Bug 1880784
Summary: | [3.11] - If cafile is not defined in named certificates - components like web console, prometheus will not trust the masterPublicURL | |
---|---|---|---
Product: | OpenShift Container Platform | Reporter: | Vladislav Walek <vwalek>
Component: | Installer | Assignee: | Russell Teague <rteague>
Installer sub component: | openshift-ansible | QA Contact: | Gaoyun Pei <gpei>
Status: | CLOSED ERRATA | Docs Contact: |
Severity: | high | |
Priority: | medium | CC: | rteague
Version: | 3.11.0 | |
Target Milestone: | --- | |
Target Release: | 3.11.z | |
Hardware: | Unspecified | |
OS: | Unspecified | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2020-12-16 12:35:06 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Description
Vladislav Walek
2020-09-20 00:04:59 UTC
To correct the description, the CA is added to the bundle with: https://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_master_certificates/tasks/main.yml#L75-L97

There is no customer case attached to this bug. Therefore, for 3.11, which is in maintenance phase, high priority is not accurate. Lowering.

If this is going to fail an install, it may be prudent to do this validation much sooner in the process to prevent late failures. Also, this needs to be clearly documented if installs that would normally succeed will now fail.

This is not a 3.11 release blocker.

Hey Russell,
>> If this is going to fail an install, it may be prudent to do this validation much sooner in the process to prevent late failures.
>> Also, this needs to be clearly documented if installs that would normally succeed will now fail.
Yeah, I agree that it would prevent the installation. My idea was that this should just inform the admin that if this is missed, the cluster will have problems after installation.
Maybe the approach of a debug message only, without failing, would be a better option; however, then it shows the message only as 'ok' and not as a warning.
Thinking about it, failing is not a good option and I will rework the PR.
Maybe it also needs better documentation.
Hey Russell, I will rework that and create a draft in a different branch of my fork. I have a better idea for doing that. I will let you know then.

Verified this bug with openshift-ansible-3.11.322-1.git.0.ef8d7eb.el7.noarch.rpm.

1. When no "cafile" parameter is set in openshift_master_named_certificates:

```
openshift_master_named_certificates=[{"certfile": "/files/to/custom_hostname.pem", "keyfile": "/files/to/custom_hostname.key.pem"}]
```

The fresh install fails at the pre-check step:

```
TASK [Fail if the cafile is not configured when using openshift_master_named_certificates] ***
Thursday 26 November 2020  11:39:25 +0800 (0:00:00.900)       0:01:13.786 *****
fatal: [ci-vm-10-0-151-6.hosted.upshift.rdu2.redhat.com]: FAILED! => {"changed": false, "msg": "The cafile is not configured in openshift_named_certificates. The cafile must be configured for the cluster's components to trust the named certificate signer. Set 'openshift_named_certificate_omit_cafile=true' to skip this error.\n"}
```

By setting "openshift_named_certificate_omit_cafile=true" in the ansible inventory file, the installation could bypass this check.

2. With the "cafile" parameter set in openshift_master_named_certificates:

```
openshift_master_named_certificates=[{"certfile": "/files/to/custom_hostname.pem", "keyfile": "/files/to/custom_hostname.key.pem", "cafile": "/files/to/custom_hostname_ca.pem"}]
```

After installation, check the /etc/origin/master/ca-bundle.crt file: "custom_hostname_ca.pem" was added to the file.

Select one prometheus pod:

```
# oc -n openshift-monitoring rsh prometheus-k8s-0
sh-4.2$ cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
....
```

The full content of the ca-bundle.crt file was in the serviceaccount ca.crt.

Move this bug to verified.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 3.11.343 security and bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2020:5363
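As an added example (not openshift-ansible's own code, and not part of the bug thread above), the two checks this thread converges on, written as a small Python script: the inventory pre-check that fails an install when a named certificate entry has no cafile unless openshift_named_certificate_omit_cafile is set, and the post-install verification that the CA from cafile actually ended up in /etc/origin/master/ca-bundle.crt and in a pod's serviceaccount ca.crt. The inventory paths are the placeholders from the bug, the PEM blocks are constructed (base64 of a short label, not real certificates, so the script runs offline), and treating the omit flag as a downgrade to a warning rather than skipping the check is this example's own choice.

```python
import base64
import hashlib
import re

# Matches every certificate block in a PEM bundle such as ca-bundle.crt or
# the serviceaccount ca.crt; re.S lets the body span lines.
_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)

CAFILE_MSG = ("cafile is not configured; the cluster's components will not "
              "trust the named certificate signer")


def check_named_certificates(named_certs, omit_cafile=False):
    """Return (index, level, message) problems for named-certificate entries.

    Modelled on the pre-check from the fix: without "cafile" the signer is
    never appended to ca-bundle.crt, so web console, prometheus and friends
    will not trust masterPublicURL. With omit_cafile=True the missing cafile
    is reported as a warning instead of an error (this example's choice).
    """
    problems = []
    for i, entry in enumerate(named_certs):
        for key in ("certfile", "keyfile"):
            if key not in entry:
                problems.append((i, "error", f"missing '{key}'"))
        if "cafile" not in entry:
            level = "warning" if omit_cafile else "error"
            problems.append((i, level, CAFILE_MSG))
    return problems


def cert_fingerprints(pem_text):
    """SHA-256 fingerprints of the DER form of every certificate in a bundle.

    Comparing DER hashes means a re-wrapped or re-indented copy of the same
    certificate still matches.
    """
    fps = set()
    for body in _PEM_CERT.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        fps.add(hashlib.sha256(der).hexdigest())
    return fps


def missing_from_bundle(cafile_pem, bundle_pem):
    """Fingerprints of CA certs in cafile that are absent from bundle_pem.

    Run it against /etc/origin/master/ca-bundle.crt on a master and against
    /var/run/secrets/kubernetes.io/serviceaccount/ca.crt inside a pod; an
    empty result means the named-certificate signer reached that trust store.
    """
    return cert_fingerprints(cafile_pem) - cert_fingerprints(bundle_pem)


def constructed_pem(label: bytes) -> str:
    """A PEM-shaped block whose body is just base64 of `label`.

    Constructed sample data so the example runs offline; it is not a real
    X.509 certificate and would not parse as one.
    """
    body = base64.b64encode(label).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def demo():
    # Inventory shapes from the bug, with the bug's placeholder paths.
    without_cafile = [{"certfile": "/files/to/custom_hostname.pem",
                       "keyfile": "/files/to/custom_hostname.key.pem"}]
    with_cafile = [dict(without_cafile[0],
                        cafile="/files/to/custom_hostname_ca.pem")]

    results = {
        "no_cafile": check_named_certificates(without_cafile),
        "no_cafile_omit": check_named_certificates(without_cafile,
                                                   omit_cafile=True),
        "with_cafile": check_named_certificates(with_cafile),
    }

    # Constructed trust stores: the custom CA was appended to the master
    # bundle, but this pod's ca.crt still holds only the cluster CA.
    custom_ca = constructed_pem(b"custom_hostname_ca")
    cluster_ca = constructed_pem(b"cluster-ca")
    master_bundle = cluster_ca + custom_ca
    stale_pod_bundle = cluster_ca
    results["missing_on_master"] = missing_from_bundle(custom_ca, master_bundle)
    results["missing_in_pod"] = missing_from_bundle(custom_ca, stale_pod_bundle)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Against a live cluster, feed the real files to missing_from_bundle (the cafile from the inventory, then the master's ca-bundle.crt, then the ca.crt read from inside a pod as the QA comment did); a non-empty result for the pod while the master bundle is complete points at a trust store that was populated before the bundle was updated.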