Bug 1746143

Summary: update-ca-trust required on 3.11 post install with custom CA cert but included in 3.9 install process per openshift_node_certificates playbook
Product: OpenShift Container Platform
Reporter: Benjamin Milne <bmilne>
Component: Installer
Assignee: Joseph Callen <jcallen>
Installer sub component: openshift-ansible
QA Contact: Gaoyun Pei <gpei>
Status: CLOSED ERRATA
Docs Contact:
Severity: medium
Priority: unspecified
CC: jcallen
Version: 3.11.0
Target Milestone: ---
Target Release: 3.11.z
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-11-18 14:52:08 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Benjamin Milne 2019-08-27 18:26:09 UTC
Description of problem:
When installing OCP 3.11 with the CA defined via the following:

openshift_hosted_registry_routecertificates="{'certfile': '<path>/org-cert.pem', 'keyfile': '<path>/org-privkey.pem', 'cafile': '<path>/org-chain.pem'}"

The user is required to follow the "day two process" outlined here: https://docs.openshift.com/container-platform/3.11/day_two_guide/docker_tasks.html#day-two-guide-managing-docker-certs to allow nodes to trust it, when this is just a custom CA cert, not an external registry.

This was not a problem on 3.9 installations.

We have determined that the steps from the following (3.9) are not performed the same in the new bootstrap process in 3.11.

https://github.com/openshift/openshift-ansible/blob/release-3.9/roles/openshift_node_certificates/tasks/main.yml

Actual results:
Customer installs on 3.11 and is required to run update-ca-trust to pull using custom CA from a NON-external registry. This works in 3.9.

Expected results:
Customer does not need to perform any additional tasks to have correct CA trusted.

Comment 8 Gaoyun Pei 2019-11-09 15:22:57 UTC
Verify this bug with openshift-ansible-3.11.154-1.git.0.7a11cbe.el7.noarch.rpm

The required 'Update CA trust' and 'restart docker/node' steps were added during node bootstrap.


TASK [openshift_node : Update CA trust] ****************************************
changed: [ci-vm-10-0-148-101.hosted.upshift.rdu2.redhat.com] => {"changed": true, "cmd": ["update-ca-trust", "extract"], "delta": "0:00:00.521362", "end": "2019-11-09 01:02:43.293125", "rc": 0, "start": "2019-11-09 01:02:42.771763", "stderr": "", "stderr_lines": [], "stdout": "", "stdout_lines": []}

...

TASK [Mark node unschedulable] *************************************************
changed: [ci-vm-10-0-148-101.hosted.upshift.rdu2.redhat.com -> ci-vm-10-0-150-88.hosted.upshift.rdu2.redhat.com] => {"attempts": 1, "changed": true, "module_results": {"cmd": "/usr/bin/oc adm manage-node qe-gpei-4node-1 --schedulable=False", "nodes": [{"name": "qe-gpei-4node-1", "schedulable": false}], "results": "NAME              STATUS                     ROLES     AGE       VERSION\nqe-gpei-4node-1   Ready,SchedulingDisabled   compute   2m        v1.11.0+d4cacc0\n", "returncode": 0}, "state": "present"}

...

TASK [Restart docker] **********************************************************
changed: [ci-vm-10-0-148-101.hosted.upshift.rdu2.redhat.com] => {"attempts": 1, "changed": true, "name": "docker", "state": "started", "status": {"ActiveEnterTimestamp": "Sat 2019-11-09 00:40:42 EST", "ActiveEnterTimestampMonotonic": "313678084...

TASK [restart node] ************************************************************
changed: [ci-vm-10-0-148-101.hosted.upshift.rdu2.redhat.com] => {"changed": true, "name": "atomic-openshift-node", "state": "started", "status": {"ActiveEnterTimestamp": "Sat 2019-11-09 01:02:59 EST", "ActiveEnterTimestampMonotonic": "1650236299"...
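
A post-install check for the condition verified above, added here as an example and not code from the bug report or from openshift-ansible: it confirms that every certificate in the custom chain is actually present in the node's extracted trust bundle after `update-ca-trust extract`, by comparing SHA-256 fingerprints over the DER bytes. The anchor file name org-chain.pem under /etc/pki/ca-trust/source/anchors/ is an assumption about the deployment; the sample PEM blocks are constructed stand-ins, not real X.509 certificates.

```python
import base64
import hashlib
import re

# Standard RHEL ca-trust paths; the anchor file name is an assumption.
ANCHOR_PATH = "/etc/pki/ca-trust/source/anchors/org-chain.pem"
BUNDLE_PATH = "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_fingerprints(pem_text):
    """SHA-256 hex fingerprints of each CERTIFICATE block in a PEM bundle.
    Hashing the decoded base64 body (the DER bytes) gives the same value
    `openssl x509 -noout -fingerprint -sha256` prints, without X.509 parsing."""
    fps = set()
    for body in PEM_CERT.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        fps.add(hashlib.sha256(der).hexdigest())
    return fps


def missing_anchors(chain_pem, bundle_pem):
    """Fingerprints from the custom chain that the extracted bundle lacks;
    an empty set means `update-ca-trust extract` has picked them all up."""
    return pem_fingerprints(chain_pem) - pem_fingerprints(bundle_pem)


def check_node(anchor_path=ANCHOR_PATH, bundle_path=BUNDLE_PATH):
    """Run the comparison against the real files on a node."""
    with open(anchor_path) as a, open(bundle_path) as b:
        return missing_anchors(a.read(), b.read())


def _constructed_cert(label):
    """Constructed PEM block for the offline demo: arbitrary bytes, not a real
    certificate, which is enough because only the DER bytes are hashed."""
    body = base64.b64encode(label.encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed sample data: a two-cert org chain, the bundle before
# `update-ca-trust extract` ran (system CA only) and the bundle after.
SYSTEM_CA = _constructed_cert("system-ca")
CONSTRUCTED_CHAIN = _constructed_cert("org-root") + _constructed_cert("org-issuing")
BUNDLE_BEFORE_EXTRACT = SYSTEM_CA
BUNDLE_AFTER_EXTRACT = SYSTEM_CA + CONSTRUCTED_CHAIN
```

On a node, `check_node()` returning a non-empty set reproduces the original failure state (chain copied but trust not extracted); an empty set matches the post-fix bootstrap output shown above.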

Comment 11 errata-xmlrpc 2019-11-18 14:52:08 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3817