Bug 1658841
Summary: | Options openshift_node_min_tls_version and openshift_node_cipher_suites removed in OpenShift 3.10 and later | ||
---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | Brian J. Beaudoin <bbeaudoi> |
Component: | Installer | Assignee: | Scott Dodson <sdodson> |
Installer sub component: | openshift-ansible | QA Contact: | Johnny Liu <jialiu> |
Status: | CLOSED NOTABUG | Docs Contact: | |
Severity: | medium | ||
Priority: | unspecified | CC: | bbeaudoi, grodrigu, knewcomer |
Version: | 3.11.0 | ||
Target Milestone: | --- | ||
Target Release: | 3.11.z | ||
Hardware: | All | ||
OS: | Linux | ||
Last Closed: | 2018-12-14 21:56:16 UTC | Type: | Bug |
Description
Brian J. Beaudoin
2018-12-13 00:51:53 UTC
I think our advice at this point in time is to apply the desired edits to the node groups. That's the long-term solution for providing config for 3.10 and 3.11 nodes. We could add the same TLS options to the node group generation template, but we'd prefer having one method for defining node config edits. Would that work for you?

They can do this at install time today. They just need to define their own openshift_node_groups structure, which is defaulted here:
https://github.com/openshift/openshift-ansible/blob/master/roles/openshift_facts/defaults/main.yml#L144-L195

For instance, put a file like the following at inventory/group_vars/all.yaml, assuming your inventory is at inventory/hosts:

```yaml
openshift_node_groups:
  - name: node-config-master
    labels:
      - 'node-role.kubernetes.io/master=true'
    edits:
      - key: servingInfo.minTLSVersion
        value: "VersionTLS12"
      - key: servingInfo.cipherSuites
        value:
          - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
          - "TLS_RSA_WITH_AES_256_CBC_SHA"
          - "TLS_RSA_WITH_AES_128_CBC_SHA"
```

This is an all-or-nothing thing: you either get the default node groups or you need to define the entire structure, so it's probably best to start by copying the default and editing from there.

Docs for this here:
https://docs.openshift.com/container-platform/3.11/install/configuring_inventory_file.html#configuring-inventory-node-group-definitions

Scott, thank you, this method of overriding the node configurations works.

Thanks for confirming that the custom definition of openshift_node_groups worked. I'm going to close this.
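Because a custom openshift_node_groups replaces the defaults entirely, an override that lists only one group leaves the others undefined and without the TLS edits. The following check is an added example, not part of the bug comments or of openshift-ansible; the expected group names are assumptions, and the structure is written as Python data rather than parsed from YAML so that it runs without extra libraries.

```python
# Added example: audit an openshift_node_groups override before running the installer.
REQUIRED_KEYS = ("servingInfo.minTLSVersion", "servingInfo.cipherSuites")
TLS_ORDER = ["VersionTLS10", "VersionTLS11", "VersionTLS12"]  # weakest to strongest

# Assumption: the group names the cluster relies on; take the real list from
# the defaults file linked in the thread.
EXPECTED_GROUPS = ["node-config-master", "node-config-infra", "node-config-compute"]

TLS_EDITS = [
    {"key": "servingInfo.minTLSVersion", "value": "VersionTLS12"},
    {"key": "servingInfo.cipherSuites", "value": [
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_RSA_WITH_AES_256_CBC_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
    ]},
]

# The override as posted in this thread: one group only.
POSTED_OVERRIDE = [{
    "name": "node-config-master",
    "labels": ["node-role.kubernetes.io/master=true"],
    "edits": TLS_EDITS,
}]

# Constructed: every expected group present, each carrying the TLS edits.
FULL_OVERRIDE = [{"name": n, "labels": [], "edits": TLS_EDITS} for n in EXPECTED_GROUPS]


def audit_node_groups(groups, expected=EXPECTED_GROUPS, min_tls="VersionTLS12"):
    """Return sorted findings; an empty list means no gaps were found."""
    findings = []
    present = {g.get("name") for g in groups}
    findings += [f"{n}: group missing from override" for n in expected if n not in present]
    for group in groups:
        name = group.get("name")
        edits = {e.get("key"): e.get("value") for e in group.get("edits") or []}
        findings += [f"{name}: no edit for {k}" for k in REQUIRED_KEYS if k not in edits]
        tls = edits.get(REQUIRED_KEYS[0])
        if tls is not None and (tls not in TLS_ORDER
                                or TLS_ORDER.index(tls) < TLS_ORDER.index(min_tls)):
            findings.append(f"{name}: minTLSVersion {tls!r} does not meet {min_tls}")
        suites = edits.get(REQUIRED_KEYS[1])
        if suites is not None and (not isinstance(suites, list) or not suites):
            findings.append(f"{name}: cipherSuites must be a non-empty list")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_node_groups(POSTED_OVERRIDE):
        print(finding)
```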