Bug 1454478 - Ansible redeploy certs playbook won't update masters with provided named certs
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Cluster Version Operator
Version: 3.5.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Andrew Butcher
QA Contact: Gaoyun Pei
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-05-22 20:45 UTC by Steven Walter
Modified: 2020-08-13 09:13 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Previously, the certificate redeployment playbook would not update master configuration when named certificates were provided. Named certificates will now be replaced and master configuration will be updated during certificate redeployment.
Clone Of:
Environment:
Last Closed: 2017-08-10 05:25:32 UTC
Target Upstream Version:
Embargoed:



Links
System: Red Hat Product Errata
ID: RHEA-2017:1716
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: Red Hat OpenShift Container Platform 3.6 RPM Release Advisory
Last Updated: 2017-08-10 09:02:50 UTC

Description Steven Walter 2017-05-22 20:45:58 UTC
Description of problem:
Customer added named certificates to the Ansible hosts file and ran the certificate redeploy playbook; however, the certs were not added to master-config.yaml.

Version-Release number of selected component (if applicable):
3.5.0

How reproducible:
Unconfirmed

Steps to Reproduce:
1. Add certs to hosts file
2. Run cert redeploy playbook

Actual results:
Still serving openshift signed certs

Expected results:
Serve custom named ca

Additional info:
If this is intended behavior, then we can consider this an RFE instead.

Comment 8 Gaoyun Pei 2017-07-06 08:00:54 UTC
Verify this bug with openshift-ansible-3.6.135-1.git.0.5533fe3.el7.noarch

For an existing ocp-3.6 env, add named certificates to ansible hosts file

openshift_master_overwrite_named_certificates=true
openshift_master_named_certificates=[{"certfile": "/root/master-custom-cert-com.crt", "keyfile": "/root/master-custom-cert-com.key", "cafile": "/root/master-custom-cert-com-ca.crt"}]

Run certificate redeploy playbook
ansible-playbook -i bug /usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/redeploy-certificates.yml

After playbook finished, check the master config file
[root@qe-gpei-etcd-sc-master-1 master]# grep -A 4 namedCertificates master-config.yaml
  namedCertificates:
  - certFile: /etc/origin/master/named_certificates/master-custom-cert-com.crt
    keyFile: /etc/origin/master/named_certificates/master-custom-cert-com.key
    names:
    - master.custom-cert.com
[root@qe-gpei-etcd-sc-master-1 master]# ls named_certificates/
master-custom-cert-com-ca.crt  master-custom-cert-com.crt  master-custom-cert-com.key
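
A post-redeploy check for the verification in Comment 8, as an added example that is not part of the bug report or of openshift-ansible: it compares the openshift_master_named_certificates inventory value with the namedCertificates blocks of master-config.yaml and reports any cert or key path the master config does not reference. The sample data is constructed from the values in Comment 8, the function names are hypothetical, and it assumes the playbook copies the files into /etc/origin/master/named_certificates under their original base names, as that comment shows.

```python
import json
import posixpath
# Constructed sample data mirroring the values shown in Comment 8.
INVENTORY_VALUE = ('[{"certfile": "/root/master-custom-cert-com.crt", "keyfile": "/root/master-custom-cert-com.key",'
                   ' "cafile": "/root/master-custom-cert-com-ca.crt"}]')
MASTER_CONFIG = """\
servingInfo:
  namedCertificates:
  - certFile: /etc/origin/master/named_certificates/master-custom-cert-com.crt
    keyFile: /etc/origin/master/named_certificates/master-custom-cert-com.key
    names:
    - master.custom-cert.com
  requestTimeoutSeconds: 3600
"""
CERT_DIR = "/etc/origin/master/named_certificates"  # assumption: directory seen in Comment 8

def named_cert_entries(config_text):
    """Collect namedCertificates entries; a key at or left of the block's indent ends a block."""
    entries, block_indent, names_indent = [], None, None
    for line in config_text.splitlines():
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())
        is_item = stripped.startswith("- ")
        if stripped and block_indent is not None and (indent < block_indent or (indent == block_indent and not is_item)):
            block_indent = names_indent = None
        if block_indent is None or not stripped:
            if stripped.startswith("namedCertificates:"):
                block_indent = indent
            continue
        if is_item and names_indent is not None and indent >= names_indent:
            entries[-1]["names"].append(stripped[2:].strip())  # hostname under "names:"
            continue
        names_indent = None
        if is_item:  # "- certFile: ..." opens a new certificate entry
            entries.append({"names": []})
            stripped = stripped[2:].strip()
        key, _, value = stripped.partition(":")
        if key == "names":
            names_indent = indent
        elif entries:
            entries[-1][key] = value.strip().strip("\"'")
    return entries

def missing_named_certs(inventory_value, config_text):
    """Return the cert/key paths the inventory implies but the master config lacks."""
    configured = {e.get(f) for e in named_cert_entries(config_text) for f in ("certFile", "keyFile")}
    wanted = [posixpath.join(CERT_DIR, posixpath.basename(c[f]))
              for c in json.loads(inventory_value) for f in ("certfile", "keyfile")]
    return [path for path in wanted if path not in configured]
```

An empty list from missing_named_certs means every inventory certificate is referenced by the master config; a non-empty list is the symptom this bug describes.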

Comment 10 errata-xmlrpc 2017-08-10 05:25:32 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:1716

Comment 11 Scott Dodson 2018-08-15 13:29:02 UTC
*** Bug 1615025 has been marked as a duplicate of this bug. ***

Comment 12 Scott Dodson 2018-08-15 13:29:53 UTC
*** Bug 1615026 has been marked as a duplicate of this bug. ***
