Bug 1419182 - [ocp-on-osp] openshift-heat-templates do not allow OSP communication with SSL - need CA cert
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Reference Architecture
Version: 3.4.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Ryan Cook
QA Contact: Johnny Liu
Depends On:
Reported: 2017-02-03 20:14 UTC by Mark Lamourine
Modified: 2018-06-22 15:08 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2018-06-22 15:08:33 UTC
Target Upstream Version:

Description Mark Lamourine 2017-02-03 20:14:15 UTC
Description of problem:

OSP services may require SSL for API communication.  The SSL connection will require a valid CA certificate to validate the OSP SSL certificate.  The CA certificate must be present on all OCP instances that can interact with the hosting OSP service.  This includes all nodes which may request resources like cinder volumes on behalf of container creators.

The openshift-heat-templates do not provide a way for the OCP deployer to submit the CA certificate or a way to hand off that certificate to the openshift-ansible playbooks so that they in turn can set the CA certificate as needed. 

Version-Release number of selected component (if applicable):

How reproducible:

Attempt to run openshift-heat-templates installation of OCP3 on an OSP that has SSL communications enabled.

Steps to Reproduce:

Actual results:

os-collect-config on the bastion host will fail to connect and communicate with the OSP service citing insecure communications.

kubelet services on the OCP nodes will fail to connect and communicate with the OSP service citing insecure communications.

Expected results:

os-collect-config and kubelet communications with OSP over SSL succeed.

Additional info:

Comment 1 Wolfram Richter 2017-03-23 15:26:41 UTC
I injected a custom CA cert to allow it to work on an SSL-enabled OSP as follows: https://github.com/redhat-openstack/openshift-on-openstack/pull/327

Comment 2 Roberto Polli 2017-05-24 15:01:18 UTC
Merged https://github.com/redhat-openstack/openshift-on-openstack/pull/327

Worth closing?
