Description of problem:
Advanced installation specifying an LDAP CA certificate:

openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', 'challenge': 'true', 'kind': 'HTPasswdPasswordIdentityProvider'}, {'name': 'rht_ldap_provider', 'challenge': 'true', 'login': 'true', 'kind': 'LDAPPasswordIdentityProvider', 'attributes': {'id': ['dn'], 'email': ['mail'], 'name': ['cn'], 'preferredUsername': ['uid']}, 'bindDN': '', 'bindPassword': '', 'ca': '/etc/pki-osoos/ldap_ca.crt', 'insecure': 'false', 'url': 'ldap://ldap.corp.redhat.com/ou=users,dc=redhat,dc=com?uid'}]
openshift_master_ldap_ca_file=/etc/pki-osoos/ldap_ca.crt

The CA certificate was uploaded to the main master with permissions 664.

Running /usr/share/ansible/openshift-ansible/playbooks/deploy_cluster.yml failed on:

TASK [openshift_control_plane : Wait for control plane pods to appear] *********
FAILED - RETRYING: Wait for control plane pods to appear (60 retries left).
FAILED - RETRYING: Wait for control plane pods to appear (60 retries left).

Looking in the log on the master I see the following:

Aug 15 08:12:01 mmaster journal: Invalid MasterConfig /etc/origin/master/master-config.yaml
Aug 15 08:12:01 mmaster journal: oauthConfig.identityProvider[1].provider.ca: Invalid value: "/etc/pki-osoos/ldap_ca.crt": could not read file: stat /etc/pki-osoos/ldap_ca.crt: no such file or directory

But the file is there, only with wrong permissions:

[root@mmaster ~]# ls -l /etc/pki-osoos/ldap_ca.crt
-rw-------. 1 root root 1516 Aug 15 12:10 /etc/pki-osoos/ldap_ca.crt

Version-Release number of selected component (if applicable):
3.10.14

How reproducible:
Install cluster with LDAP auth.

Steps to Reproduce:
1.
2.
3.

Actual results:
Unable to complete master installation.

Expected results:
Working cluster

Additional info:
OpenShift is working as expected here IMO.
Problem is in the same vicinity of Bug 1614414. We need to also make sure all files we need to read are in /etc/origin/master, so independent of where the file is located on the control host we need to land it in /etc/origin/master/, ensure it's readable, and make sure the config references it there.
>But the file is there, only with wrong permissions:
>[root@mmaster ~]# ls -l /etc/pki-osoos/ldap_ca.crt
>-rw-------. 1 root root 1516 Aug 15 12:10 /etc/pki-osoos/ldap_ca.crt

This is a file on the host, but it won't get mounted on the API server pod, as we mount only /etc/origin/master/. This file should have been copied to /etc/origin/master/ldap_ca.crt instead; is there a file there?

Sounds like master_check_paths_in_config.py has missed this path, or the openshift_control_plane role copied it to a wrong location. Do you have the logs from this playbook?

Does changing the path to /etc/pki-osoos/ldap_ca.crt in the 'ca:' section of openshift_master_identity_providers fix it?
Placing the certificate in /etc/origin/master solved the issue. You may close this as far as I am concerned, unless you consider this still needs to be fixed for paths outside of /etc/origin/master. Thanks!
PR to ignore `ca:` field and copy file to an expected location instead - https://github.com/openshift/openshift-ansible/pull/9803
Fix is available in openshift-ansible-3.10.43-1
Verified this bug with openshift-ansible-3.10.44-1.git.0.8c64e8d.el7.noarch.

Specify the LDAP CA certificate in openshift_master_ldap_ca_file, then start the installation.

openshift_master_identity_providers=[{'name': 'testldap', 'login': 'true', 'challenge': 'true', 'kind': 'LDAPPasswordIdentityProvider', 'attributes': {'id': ['dn'], 'email': ['mail'], 'name': ['cn'], 'preferredUsername': ['uid']}, 'bindDN': '', 'bindPassword': '', 'insecure': 'false', 'url': 'ldaps://x.x.x.com/ou=users,dc=redhat,dc=com?uid'}]
openshift_master_ldap_ca_file=/root/ldap.ca.crt

After installation, the LDAP CA certificate was copied to the master as /etc/origin/master/testldap_ldap_ca.crt, and the master service runs well.
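The path check this thread is about, written as an added example that is not openshift-ansible's own master_check_paths_in_config.py: given an inventory's identity provider list, it reports which LDAP 'ca:' paths fall outside /etc/origin/master (the only directory mounted into the API server pod) and the /etc/origin/master/<name>_ldap_ca.crt destination seen in the verification comment. The provider list and the 0600 file mode are constructed from the bug report; the destination naming is assumed from that comment rather than taken from the PR.

```python
import os
import posixpath
import stat

# Only this directory is mounted into the API server pod, so a CA referenced in
# master-config.yaml is unreadable there unless it lives under this directory.
MASTER_CONFIG_DIR = "/etc/origin/master"

def ca_destination(provider):
    """/etc/origin/master/<name>_ldap_ca.crt, the name seen in the verification
    comment (assumed here, not taken from the PR)."""
    return posixpath.join(MASTER_CONFIG_DIR, provider["name"] + "_ldap_ca.crt")

def host_mode(path):
    """Permission bits of path on this host, or None if it cannot be stat'ed."""
    try:
        return stat.S_IMODE(os.stat(path).st_mode)
    except OSError:
        return None

def check_identity_providers(providers, mode_of=host_mode):
    """One finding per LDAP provider with a 'ca' entry, judged as the pod sees it:
    'not_mounted' (outside /etc/origin/master), 'missing' (inside but absent on
    the host) or 'ok'. mode_of is injectable so the check can run on a fake host."""
    findings = []
    for prov in providers:
        if prov.get("kind") != "LDAPPasswordIdentityProvider" or not prov.get("ca"):
            continue
        ca = posixpath.normpath(prov["ca"])
        mode = mode_of(ca)
        if not ca.startswith(MASTER_CONFIG_DIR + "/"):
            status = "not_mounted"
        elif mode is None:
            status = "missing"
        else:
            status = "ok"
        findings.append({"name": prov["name"], "ca": ca, "mode": mode,
                         "status": status, "suggested": ca_destination(prov)})
    return findings

# Constructed inputs: the provider list and file mode from the bug report.
REPORT_PROVIDERS = [
    {"name": "htpasswd_auth", "kind": "HTPasswdPasswordIdentityProvider"},
    {"name": "rht_ldap_provider", "kind": "LDAPPasswordIdentityProvider",
     "ca": "/etc/pki-osoos/ldap_ca.crt", "insecure": "false"},
]
FAKE_HOST = {"/etc/pki-osoos/ldap_ca.crt": 0o600}  # ls showed -rw------- root

def run_report_example():
    return check_identity_providers(REPORT_PROVIDERS, mode_of=FAKE_HOST.get)
```

Run against a real master by dropping the mode_of argument, so the check uses os.stat on the host; the reporter's layout yields 'not_mounted' even though the file exists, which is exactly the stat error the master logged.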