Bug 1564494 - The Named certificate context in master-config.yaml is not updated by ansible-playbook redeploy-master-certificates
Status: CLOSED DUPLICATE of bug 1553102
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.7.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 3.11.0
Assignee: Scott Dodson
QA Contact: Gaoyun Pei
Reported: 2018-04-06 12:51 UTC by Sanket N
Modified: 2018-05-21 12:38 UTC (History)
Last Closed: 2018-05-21 12:38:07 UTC

Description Sanket N 2018-04-06 12:51:39 UTC
Description of problem:

We can add custom certificates to an existing cluster manually or by using ansible-playbook; refer to the doc [1].
It is observed that when creating the custom certificate with the redeploy-master-certificates.yml Ansible playbook, it only copies the certificates to all the master nodes but does not update the namedCertificates context in master-config.yaml.

For the custom certificates to come into effect the named certificate context is required in the master config file.
 

[1] https://docs.openshift.com/container-platform/3.7/install_config/certificate_customization.html#configuring-custom-certificates


################################################################
Version-Release number of the following components:
oc v3.7.23

$ rpm -q openshift-ansible
openshift-ansible-3.7.14-1.git.0.4b35b2d.el7.noarch

$ rpm -q ansible
ansible-2.4.1.0-1.el7.noarch

$ ansible --version
ansible 2.4.1.0
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.5 (default, May  3 2017, 07:55:04) [GCC 4.8.5 20150623 (Red Hat 4.8.5-14)]
###############################################################

How reproducible:

Steps to Reproduce:

1. Create custom certificate

# ls /root/san/
config  gss.lab.crt  gss.lab.key


2. Add the variable for Configuring Custom Certificates with Ansible

Snip -->/etc/ansible/hosts 
# If you would like openshift_master_named_certificates to be overwritten with
# the provided value, specify openshift_master_overwrite_named_certificates.
openshift_master_named_certificates=[{"certfile": "/root/san/gss.lab.crt", "keyfile": "/root/san/gss.lab.key", "names": ["gsslab.example.com"]}]
# Detected names may be overridden by specifying the "names" key
openshift_master_overwrite_named_certificates=true



3. Run the Ansible playbook to redeploy master certificates only.
# ansible-playbook /usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/redeploy-master-certificates.yml


#########################################################################################################################

Actual results:


PLAY RECAP ********************************************************************************************************************************************************************************************************
localhost         : ok=14   changed=0    unreachable=0    failed=0   
node2.redhat.com : ok=40   changed=2    unreachable=0    failed=0   
nfs.example.com : ok=26   changed=2    unreachable=0    failed=0   
node1.example.com : ok=40   changed=2    unreachable=0    failed=0   
master.example.com : ok=119  changed=17   unreachable=0    failed=0   



# No change in master-config file under asset

---------snip /etc/origin/master/master-config.yaml------>
apiVersion: v1
assetConfig:
  extensionScripts:
#  - /etc/origin/master/openshift-ansible-catalog-console.js
  loggingPublicURL: https://kibana.san.example.com
  logoutURL: ""
  masterPublicURL: https://master.example.com:8443
  metricsPublicURL: https://nfs.example.com/hawkular/metrics
  publicURL: https://master.example.com:8443/console/
  servingInfo:
    bindAddress: 0.0.0.0:8443
    bindNetwork: tcp4
    certFile: master.server.crt
    clientCA: ""
    keyFile: master.server.key
    maxRequestsInFlight: 0
    requestTimeoutSeconds: 0
authConfig:
  requestHeader:

......omitted......

servingInfo:
  bindAddress: 0.0.0.0:8443
  bindNetwork: tcp4
  certFile: master.server.crt
  clientCA: ca.crt
  keyFile: master.server.key
  maxRequestsInFlight: 500
  requestTimeoutSeconds: 3600
volumeConfig:
  dynamicProvisioningEnabled: true

------------------------------------------->


########################################################################################
Expected results:
The master-config file should get updated with the namedCertificates context under assetConfig

---------snip /etc/origin/master/master-config.yaml------>
apiVersion: v1
assetConfig:
  extensionScripts:
#  - /etc/origin/master/openshift-ansible-catalog-console.js
  loggingPublicURL: https://kibana.san.example.com
  logoutURL: ""
  masterPublicURL: https://master.example.com:8443
  metricsPublicURL: https://nfs.example.com/hawkular/metrics
  publicURL: https://master.example.com:8443/console/
  servingInfo:
    bindAddress: 0.0.0.0:8443
    bindNetwork: tcp4
    certFile: master.server.crt
    clientCA: ""
    keyFile: master.server.key
    maxRequestsInFlight: 0
    requestTimeoutSeconds: 0
    namedCertificates:
    - certFile: gss.lab.crt
      keyFile: gss.lab.key
      names:
      - "gsslab.example.com"
authConfig:
  requestHeader:

......omitted......

servingInfo:
  bindAddress: 0.0.0.0:8443
  bindNetwork: tcp4
  certFile: master.server.crt
  clientCA: ca.crt
  keyFile: master.server.key
  maxRequestsInFlight: 500
  requestTimeoutSeconds: 3600
  namedCertificates:
  - certFile: gss.lab.crt
    keyFile: gss.lab.key
    names:
    - "gsslab.example.com"
volumeConfig:
  dynamicProvisioningEnabled: true
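
A post-redeploy check for the condition described in this report, as an added example that is not part of the bug report or of openshift-ansible: it lists which servingInfo sections of a master-config.yaml still have no namedCertificates entry for a given name. The function name is hypothetical, and the parser assumes block-style YAML laid out like the snippets above.

```shell
#!/bin/sh
# Added example: list the servingInfo sections of a master-config.yaml (read
# from stdin) that have no namedCertificates entry for the name given as $1.
# Assumption: block-style YAML indented like the snippets in this report.

missing_named_cert_sections() {
    awk -v want="$1" '
    /^ *(#|$)/ { next }                        # skip comments and blank lines
    {
        line = $0
        sub(/^ +/, "", line); ind = length($0) - length(line)
        sub(/ +$/, "", line)
        if (ind == 0) {                        # new top-level key
            top = line; sub(/:.*/, "", top); sect = ""; in_nc = 0
        } else if (sect != "" && ind <= sect_ind) {
            sect = ""; in_nc = 0               # left the servingInfo block
        }
        if (line == "servingInfo:" && (ind == 0 || top == "assetConfig")) {
            sect = (ind == 0) ? "servingInfo" : "assetConfig.servingInfo"
            sect_ind = ind; in_nc = 0; next
        }
        if (sect == "") next
        if (line == "namedCertificates:") { in_nc = 1; nc_ind = ind; next }
        # list items may sit at the same indent as the key that owns them
        if (in_nc && (ind < nc_ind || (ind == nc_ind && line !~ /^- /))) in_nc = 0
        if (in_nc && line ~ /^- /) {
            item = line; sub(/^- +/, "", item); gsub(/"/, "", item)
            if (item == want) found[sect] = 1
        }
    }
    END {
        if (!found["servingInfo"]) print "servingInfo"
        if (!found["assetConfig.servingInfo"]) print "assetConfig.servingInfo"
    }'
}

# Constructed sample: assetConfig was updated, the API servingInfo was not.
missing_named_cert_sections gsslab.example.com <<'EOF'
assetConfig:
  servingInfo:
    namedCertificates:
    - certFile: gss.lab.crt
      keyFile: gss.lab.key
      names:
      - "gsslab.example.com"
servingInfo:
  certFile: master.server.crt
EOF
```

On a master it would be run as `missing_named_cert_sections gsslab.example.com < /etc/origin/master/master-config.yaml`; empty output means both sections list the name.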

Comment 1 Scott Dodson 2018-05-21 12:38:07 UTC

*** This bug has been marked as a duplicate of bug 1553102 ***

