
custom SSL cert option 2 should add info about CAfile

Open ikke-t opened this issue 7 years ago • 5 comments

This doc, custom_certificates.adoc, has a chapter http://v1.uncontained.io/playbooks/installation/custom_certificates.html#option-2-configuring-openshift-to-use-component-specific-custom-certificates which instructs how to put a custom cert on the API. It instructs you to pass the CA cert as a parameter. I think this is not right in all cases.

If you have a proper cert, e.g. letsencrypt or digisign, the CA is already known. On OCP/RHEL hosts the CA is already in the /etc/ssl/certs/ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem file. So why does the instruction ask for a CA file in such a case, and what would it do with it?

Should the guidance say that in the case of an official certificate (vs. self-signed) you can leave out the cafile option?

ikke-t avatar Feb 02 '18 10:02 ikke-t

I found that the official OCP doc mentions the CA file as optional:

https://docs.openshift.com/container-platform/3.7/install_config/certificate_customization.html

"
# An optional CA may be specified for each named certificate. CAs will
# be added to the OpenShift CA bundle which allows for the named
# certificate to be served for internal cluster communication.
"

This should be mentioned here too.

ikke-t avatar Feb 02 '18 10:02 ikke-t

@ikke-t - can you file an issue here? https://github.com/openshift/openshift-docs. I can then follow up and get the docs fixed for this issue and the others you mentioned in the openshift-sme list.

vikram-redhat avatar Feb 02 '18 11:02 vikram-redhat

Vikram: https://github.com/openshift/openshift-docs/issues/7495

ikke-t avatar Feb 02 '18 11:02 ikke-t

@ikke-t looking at the doc, I believe what you are saying is that we are including a CAfile in the configuration parameters:

openshift_master_named_certificates=[{"certfile": "/path/to/console.ocp-c1.myorg.com.crt", "keyfile": "/path/to/console.ocp-c1.myorg.com.key", "names": ["console.ocp-c1.myorg.com"], "cafile": "/path/to/console.ocp-c1.myorg.com.ca.crt"}]

And you're right, the CAfile is optional in the case that you have a publicly signed certificate from a commonly known CA. We should add this in a callout below that code block. Would that make sense?

etsauer avatar Feb 21 '18 00:02 etsauer
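As an added example (not code from the openshift-playbooks repo or from the OpenShift docs), the following POSIX shell script makes the distinction in this thread testable on a host: it uses `openssl verify` to check whether the certificate already chains to the host trust bundle ikke-t mentions, and emits the `openshift_master_named_certificates` entry with the `cafile` key only when it does not. The bundle path is the one quoted in the issue; the private CAs and the leaf certificate for console.ocp-c1.myorg.com are a constructed throwaway fixture so the check runs offline; and the decision rule (include cafile only for an issuer the host does not already trust) is this example's own reading of the thread, not something the playbook enforces.

```shell
#!/bin/sh
# Added example for this issue; not code from openshift-playbooks or OpenShift.
# Decides whether the "cafile" key of openshift_master_named_certificates is
# worth setting: it only adds something when the host trust bundle (path quoted
# in the issue) does not already contain the CA that issued the certificate.
set -eu

# Host trust bundle named in the issue; override with TRUST_BUNDLE=... elsewhere.
TRUST_BUNDLE="${TRUST_BUNDLE:-/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem}"

# needs_cafile CERT [BUNDLE]
# Returns 0 (true) when CERT does NOT chain to BUNDLE, i.e. a cafile would be
# needed; returns 1 when the issuer is already trusted by that bundle.
# -no-CApath stops openssl from silently consulting the default cert dir too.
needs_cafile() {
  cert="$1"
  bundle="${2:-$TRUST_BUNDLE}"
  if openssl verify -no-CApath -CAfile "$bundle" "$cert" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# inventory_entry CERT KEY HOSTNAME CAFILE [BUNDLE]
# Prints the inventory line from the thread, adding "cafile" only when needed.
inventory_entry() {
  cert="$1"; key="$2"; name="$3"; cafile="$4"; bundle="${5:-$TRUST_BUNDLE}"
  entry="{\"certfile\": \"$cert\", \"keyfile\": \"$key\", \"names\": [\"$name\"]"
  if needs_cafile "$cert" "$bundle"; then
    entry="$entry, \"cafile\": \"$cafile\""
  fi
  printf 'openshift_master_named_certificates=[%s}]\n' "$entry"
}

# make_demo_pki DIR
# Constructed fixture: two unrelated private CAs ("ca" and "other-ca") and a
# leaf cert for console.ocp-c1.myorg.com (hostname from the issue) signed by
# "ca". A private config file is used so the result does not depend on the
# host's openssl.cnf.
make_demo_pki() {
  dir="$1"
  mkdir -p "$dir"
  cat > "$dir/demo.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  for ca in ca other-ca; do
    openssl req -x509 -config "$dir/demo.cnf" -extensions v3_ca \
      -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=Demo $ca" \
      -keyout "$dir/$ca.key" -out "$dir/$ca.crt" >/dev/null 2>&1
  done
  openssl req -new -config "$dir/demo.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=console.ocp-c1.myorg.com" \
    -keyout "$dir/console.key" -out "$dir/console.csr" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 1 -in "$dir/console.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/console.crt" >/dev/null 2>&1
}

# Demo: run with "demo" as the first argument to see both outcomes.
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  make_demo_pki "$d"
  echo "# bundle without our CA -> cafile kept:"
  inventory_entry "$d/console.crt" "$d/console.key" console.ocp-c1.myorg.com "$d/ca.crt" "$d/other-ca.crt"
  echo "# bundle containing our CA -> cafile dropped:"
  inventory_entry "$d/console.crt" "$d/console.key" console.ocp-c1.myorg.com "$d/ca.crt" "$d/ca.crt"
fi
```

Run it with the `demo` argument to see both outcomes, or call `needs_cafile /path/to/console.crt` on a real host to test against the bundle path from the issue. If the certfile also carries intermediate certificates, hand them to `openssl verify` with `-untrusted` (or verify the bare leaf), since the question is whether the issuing chain is trusted, not the leaf by itself. Whatever the check says, the OpenShift doc quoted above describes cafile as optional rather than rejected, so the cost of an unnecessary cafile is confusion, not breakage.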

If I am not mistaken, it's not even optional but totally ignored. So if I'm right, it should be removed from the example so as not to confuse anyone.


ikke-t avatar Feb 21 '18 07:02 ikke-t