Description of problem:
Upgrade v3.6 ocp to v3.7; servingInfo.clientCA in master.config should be updated from ca-bundle.crt to ca.crt, because setting servingInfo.clientCA to ca-bundle.crt can cause unwanted client cert popups in the browser when hitting the console (refer to bug 1493276).

<--snip-->
servingInfo:
  bindAddress: 0.0.0.0:443
  bindNetwork: tcp4
  certFile: master.server.crt
  clientCA: ca-bundle.crt
  keyFile: master.server.key

fresh installation:
<--snip-->
servingInfo:
  bindAddress: 0.0.0.0:443
  bindNetwork: tcp4
  certFile: master.server.crt
  clientCA: ca.crt
  keyFile: master.server.key

Version-Release number of the following components:
openshift-ansible-3.7.0-0.150.0.git.0.15c09f1.el7.noarch

How reproducible:
always

Steps to Reproduce:
1. Install ocp v3.6
2. Upgrade v3.6 to v3.7
3.

Actual results:
servingInfo.clientCA was not updated to ca.crt.

Expected results:
servingInfo.clientCA should be updated to the same as fresh installation.

Additional info:
Please attach logs from ansible-playbook with the -vvv flag
https://github.com/openshift/openshift-ansible/pull/5749
Version: openshift-ansible-3.7.0-0.179.0.git.0.a2641b6.el7.noarch

Still hit the issue.

# cat /etc/origin/master/master-config.yaml |grep -A 7 "^servingInfo"
servingInfo:
  bindAddress: 0.0.0.0:8443
  bindNetwork: tcp4
  certFile: master.server.crt
  clientCA: ca-bundle.crt
  keyFile: master.server.key
  maxRequestsInFlight: 500
  requestTimeoutSeconds: 3600

# openshift version
openshift v3.7.0-0.178.0
kubernetes v1.7.6+a08f5eeb62
etcd 3.2.8

Seems the whole playbook master_config_upgrade.yml was not run.
https://github.com/openshift/openshift-ansible/pull/5875 should address the master_config_upgrade.yml not running during full upgrade.
Verified on atomic-openshift-utils-3.7.0-0.189.0.git.0.d497c5e.el7.noarch.

before:
servingInfo:
  bindAddress: 0.0.0.0:8443
  bindNetwork: tcp4
  certFile: master.server.crt
  clientCA: ca-bundle.crt

after:
servingInfo:
  bindAddress: 0.0.0.0:8443
  bindNetwork: tcp4
  certFile: master.server.crt
  clientCA: ca.crt
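A post-upgrade check for the setting discussed in this bug, as an added example that is not part of the bug report or of openshift-ansible: it reads only the top-level servingInfo block (the same anchor as the grep used in the thread) and reports whether clientCA is ca.crt. The function names and the sample files, including the nested assetConfig block, are constructed for illustration.

```shell
# Added example: verify servingInfo.clientCA in a master config after upgrade.

serving_client_ca() {
    # $1: path to the master config; prints the top-level servingInfo.clientCA
    awk '
        /^servingInfo:[[:space:]]*$/ { in_block = 1; next }
        # any other unindented key ends the servingInfo block
        in_block && /^[^[:space:]#]/ { in_block = 0 }
        in_block && /^[[:space:]]+clientCA:/ {
            sub(/^[[:space:]]+clientCA:[[:space:]]*/, "")
            sub(/[[:space:]]+$/, "")
            gsub(/"/, "")
            print
            exit
        }
    ' "$1"
}

check_client_ca() {
    # returns 0 = ca.crt, 1 = some other value, 2 = key missing or empty
    value=$(serving_client_ca "$1")
    if [ -z "$value" ]; then
        echo "MISSING: no servingInfo.clientCA in $1"; return 2
    fi
    if [ "$value" = "ca.crt" ]; then
        echo "OK: servingInfo.clientCA=$value"; return 0
    fi
    echo "STALE: servingInfo.clientCA=$value (fresh 3.7 install uses ca.crt)"
    return 1
}

write_sample() {
    # $1: output path, $2: clientCA value for the top-level block (constructed data)
    cat > "$1" <<EOF
assetConfig:
  servingInfo:
    certFile: master.server.crt
    clientCA: ""
servingInfo:
  bindAddress: 0.0.0.0:8443
  certFile: master.server.crt
  clientCA: $2
  keyFile: master.server.key
EOF
}

# Demo on constructed files, not taken from a real cluster.
tmp=$(mktemp -d)
write_sample "$tmp/upgraded.yaml" ca-bundle.crt
write_sample "$tmp/fresh.yaml" ca.crt
check_client_ca "$tmp/upgraded.yaml" || true
check_client_ca "$tmp/fresh.yaml" || true
rm -rf "$tmp"
```

On a master, point check_client_ca at /etc/origin/master/master-config.yaml, the path used in the thread.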
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2017:3188