Description of problem:

We can add custom certificates to an existing cluster manually or by using an Ansible playbook; refer to doc [1]. It is observed that when creating the custom certificate with the redeploy-master-certificates.yml Ansible playbook, it only copies the certificates to all the master nodes but does not update the namedCertificates context in master-config.yaml. For the custom certificates to come into effect, the named certificate context is required in the master config file.

[1] https://docs.openshift.com/container-platform/3.7/install_config/certificate_customization.html#configuring-custom-certificates

################################################################

Version-Release number of the following components:

oc v3.7.23

$ rpm -q openshift-ansible
openshift-ansible-3.7.14-1.git.0.4b35b2d.el7.noarch

$ rpm -q ansible
ansible-2.4.1.0-1.el7.noarch

$ ansible --version
ansible 2.4.1.0
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.5 (default, May 3 2017, 07:55:04) [GCC 4.8.5 20150623 (Red Hat 4.8.5-14)]

###############################################################

How reproducible:

Steps to Reproduce:

1. Create the custom certificate:

# ls /root/san/
config  gss.lab.crt  gss.lab.key

2. Add the variables for Configuring Custom Certificates with Ansible.

Snip --> /etc/ansible/hosts

# If you would like openshift_master_named_certificates to be overwritten with
# the provided value, specify openshift_master_overwrite_named_certificates.
openshift_master_named_certificates=[{"certfile": "/root/san/gss.lab.crt", "keyfile": "/root/san/gss.lab.key", "names": ["gsslab.example.com"]}]
# Detected names may be overridden by specifying the "names" key
openshift_master_overwrite_named_certificates=true

3. Run the Ansible playbook to redeploy master certificates only:

# ansible-playbook /usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/redeploy-master-certificates.yml

#########################################################################################################################

Actual results:

PLAY RECAP ********************************************************************************************
localhost           : ok=14   changed=0    unreachable=0    failed=0
node2.redhat.com    : ok=40   changed=2    unreachable=0    failed=0
nfs.example.com     : ok=26   changed=2    unreachable=0    failed=0
node1.example.com   : ok=40   changed=2    unreachable=0    failed=0
master.example.com  : ok=119  changed=17   unreachable=0    failed=0

# No change in the master-config file under assetConfig

---------snip /etc/origin/master/master-config.yaml------>
apiVersion: v1
assetConfig:
  extensionScripts:
  # - /etc/origin/master/openshift-ansible-catalog-console.js
  loggingPublicURL: https://kibana.san.example.com
  logoutURL: ""
  masterPublicURL: https://master.example.com:8443
  metricsPublicURL: https://nfs.example.com/hawkular/metrics
  publicURL: https://master.example.com:8443/console/
  servingInfo:
    bindAddress: 0.0.0.0:8443
    bindNetwork: tcp4
    certFile: master.server.crt
    clientCA: ""
    keyFile: master.server.key
    maxRequestsInFlight: 0
    requestTimeoutSeconds: 0
authConfig:
  requestHeader:
......omitted......
servingInfo:
  bindAddress: 0.0.0.0:8443
  bindNetwork: tcp4
  certFile: master.server.crt
  clientCA: ca.crt
  keyFile: master.server.key
  maxRequestsInFlight: 500
  requestTimeoutSeconds: 3600
volumeConfig:
  dynamicProvisioningEnabled: true
------------------------------------------->

########################################################################################

Expected results:

The master-config file should get updated with the namedCertificates context under assetConfig.

---------snip /etc/origin/master/master-config.yaml------>
apiVersion: v1
assetConfig:
  extensionScripts:
  # - /etc/origin/master/openshift-ansible-catalog-console.js
  loggingPublicURL: https://kibana.san.example.com
  logoutURL: ""
  masterPublicURL: https://master.example.com:8443
  metricsPublicURL: https://nfs.example.com/hawkular/metrics
  publicURL: https://master.example.com:8443/console/
  servingInfo:
    bindAddress: 0.0.0.0:8443
    bindNetwork: tcp4
    certFile: master.server.crt
    clientCA: ""
    keyFile: master.server.key
    maxRequestsInFlight: 0
    requestTimeoutSeconds: 0
    namedCertificates:
    - certFile: gss.lab.crt
      keyFile: gss.lab.crt
      names:
      - "gsslab.example.com"
authConfig:
  requestHeader:
......omitted......
servingInfo:
  bindAddress: 0.0.0.0:8443
  bindNetwork: tcp4
  certFile: master.server.crt
  clientCA: ca.crt
  keyFile: master.server.key
  maxRequestsInFlight: 500
  requestTimeoutSeconds: 3600
  namedCertificates:
  - certFile: gss.lab.crt
    keyFile: gss.lab.key
    names:
    - "gsslab.example.com"
volumeConfig:
  dynamicProvisioningEnabled: true
------------------------------------------->
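The following is an added example, not code from the bug report or from openshift-ansible. It shows the two things the report is about: translating the openshift_master_named_certificates inventory value into the namedCertificates entries that belong under both servingInfo and assetConfig.servingInfo in master-config.yaml (honouring the overwrite flag), and the check a practitioner would run after the playbook to confirm the name is actually configured in both sections. All function names are this example's own, and it assumes, as the report's expected output does, that certFile/keyFile are referenced by basename relative to /etc/origin/master; the real playbook's destination directory may differ. The sample config and inventory value are constructed from the report.

```python
"""Added example for the namedCertificates update described in the report.

Not part of the report or of openshift-ansible. Operates on an already-parsed
master-config.yaml (a dict); loading and saving the real file is left to
PyYAML's yaml.safe_load / yaml.safe_dump, which ship wherever Ansible runs.
"""
import copy
import json
import os

# Constructed sample: the "Actual results" master-config from the report,
# reduced to the two servingInfo sections that matter here.
SAMPLE_CONFIG = {
    "apiVersion": "v1",
    "assetConfig": {
        "publicURL": "https://master.example.com:8443/console/",
        "servingInfo": {
            "bindAddress": "0.0.0.0:8443",
            "certFile": "master.server.crt",
            "keyFile": "master.server.key",
        },
    },
    "servingInfo": {
        "bindAddress": "0.0.0.0:8443",
        "certFile": "master.server.crt",
        "clientCA": "ca.crt",
        "keyFile": "master.server.key",
    },
}

# Constructed sample: the inventory value from the report (valid JSON).
INVENTORY_VALUE = ('[{"certfile": "/root/san/gss.lab.crt", '
                   '"keyfile": "/root/san/gss.lab.key", '
                   '"names": ["gsslab.example.com"]}]')

# Both servingInfo sections must carry the named certificate: the API/console
# listener and the web console asset server are configured separately.
SECTIONS = (("servingInfo",), ("assetConfig", "servingInfo"))


def _section(config, path):
    """Return the dict at `path` inside config, or None if it is absent."""
    node = config
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node if isinstance(node, dict) else None


def parse_inventory_named_certificates(value):
    """Parse openshift_master_named_certificates; reject malformed entries."""
    entries = json.loads(value)
    if not isinstance(entries, list):
        raise ValueError("openshift_master_named_certificates must be a JSON list")
    for entry in entries:
        for required in ("certfile", "keyfile", "names"):
            if required not in entry:
                raise ValueError("entry missing %r: %r" % (required, entry))
    return entries


def to_master_config_entry(entry):
    """Inventory entry (certfile/keyfile/names) -> master-config entry.

    Assumption of this example: files are referenced by basename, relative to
    /etc/origin/master, as in the report's expected output.
    """
    return {
        "certFile": os.path.basename(entry["certfile"]),
        "keyFile": os.path.basename(entry["keyfile"]),
        "names": list(entry["names"]),
    }


def apply_named_certificates(config, entries, overwrite=False):
    """Return a copy of config with namedCertificates set in both sections.

    overwrite=True replaces any existing list (the report sets
    openshift_master_overwrite_named_certificates=true); otherwise existing
    entries are kept and new ones are appended unless an existing entry
    already serves one of their names.
    """
    new_config = copy.deepcopy(config)
    new_entries = [to_master_config_entry(e) for e in entries]
    for path in SECTIONS:
        section = _section(new_config, path)
        if section is None:
            continue
        if overwrite:
            merged = [dict(e) for e in new_entries]
        else:
            merged = list(section.get("namedCertificates", []))
            covered = set(n for e in merged for n in e.get("names", []))
            for e in new_entries:
                if not set(e["names"]) & covered:
                    merged.append(dict(e))
                    covered.update(e["names"])
        section["namedCertificates"] = merged
    return new_config


def missing_named_certificates(config, name):
    """Post-playbook check: which sections do not serve `name`?"""
    missing = []
    for path in SECTIONS:
        section = _section(config, path)
        if section is None:
            continue
        served = set(n for e in section.get("namedCertificates", [])
                     for n in e.get("names", []))
        if name not in served:
            missing.append(".".join(path))
    return missing


if __name__ == "__main__":
    entries = parse_inventory_named_certificates(INVENTORY_VALUE)
    print("before:", missing_named_certificates(SAMPLE_CONFIG, "gsslab.example.com"))
    fixed = apply_named_certificates(SAMPLE_CONFIG, entries, overwrite=True)
    print("after: ", missing_named_certificates(fixed, "gsslab.example.com"))
```

Run against the real file with `yaml.safe_load(open("/etc/origin/master/master-config.yaml"))`; a non-empty result from missing_named_certificates after the playbook reproduces the condition this report describes, and the master still presents master.server.crt for that hostname until both sections are fixed and the master services are restarted.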
*** This bug has been marked as a duplicate of bug 1553102 ***