Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1729393

Summary: OpenShift CA is not copied to system CA trust when a new node is deployed
Product: OpenShift Container Platform
Reporter: Victor Hernando <vhernand>
Component: Installer
Assignee: Russell Teague <rteague>
Installer sub component: openshift-ansible
QA Contact: Johnny Liu <jialiu>
Status: CLOSED DUPLICATE
Docs Contact:
Severity: medium
Priority: unspecified
CC: jcallen
Version: 3.11.0
Target Milestone: ---
Target Release: 3.11.z
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-08-14 20:22:01 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Victor Hernando 2019-07-12 07:46:47 UTC
Description of problem:

Every time a new node is deployed in OCP 3.11 the OpenShift CA is not copied to the system CA.
This process is included in the redeploy-openshift-ca playbook, but missing from the scaleup playbook.
The piece of code I'm referring to:

https://github.com/openshift/openshift-ansible/blob/release-3.11/playbooks/openshift-master/private/redeploy-openshift-ca.yml#L238-L257

Version-Release number of the following components:
# grep ansible installed-rpms |awk '{print $1}'
ansible-2.6.14-1.el7ae.noarch
openshift-ansible-3.11.82-3.git.0.9718d0a.el7.noarch
openshift-ansible-docs-3.11.82-3.git.0.9718d0a.el7.noarch
openshift-ansible-playbooks-3.11.82-3.git.0.9718d0a.el7.noarch
openshift-ansible-roles-3.11.82-3.git.0.9718d0a.el7.noarch


How reproducible:
Deploy a new node using scaleup.yml playbook.
Check the content of the following directory, openshift-client-ca.crt is missing:

$ ls -l /etc/pki/ca-trust/source/anchors/


Actual results:
/etc/pki/ca-trust/source/anchors/openshift-client-ca.crt is missing after adding a new node to the cluster. To have the file in place, the customer needs to execute the openshift-redeploy-ca.yml playbook.

Expected results:
To have the following file "/etc/pki/ca-trust/source/anchors/openshift-client-ca.crt" in place after deploying a new node into the cluster.

Additional info:
As far as I can see, the steps required to accomplish this are the following:
https://github.com/openshift/openshift-ansible/blob/release-3.11/playbooks/openshift-master/private/redeploy-openshift-ca.yml#L238-L257

If this was not included in the scaleup process for some reason and is not planned to be included, please let me know so that I can provide further explanations to my customer.
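
A node-side check for the condition reported above, written as an added example; it is not part of the original report or of openshift-ansible. It distinguishes a missing anchor from one that was copied but never merged into the system bundle by update-ca-trust. The path of the cluster CA to compare against is an assumption and must be supplied by the operator; the bundle path is the RHEL 7 default.

```shell
#!/bin/sh
# Added example. The anchor path comes from the report; the CA source path is
# supplied by the operator, and the bundle path is the RHEL 7 default.

# cert_in_bundle BUNDLE CERT
# Succeeds when every base64 body line of CERT is a whole line of BUNDLE.
# Heuristic: assumes both files wrap PEM at the same column.
cert_in_bundle() {
    [ -r "$1" ] || return 1
    body=$(grep -v -- '-----' "$2" | grep -v '^$') || return 1
    # grep -v prints CERT lines absent from BUNDLE; any hit means "not trusted".
    ! printf '%s\n' "$body" | grep -qvxF -f "$1"
}

# anchor_status EXPECTED_CA ANCHOR BUNDLE
# Prints: no-source | missing | stale | untrusted | ok
anchor_status() {
    if [ ! -r "$1" ]; then
        echo no-source      # cannot read the CA to compare against
    elif [ ! -e "$2" ]; then
        echo missing        # the state described in the report
    elif ! cmp -s "$1" "$2"; then
        echo stale          # anchor exists but holds a different certificate
    elif ! cert_in_bundle "$3" "$2"; then
        echo untrusted      # anchor copied, update-ca-trust not run since
    else
        echo ok
    fi
}

# Usage on a node: sh check-anchor.sh /path/to/cluster-ca.crt
if [ "$#" -gt 0 ]; then
    status=$(anchor_status "$1" \
        /etc/pki/ca-trust/source/anchors/openshift-client-ca.crt \
        /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem)
    echo "openshift-client-ca.crt: $status"
    case $status in
        missing|stale) echo "copy $1 to the anchor path, then run update-ca-trust" ;;
        untrusted)     echo "run update-ca-trust to rebuild the bundle" ;;
    esac
    [ "$status" = ok ]
fi
```

The script exits non-zero for any state other than ok, so it can be run across nodes after a scaleup to find the ones that still need the anchor.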