Bug 1812413 - configuring openid provider, optional argument "ca" is always set in the master-config.yaml
Summary: configuring openid provider, optional argument "ca" is always set in the mast...
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 3.11.z
Assignee: Russell Teague
QA Contact: Johnny Liu
URL:
Whiteboard:
Duplicates: 1733103
Depends On:
Blocks:
 
Reported: 2020-03-11 09:41 UTC by German Parente
Modified: 2023-10-06 19:24 UTC (History)
CC: 5 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-05-26 13:21:18 UTC
Target Upstream Version:
Embargoed:



Description German Parente 2020-03-11 09:41:48 UTC
Description of problem:

Version-Release number of the following components:
rpm -q openshift-ansible
openshift-ansible-3.11.170-2.git.5.8802564.el7.noarch

rpm -q ansible
ansible-2.6.20-1.el7ae.noarch

ansible --version
ansible 2.6.20
  config file = /home/quicklab/ansible.cfg
  configured module search path = [u'/home/quicklab/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.5 (default, Jun 11 2019, 14:33:56) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]


How reproducible: always

Steps to Reproduce: define this variable with no "ca":

openshift_master_identity_providers=[{'name': 'dfs_openid_provider', 'challenge': 'false', 'login': 'true', 'mappingMethod' : 'claim', 'kind': 'OpenIDIdentityProvider', 'claims': {'id': ['unique_name'], 'email': ['email'], 'name': ['name'], 'preferredUsername': ['preferedUserName']}, 'clientID': 'xxx', 'clientSecret': 'yyy',  'urls': { 'authorize' : 'https://example.com/adfs/oauth2/authorize' , 'token' : 'https://example.com/adfs/oauth2/token'}}]

In identity providers we will have this by default:

  identityProviders:
  - challenge: false
    login: true
    mappingMethod: claim
    name: dfs_openid_provider
    provider:
      apiVersion: v1
      ca: /etc/origin/master/dfs_openid_provider_openid_ca.crt
      claims:
        email:
        - email
        id:
        - unique_name
        name:
        - name
        preferredUsername:
        - preferedUserName
      clientID: xxx
      clientSecret: yyy
      kind: OpenIDIdentityProvider
      urls:
        authorize: https://example.com/adfs/oauth2/authorize
        token: https://example.com/adfs/oauth2/token

So, "ca: /etc/origin/master/dfs_openid_provider_openid_ca.crt"

This is similar to bz 1687997 that was closed as not a bug.

However, it seems to me that when we don't specify a ca for the provider at inventory level, it should not be added to the final config in master-config.yaml.

Comment 3 Brenton Leanhardt 2020-05-06 14:04:33 UTC
As I read the code and our documentation it seems clear to me that the 'ca' field is intended to always be set.  Can someone help us understand why the customer does not want to use this file?

My assumption is that their identity provider's certificate was issued by an already trusted, public CA.  Can you confirm?

If that is the case I wouldn't suggest patching openshift-ansible on 3.11 at this point but instead simply placing the already trusted CA in the location the installer wants it.  I'll talk with our maintainers and make sure I'm not over simplifying the situation.
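A preflight check for the situation described in this report, added here as an example; it is not part of openshift-ansible. It parses the openshift_master_identity_providers inventory value (the literal from the report, plus a constructed second provider that sets 'ca' explicitly), reports the 'ca' path each OpenID provider will end up with in master-config.yaml, and tells you whether a loadable PEM CA bundle is already at that path, which is the state comment 3 asks the customer to reach. The default path pattern /etc/origin/master/<name>_openid_ca.crt is an assumption generalised from the single provider name shown above; verify_endpoint is an online check that is not exercised offline.

```python
"""Preflight for openshift_master_identity_providers on OpenShift 3.11.

Added example, not openshift-ansible code. ASSUMPTION: when 'ca' is omitted the
installer writes /etc/origin/master/<name>_openid_ca.crt, generalised from the
one provider name in this report.
"""
import ast
import os
import socket
import ssl
from urllib.parse import urlsplit

OPENID_CA_DIR = "/etc/origin/master"

# First entry is the inventory value from the report (no 'ca' key); the second is
# a constructed provider that sets 'ca' explicitly, for contrast.
INVENTORY_VALUE = """[{'name': 'dfs_openid_provider', 'challenge': 'false', 'login': 'true',
  'mappingMethod' : 'claim', 'kind': 'OpenIDIdentityProvider',
  'claims': {'id': ['unique_name'], 'email': ['email'], 'name': ['name'],
             'preferredUsername': ['preferedUserName']},
  'clientID': 'xxx', 'clientSecret': 'yyy',
  'urls': { 'authorize' : 'https://example.com/adfs/oauth2/authorize' ,
            'token' : 'https://example.com/adfs/oauth2/token'}},
 {'name': 'other_openid', 'kind': 'OpenIDIdentityProvider',
  'ca': '/etc/origin/master/other-ca.pem',
  'clientID': 'aaa', 'clientSecret': 'bbb',
  'urls': {'authorize': 'https://idp.example.org/authorize',
           'token': 'https://idp.example.org/token'}}]"""


def parse_inventory_value(text):
    """The inventory variable is a Python-literal list of dicts; literal_eval parses
    it without evaluating arbitrary code."""
    providers = ast.literal_eval(text)
    if not isinstance(providers, list):
        raise ValueError("openshift_master_identity_providers must be a list")
    return providers


def default_openid_ca_path(name):
    # Pattern observed in the master-config.yaml quoted in this bug (assumption for other names).
    return os.path.join(OPENID_CA_DIR, f"{name}_openid_ca.crt")


def ca_file_status(path):
    """'missing' | 'invalid' | 'ok'. Loads the file through OpenSSL as a CA bundle
    rather than just grepping for BEGIN CERTIFICATE, so a truncated or non-PEM
    file is caught before the master tries to use it."""
    if not os.path.isfile(path):
        return "missing"
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=path)
    except ssl.SSLError:
        return "invalid"
    return "ok"


def plan(providers, root="/"):
    """For each OpenID provider: the 'ca' path master-config.yaml will carry, where it
    came from, and whether a usable bundle exists at that path under 'root'."""
    rows = []
    for p in providers:
        if p.get("kind") != "OpenIDIdentityProvider":
            continue
        if p.get("ca"):
            ca, source = p["ca"], "inventory"
        else:
            ca, source = default_openid_ca_path(p["name"]), "installer default"
        on_disk = os.path.join(root, ca.lstrip("/"))
        rows.append({"name": p["name"], "ca": ca, "source": source,
                     "status": ca_file_status(on_disk)})
    return rows


def verify_endpoint(url, cafile, timeout=5.0):
    """Online check: does the bundle at 'cafile' (and nothing else) validate the
    provider's TLS endpoint? Returns the peer subject, or raises
    ssl.SSLCertVerificationError if the placed CA does not chain to the IdP cert."""
    parts = urlsplit(url)
    host, port = parts.hostname, parts.port or 443
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # check_hostname and CERT_REQUIRED by default
    ctx.load_verify_locations(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["subject"]


# System bundle path, or None when no such file exists; this is where the
# "already trusted, public CA" from comment 3 would normally be copied from.
SYSTEM_CA_BUNDLE = ssl.get_default_verify_paths().cafile

if __name__ == "__main__":
    for row in plan(parse_inventory_value(INVENTORY_VALUE)):
        print(f"{row['name']}: ca={row['ca']} ({row['source']}) -> {row['status']}")
```

Run it on the master (or point root at a copied /etc/origin tree) before re-running the config playbook; a "missing" row for a provider whose IdP uses a public CA is exactly the case where copying the relevant public CA to the reported path, then confirming with verify_endpoint against the provider's token URL, avoids patching the installer.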

Comment 6 Brenton Leanhardt 2020-05-12 19:29:33 UTC
*** Bug 1733103 has been marked as a duplicate of this bug. ***

