Description of problem:
Customer added named certificates to ansible hosts file, and ran certificate redeploy playbook, however certs were not added to master-config.yaml

Version-Release number of selected component (if applicable):
3.5.0

How reproducible:
Unconfirmed

Steps to Reproduce:
1. Add certs to hosts file
2. Run cert redeploy playbook

Actual results:
Still serving openshift signed certs

Expected results:
Serve custom named ca

Additional info:
If this is intended behavior then we can consider this an RFE instead
https://github.com/openshift/openshift-ansible/pull/4602
Verify this bug with openshift-ansible-3.6.135-1.git.0.5533fe3.el7.noarch

For an existing ocp-3.6 env, add named certificates to ansible hosts file
openshift_master_overwrite_named_certificates=true
openshift_master_named_certificates=[{"certfile": "/root/master-custom-cert-com.crt", "keyfile": "/root/master-custom-cert-com.key", "cafile": "/root/master-custom-cert-com-ca.crt"}]

Run certificate redeploy playbook
ansible-playbook -i bug /usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/redeploy-certificates.yml

After playbook finished, check the master config file
[root@qe-gpei-etcd-sc-master-1 master]# grep -A 4 namedCertificates master-config.yaml
  namedCertificates:
  - certFile: /etc/origin/master/named_certificates/master-custom-cert-com.crt
    keyFile: /etc/origin/master/named_certificates/master-custom-cert-com.key
    names:
    - master.custom-cert.com
[root@qe-gpei-etcd-sc-master-1 master]# ls named_certificates/
master-custom-cert-com-ca.crt  master-custom-cert-com.crt  master-custom-cert-com.key
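A post-redeploy check for the symptom in this report, added here as an example and not part of openshift-ansible or of the comments above: it compares the inventory's openshift_master_named_certificates entries with the namedCertificates block of master-config.yaml and lists the paths the config does not reference. The function names, the BROKEN_CONFIG excerpt and the indentation-based scan (used instead of a YAML library) are assumptions made for illustration.

```python
import json
import posixpath
import re

NAMED_DIR = "/etc/origin/master/named_certificates"  # directory seen in the grep output
# Constructed samples: inventory lines from the comment, two master-config.yaml excerpts.
INVENTORY = '''openshift_master_overwrite_named_certificates=true
openshift_master_named_certificates=[{"certfile": "/root/master-custom-cert-com.crt", "keyfile": "/root/master-custom-cert-com.key", "cafile": "/root/master-custom-cert-com-ca.crt"}]
'''
BROKEN_CONFIG = """servingInfo:
  certFile: master.server.crt
  keyFile: master.server.key
"""
FIXED_CONFIG = BROKEN_CONFIG + """  namedCertificates:
  - certFile: /etc/origin/master/named_certificates/master-custom-cert-com.crt
    keyFile: /etc/origin/master/named_certificates/master-custom-cert-com.key
    names:
    - master.custom-cert.com
"""

def inventory_named_certs(text):
    m = re.search(r"^openshift_master_named_certificates=(.*)$", text, re.M)
    return json.loads(m.group(1)) if m else []

def config_named_cert_paths(text):
    # Collect certFile/keyFile values inside the namedCertificates block only,
    # so the default servingInfo certFile/keyFile are not mistaken for named certs.
    paths, key_indent = set(), None
    for line in text.splitlines():
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())
        if not stripped:
            continue
        if key_indent is None:
            if stripped.startswith("namedCertificates:"):
                key_indent = indent
            continue
        # The block ends at the next key that is neither deeper nor a list item.
        if indent < key_indent or (indent == key_indent and not stripped.startswith("- ")):
            break
        m = re.match(r"(?:- )?(certFile|keyFile):\s*(\S+)", stripped)
        if m:
            paths.add(m.group(2))
    return paths

def missing_named_certs(inventory_text, config_text):
    present = config_named_cert_paths(config_text)
    expected = [posixpath.join(NAMED_DIR, posixpath.basename(e[f]))
                for e in inventory_named_certs(inventory_text) for f in ("certfile", "keyfile")]
    return [p for p in expected if p not in present]
```

An empty list from missing_named_certs means every inventory entry is referenced in the config; it does not confirm which certificate the API endpoint actually presents to clients.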
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:1716
*** Bug 1615025 has been marked as a duplicate of this bug. ***
*** Bug 1615026 has been marked as a duplicate of this bug. ***