Bug 1781691
| Summary: | Always redeployed docker-registry certificates as "docker-registry-default.router.default.svc.cluster.local" | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Daein Park <dapark> |
| Component: | Installer | Assignee: | aos-install |
| Installer sub component: | openshift-ansible | QA Contact: | Johnny Liu <jialiu> |
| Status: | CLOSED CURRENTRELEASE | Docs Contact: | |
| Severity: | medium | | |
| Priority: | medium | CC: | bleanhar |
| Version: | 3.5.0 | Keywords: | UpcomingSprint |
| Target Milestone: | --- | | |
| Target Release: | 3.11.z | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-08-21 20:23:38 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
To be reviewed as part of https://issues.redhat.com/browse/CORS-1470

Jira issue https://issues.redhat.com/browse/CORS-1470 was not scheduled for the current sprint.

This bug was opened against v3.5 and has already been fixed in v3.10+. https://github.com/openshift/openshift-ansible/pull/8215
Description of problem:

"docker_registry_route_hostname" is always assigned as "docker-registry-default.router.default.svc.cluster.local" when the docker-registry certificates are redeployed, because the "openshift.master.default_subdomain" variable does not exist in openshift_facts or related variables.

e.g.>
"{{ 'docker-registry-default.' ~ (openshift.master.default_subdomain | default('router.default.svc.cluster.local', true)) }}"

* playbooks/common/openshift-cluster/redeploy-certificates/registry.yml
~~~
- set_fact:
    docker_registry_route_hostname: "{{ 'docker-registry-default.' ~ (openshift.master.default_subdomain | default('router.default.svc.cluster.local', true)) }}"
  changed_when: false

- name: Generate registry certificate
  command: >
    {{ openshift.common.client_binary }} adm ca create-server-cert
    --signer-cert={{ openshift.common.config_base }}/master/ca.crt
    --signer-key={{ openshift.common.config_base }}/master/ca.key
    --signer-serial={{ openshift.common.config_base }}/master/ca.serial.txt
    --config={{ mktemp.stdout }}/admin.kubeconfig
    --hostnames="{{ docker_registry_service_ip.results.clusterip }},docker-registry.default.svc.cluster.local,{{ docker_registry_route_hostname }}"
    --cert={{ openshift.common.config_base }}/master/registry.crt
    --key={{ openshift.common.config_base }}/master/registry.key
    {% if openshift_version | oo_version_gte_3_5_or_1_5(openshift.common.deployment_type) | bool %}
    --expire-days={{ openshift_hosted_registry_cert_expire_days | default(730) }}
    {% endif %}
~~~

Version-Release number of the following components:

rpm -q openshift-ansible
openshift-ansible-3.5.110-1.git.0.6f1f193.el7.noarch

rpm -q ansible
ansible-2.3.1.0-3.el7.noarch

ansible --version
ansible 2.3.1.0
  config file = /etc/ansible/ansible.cfg
  configured module search path = Default w/o overrides
  python version = 2.7.5 (default, May 3 2017, 07:55:04) [GCC 4.8.5 20150623 (Red Hat 4.8.5-14)]

How reproducible:

You can always reproduce this issue when you run "/usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/redeploy-registry-certificates.yml".

1. Run the above playbook.
2. Extract "secret/registry-certificates".
   e.g.> # oc extract -n default secret/registry-certificates registry.crt
3. Check the subject alternative name of the new certificate you redeployed.
   e.g.> # openssl x509 -text -noout -in registry.crt | grep "Subject Alternative Name" -A1
   X509v3 Subject Alternative Name:
       DNS:docker-registry-default.router.default.svc.cluster.local, DNS:docker-registry.default.svc.cluster.local, DNS:170.30.1.46, IP Address:172.30.1.46

Steps to Reproduce:
1.
2.
3.

Actual results:

Please include the entire output from the last TASK line through the end of output if an error is generated

The docker-registry certificates are always generated as "docker-registry-default.router.default.svc.cluster.local" regardless of "openshift.master.default_subdomain", because "openshift.master.default_subdomain" does not exist in the playbooks or facts.

Expected results:

If "openshift_master_default_subdomain" is specified in the inventory file, the docker-registry certificates should be issued using that subdomain.

Additional info:

Please attach logs from ansible-playbook with the -vvv flag

I think "openshift.master.default_subdomain" should be changed to "openshift_master_default_subdomain". Then the certificates are issued correctly using the specified subdomain, as follows.

e.g.>
X509v3 Subject Alternative Name:
    DNS:docker-registry-default.apps.example.com, DNS:docker-registry.default.svc.cluster.local, DNS:172.30.133.246, IP Address:172.30.133.246
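The check a cluster admin would want after running the redeploy playbook, as an added example that is not part of the bug report or of openshift-ansible: a POSIX shell script that builds a constructed self-signed certificate carrying the SANs the buggy playbook produces, then tests whether the SAN list covers docker-registry-default.<subdomain> for a given default subdomain. The function names, the fixture hostnames and the IP are assumptions; only openssl (1.1.1 or newer, for -addext) is required.

```shell
#!/bin/sh
# Added example, not from the bug report. Verifies that a registry certificate's
# SAN list contains the route hostname derived from the configured default subdomain.
set -eu

# Return 0 when the certificate's SAN list contains "docker-registry-default.<subdomain>".
# Uses the same openssl/grep approach as the bug report's reproduction steps.
registry_cert_covers_subdomain() {
    cert=$1
    subdomain=$2
    want="DNS:docker-registry-default.${subdomain}"
    openssl x509 -text -noout -in "$cert" \
        | awk '/X509v3 Subject Alternative Name/ { getline; print }' \
        | tr ',' '\n' | sed 's/^ *//' \
        | grep -qxF -- "$want"
}

# Constructed fixture (assumed values): a self-signed cert with exactly the SANs
# the buggy playbook issues, i.e. the fallback route hostname instead of the
# inventory's openshift_master_default_subdomain.
make_buggy_registry_cert() {
    out=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=172.30.1.46" \
        -addext "subjectAltName=DNS:docker-registry-default.router.default.svc.cluster.local,DNS:docker-registry.default.svc.cluster.local,IP:172.30.1.46" \
        -keyout "${out}.key" -out "$out" >/dev/null 2>&1
}

tmp=$(mktemp -d)
make_buggy_registry_cert "$tmp/registry.crt"

# With the bug present, the cert covers the fallback name but not the real subdomain.
if registry_cert_covers_subdomain "$tmp/registry.crt" apps.example.com; then
    echo "OK: registry cert covers docker-registry-default.apps.example.com"
else
    echo "MISMATCH: registry cert does not cover docker-registry-default.apps.example.com"
fi
rm -rf "$tmp"
```

On a real cluster, point registry_cert_covers_subdomain at the registry.crt extracted from secret/registry-certificates and pass the subdomain from your inventory.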