Description of problem:

"docker_registry_route_hostname" is always assigned as "docker-registry-default.router.default.svc.cluster.local" when docker-registry certificates are redeployed, because the "openshift.master.default_subdomain" variable does not exist in openshift_facts or related variables.

e.g.> "{{ 'docker-registry-default.' ~ (openshift.master.default_subdomain | default('router.default.svc.cluster.local', true)) }}"

* playbooks/common/openshift-cluster/redeploy-certificates/registry.yml
~~~
- set_fact:
    docker_registry_route_hostname: "{{ 'docker-registry-default.' ~ (openshift.master.default_subdomain | default('router.default.svc.cluster.local', true)) }}"
  changed_when: false

- name: Generate registry certificate
  command: >
    {{ openshift.common.client_binary }} adm ca create-server-cert
    --signer-cert={{ openshift.common.config_base }}/master/ca.crt
    --signer-key={{ openshift.common.config_base }}/master/ca.key
    --signer-serial={{ openshift.common.config_base }}/master/ca.serial.txt
    --config={{ mktemp.stdout }}/admin.kubeconfig
    --hostnames="{{ docker_registry_service_ip.results.clusterip }},docker-registry.default.svc.cluster.local,{{ docker_registry_route_hostname }}"
    --cert={{ openshift.common.config_base }}/master/registry.crt
    --key={{ openshift.common.config_base }}/master/registry.key
    {% if openshift_version | oo_version_gte_3_5_or_1_5(openshift.common.deployment_type) | bool %}
    --expire-days={{ openshift_hosted_registry_cert_expire_days | default(730) }}
    {% endif %}
~~~

Version-Release number of the following components:

rpm -q openshift-ansible
openshift-ansible-3.5.110-1.git.0.6f1f193.el7.noarch

rpm -q ansible
ansible-2.3.1.0-3.el7.noarch

ansible --version
ansible 2.3.1.0
  config file = /etc/ansible/ansible.cfg
  configured module search path = Default w/o overrides
  python version = 2.7.5 (default, May 3 2017, 07:55:04) [GCC 4.8.5 20150623 (Red Hat 4.8.5-14)]

How reproducible:

You can always reproduce this issue when you run "/usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/redeploy-registry-certificates.yml".

Steps to Reproduce:
1. Run the above playbook.
2. Extract "secret/registry-certificates", e.g.>
   # oc extract -n default secret/registry-certificates registry.crt
3. Check the subject alternative name of the new certificate you redeployed, e.g.>
   # openssl x509 -text -noout -in registry.crt | grep "Subject Alternative Name" -A1
   X509v3 Subject Alternative Name:
       DNS:docker-registry-default.router.default.svc.cluster.local, DNS:docker-registry.default.svc.cluster.local, DNS:170.30.1.46, IP Address:172.30.1.46

Actual results:

The docker-registry certificates are always generated for "docker-registry-default.router.default.svc.cluster.local" regardless of "openshift.master.default_subdomain", because "openshift.master.default_subdomain" does not exist in the playbooks or facts.

Expected results:

If "openshift_master_default_subdomain" is specified in the inventory file, the docker-registry certificates should be issued using that subdomain.

Additional info:

I think "openshift.master.default_subdomain" should be changed to "openshift_master_default_subdomain". Then the certificates are issued correctly for the specified subdomain, as follows.

e.g.>
   X509v3 Subject Alternative Name:
       DNS:docker-registry-default.apps.example.com, DNS:docker-registry.default.svc.cluster.local, DNS:172.30.133.246, IP Address:172.30.133.246
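An added check, not part of this bug report or of openshift-ansible, that parses the "Subject Alternative Name" excerpt from `openssl x509 -text` as shown above and compares it with the hostnames the inventory's openshift_master_default_subdomain implies, so a redeploy that silently fell back to the router subdomain is caught. The certificate excerpts, inventory dict and cluster IP are constructed samples.

```python
import re

# Subdomain the playbook falls back to when the variable it reads is undefined.
FALLBACK_SUBDOMAIN = "router.default.svc.cluster.local"

# Constructed `openssl x509 -text` excerpt for a registry.crt produced by the
# buggy playbook while the inventory sets openshift_master_default_subdomain.
BUGGY_CERT_TEXT = """\
        X509v3 Subject Alternative Name:
            DNS:docker-registry-default.router.default.svc.cluster.local, DNS:docker-registry.default.svc.cluster.local, DNS:172.30.1.46, IP Address:172.30.1.46
"""

# Constructed excerpt for a cert issued after the variable name was corrected.
FIXED_CERT_TEXT = """\
        X509v3 Subject Alternative Name:
            DNS:docker-registry-default.apps.example.com, DNS:docker-registry.default.svc.cluster.local, DNS:172.30.1.46, IP Address:172.30.1.46
"""

INVENTORY = {"openshift_master_default_subdomain": "apps.example.com"}  # constructed

def parse_san(openssl_text):
    """Return the SAN entries of an `openssl x509 -text` dump as a set of strings."""
    m = re.search(r"X509v3 Subject Alternative Name:\s*([^\n]+)", openssl_text)
    if not m:
        return set()
    return {entry.strip() for entry in m.group(1).split(",")}

def expected_san(inventory, clusterip):
    """SAN entries the registry cert must carry, derived from the inventory
    variable the playbook should read (openshift_master_default_subdomain)."""
    subdomain = inventory.get("openshift_master_default_subdomain", FALLBACK_SUBDOMAIN)
    return {
        "DNS:docker-registry-default." + subdomain,
        "DNS:docker-registry.default.svc.cluster.local",
        "IP Address:" + clusterip,
    }

def check_registry_cert(openssl_text, inventory, clusterip):
    """Report which expected SAN entries are missing and whether the cert
    carries the fallback route hostname, the symptom described in this bug."""
    san = parse_san(openssl_text)
    missing = sorted(expected_san(inventory, clusterip) - san)
    fallback_present = ("DNS:docker-registry-default." + FALLBACK_SUBDOMAIN) in san
    return {"missing": missing, "fallback_hostname_present": fallback_present}

if __name__ == "__main__":
    for name, text in (("buggy", BUGGY_CERT_TEXT), ("fixed", FIXED_CERT_TEXT)):
        print(name, check_registry_cert(text, INVENTORY, "172.30.1.46"))
```

Run it against the real `openssl x509 -text -noout -in registry.crt` output after a redeploy; a non-empty "missing" list or fallback_hostname_present=True means the route hostname was not taken from the inventory.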
To be reviewed as part of https://issues.redhat.com/browse/CORS-1470
Jira issue https://issues.redhat.com/browse/CORS-1470 was not scheduled for the current sprint.
This bug was opened against v3.5 and has already been fixed in v3.10+. https://github.com/openshift/openshift-ansible/pull/8215