Description of problem:
OSP services may require SSL for API communication. The SSL connection will require a valid CA certificate to validate the OSP SSL certificate. The CA certificate must be present on all OCP instances that can interact with the hosting OSP service. This includes all nodes which may request resources like cinder volumes on behalf of container creators.

The openshift-heat-templates do not provide a way for the OCP deployer to submit the CA certificate or a way to hand off that certificate to the openshift-ansible playbooks so that they in turn can set the CA certificate as needed.

Version-Release number of selected component (if applicable):

How reproducible:
Attempt to run openshift-heat-templates installation of OCP3 on an OSP that has SSL communications enabled.

Steps to Reproduce:
1.
2.
3.

Actual results:
os-collect-config on the bastion host will fail to connect and communicate with the OSP service, citing insecure communications.
kubelet services on the OCP nodes will fail to connect and communicate with the OSP service, citing insecure communications.

Expected results:
os-collect-config and kubelet communications with OSP over SSL succeed.

Additional info:

I injected a custom CA cert to allow it to work on an SSL-enabled OSP as follows: https://github.com/redhat-openstack/openshift-on-openstack/pull/327

Merged https://github.com/redhat-openstack/openshift-on-openstack/pull/327
Worth closing?