Bug 1633137

Summary: [DOCS] LDAP/OpenID/RequestHeader CA changes
Product: OpenShift Container Platform
Reporter: Vadim Rutkovsky <vrutkovs>
Component: Documentation
Assignee: Kathryn Alexander <kalexand>
Status: CLOSED CURRENTRELEASE
QA Contact: Chuan Yu <chuyu>
Severity: urgent
Docs Contact: Vikram Goyal <vigoyal>
Priority: urgent
Version: 3.10.0
CC: aos-bugs, clasohm, clichybi, dmoessne, jokerman, kalexand, mmccomas, smulholland, vrutkovs, wmeng
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-12-10 21:10:59 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Vadim Rutkovsky 2018-09-26 09:15:38 UTC
Describe the issue: 
Identity provider handling has been updated in master/3.11/3.10 in openshift-ansible.

Previously the 'ca'/'clientCA' fields were optional and the host trust store CA was used instead.
After the move to static pods, the API server container's trust store is used, so changes to the host trust store are not reflected. This required the user to choose the path of the CA bundle and ensure it would be mounted in the API server container correctly.

After https://github.com/openshift/openshift-ansible/pull/9803 was merged (since openshift-ansible-3.10.42-1, openshift-ansible-3.11.0-0.25.0 and openshift-ansible-4.0.0-0.1.0) the behaviour has changed:

* if openshift_master_ldap_ca/openshift_master_ldap_ca_file is specified, the contents of the file are placed at /etc/origin/master/<ldap identity provider name>_ldap_ca.crt on the host and mounted in the API container
* if these vars are unset, the host is expected to have this file created already
* the 'ca' field for this identity provider is automatically set to /etc/origin/master/<ldap identity provider name>_ldap_ca.crt
* if the 'insecure' option is used in the LDAP provider, 'ca' is not set
* there is no option to change the path to this file

This applies to LDAP, OpenID and RequestHeader identity providers; it allows specifying several identity providers and ensures the specified CA is always mounted in the API server container correctly.
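The failure mode described above (a provider that silently relies on the host trust store, which the static-pod API server no longer sees) is easy to check for on a master. The following is an added example, not code from this bug report or from openshift-ansible: it audits the identityProviders list of an OpenShift 3.x master config and flags providers that are insecure, have no CA configured, point at a CA outside the mounted directory, or reference a file that is not on the host. The provider kind names and the ca/clientCA key mapping are those of the OpenShift 3 master config; the assumption that /etc/origin/master is the only host directory mounted into the API server container, the expected LDAP CA path, and the sample config and host file list are all constructed for this example.

```python
"""Added example (not part of the bug report or of openshift-ansible):
audit identityProviders from an OpenShift 3.x master config for CA handling
that breaks once the API server runs as a static pod."""
from typing import Dict, List, Set

# Assumption for this example: the only host directory mounted into the
# API server container is /etc/origin/master.
MASTER_DIR = "/etc/origin/master"


def expected_ldap_ca_path(provider_name: str) -> str:
    """Path where openshift-ansible writes the LDAP CA, per the bug description."""
    return f"{MASTER_DIR}/{provider_name}_ldap_ca.crt"


def ca_field_for(kind: str) -> str:
    """Config key that carries the CA bundle for a provider kind.

    RequestHeader verifies the proxy's client certificate, so it uses clientCA;
    LDAP and OpenID use ca."""
    return "clientCA" if kind == "RequestHeaderIdentityProvider" else "ca"


def audit_identity_providers(providers: List[Dict], host_files: Set[str]) -> List[str]:
    """Return one finding per misconfigured provider; an empty list means clean.

    host_files is the set of files present under MASTER_DIR on the master host,
    passed in explicitly so the check runs offline against constructed data."""
    findings = []
    for idp in providers:
        name = idp.get("name", "<unnamed>")
        prov = idp.get("provider", {})
        kind = prov.get("kind", "")
        if prov.get("insecure"):
            findings.append(f"{name}: insecure=true, TLS verification disabled (ca ignored)")
            continue
        field = ca_field_for(kind)
        ca = prov.get(field)
        if not ca:
            findings.append(f"{name}: no {field} set; relies on the host trust store, "
                            "which the static-pod API server does not see")
            continue
        if not ca.startswith(MASTER_DIR + "/"):
            findings.append(f"{name}: {ca} is outside {MASTER_DIR} and is not "
                            "mounted into the API server container")
            continue
        if ca not in host_files:
            findings.append(f"{name}: CA bundle {ca} is missing on the master host")
    return findings


# Constructed sample, shaped like the identityProviders list of master-config.yaml.
SAMPLE_PROVIDERS = [
    {"name": "corp_ldap", "challenge": True, "login": True, "mappingMethod": "claim",
     "provider": {"apiVersion": "v1", "kind": "LDAPPasswordIdentityProvider",
                  "url": "ldaps://ldap.example.test/ou=users,dc=example,dc=test?uid",
                  "ca": expected_ldap_ca_path("corp_ldap")}},
    {"name": "legacy_ldap",
     "provider": {"kind": "LDAPPasswordIdentityProvider",
                  "url": "ldaps://old.example.test/dc=example,dc=test?uid",
                  "insecure": True}},
    {"name": "sso",
     "provider": {"kind": "OpenIDIdentityProvider", "clientID": "openshift",
                  "ca": "/etc/pki/tls/certs/ca-bundle.crt"}},
    {"name": "proxy",
     "provider": {"kind": "RequestHeaderIdentityProvider",
                  "headers": ["X-Remote-User"]}},
]

# Constructed: files that exist under /etc/origin/master on the host.
SAMPLE_HOST_FILES = {expected_ldap_ca_path("corp_ldap"), f"{MASTER_DIR}/ca-bundle.crt"}


if __name__ == "__main__":
    for finding in audit_identity_providers(SAMPLE_PROVIDERS, SAMPLE_HOST_FILES):
        print(finding)
```

On the sample above, only corp_ldap passes: legacy_ldap is flagged for insecure=true, sso for a CA path that is not mounted into the container, and proxy for a missing clientCA. Running the same audit against a real master-config.yaml would only require loading the YAML and building host_files from a directory listing of /etc/origin/master.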

Comment 5 Kathryn Alexander 2018-11-30 16:42:14 UTC
PR's here: https://github.com/openshift/openshift-docs/pull/12998

I want Vadim to take a look before I send it to QE.

Comment 6 Kathryn Alexander 2018-11-30 18:49:37 UTC
I made some updates per Vadim.

Xiaoli Tian, will you please suggest the right reviewer? Based on my discussion with Mo, I don't think that Chuan Yu should review this one.

Comment 8 Kathryn Alexander 2018-12-03 14:29:05 UTC
This bug was approved on the PR. I've merged it and am waiting for it to go live.