Bug 1633137 - [DOCS] LDAP/OpenID/RequestHeader CA changes
Summary: [DOCS] LDAP/OpenID/RequestHeader CA changes
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Documentation
Version: 3.10.0
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: ---
Target Release: ---
Assignee: Kathryn Alexander
QA Contact: Chuan Yu
Docs Contact: Vikram Goyal
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-09-26 09:15 UTC by Vadim Rutkovsky
Modified: 2018-12-10 21:10 UTC (History)
CC: 10 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-12-10 21:10:59 UTC
Target Upstream Version:
Embargoed:



Description Vadim Rutkovsky 2018-09-26 09:15:38 UTC
Describe the issue: 
Identity provider handling has been updated in master/3.11/3.10 in openshift-ansible.

Previously the 'ca'/'clientCA' fields were optional and the host trust store CA was used instead.
After the move to static pods, the API server container trust store is used, so changes to the host trust store are not reflected. This required the user to choose the path of the CA bundle and ensure it would be mounted in the API server container correctly.

After https://github.com/openshift/openshift-ansible/pull/9803 was merged (since openshift-ansible-3.10.42-1, openshift-ansible-3.11.0-0.25.0 and openshift-ansible-4.0.0-0.1.0) the behaviour has changed:

* if openshift_master_ldap_ca/openshift_master_ldap_ca_file is specified, the contents of the file would be placed at /etc/origin/master/<ldap identity provider name>_ldap_ca.crt on the host and mounted in the API container
* if these vars are unset the host is expected to have this file created
* 'ca' field for this identity provider would be automatically set to /etc/origin/master/<ldap identity provider name>_ldap_ca.crt
* if 'insecure' option is used in LDAP provider 'ca' would not be set
* there is no option to change the path to this file

This applies to LDAP, OpenID and RequestHeader identity providers and allows specifying several identity providers while ensuring the specified CA is always mounted in the API server container correctly.
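
The following pre-flight check is an added example for this bug page; it is not code from openshift-ansible or from the openshift-docs PR. It encodes the rules the report states for LDAP providers (openshift-ansible-3.10.42-1 / 3.11.0-0.25.0 and later): 'ca' is forced to /etc/origin/master/<name>_ldap_ca.crt, that path cannot be changed, 'ca' is left unset when 'insecure' is used, and the file must either be supplied through openshift_master_ldap_ca / openshift_master_ldap_ca_file or already exist on the host. The OpenID and RequestHeader variable names and file suffixes are assumptions modelled on the LDAP case (the report only names the LDAP file); RequestHeader is mapped to 'clientCA' because the report lists 'ca'/'clientCA' as the affected fields. The sample inventory is constructed.

```python
"""Pre-flight check for identity-provider CA handling in openshift-ansible.

Added example, not project code. Mirrors the behaviour described in the bug
report so an inventory can be checked before the playbook runs: a wrong or
missing CA is otherwise only noticed when logins through the API server
container start failing TLS verification.
"""
import copy
import os

MASTER_DIR = "/etc/origin/master"

# kind -> (inventory variable prefix, file suffix, master-config field).
# Only the LDAP entry is taken from the report; the other two are ASSUMED
# by analogy and should be checked against the openshift-ansible release in use.
CA_RULES = {
    "LDAPPasswordIdentityProvider": ("openshift_master_ldap_ca", "_ldap_ca.crt", "ca"),
    "OpenIDIdentityProvider": ("openshift_master_openid_ca", "_openid_ca.crt", "ca"),
    "RequestHeaderIdentityProvider": ("openshift_master_request_header_ca",
                                      "_request_header_ca.crt", "clientCA"),
}


def expected_ca_path(provider):
    """Mandated CA bundle path for one identity provider, or None if no CA is set."""
    rule = CA_RULES.get(provider.get("kind"))
    if rule is None:
        return None
    # Per the report: with 'insecure' the playbook does not set 'ca' at all.
    if provider["kind"] == "LDAPPasswordIdentityProvider" and provider.get("insecure"):
        return None
    return "%s/%s%s" % (MASTER_DIR, provider["name"], rule[1])


def plan_ca_files(inventory, host_files=None):
    """Emulate the playbook's CA handling for every configured identity provider.

    inventory:  dict of openshift-ansible inventory variables.
    host_files: set of paths already present on the master host; when None,
                os.path.exists is consulted (run it on the master itself).
    Returns (rendered_providers, problems): the provider entries as they will
    land in master-config.yaml, plus human-readable findings.
    """
    rendered, problems = [], []
    for src in inventory.get("openshift_master_identity_providers", []):
        prov = copy.deepcopy(src)
        path = expected_ca_path(prov)
        if path is not None:
            var, _suffix, field = CA_RULES[prov["kind"]]
            user_value = prov.get(field)
            if user_value and user_value != path:
                problems.append(
                    "%s: %s=%s is ignored; the playbook forces %s and the path is not configurable"
                    % (prov["name"], field, user_value, path))
            supplied = inventory.get(var) or inventory.get(var + "_file")
            present = (path in host_files) if host_files is not None else os.path.exists(path)
            if not supplied and not present:
                problems.append(
                    "%s: %s/%s_file unset and %s missing on the host; the API server "
                    "container will have no CA to verify this provider"
                    % (prov["name"], var, var, path))
            prov[field] = path
        rendered.append(prov)
    return rendered, problems


# Constructed sample inventory (hostnames and paths are made up).
SAMPLE_INVENTORY = {
    "openshift_master_ldap_ca_file": "/root/corp-ldap-ca.pem",
    "openshift_master_identity_providers": [
        {"name": "corp_ldap", "kind": "LDAPPasswordIdentityProvider",
         "challenge": True, "login": True,
         "url": "ldaps://ldap.example.com/ou=users,dc=example,dc=com?uid",
         "ca": "/etc/origin/master/ca.crt"},      # pre-3.10.42 style path, now overridden
        {"name": "legacy", "kind": "LDAPPasswordIdentityProvider",
         "challenge": True, "login": True, "insecure": True,
         "url": "ldap://legacy.example.com/ou=people,dc=example,dc=com?uid"},
        {"name": "proxy", "kind": "RequestHeaderIdentityProvider",
         "challenge": True, "login": True,
         "headers": ["X-Remote-User"]},           # no CA var and no file on the host
    ],
}

if __name__ == "__main__":
    providers, findings = plan_ca_files(SAMPLE_INVENTORY, host_files=set())
    for p in providers:
        print(p["name"], "->", p.get("ca") or p.get("clientCA") or "(no CA set)")
    for f in findings:
        print("WARNING:", f)
```

Run on the master with `host_files=None` so the existence check hits the real /etc/origin/master; the two findings for the sample show the two failure modes the report describes (a hand-picked 'ca' path that is silently replaced, and a provider whose CA bundle will not be on the host or in the container at all).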

Comment 5 Kathryn Alexander 2018-11-30 16:42:14 UTC
PR's here: https://github.com/openshift/openshift-docs/pull/12998

I want Vadim to take a look before I send it to QE.

Comment 6 Kathryn Alexander 2018-11-30 18:49:37 UTC
I made some updates per Vadim.

Xiaoli Tian, will you please suggest the right reviewer? Based on my discussion with Mo, I don't think that Chuan Yu should review this one.

Comment 8 Kathryn Alexander 2018-12-03 14:29:05 UTC
This bug was approved on the PR. I've merged it and am waiting for it to go live.

