Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1553102

Summary: Ansible redeploy cert playbook won't update masters with provided named certs
Product: OpenShift Container Platform
Component: Installer
Version: 3.9.0
Hardware: Unspecified
OS: Unspecified
Status: CLOSED WONTFIX
Severity: high
Priority: medium
Target Milestone: ---
Target Release: 3.11.z
Keywords: Triaged
Type: Bug
Reporter: Gaoyun Pei <gpei>
Assignee: Scott Dodson <sdodson>
QA Contact: Gaoyun Pei <gpei>
CC: aos-bugs, erich, itewksbu, jokerman, jrosenta, klaas, mgugino, mmccomas, mmckinst, nbhatt, oarribas, rsandu, smulholland, snalawad, wsun
Doc Type: If docs needed, set a value
Last Closed: 2019-01-29 13:28:21 UTC
Attachments:
Ansible output of redeploy-certificates.yml (flags: none)

Description Gaoyun Pei 2018-03-08 10:07:19 UTC
Description of problem:
Added named certificates to the Ansible inventory file and ran the certificate redeploy playbook, but the provided certs were not added to master-config.yaml.


Version-Release number of the following components:
openshift-ansible-3.9.3-1.git.0.e166207.el7.noarch
ansible-2.4.4-0.1.beta1.el7ae.noarch

How reproducible:
Always

Steps to Reproduce:
1. Add the following two options to the Ansible inventory file:
openshift_master_overwrite_named_certificates=true
openshift_master_named_certificates=[{"certfile": "/root/x/12817_named.crt", "keyfile": "/root/x/12817_named.key","cafile": "/root/x/12817_named_ca.pem"}]


2. Run the cert redeploy playbook against the 3.9 cluster:
ansible-playbook -i host/host -vvv /usr/share/ansible/openshift-ansible/playbooks/redeploy-certificates.yml


Actual results:
After the playbook finished, the provided named cert files were uploaded to the master:
[root@ip-172-18-1-172 ~]# ls /etc/origin/master/named_certificates/
12817_named_ca.pem  12817_named.crt  12817_named.key

But no namedCertificates were configured in master-config.yaml.


Expected results:

Additional info:
Full log attached

Comment 1 Gaoyun Pei 2018-03-08 10:11:05 UTC
Created attachment 1405798 [details]
Ansible output of redeploy-certificates.yml

Comment 2 Scott Dodson 2018-03-08 13:17:43 UTC
This does not appear to be a regression. At least when reviewing the 3.7 codebase, I don't see anything that would configure masters to use named_certificates if they had not previously been configured to use them. If a host was configured for named_certificates at install time, it would update the certificates as expected but not modify the master config to add any additional named_certificates.

So moving this to 3.9.z

Comment 3 Scott Dodson 2018-05-21 12:38:07 UTC
*** Bug 1564494 has been marked as a duplicate of this bug. ***

Comment 13 Scott Dodson 2019-01-29 13:28:21 UTC
At this time we do not plan to fix this in 3.x and this implementation in openshift-ansible is no longer relevant in 4.0. Our suggestion is to amend the master-config.yaml after adding namedCertificates according to the options documented here 

https://docs.openshift.com/container-platform/3.11/install_config/certificate_customization.html#configuring-custom-certificates

Once the master configuration is updated those changes should persist for all future upgrades.
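Comment 13 leaves the master-config.yaml edit to the operator. The following is an added example written for this page, not openshift-ansible code and not part of the bug report: a small Python helper that turns openshift_master_named_certificates-style entries (the shape shown in the report, plus an explicit "names" list, which the report's entry omits) into the servingInfo.namedCertificates stanza described in the linked 3.11 docs, merges it with whatever the master already serves, and prints YAML to paste under servingInfo. The function names, the sample data, the "names is required" rule, and the reading of what overwrite=true should mean are all this example's own assumptions.

```python
"""Build the servingInfo.namedCertificates stanza for an OpenShift 3.x
master-config.yaml from openshift_master_named_certificates-style entries.

Added example for this bug report; it is not openshift-ansible code.
Assumptions: input entries follow the inventory variable shown in the
report (certfile/keyfile/cafile) plus an explicit "names" list; output
follows the 3.11 certificate-customization docs (certFile/keyFile/names
under servingInfo). The overwrite semantics below are this example's own
reading of openshift_master_overwrite_named_certificates, not the playbook's.
"""
import json
import os
from typing import Dict, List

# Where the playbook copied the files on the master (seen in the report).
# master-config.yaml paths are relative to /etc/origin/master.
NAMED_CERT_DIR = "named_certificates"


def inventory_to_config_entry(inv: Dict) -> Dict:
    """Translate one inventory entry into master-config form.

    An empty "names" list is rejected rather than guessed: the master
    selects a serving cert by SNI name, so an entry without names would
    never be used, and inferring names from the cert would hide that.
    cafile is deliberately not carried over: the stanza has no field for
    it (the CA belongs in the master's CA bundle, handled elsewhere).
    """
    names = list(inv.get("names") or [])
    if not names:
        raise ValueError(f"{inv.get('certfile')}: 'names' is required")
    return {
        "certFile": f"{NAMED_CERT_DIR}/{os.path.basename(inv['certfile'])}",
        "keyFile": f"{NAMED_CERT_DIR}/{os.path.basename(inv['keyfile'])}",
        "names": names,
    }


def merge_named_certificates(existing: List[Dict], new: List[Dict],
                             overwrite: bool) -> List[Dict]:
    """Return the merged namedCertificates list.

    Two new entries claiming the same name is an error (ambiguous SNI).
    overwrite=True: existing entries sharing any name with a new entry
    are dropped and the new entries appended.
    overwrite=False: existing entries win; a new entry that clashes with
    an existing name is skipped entirely.
    """
    claimed: Dict[str, str] = {}
    for entry in new:
        for name in entry["names"]:
            if name in claimed:
                raise ValueError(
                    f"{name!r} claimed by both {claimed[name]} and {entry['certFile']}")
            claimed[name] = entry["certFile"]

    merged: List[Dict] = []
    blocked = set()
    for entry in existing:
        clash = set(entry["names"]) & set(claimed)
        if clash and overwrite:
            continue           # replaced by the new entry below
        if clash:
            blocked |= clash   # existing wins; remember what to skip
        merged.append(entry)
    for entry in new:
        if blocked & set(entry["names"]):
            continue
        merged.append(entry)
    return merged


def render_named_certificates(entries: List[Dict], indent: int = 2) -> str:
    """Emit the stanza as YAML text, indented to sit under servingInfo:.

    Names are written as JSON strings, which YAML reads as double-quoted
    scalars, so a wildcard like "*.apps.example.com" is not mistaken for
    a YAML alias.
    """
    pad = " " * indent
    lines = [f"{pad}namedCertificates:"]
    for e in entries:
        lines.append(f"{pad}- certFile: {e['certFile']}")
        lines.append(f"{pad}  keyFile: {e['keyFile']}")
        lines.append(f"{pad}  names:")
        lines.extend(f"{pad}  - {json.dumps(n)}" for n in e["names"])
    return "\n".join(lines) + "\n"


# Constructed sample data: one entry already in master-config.yaml, and the
# inventory entry from the report with hypothetical hostnames added.
EXISTING = [{"certFile": "named_certificates/old.crt",
             "keyFile": "named_certificates/old.key",
             "names": ["master.example.com"]}]
INVENTORY = [{"certfile": "/root/x/12817_named.crt",
              "keyfile": "/root/x/12817_named.key",
              "cafile": "/root/x/12817_named_ca.pem",
              "names": ["master.example.com", "api.example.com"]}]


def demo(overwrite: bool) -> List[Dict]:
    new = [inventory_to_config_entry(i) for i in INVENTORY]
    return merge_named_certificates(EXISTING, new, overwrite)


if __name__ == "__main__":
    print(render_named_certificates(demo(overwrite=True)))
```

Running the block prints the stanza for the overwrite case; paste it under servingInfo in master-config.yaml on each master and restart the master services as the linked docs describe. Keeping the merge separate from the rendering makes the overwrite decision reviewable before anything touches the file, which matters here because a wrong entry silently changes which certificate the API serves for a given SNI name.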