1. Proposed title of this feature request

[RFE] Allow users to add the CA for their named certificates to the generated CA by ansible installer

3. What is the nature and description of the request?

Same request as https://github.com/openshift/openshift-ansible/issues/1535, but I reported it here as a Red Hat customer's request.

7. Is there already an existing RFE upstream or in Red Hat Bugzilla?

- Upstream has the same request
  - https://github.com/openshift/openshift-ansible/issues/1535
- And they have already tested the patch mentioned here https://github.com/openshift/openshift-ansible/issues/1535#issuecomment-224187922 (and worked)

10. List any affected packages or components.

- Ansible installer

11. Would the customer be able to assist in testing this functionality if implemented?

- They have already tested the above partial patch.
> - And they have already tested the patch mentioned here https://github.com/openshift/openshift-ansible/issues/1535#issuecomment-224187922 (and worked)

Sorry, "they" means the customer and consultant who requested this RFE.
This feature was recently added to the master branch of openshift-ansible.

https://github.com/openshift/openshift-ansible/pull/2049
https://trello.com/c/0nKBEzbi
Verify this bug with openshift-ansible-3.2.22-1.git.0.7961a61.el7.noarch.rpm

Specify

    openshift_master_named_certificates=[{"certfile": "/path/to/custom1.crt", "keyfile": "/path/to/custom1.key","cafile": "/path/to/ca.crt"}]

in ansible inventory, after installation, check the named certs setting on master.

    [root@openshift-219 ~]# ls /etc/origin/master/named_certificates/
    ca.crt  custom1.crt  custom1.key

In /etc/origin/master/master-config.yaml, the named certs info was added correctly, "names" was detected correctly from custom1.crt.

    namedCertificates:
    - certFile: /etc/origin/master/named_certificates/custom1.crt
      keyFile: /etc/origin/master/named_certificates/custom1.key
      names:
      - "master.custom-cert.com"

The ca-bundle.crt works well for the custom name.

    [root@openshift-219 ~]# curl --cacert /etc/origin/master/ca-bundle.crt https://master.custom-cert.com:8443/
    {
      "paths": [
        "/api",
        "/api/v1",
        "/apis",
        "/controllers",
        "/healthz",
        "/healthz/ping",
        "/healthz/ready",
        "/metrics",
        "/oapi",
        "/oapi/v1",
        "/swaggerapi/"
      ]

The ca.crt on node also works well

    [root@openshift-211 ~]# curl --cacert /etc/origin/node/ca.crt https://master.custom-cert.com:8443/
    {
      "paths": [
        "/api",
        "/api/v1",
        "/apis",
        "/controllers",
        "/healthz",
        "/healthz/ping",
        "/healthz/ready",
        "/metrics",
        "/oapi",
        "/oapi/v1",
        "/swaggerapi/"
      ]
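The trust check behind the curl verification above can be reproduced offline. This is an added example, not part of the original comment or of openshift-ansible: it assumes the bundle is a plain PEM concatenation of the installer CA and the custom CA, and every file name and subject in it is constructed.

```shell
#!/bin/sh
# Added example. Every file name and subject below is constructed.

# build_fixtures DIR: two throwaway CAs plus a serving certificate for the
# custom name, signed by the second ("custom") CA only.
build_fixtures() {
    for ca in installer-ca custom-ca; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=constructed-$ca" \
            -keyout "$1/$ca.key" -out "$1/$ca.crt" >/dev/null 2>&1 || return 1
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=master.custom-cert.com" \
        -keyout "$1/custom1.key" -out "$1/custom1.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$1/custom1.csr" -days 1 \
        -CA "$1/custom-ca.crt" -CAkey "$1/custom-ca.key" -CAcreateserial \
        -out "$1/custom1.crt" >/dev/null 2>&1
}

# chains_to_bundle BUNDLE CERT: succeeds only if CERT verifies against a CA
# contained in BUNDLE.
chains_to_bundle() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
    dir=$(mktemp -d) || return 1
    build_fixtures "$dir" || return 1
    # Bundle as it would look without the "cafile" entry: installer CA only.
    cp "$dir/installer-ca.crt" "$dir/without-cafile.crt"
    # Bundle with the custom CA appended (assumed layout, see lead-in).
    cat "$dir/installer-ca.crt" "$dir/custom-ca.crt" > "$dir/ca-bundle.crt"
    for bundle in without-cafile.crt ca-bundle.crt; do
        if chains_to_bundle "$dir/$bundle" "$dir/custom1.crt"; then
            echo "$bundle: custom1.crt verifies"
        else
            echo "$bundle: custom1.crt is NOT trusted"
        fi
    done
    rm -rf "$dir"
}

demo
```
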
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2016:1639