Description of problem: Director deployed OCP 3.11: changing openshift_master_identity_providers from allow_all to htpasswd_auth doesn't work: Initial deployment is done with: OpenShiftGlobalVariables: openshift_master_identity_providers: - name: allow_all login: 'true' challenge: true kind: AllowAllPasswordIdentityProvider In a subsequent stack update we set it to htpasswd_auth: OpenShiftGlobalVariables: openshift_master_identity_providers: - name: 'htpasswd_auth' login: 'true' challenge: 'true' kind: 'HTPasswdPasswordIdentityProvider' openshift_master_htpasswd_users: marius: '$apr1$jpBOUqeU$X4jUsMyCHOOp8TFYtPq0v1' But after the stack update succeeds we're still able to log in with any user/pass which points to the new configuration not being applied. Version-Release number of selected component (if applicable): openstack-tripleo-heat-templates-9.0.1-0.20181013060891.el7ost.noarch How reproducible: 100% Steps to Reproduce: 1. Deploy openshift overcloud with allow_all openshift_master_identity_providers 2. Set openshift_master_identity_providers to htpasswd_auth 3. Re-run overcloud deploy Actual results: Log in still works with any user/pass which means the new configuration was not applied. Expected results: Log in only works with u: marius p: password. Additional info:
I've tried re-running the same deploy command after updating the OpenShiftGlobalVariables heat param the same you did, and effectively I could still log in with any user/password. *However* the new configuration was in /etc/origin/master/master-config.yaml After restarting the services with "sudo master-restart api && sudo master-restart controllers" it successfully picked up the new config.
I noticed a openshift-node/restart.yml [1] playbook. Maybe we could call this from tripleo after applying the new settings. [1] https://github.com/openshift/openshift-ansible/blob/master/playbooks/openshift-node/restart.yml
No doc text required.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2019:0045