Bug 1616262
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | LDAP CA certificate wrong permissions prevent successful installation | | |
| Product: | OpenShift Container Platform | Reporter: | Sasha Segal <ssegal> |
| Component: | Installer | Assignee: | Vadim Rutkovsky <vrutkovs> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Gaoyun Pei <gpei> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 3.10.0 | CC: | aos-bugs, jokerman, mkhan, mmccomas, ssegal, vlaad |
| Target Milestone: | --- | | |
| Target Release: | 3.10.z | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2018-10-08 11:58:24 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
OpenShift is working as expected here IMO. Problem is in the same vicinity of Bug 1614414. We need to also make sure all files we need to read are in /etc/origin/master, so independent of where the file is located on the control host we need to land it in /etc/origin/master/, ensure it's readable, and make sure the config references it there.

> But the file is there, only with wrong permissions:
> [root@mmaster ~]# ls -l /etc/pki-osoos/ldap_ca.crt
> -rw-------. 1 root root 1516 Aug 15 12:10 /etc/pki-osoos/ldap_ca.crt

This is a file on the host, but it won't get mounted on the API server pod, as we mount only /etc/origin/master/.

This file should have been copied to /etc/origin/master/ldap_ca.crt instead; is there a file there?

Sounds like master_check_paths_in_config.py has missed this path, or the openshift_control_plane role copied it to a wrong location. Do you have the logs from this playbook?

Does changing the path to /etc/pki-osoos/ldap_ca.crt in the 'ca:' section of openshift_master_identity_providers fix it?
Placing the certificate in /etc/origin/master solved the issue. You may close this as per me, unless you consider this still needs to be fixed for paths outside of /etc/origin/master. Thanks!

PR to ignore the `ca:` field and copy the file to an expected location instead: https://github.com/openshift/openshift-ansible/pull/9803

Fix is available in openshift-ansible-3.10.43-1

Verify this bug with openshift-ansible-3.10.44-1.git.0.8c64e8d.el7.noarch
Specify LDAP CA certificate in openshift_master_ldap_ca_file, start installation.
openshift_master_identity_providers=[{'name': 'testldap', 'login': 'true', 'challenge': 'true', 'kind': 'LDAPPasswordIdentityProvider', 'attributes': {'id': ['dn'], 'email': ['mail'], 'name': ['cn'], 'preferredUsername': ['uid']}, 'bindDN': '', 'bindPassword': '', 'insecure': 'false', 'url': 'ldaps://x.x.x.com/ou=users,dc=redhat,dc=com?uid'}]
openshift_master_ldap_ca_file=/root/ldap.ca.crt
After installation, the LDAP CA certificate was copied to the master as /etc/origin/master/testldap_ldap_ca.crt, and the master service runs well.
Description of problem:

Advanced installation specifying an LDAP CA certificate:

```
openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', 'challenge': 'true', 'kind': 'HTPasswdPasswordIdentityProvider'}, {'name': 'rht_ldap_provider', 'challenge': 'true', 'login': 'true', 'kind': 'LDAPPasswordIdentityProvider', 'attributes': {'id': ['dn'], 'email': ['mail'], 'name': ['cn'], 'preferredUsername': ['uid']}, 'bindDN': '', 'bindPassword': '', 'ca': '/etc/pki-osoos/ldap_ca.crt', 'insecure': 'false', 'url': 'ldap://ldap.corp.redhat.com/ou=users,dc=redhat,dc=com?uid'}]
openshift_master_ldap_ca_file=/etc/pki-osoos/ldap_ca.crt
```

The CA certificate was uploaded to the main master with permissions 664.

Running /usr/share/ansible/openshift-ansible/playbooks/deploy_cluster.yml failed on:

```
TASK [openshift_control_plane : Wait for control plane pods to appear] *********
FAILED - RETRYING: Wait for control plane pods to appear (60 retries left).
FAILED - RETRYING: Wait for control plane pods to appear (60 retries left).
```

Looking in the log on the master I see the following:

```
Aug 15 08:12:01 mmaster journal: Invalid MasterConfig /etc/origin/master/master-config.yaml
Aug 15 08:12:01 mmaster journal: oauthConfig.identityProvider[1].provider.ca: Invalid value: "/etc/pki-osoos/ldap_ca.crt": could not read file: stat /etc/pki-osoos/ldap_ca.crt: no such file or directory
```

But the file is there, only with wrong permissions:

```
[root@mmaster ~]# ls -l /etc/pki-osoos/ldap_ca.crt
-rw-------. 1 root root 1516 Aug 15 12:10 /etc/pki-osoos/ldap_ca.crt
```

Version-Release number of selected component (if applicable):
3.10.14

How reproducible:
Install cluster with LDAP auth.

Steps to Reproduce:
1.
2.
3.

Actual results:
Unable to complete master installation.

Expected results:
Working cluster

Additional info:
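The failure above comes from the control plane pod seeing only /etc/origin/master, so a CA path anywhere else in master-config.yaml is unreadable inside the pod even when it exists on the host. As an added example (not part of this bug report, not openshift-ansible's master_check_paths_in_config.py, and not the code from the linked PR), here is a stand-alone pre-flight check in Python that walks the identityProviders of a master config and flags any provider.ca path that lies outside the mounted directory or cannot be read. The function names, the config dictionary, the temporary directory standing in for /etc/origin/master and the placeholder certificate contents are all constructed for illustration.

```python
"""Added example (not openshift-ansible's own code): check that every
identityProviders[].provider.ca path in a master config lives under
/etc/origin/master and is readable. Names and sample config are constructed."""
import os
import tempfile

# The only host directory the API server pod mounts (per the bug discussion).
MASTER_CONFIG_DIR = "/etc/origin/master"


def find_ca_paths(master_config):
    """Yield (provider name, ca path) for every identity provider that sets provider.ca."""
    providers = master_config.get("oauthConfig", {}).get("identityProviders", [])
    for idp in providers:
        ca = idp.get("provider", {}).get("ca")
        if ca:
            yield idp.get("name", "<unnamed>"), ca


def check_ca_path(ca_path, config_dir=MASTER_CONFIG_DIR):
    """Return the list of problems with one CA path; an empty list means it is usable.

    A path outside config_dir is reported even if it exists on the host: the pod
    only sees config_dir, so the API server fails with
    'could not read file: stat ...: no such file or directory', as in this bug.
    """
    problems = []
    real = os.path.realpath(ca_path)
    root = os.path.realpath(config_dir)
    if os.path.commonpath([real, root]) != root:
        problems.append("outside %s, not mounted into the control plane pod" % config_dir)
    if not os.path.isfile(real):
        problems.append("missing on host")
    elif not os.access(real, os.R_OK):
        problems.append("not readable by this user")
    return problems


def check_master_config(master_config, config_dir=MASTER_CONFIG_DIR):
    """Map each provider name (only those with a ca field) to its list of problems."""
    return {name: check_ca_path(path, config_dir)
            for name, path in find_ca_paths(master_config)}


def demo():
    """Run the check against a constructed config in a temporary stand-in for the master dir."""
    config_dir = tempfile.mkdtemp(prefix="master-")  # hypothetical /etc/origin/master
    copied_ca = os.path.join(config_dir, "testldap_ldap_ca.crt")
    with open(copied_ca, "w") as fh:
        fh.write("-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n"
                 "-----END CERTIFICATE-----\n")
    master_config = {"oauthConfig": {"identityProviders": [
        {"name": "htpasswd_auth",
         "provider": {"kind": "HTPasswdPasswordIdentityProvider"}},
        # The failing case from the report: CA referenced outside the mounted dir.
        {"name": "rht_ldap_provider",
         "provider": {"kind": "LDAPPasswordIdentityProvider",
                      "ca": "/etc/pki-osoos/ldap_ca.crt"}},
        # What the fixed installer produces: CA copied next to master-config.yaml.
        {"name": "testldap",
         "provider": {"kind": "LDAPPasswordIdentityProvider", "ca": copied_ca}},
    ]}}
    return check_master_config(master_config, config_dir)


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "OK" if not problems else "; ".join(problems))
```

Running the module prints one line per LDAP provider: the copied certificate passes and the /etc/pki-osoos path is reported as outside the mounted directory, which is the condition that produced the "no such file or directory" error in the journal even though the file existed on the host. Pointing the function at a real config (for example after loading master-config.yaml with a YAML parser) lets an operator catch the misplacement before the control plane pods are restarted.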