Description of problem:
When deploying a pod on a native HA master env, the deployer pod failed to get running with error "the server has asked for the client to provide credentials".

Version-Release number of selected component (if applicable):
https://github.com/openshift/openshift-ansible master
AtomicOpenShift/3.2/2016-02-22.3

How reproducible:
Always

Steps to Reproduce:
1. Set up a native HA master env of ose-3.2 with ansible playbook
2. After installation, check the router pod

Actual results:
[root@openshift-126 ~]# oc get pod
NAME              READY     STATUS    RESTARTS   AGE
router-1-deploy   0/1       Error     0          1h
[root@openshift-126 ~]# oc logs router-1-deploy
F0223 01:54:43.693355 1 deployer.go:69] couldn't get deployment default/router-1: the server has asked for the client to provide credentials (get replicationControllers router-1)

Tried to re-deploy the router, still got the same error.

Expected results:
Should deploy router successfully.

Additional info:
It works well on single master env.

Seems only the first master works well in an HA master env, which is similar to https://bugzilla.redhat.com/show_bug.cgi?id=1245176, caused by incorrect master certificates on the other master. Noticed that the masters' certificates were generated differently after commit dc8938e01202db0464e54becf4812c3191ce2d51 was merged. So when stopping the atomic-openshift-master-controllers service on the first master and then trying to deploy the docker-registry pod, one would get the error in Comment 1.

Proposed fix: https://github.com/openshift/openshift-ansible/pull/1506

Verified this bug with openshift-ansible-3.0.47-1.git.59.b3c4104.el7.noarch

After installing a native HA master env using openshift-ansible, the docker-registry and router pods could both be deployed. The following test scenarios all passed:
1. Stop the atomic-openshift-master-controllers service on the first master, re-deploy the pods
2. Change the controllers lease back to the first master, re-deploy the pods

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2016:1065