Bug 1535585
| Summary: | Prometheus playbook needs to utilize -openshift-ca flag | |||
|---|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Robert Bost <rbost> | |
| Component: | Monitoring | Assignee: | Paul Gier <pgier> | |
| Status: | CLOSED ERRATA | QA Contact: | Junqi Zhao <juzhao> | |
| Severity: | low | Docs Contact: | ||
| Priority: | medium | |||
| Version: | 3.7.0 | CC: | aivaras.laimikis, andre.rozendaal, aos-bugs, ccoleman, erjones, farandac, fgrosjea, jcantril, mjahangi, per.carlson, pgier, rbost, spasquie | |
| Target Milestone: | --- | |||
| Target Release: | 3.10.0 | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | Doc Type: | Enhancement | ||
| Doc Text: |
Feature: New option in the openshift ansible installer to set additional CA certificate to be distributed to pods in a cluster.
Reason: If the cluster is using a load balancer which requires a difference CA than the one generated by the installer for the the master node, then the user will need to add this additional CA cert to the file /etc/origin/master/ca-bundle.crt. This will make it available to pods in the cluster.
Result: Added new option to installer called "openshift_additional_ca" which points to a file containing the loadbalancer CA certificate.
|
Story Points: | --- | |
| Clone Of: | ||||
| : | 1685188 (view as bug list) | Environment: | ||
| Last Closed: | 2018-07-30 19:09:00 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1685188 | |||
|
Description
Robert Bost
2018-01-17 16:35:27 UTC
Customer has followed steps mentioned in initial comment on this bz and successfully setup Prometheus with an upstream F5 server. The only additional step they took was adding the same F5 CA Certificate to -openshift-ca oauth-proxy arg. I believe if we introduce a custom variable, it should populate both -upstream-ca and -openshift-ca args. Correction, customer did *not* use the -upstream-ca arg; they only used -openshift-ca. PR for adding the -openshift-ca arg: https://github.com/openshift/openshift-ansible/pull/6795 They are required to make the CA trusted at the cluster level, not per prometheus level. We should not add this specifically to prometheus. *** Bug 1543308 has been marked as a duplicate of this bug. *** Had some discussion last week and this week about what's the right solution to this issue and whether it's possible with the current installer or if we installer enhancements. TL;DR we need an enhancement to the installer. I think the right solution to this is to modify the ca-bundle.crt file, normally located in /etc/origin/master/ca-bundle.crt. This file is usually the same as ca.crt, but I think it isn't required to be the same. ca-bundle.crt is used for the service-account-token and is automatically mounted to containers at /var/run/secrets/kubernetes.io/serviceaccount/ca.crt. The oauth proxy container picks up this location by default (https://github.com/openshift/oauth-proxy#--openshift-ca), however in the prometheus container it's set manually along with the default container CA file (https://github.com/openshift/openshift-ansible/blob/d0b9fd11d52841571edb15402140884473f360f6/roles/openshift_prometheus/templates/prometheus.j2#L65-L66). So to resolve this issue, the customer would need to add the F5 CA cert to ca-bundle.crt (then restart the master-controllers service) and then it would update the ca.crt file mounted to the oauth proxy container. This should have the same effect as adding a new --openshift-ca flag, with the additional benefit that it would cover similar use cases in other containers throughout the cluster. The installer currently supports adding certificates, keys, (and CA) for specific hostnames (https://docs.openshift.org/3.9/install_config/certificate_customization.html), but this could have the undesirable side effect of serving the load balancer cert from the API server. So we need a new installer option to add the load balancer CA just to ca-bundle.crt without needing to specify the key and related cert. PR against master: https://github.com/openshift/openshift-ansible/pull/8142 set "openshift_additional_ca" which points to a file containing the loadbalancer CA certificate, and run playbooks/openshift-master/redeploy-certificates.yml playbook, it add additional ca file to /etc/origin/master/ca-bundle.crt, and after deploying prometheus, prometheus openshift-ca file /var/run/secrets/kubernetes.io/serviceaccount/ca.crt is the same with /etc/origin/master/ca-bundle.crt. # rpm -qa | grep openshift-ansible openshift-ansible-docs-3.10.0-0.50.0.git.0.bd68ade.el7.noarch openshift-ansible-playbooks-3.10.0-0.50.0.git.0.bd68ade.el7.noarch openshift-ansible-3.10.0-0.50.0.git.0.bd68ade.el7.noarch openshift-ansible-roles-3.10.0-0.50.0.git.0.bd68ade.el7.noarch PR to backport this fix to the 3.9 branch https://github.com/openshift/openshift-ansible/pull/9338 Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:1816 |