
Bug 1596297

Summary: Cluster router certificate gets copied into the wrong directory
Product: OpenShift Container Platform Reporter: Gabor Burges <gburges>
Component: Installer Assignee: Scott Dodson <sdodson>
Status: CLOSED INSUFFICIENT_DATA QA Contact: Johnny Liu <jialiu>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 3.7.0 CC: aos-bugs, gburges, jokerman, mmccomas, scuppett
Target Milestone: --- Keywords: OpsBlocker
Target Release: 3.7.z Flags: sdodson: needinfo? (gburges)
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-08-23 13:37:36 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Gabor Burges 2018-06-28 14:41:05 UTC
Description of problem: External certificates don't end up in their rightful directory, which messes up the environment upon certificate renewal.

Version-Release number of the following components:
rpm -qa openshift-ansible
rpm -qa ansible
ansible --version
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/home/gburges/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.5 (default, May  3 2017, 07:55:04) [GCC 4.8.5 20150623 (Red Hat 4.8.5-14)]

How reproducible: provision a new cluster with external certificates

Steps to Reproduce:

Actual results:
Please include the entire output from the last TASK line through the end of output if an error is generated

Expected results:

Additional info:
Please attach logs from ansible-playbook with the -vvv flag

The external certs should be in /etc/origin/master/named_certificates/ on the masters after an install (that's where the renewal playbook looks for them, and that's where we monitor them for expiration). However, quite a few of our clusters in OpenShift Online and dedicated environments have them misplaced: the router cert (*.<shard>.<cluster>) and key are in /etc/origin/master/ with the internal certificates. This makes renewal more manual and complicated.

Comment 1 Scott Dodson 2018-07-10 17:20:49 UTC

The installer copies them to /etc/origin/master and as far as I can tell it always has. named_certificates is used for something else. Can the tooling not simply be updated to monitor certificates in two locations?
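
Added example, not part of the original bug thread and not openshift-ansible code: a sketch of an expiry check that covers both directories named above. It assumes the certificates are PEM files ending in `.crt` and that `openssl` is installed; the function name `check_cert_dirs` and the `CERT_DIRS` variable are hypothetical.

```shell
# Added example: flag certificates nearing expiry in both master locations.
# Assumptions: PEM files named *.crt; openssl installed; only the first
# certificate in each file is checked.

# Directories named in this report; override CERT_DIRS (space-separated) to test.
CERT_DIRS="${CERT_DIRS:-/etc/origin/master /etc/origin/master/named_certificates}"

# check_cert_dirs [DAYS]
# Prints "STATUS<TAB>path<TAB>notAfter" per certificate.
# Returns 1 if any certificate expires within DAYS (default 30) or cannot be parsed.
check_cert_dirs() {
    days="${1:-30}"
    secs=$((days * 86400))
    rc=0
    for dir in $CERT_DIRS; do
        [ -d "$dir" ] || continue
        # Glob is non-recursive, so named_certificates/ is not scanned twice.
        for crt in "$dir"/*.crt; do
            [ -f "$crt" ] || continue
            if ! end=$(openssl x509 -in "$crt" -noout -enddate 2>/dev/null); then
                printf 'UNREADABLE\t%s\t-\n' "$crt"
                rc=1
                continue
            fi
            end=${end#notAfter=}
            if openssl x509 -in "$crt" -noout -checkend "$secs" >/dev/null 2>&1; then
                printf 'OK\t%s\t%s\n' "$crt" "$end"
            else
                printf 'EXPIRING\t%s\t%s\n' "$crt" "$end"
                rc=1
            fi
        done
    done
    return "$rc"
}
```

Source the file on a master and call `check_cert_dirs 30`; a non-zero return means at least one certificate in either location needs attention.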


Comment 2 Scott Dodson 2018-08-09 13:14:19 UTC

Is this still an issue?