Description of problem:

Version-Release number of the following components:

rpm -q openshift-ansible
openshift-ansible-3.11.170-2.git.5.8802564.el7.noarch

rpm -q ansible
ansible-2.6.20-1.el7ae.noarch

ansible --version
ansible 2.6.20
  config file = /home/quicklab/ansible.cfg
  configured module search path = [u'/home/quicklab/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.5 (default, Jun 11 2019, 14:33:56) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]

How reproducible: always

Steps to Reproduce:
Define this variable with no "ca":

openshift_master_identity_providers=[{'name': 'dfs_openid_provider', 'challenge': 'false', 'login': 'true', 'mappingMethod' : 'claim', 'kind': 'OpenIDIdentityProvider', 'claims': {'id': ['unique_name'], 'email': ['email'], 'name': ['name'], 'preferredUsername': ['preferedUserName']}, 'clientID': 'xxx', 'clientSecret': 'yyy', 'urls': { 'authorize' : 'https://example.com/adfs/oauth2/authorize' , 'token' : 'https://example.com/adfs/oauth2/token'}}]

In identityProviders we will have this by default:

identityProviders:
- challenge: false
  login: true
  mappingMethod: claim
  name: dfs_openid_provider
  provider:
    apiVersion: v1
    ca: /etc/origin/master/dfs_openid_provider_openid_ca.crt
    claims:
      email:
      - email
      id:
      - unique_name
      name:
      - name
      preferredUsername:
      - preferedUserName
    clientID: xxx
    clientSecret: yyy
    kind: OpenIDIdentityProvider
    urls:
      authorize: https://example.com/adfs/oauth2/authorize
      token: https://example.com/adfs/oauth2/token

So, "ca: /etc/origin/master/dfs_openid_provider_openid_ca.crt" is added.

This is similar to bz 1687997, which was closed as not a bug. However, it seems to me that when we don't specify a ca in the provider at inventory level, it should not be added in the final config in master-config.yaml.
As I read the code and our documentation it seems clear to me that the 'ca' field is intended to always be set. Can someone help us understand why the customer does not want to use this file? My assumption is that their identity provider's certificate was issued by an already trusted, public CA. Can you confirm? If that is the case I wouldn't suggest patching openshift-ansible on 3.11 at this point but instead simply placing the already trusted CA in the location the installer wants it. I'll talk with our maintainers and make sure I'm not oversimplifying the situation.
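The practical risk in this thread is a master-config.yaml entry whose `ca` path points at a file nobody placed, so OpenID logins fail TLS verification against the provider. The following is an added example, not code from this bug report or from openshift-ansible: it mirrors the rendering the report shows (an inventory entry with no `ca` gets `/etc/origin/master/<name>_openid_ca.crt`, a pattern inferred from the rendered YAML above, not the installer's own template) and then audits the rendered entry the way an operator would before restarting the master: does the referenced CA file exist and does it hold at least one PEM certificate? The inventory entry, the directory and the PEM bytes are all constructed for the demo; the statement that an empty `ca` falls back to system trust is an assumption about the API server's behaviour.

```python
"""Render an OpenID identityProviders entry the way the bug report shows the
installer doing it, then audit the CA file it references.  Added example;
not openshift-ansible code."""
import os
import tempfile

# Directory seen in the report's rendered master-config.yaml.
DEFAULT_CA_DIR = "/etc/origin/master"

# Constructed inventory entry, deliberately without a 'ca' key (as in the report).
SAMPLE_INVENTORY = {
    "name": "dfs_openid_provider",
    "challenge": "false",
    "login": "true",
    "mappingMethod": "claim",
    "kind": "OpenIDIdentityProvider",
    "claims": {"id": ["unique_name"], "email": ["email"],
               "name": ["name"], "preferredUsername": ["preferedUserName"]},
    "clientID": "xxx",
    "clientSecret": "yyy",
    "urls": {"authorize": "https://example.com/adfs/oauth2/authorize",
             "token": "https://example.com/adfs/oauth2/token"},
}

# Constructed placeholder PEM: only the markers matter for this audit.
CONSTRUCTED_PEM = (b"-----BEGIN CERTIFICATE-----\n"
                   b"PLACEHOLDERBASE64DATA\n"
                   b"-----END CERTIFICATE-----\n")


def render_openid_provider(inv, ca_dir=DEFAULT_CA_DIR):
    """Build the identityProviders entry as master-config.yaml would carry it.
    The default 'ca' path (<name>_openid_ca.crt under ca_dir) is inferred from
    the report's output; this function approximates, not reproduces, the
    installer's template."""
    provider = {
        "apiVersion": "v1",
        "kind": inv["kind"],
        "claims": inv["claims"],
        "clientID": inv["clientID"],
        "clientSecret": inv["clientSecret"],
        "urls": inv["urls"],
        # Inventory value wins; otherwise the installer-style default is filled in.
        "ca": inv.get("ca") or os.path.join(ca_dir, inv["name"] + "_openid_ca.crt"),
    }
    return {
        "name": inv["name"],
        "challenge": inv["challenge"] == "true",   # inventory strings become YAML booleans
        "login": inv["login"] == "true",
        "mappingMethod": inv["mappingMethod"],
        "provider": provider,
    }


def audit_ca(entry):
    """Return a list of findings about the CA the rendered entry references.
    An empty list means the file exists and contains at least one PEM cert."""
    findings = []
    ca = entry["provider"].get("ca")
    if not ca:
        # Assumption: with no 'ca', the API server verifies the provider
        # against the system trust store only.
        findings.append("no 'ca' set: provider TLS is verified against system trust only")
        return findings
    if not os.path.isfile(ca):
        findings.append("ca file %s does not exist; OpenID logins would fail TLS verification" % ca)
        return findings
    with open(ca, "rb") as fh:
        data = fh.read()
    if b"-----BEGIN CERTIFICATE-----" not in data:
        findings.append("ca file %s contains no PEM certificate" % ca)
    return findings


def run_demo():
    """Render the constructed inventory into a throwaway directory and audit
    it twice: before and after the trusted CA bundle is placed at the path
    the installer expects (the fix the maintainer suggests above)."""
    tmp = tempfile.mkdtemp()
    entry = render_openid_provider(SAMPLE_INVENTORY, ca_dir=tmp)
    before = audit_ca(entry)
    with open(entry["provider"]["ca"], "wb") as fh:
        fh.write(CONSTRUCTED_PEM)
    after = audit_ca(entry)
    return entry, before, after


if __name__ == "__main__":
    rendered, missing, placed = run_demo()
    print("rendered ca path:", rendered["provider"]["ca"])
    print("findings before placing CA:", missing)
    print("findings after placing CA:", placed)
```

Run it as a script to see the rendered path and the two audit results; the same `audit_ca` check can be pointed at a real master-config.yaml entry once it has been loaded with a YAML parser.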
*** Bug 1733103 has been marked as a duplicate of this bug. ***