Bug 1746143 - update-ca-trust required on 3.11 post install with custom CA cert but included in 3.9 install process per openshift_node_certificates playbook
Summary: update-ca-trust required on 3.11 post install with custom CA cert but include...
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.11.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 3.11.z
Assignee: Joseph Callen
QA Contact: Gaoyun Pei
Depends On:
TreeView+ depends on / blocked
Reported: 2019-08-27 18:26 UTC by Benjamin Milne
Modified: 2019-11-18 14:52 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-11-18 14:52:08 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Github openshift openshift-ansible pull 11968 0 'None' closed Bug 1746143: Add CA to system trust 2020-10-23 19:02:54 UTC
Red Hat Product Errata RHBA-2019:3817 0 None None None 2019-11-18 14:52:18 UTC

Description Benjamin Milne 2019-08-27 18:26:09 UTC
Description of problem:
When installing OCP 3.11 with the CA defined as via the following:

openshift_hosted_registry_routecertificates= "{'certfile': '<path>/org-cert.pem', 'keyfile': '<path>/org-privkey.pem', 'cafile': '<path>/org-chain.pem'}"

The user is required to follow the "day two process" outlined here: https://docs.openshift.com/container-platform/3.11/day_two_guide/docker_tasks.html#day-two-guide-managing-docker-certs to allow nodes to trust when this is just a custom CA cert not an external registry.

This was not a problem on 3.9 installations.

We have determined that the steps from the following (3.9) are not performed the same in the new bootstrap process in 3.11.


Actual results:
Customer installs on 3.11 and is required to run update-ca-trust to pull using custom CA from a NON-external registry. This works in 3.9.

Expected results:
Customer does not need to perform any additional tasks to have correct CA trusted.

Comment 8 Gaoyun Pei 2019-11-09 15:22:57 UTC
Verify this bug with openshift-ansible-3.11.154-1.git.0.7a11cbe.el7.noarch.rpm

The required 'Update CA trust' and 'restart docker/node' steps were added during node bootstrap.

TASK [openshift_node : Update CA trust] ****************************************
changed: [ci-vm-10-0-148-101.hosted.upshift.rdu2.redhat.com] => {"changed": true, "cmd": ["update-ca-trust", "extract"], "delta": "0:00:00.521362", "end": "2019-11-09 01:02:43.293125", "rc": 0, "start": "2019-11-09 01:02:42.771763", "stderr": "", "stderr_lines": [], "stdout": "", "stdout_lines": []}


TASK [Mark node unschedulable] *************************************************
changed: [ci-vm-10-0-148-101.hosted.upshift.rdu2.redhat.com -> ci-vm-10-0-150-88.hosted.upshift.rdu2.redhat.com] => {"attempts": 1, "changed": true, "module_results": {"cmd": "/usr/bin/oc adm manage-node qe-gpei-4node-1 --schedulable=False", "nodes": [{"name": "qe-gpei-4node-1", "schedulable": false}], "results": "NAME              STATUS                     ROLES     AGE       VERSION\nqe-gpei-4node-1   Ready,SchedulingDisabled   compute   2m        v1.11.0+d4cacc0\n", "returncode": 0}, "state": "present"}


TASK [Restart docker] **********************************************************
changed: [ci-vm-10-0-148-101.hosted.upshift.rdu2.redhat.com] => {"attempts": 1, "changed": true, "name": "docker", "state": "started", "status": {"ActiveEnterTimestamp": "Sat 2019-11-09 00:40:42 EST", "ActiveEnterTimestampMonotonic": "313678084...

TASK [restart node] ************************************************************
changed: [ci-vm-10-0-148-101.hosted.upshift.rdu2.redhat.com] => {"changed": true, "name": "atomic-openshift-node", "state": "started", "status": {"ActiveEnterTimestamp": "Sat 2019-11-09 01:02:59 EST", "ActiveEnterTimestampMonotonic": "1650236299"...

Comment 11 errata-xmlrpc 2019-11-18 14:52:08 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.