov.br.key
    names:
    - "email:hostmaster.rj.gov.br"
    - "cloudbeta.rio.gov.br"

*Wrong line added: #221
    - "email:hostmaster.rj.gov.br"



Expected results:
Playbook fails to start master-api service due to wrong entry on the master-config.yaml file.

Additional info:
Created By: Ryan Howe  (16/10/2017 17:59)
Looks like a bug with this:

https://github.com/openshift/openshift-ansible/blob/release-3.6/filter_plugins/oo_filters.py#L540-L607



Comment 1 Renato Puccini 2017-10-16 20:24:08 UTC
Created attachment 1339438 [details]
/etc/ansible/hosts

Comment 2 Renato Puccini 2017-10-16 20:24:47 UTC
Created attachment 1339449 [details]
pem file

Comment 4 Russell Teague 2018-01-25 19:34:46 UTC
Proposed: https://github.com/openshift/openshift-ansible/pull/6878

Comment 5 Russell Teague 2018-01-26 03:25:25 UTC
Merged

Comment 7 Johnny Liu 2018-01-30 08:50:30 UTC
Verified this bug with openshift-ansible-3.9.0-0.31.0.git.0.e0a0ad8.el7.noarch, and PASS.

# cat /etc/origin/master/master-config.yaml
<--snip-->
  namedCertificates:
  - certFile: /etc/origin/master/named_certificates/cloudbeta.rio.gov.br.crt
    keyFile: /etc/origin/master/named_certificates/cloudbeta.rio.gov.br.key
    names:
    - cloudbeta.rio.gov.br
<--snip-->
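
The Doc Text fix (only add alternative names that begin with 'DNS:'), sketched as an added example that is not code from this bug report or from openshift-ansible. The function names, the strip-the-prefix reconstruction of the faulty behaviour, and the comma-separated subjectAltName text format are assumptions; the sample values are the two names shown in this report.

```python
import re

# Constructed sample: subjectAltName text in the comma-separated form OpenSSL
# prints, built from the two values that appear in this report.
SAN_TEXT = "email:hostmaster.rj.gov.br, DNS:cloudbeta.rio.gov.br"

# Hostname with an optional leading wildcard label (RFC 1123 label rules).
_HOSTNAME = re.compile(
    r"^(\*\.)?([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)


def names_strip_prefix_only(san_text):
    """Assumed faulty behaviour: drop the 'DNS:' prefix and keep every entry."""
    stripped = san_text.replace("DNS:", "")
    return [e.strip() for e in stripped.split(",") if e.strip()]


def names_dns_only(san_text):
    """Behaviour described under Fix: keep only entries that begin with 'DNS:'."""
    names = []
    for entry in san_text.split(","):
        entry = entry.strip()
        if entry.startswith("DNS:"):
            name = entry[len("DNS:"):]
            if name and name not in names:  # skip empty and duplicate names
                names.append(name)
    return names


def invalid_names(names):
    """Return entries of a namedCertificates 'names' list that are not hostnames."""
    return [n for n in names if len(n) > 253 or not _HOSTNAME.match(n)]


if __name__ == "__main__":
    before = names_strip_prefix_only(SAN_TEXT)
    after = names_dns_only(SAN_TEXT)
    print("before:", before, "invalid:", invalid_names(before))
    print("after: ", after, "invalid:", invalid_names(after))
```

`invalid_names` can also be run over the `names` list of an existing master-config.yaml to catch a leftover `email:` entry before the master API service is restarted.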

Comment 10 errata-xmlrpc 2018-03-28 14:07:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0489