Bug 1628834
| Field | Value |
|---|---|
| Summary | [3.10] master static pod failed to start when kerberos auth is set |
| Product | OpenShift Container Platform |
| Component | Documentation |
| Status | CLOSED DEFERRED |
| Severity | medium |
| Priority | high |
| Version | 3.10.0 |
| Target Release | 3.10.z |
| Hardware | Unspecified |
| OS | Unspecified |
| Reporter | Johnny Liu <jialiu> |
| Assignee | Vikram Goyal <vigoyal> |
| QA Contact | scheng |
| Docs Contact | Vikram Goyal <vigoyal> |
| CC | aos-bugs, jialiu, jokerman, mgugino, mmccomas, vrutkovs, wsun |
| Keywords | Regression |
| Type | Bug |
| Bug Blocks | 1628837 |
Description
Johnny Liu
2018-09-14 07:16:04 UTC
Right, `clientCA` is now ignored on 3.10+, as it's not clear where this file should be present.

`openshift_master_request_header_ca_file` or `openshift_master_request_header_ca` should be set to have this file copied as `/etc/origin/master/<name>_request_header_ca.crt` - does it work when these variables are set?

(In reply to Vadim Rutkovsky from comment #1)
> Right, `clientCA` is now ignored on 3.10+, as it's not clear where this file
> should be present.
>
> `openshift_master_request_header_ca_file` or
> `openshift_master_request_header_ca` should be set to have this file copied
> as `/etc/origin/master/<name>_request_header_ca.crt` - does it work when
> these variables are set?

According to doc:
openshift_master_request_header_ca_file=<path to local ca file to use>

The ca should be some local ca file in my ansible controller host, but in my test case, I want to use '/etc/origin/master/ca.crt' which is generated by openshift_ca and located in master host. So openshift_master_request_header_ca_file and openshift_master_request_header_ca do not help my testing.

(In reply to Johnny Liu from comment #2)
> The ca should be some local ca file in my ansible controller host, but in my
> test case, I want to use '/etc/origin/master/ca.crt' which is generated by
> openshift_ca and located in master host.

In this case it needs to be renamed and put in the specified location. This has been introduced in https://github.com/openshift/openshift-ansible/pull/9731 and docs have not been updated yet.

(In reply to Vadim Rutkovsky from comment #3)
> (In reply to Johnny Liu from comment #2)
> > The ca should be some local ca file in my ansible controller host, but in my
> > test case, I want to use '/etc/origin/master/ca.crt' which is generated by
> > openshift_ca and located in master host.
>
> In this case it needs to be renamed and put in the specified location. This
> has been introduced in
> https://github.com/openshift/openshift-ansible/pull/9731 and docs have not
> been updated yet.

You mean I have to prepare the client CA file in my local ansible host before install, and set openshift_master_request_header_ca_file to my local path, and have no way to utilize /etc/origin/master/ca.crt, right?

And another critical issue: even if I did not set clientCA in openshift_master_identity_providers, installer would set _idp['clientCA'] automatically, and set it to some non-existing file.

(In reply to Johnny Liu from comment #4)
> (In reply to Vadim Rutkovsky from comment #3)
> > (In reply to Johnny Liu from comment #2)
> > > The ca should be some local ca file in my ansible controller host, but in my
> > > test case, I want to use '/etc/origin/master/ca.crt' which is generated by
> > > openshift_ca and located in master host.
> >
> > In this case it needs to be renamed and put in the specified location. This
> > has been introduced in
> > https://github.com/openshift/openshift-ansible/pull/9731 and docs have not
> > been updated yet.
>
> You mean I have to prepare the client CA file in my local ansible host
> before install, and set openshift_master_request_header_ca_file to my local
> path, and have no way to utilize /etc/origin/master/ca.crt, right?

There are three options here:
1) Set openshift_master_request_header_ca with contents
2) Set openshift_master_request_header_ca_file pointing to a local path
3) Prepare a host with /etc/origin/master/<name>_request_header_ca.crt already being present.

There is no way to specify the path and point it to /ca.crt - this caused errors for customers, especially with static pods - i.e. two CAs for different identification providers, paths which were not mounted in the static pods etc.

> And another critical issue: even if I did not set clientCA in
> openshift_master_identity_providers, installer would set _idp['clientCA']
> automatically, and set it to some non-existing file.

Correct, since openshift_master_request_header_ca/openshift_master_request_header_ca_file were not set the installer assumes the user is responsible for this file to be present there.

Moving to documentation.

OCP 3.6-3.10 is no longer on full support [1]. Marking CLOSED DEFERRED. If you have a customer case with a support exception or have reproduced on 3.11+, please reopen and include those details. When reopening, please set the Target Release to the appropriate version where needed.

[1]: https://access.redhat.com/support/policy/updates/openshift
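
Option 3 from the thread (the CA already present on the master under the per-provider name) can be prepared and checked before the installer runs. The script below is an added example, not code from this bug or from openshift-ansible; the function names and exit codes are hypothetical, and it assumes `<name>` in `<name>_request_header_ca.crt` is the identity provider's name.

```shell
#!/bin/sh
# Added example, not from the bug thread or openshift-ansible.
# Assumption: <name> in <name>_request_header_ca.crt is the identity provider's name.

# Path where the thread says the CA must exist on the master host.
request_header_ca_path() {          # $1 = master config dir, $2 = provider name
    printf '%s/%s_request_header_ca.crt\n' "$1" "$2"
}

# 0 = usable, 1 = missing, 2 = empty or unreadable, 3 = no PEM certificate inside.
check_request_header_ca() {
    f=$(request_header_ca_path "$1" "$2")
    [ -e "$f" ] || { echo "missing: $f" >&2; return 1; }
    if [ ! -r "$f" ] || [ ! -s "$f" ]; then
        echo "empty or unreadable: $f" >&2; return 2
    fi
    grep -q -e '-----BEGIN CERTIFICATE-----' "$f" || {
        echo "no PEM certificate in: $f" >&2; return 3; }
    return 0
}

# Option 3 from the thread: put an existing CA (for example the master's own
# ca.crt) under the per-provider name. 4 = source unreadable or copy failed,
# 5 = a different CA is already staged for this provider (never overwritten).
stage_request_header_ca() {         # $1 = dir, $2 = provider name, $3 = source CA
    dest=$(request_header_ca_path "$1" "$2")
    [ -r "$3" ] || { echo "cannot read source: $3" >&2; return 4; }
    if [ -e "$dest" ] && ! cmp -s "$3" "$dest"; then
        echo "refusing to overwrite: $dest" >&2; return 5
    fi
    [ -e "$dest" ] || cp "$3" "$dest" || return 4
    chmod 0644 "$dest"
    check_request_header_ca "$1" "$2"
}

# Demo in a scratch directory; the file body is a constructed placeholder,
# not a real certificate (only the PEM markers are checked here).
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
    '-----END CERTIFICATE-----' > "$demo/ca.crt"
stage_request_header_ca "$demo" my_idp "$demo/ca.crt" &&
    echo "staged: $(request_header_ca_path "$demo" my_idp)"
rm -rf "$demo"
```

On a real master the directory argument would be `/etc/origin/master`, and the check is worth running once per configured provider so that two providers never share or clobber one CA file.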