Description of problem:

When installing OCP 3.11 with the CA defined via the following:

    openshift_hosted_registry_routecertificates="{'certfile': '<path>/org-cert.pem', 'keyfile': '<path>/org-privkey.pem', 'cafile': '<path>/org-chain.pem'}"

the user is required to follow the "day two process" outlined here:

    https://docs.openshift.com/container-platform/3.11/day_two_guide/docker_tasks.html#day-two-guide-managing-docker-certs

to allow nodes to trust it, when this is just a custom CA cert, not an external registry. This was not a problem on 3.9 installations. We have determined that the steps from the following (3.9) are not performed the same way in the new bootstrap process in 3.11:

    https://github.com/openshift/openshift-ansible/blob/release-3.9/roles/openshift_node_certificates/tasks/main.yml

Actual results:

Customer installs on 3.11 and is required to run update-ca-trust to pull using a custom CA from a NON-external registry. This works in 3.9.

Expected results:

Customer does not need to perform any additional tasks to have the correct CA trusted.
Verified this bug with openshift-ansible-3.11.154-1.git.0.7a11cbe.el7.noarch.rpm. The required 'Update CA trust' and 'restart docker/node' steps were added during node bootstrap.

    TASK [openshift_node : Update CA trust] ****************************************
    changed: [ci-vm-10-0-148-101.hosted.upshift.rdu2.redhat.com] => {"changed": true, "cmd": ["update-ca-trust", "extract"], "delta": "0:00:00.521362", "end": "2019-11-09 01:02:43.293125", "rc": 0, "start": "2019-11-09 01:02:42.771763", "stderr": "", "stderr_lines": [], "stdout": "", "stdout_lines": []}
    ...
    TASK [Mark node unschedulable] *************************************************
    changed: [ci-vm-10-0-148-101.hosted.upshift.rdu2.redhat.com -> ci-vm-10-0-150-88.hosted.upshift.rdu2.redhat.com] => {"attempts": 1, "changed": true, "module_results": {"cmd": "/usr/bin/oc adm manage-node qe-gpei-4node-1 --schedulable=False", "nodes": [{"name": "qe-gpei-4node-1", "schedulable": false}], "results": "NAME STATUS ROLES AGE VERSION\nqe-gpei-4node-1 Ready,SchedulingDisabled compute 2m v1.11.0+d4cacc0\n", "returncode": 0}, "state": "present"}
    ...
    TASK [Restart docker] **********************************************************
    changed: [ci-vm-10-0-148-101.hosted.upshift.rdu2.redhat.com] => {"attempts": 1, "changed": true, "name": "docker", "state": "started", "status": {"ActiveEnterTimestamp": "Sat 2019-11-09 00:40:42 EST", "ActiveEnterTimestampMonotonic": "313678084...
    TASK [restart node] ************************************************************
    changed: [ci-vm-10-0-148-101.hosted.upshift.rdu2.redhat.com] => {"changed": true, "name": "atomic-openshift-node", "state": "started", "status": {"ActiveEnterTimestamp": "Sat 2019-11-09 01:02:59 EST", "ActiveEnterTimestampMonotonic": "1650236299"...
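The manual "day two" workaround the reporter had to run on each 3.11 node (copy the private CA chain into the system trust anchors, run update-ca-trust, restart docker and the node service), written as one script with a check that the chain actually landed in the extracted bundle. This is an added example, not code from the bug report or from openshift-ansible. It assumes the RHEL 7 ca-trust layout (/etc/pki/ca-trust/source/anchors and /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem), takes the service names from the verification log above, and uses the file name org-chain.crt for the anchor, which is an arbitrary choice.

```shell
#!/bin/sh
# Added example (not from the bug report or openshift-ansible): the manual
# day-two steps for trusting a registry route signed by a private CA on an
# OCP 3.11 node. Paths are the RHEL 7 defaults (assumed); service names are
# the ones in the verification log. Run as root:
#   sh trust-registry-ca.sh /path/to/org-chain.pem
set -eu

# ca-certificates layout on RHEL/CentOS 7 (assumed; override via environment).
ANCHOR_DIR="${ANCHOR_DIR:-/etc/pki/ca-trust/source/anchors}"
BUNDLE="${BUNDLE:-/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem}"

# Number of PEM certificates in a file; a chain file usually holds several.
# Prints 0 for a missing or empty file instead of failing.
count_certs() {
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null) || n=0
    echo "${n:-0}"
}

# Print the base64 body of every certificate in a PEM file, one per line,
# so certificates can be compared byte for byte without openssl.
cert_bodies() {
    awk '/-----BEGIN CERTIFICATE-----/ { inb = 1; body = ""; next }
         /-----END CERTIFICATE-----/   { inb = 0; print body; next }
         inb                           { body = body $0 }' "$1"
}

# Succeed only if every certificate of the chain is already in the extracted
# bundle, i.e. update-ca-trust has run since the anchor was added. A chain
# with no parsable certificate never counts as trusted.
ca_in_bundle() {
    chain_bodies=$(cert_bodies "$1") && [ -n "$chain_bodies" ] || return 1
    bundle_bodies=$(cert_bodies "$BUNDLE") || return 1
    for body in $chain_bodies; do
        printf '%s\n' "$bundle_bodies" | grep -qxF -- "$body" || return 1
    done
    return 0
}

# Copy the CA chain into the anchor directory under a stable name and print
# the destination path; update-ca-trust only picks up files placed there.
stage_ca() {
    src="$1"
    dest="$ANCHOR_DIR/${2:-org-chain.crt}"
    [ "$(count_certs "$src")" -gt 0 ] || { echo "no PEM certificates in $src" >&2; return 1; }
    mkdir -p "$ANCHOR_DIR"
    cp "$src" "$dest"
    chmod 0644 "$dest"
    echo "$dest"
}

# The steps the reporter had to run by hand on 3.11; openshift-ansible
# 3.11.154 performs the same ones during node bootstrap.
main() {
    chain="$1"
    if ca_in_bundle "$chain"; then
        echo "every certificate in $chain is already in $BUNDLE"
        return 0
    fi
    stage_ca "$chain" >/dev/null
    update-ca-trust extract
    systemctl restart docker
    systemctl restart atomic-openshift-node
    ca_in_bundle "$chain" || { echo "$chain still not in $BUNDLE" >&2; return 1; }
    echo "trusted: $chain"
}

# Only act when given a chain path, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

The check at the end matters more than it looks: update-ca-trust silently ignores anchors that are not valid PEM, and a node whose docker restarted before the bundle was rebuilt keeps failing the pull with the same x509 error, so confirm the chain is in the extracted bundle before calling the node done.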
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:3817