1647793 – No CA copied for github or github enterprise IdentityProvider

Bug 1647793 - No CA copied for github or github enterprise IdentityProvider

Summary: No CA copied for github or github enterprise IdentityProvider

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Installer
Sub Component:
Version:	3.11.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	high
Target Milestone:	---
Target Release:	3.11.z
Assignee:	Vadim Rutkovsky
QA Contact:	Weihua Meng
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2018-11-08 11:31 UTC by Fatima
Modified:	2019-01-10 11:08 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	Cause: CA is not copied to master config dir when Github Enterprise is used as a identity provider Consequence: API server failed to start without a CA Fix: a new vars - openshift_master_github_ca and openshift_master_github_ca_file - were introduced to set github enterprise CA Result: installation succeeds
Clone Of:
Environment:
Last Closed:	2019-01-10 09:04:10 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2019:0024	0	None	None	None	2019-01-10 09:05:50 UTC

Description Fatima 2018-11-08 11:31:52 UTC

Description of problem:

On a cluster install, when providing identity providers, we cannot provide a CA certificate fro the Github certificate necessary to allow the masters to communicate with Github enterprise.

Here are the upstream links:

Issue: https://github.com/openshift/openshift-ansible/issues/10565
PR: https://github.com/openshift/openshift-ansible/pull/10566

The changes are yet to be reflected in the v3.11.41 playbooks.

Steps to Reproduce:
1. Adding a CA in the Identity provider for Github makes the masters non-operable if it's not in the /etc/origin/master
2.
3.

Actual results:
Please include the entire output from the last TASK line through the end of output if an error is generated

Expected results:

The customer expects https://github.com/openshift/openshift-ansible/blob/master/roles/openshift_control_plane/tasks/main.yml#L63 to have a Github one for custom certificates

Additional info:
rhel 7

Comment 1 Vadim Rutkovsky 2018-11-09 07:28:28 UTC

master PR https://github.com/openshift/openshift-ansible/pull/10566

3.11 cherrypick - https://github.com/openshift/openshift-ansible/pull/10647

Comment 2 Vadim Rutkovsky 2018-11-12 11:39:53 UTC

Fix is available in openshift-ansible-3.11.43-1

Comment 3 Weihua Meng 2018-11-23 07:28:59 UTC

Fixed.

openshift-ansible-3.11.44-1.git.0.11d174e.el7.noarch

CA certificate copied to /etc/origin/master

$ oc get user
NAME      UID                                    FULL NAME   IDENTITIES
chuyu     b2dc5f0b-eeee-11e8-aaa2-fa163eeee67b               github_enterprise:3

Kernel Version: 3.10.0-957.el7.x86_64
Operating System: Red Hat Enterprise Linux Server 7.6 (Maipo)

Comment 6 errata-xmlrpc 2019-01-10 09:04:10 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0024

Note You need to log in before you can comment on or make changes to this bug.