Bug 1596297 - Cluster router certificate gets copied into the wrong directory [NEEDINFO]
Summary: Cluster router certificate gets copied into the wrong directory
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.7.0
Hardware: All
OS: Linux
Target Milestone: ---
: 3.7.z
Assignee: Scott Dodson
QA Contact: Johnny Liu
Depends On:
Reported: 2018-06-28 14:41 UTC by Gabor Burges
Modified: 2018-08-23 13:37 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2018-08-23 13:37:36 UTC
Target Upstream Version:
sdodson: needinfo? (gburges)


Description Gabor Burges 2018-06-28 14:41:05 UTC
Description of problem: external certificates don't end up in their rightful directory, messes up the environment upon certificate renewal

Version-Release number of the following components:
rpm -qa openshift-ansible
rpm -qa ansible
ansible --version
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/home/gburges/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.5 (default, May  3 2017, 07:55:04) [GCC 4.8.5 20150623 (Red Hat 4.8.5-14)]

How reproducible: provision a new cluster with external certificates

Steps to Reproduce:

Actual results:
Please include the entire output from the last TASK line through the end of output if an error is generated

Expected results:

Additional info:
Please attach logs from ansible-playbook with the -vvv flag

The external certs should be in /etc/origin/master/named_certificates/ on the masters after an install (that's where the renewal playbook looks for it, and that's where we monitor them for expiration). However, quite a few of our clusters in OpenShift Online and dedicated environments are having it misplaced: the router cert (*.<shard>.<cluster>) and key are in /etc/origin/master/ with the internal certificates. This makes renewal more manual and complicated.

Comment 1 Scott Dodson 2018-07-10 17:20:49 UTC

The installer copies them to /etc/origin/master and as far as I can tell it always has. named_certificates is used for something else. Can the tooling not simply be updated to monitor certificates in two locations?
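
The two-location monitoring suggested in Comment 1, as an added example that is not part of the bug report or of openshift-ansible: a shell function that reports certificate expiry for every directory it is given. The 30-day threshold and the `*.crt` / `*.pem` file naming are assumptions.

```shell
#!/bin/sh
# Added example: report certificate expiry across several directories.
# The directories in the usage line are the two named in this bug report;
# the 30-day threshold and the *.crt / *.pem naming are assumptions.

# scan_cert_dirs DAYS DIR...
# Prints one line per certificate found: STATUS<TAB>notAfter<TAB>path
# STATUS is OK, EXPIRING (expired or expiring within DAYS) or UNREADABLE.
# Directories are not searched recursively, so a parent and its
# subdirectory can both be listed without double-reporting.
scan_cert_dirs() (
    days=$1; shift
    secs=$((days * 86400))
    for dir in "$@"; do
        [ -d "$dir" ] || { printf 'MISSING_DIR\t-\t%s\n' "$dir"; continue; }
        for f in "$dir"/*.crt "$dir"/*.pem; do
            [ -f "$f" ] || continue    # glob matched nothing
            # Skip PEM files that hold no certificate (for example, keys).
            grep -q -e '-----BEGIN CERTIFICATE-----' "$f" || continue
            # Only the first certificate in a bundle is examined.
            end=$(openssl x509 -noout -enddate -in "$f" 2>/dev/null) || {
                printf 'UNREADABLE\t-\t%s\n' "$f"; continue; }
            end=${end#notAfter=}
            # -checkend exits 0 when the cert is still valid SECS from now.
            if openssl x509 -noout -checkend "$secs" -in "$f" >/dev/null 2>&1; then
                status=OK
            else
                status=EXPIRING
            fi
            printf '%s\t%s\t%s\n' "$status" "$end" "$f"
        done
    done
)

# Usage:
#   sh check_certs.sh 30 /etc/origin/master /etc/origin/master/named_certificates
if [ "$#" -gt 0 ]; then
    scan_cert_dirs "$@"
fi
```
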


Comment 2 Scott Dodson 2018-08-09 13:14:19 UTC

Is this still an issue?
