Bug 1647793 - No CA copied for github or github enterprise IdentityProvider
Summary: No CA copied for github or github enterprise IdentityProvider
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.11.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 3.11.z
Assignee: Vadim Rutkovsky
QA Contact: Weihua Meng
Depends On:
TreeView+ depends on / blocked
Reported: 2018-11-08 11:31 UTC by Fatima
Modified: 2019-01-10 11:08 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: CA is not copied to master config dir when Github Enterprise is used as a identity provider Consequence: API server failed to start without a CA Fix: a new vars - openshift_master_github_ca and openshift_master_github_ca_file - were introduced to set github enterprise CA Result: installation succeeds
Clone Of:
Last Closed: 2019-01-10 09:04:10 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:0024 0 None None None 2019-01-10 09:05:50 UTC

Description Fatima 2018-11-08 11:31:52 UTC
Description of problem:

On a cluster install, when providing identity providers, we cannot provide a CA certificate fro the Github certificate necessary to allow the masters to communicate with Github enterprise.

Here are the upstream links:

Issue: https://github.com/openshift/openshift-ansible/issues/10565
PR: https://github.com/openshift/openshift-ansible/pull/10566

The changes are yet to be reflected in the v3.11.41 playbooks.

Steps to Reproduce:
1. Adding a CA in the Identity provider for Github makes the masters non-operable if it's not in the /etc/origin/master

Actual results:
Please include the entire output from the last TASK line through the end of output if an error is generated

Expected results:

The customer expects https://github.com/openshift/openshift-ansible/blob/master/roles/openshift_control_plane/tasks/main.yml#L63 to have a Github one for custom certificates

Additional info:
rhel 7

Comment 2 Vadim Rutkovsky 2018-11-12 11:39:53 UTC
Fix is available in openshift-ansible-3.11.43-1

Comment 3 Weihua Meng 2018-11-23 07:28:59 UTC


CA certificate copied to /etc/origin/master

$ oc get user
NAME      UID                                    FULL NAME   IDENTITIES
chuyu     b2dc5f0b-eeee-11e8-aaa2-fa163eeee67b               github_enterprise:3

Kernel Version: 3.10.0-957.el7.x86_64
Operating System: Red Hat Enterprise Linux Server 7.6 (Maipo)

Comment 6 errata-xmlrpc 2019-01-10 09:04:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.