Allow setting certificates validity period during installation #3581
Current state/open questions:
1.5 packages haven't been created yet afaik. I can get you configuration for testing 3.5 internally.
This can be accomplished using a host-level variable. For example,
We have an internal variable for configuring external etcd CA validity.
This process uses the same code updated here, so I expect that no changes will be required.
Adding these variables to https://github.com/openshift/openshift-ansible/blob/master/inventory/byo/hosts.ose.example with a small explanation will be a good start.
Curious about default setting and the value for the default expiry days.
@@ -73,6 +73,9 @@ | |||
--hostnames="{{ docker_registry_service_ip.results.clusterip }},docker-registry.default.svc.cluster.local,{{ docker_registry_route_hostname }}" | |||
--cert={{ openshift.common.config_base }}/master/registry.crt | |||
--key={{ openshift.common.config_base }}/master/registry.key | |||
{% if openshift.common.version_gte_3_5_or_1_5 | bool %} | |||
--expire-days={{ openshift_registry_cert_expire_days | default(730) }} |
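Review bot: the --expire-days line falls back to an inline default(730) instead of a variable declared in a role defaults file, so the registry certificate lifetime is the one expiry setting that is not defined beside the other *_cert_expire_days variables; since this task lives in a playbook rather than a role, at least document openshift_registry_cert_expire_days in the example inventory next to them. The version_gte_3_5_or_1_5 guard is right because older releases reject the flag, but the hunk ends inside the {% if %} block, so confirm the matching {% endif %} follows directly and that the command still renders cleanly without the flag on older versions.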
I think we issue 1 year certs now, you're suggesting a 2 year default expiry here. Do we have it defined somewhere how long we want certs to be valid for?
Below, in some vars files I'm seeing defaults for expire days being set.
roles/openshift_ca/vars/main.yml
+openshift_ca_cert_expire_days: 1825
+openshift_master_cert_expire_days: 730
roles/openshift_master_certificates/vars/main.yml
+openshift_master_cert_expire_days: 730
roles/openshift_node_certificates/vars/main.yml
+openshift_node_cert_expire_days: 730
But here you are using default(730) in case openshift_registry_cert_expire_days is not defined. Should that not also be added to a role's vars/ or defaults/ file?
> I think we issue 1 year certs now, you're suggesting a 2 year default expiry here.
I'm using oadm ca default values here. How is it possible that the ansible installer uses 1-year certificates and at the same time uses oadm with its default values of 2 (and 5) years? It's only possible if a) we have a modified oadm for some reason or b) we're generating certs manually somewhere.
> But here you are using default(730) in case openshift_registry_cert_expire_days is not defined. Should that not also be added to a role's vars/ or defaults/ file?
I'm setting default values for roles, but here it's impossible because it's not a role but just a playbook, so I'm using an explicit default() here. Do you know how it can be improved?
No idea how to improve that. Thanks for explaining!
@@ -88,7 +88,7 @@ | |||
# This should NOT replace the CA due to --overwrite=false when a CA already exists. | |||
- name: Create the master certificates if they do not already exist | |||
command: > | |||
{{ hostvars[openshift_ca_host].openshift.common.client_binary }} adm create-master-certs | |||
{{ hostvars[openshift_ca_host].openshift.common.client_binary }} adm ca create-master-certs |
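Review bot: the command line moves from adm create-master-certs to adm ca create-master-certs; the comment above the task relies on --overwrite=false to keep an existing CA untouched, so confirm the ca subcommand form accepts that flag with the same semantics before merging. Also note that, unlike the --expire-days addition elsewhere in this change, this spelling is not gated on version_gte_3_5_or_1_5, so every supported client_binary on openshift_ca_host must already expose the ca subcommand.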
Just curious, did this not work in the past without the ca sub-sub command there?
There was a warning about using deprecated command.
👍
Force-pushed from 295ab3c to 436cf09
Ok, I've updated the code and tested it against OSE v3.5 on RHEL. It works fine on 1 node with embedded etcd. I was checking the expiration dates of all
@mfojtik Is it still in the scope of my task? Technically it's not because these certificates are generated by
These changes LGTM.
All are covered here afaict.
QE will pick up when we move our cluster lifecycle card to complete.
There is a separate playbook for rolling CA redeployment
@php-coder said
If you want a thorough test of the new deployment I suggest you use the cert expiry checker we have now. Using your existing inventory file you can run:
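Two comments in this thread, the one explaining that oadm ca's own defaults are 730 days for leaf certificates and 1825 for the signer, and the one just above pointing at the cert expiry checker, come together in the following Go program. It is an added example written for this page, not code from openshift-ansible or origin and not the checker command that belonged after "you can run:": it applies the two lifetimes the way --signer-expire-days and --expire-days do (NotAfter = NotBefore + N days), reports validity and days remaining as a per-certificate checker would, and then shows the case such a checker misses, a leaf whose signer expires first. The signer CN, the registry hostname (taken from the --hostnames list in the first hunk) and all function and constant names are this example's own choices.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Lifetimes the thread settles on (oadm ca defaults: signer 5 years, leaf 2 years).
// The constant names, the signer CN and the hostname are this example's own.
const (
	DefaultSignerExpireDays = 1825 // --signer-expire-days
	DefaultCertExpireDays   = 730  // --expire-days
	day                     = 24 * time.Hour
	registryHost            = "docker-registry.default.svc.cluster.local"
)

// sign creates tmpl signed by parent with priv (self-signed when parent == tmpl).
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Issue builds a self-signed signer valid for signerDays and a registry server
// certificate signed by it valid for certDays, i.e. NotAfter = NotBefore + N days.
func Issue(notBefore time.Time, signerDays, certDays int) (signer, leaf *x509.Certificate, err error) {
	signerKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signerTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "openshift-signer"},
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(time.Duration(signerDays) * day),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	if signer, err = sign(signerTmpl, signerTmpl, &signerKey.PublicKey, signerKey); err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: registryHost},
		DNSNames:     []string{registryHost},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(time.Duration(certDays) * day),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if leaf, err = sign(leafTmpl, signer, &leafKey.PublicKey, signerKey); err != nil {
		return nil, nil, err
	}
	return signer, leaf, nil
}

// ValidityDays is the lifetime the flag set; DaysRemaining is what a per-certificate
// expiry checker reports: whole days until NotAfter, negative once expired.
func ValidityDays(c *x509.Certificate) int                 { return int(c.NotAfter.Sub(c.NotBefore) / day) }
func DaysRemaining(c *x509.Certificate, now time.Time) int { return int(c.NotAfter.Sub(now) / day) }

// EffectiveExpiry is when the leaf really stops working: the earlier of its own
// NotAfter and the signer's, because the chain fails as soon as the signer expires.
func EffectiveExpiry(signer, leaf *x509.Certificate) time.Time {
	if signer.NotAfter.Before(leaf.NotAfter) {
		return signer.NotAfter
	}
	return leaf.NotAfter
}

// Verify checks that the leaf chains to the signer for registryHost at the given instant.
func Verify(signer, leaf *x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(signer)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at, DNSName: registryHost})
	return err
}

func main() {
	start := time.Date(2017, 3, 1, 0, 0, 0, 0, time.UTC)
	at := start.Add(400 * day) // inside the leaf's 730 days in both runs below
	// Defaults first, then a signer shorter than its leaves: the leaf still reports
	// 330 days left at day 400, yet it no longer verifies.
	for _, signerDays := range []int{DefaultSignerExpireDays, 365} {
		signer, leaf, err := Issue(start, signerDays, DefaultCertExpireDays)
		if err != nil {
			panic(err)
		}
		fmt.Printf("signer %d days: leaf reports %d days left, usable until %s, verify: %v\n",
			ValidityDays(signer), DaysRemaining(leaf, at), EffectiveExpiry(signer, leaf).Format("2006-01-02"), Verify(signer, leaf, at))
	}
}
```

go run prints two lines; the second shows a verification error at day 400 while the leaf itself still reports 330 days remaining. That gap is the reason the signer default is longer than the leaf default, and the reason an expiry check should look at the signer that issued each certificate and not only at the certificate's own NotAfter.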
Force-pushed from 436cf09 to 3b87f81
[merge]
[test]ing while waiting on the merge queue
aos-ci-test
3b87f81 - State: success - All Test Contexts: aos-ci-jenkins/OS_unit_tests - Logs: https://aos-ci.s3.amazonaws.com/openshift/openshift-ansible/jenkins-openshift-ansible-2-unit-tests-1089/3b87f8180e751e6bebe8c9227eeb4100ffef8eba.txt
3b87f81 - State: error - All Test Contexts: aos-ci-jenkins/OS_3.4_containerized - Logs: https://aos-ci.s3.amazonaws.com/openshift/openshift-ansible/jenkins-openshift-ansible-3-test-matrix-CONTAINERIZED=_containerized,OSE_VER=3.4,PYTHON=System-CPython-2.7,TOPOLOGY=openshift-cluster-containerized,TargetBranch=master,nodes=openshift-ansible-slave-1093/3b87f8180e751e6bebe8c9227eeb4100ffef8eba.txt
3b87f81 - State: success - All Test Contexts: "aos-ci-jenkins/OS_3.4_NOT_containerized, aos-ci-jenkins/OS_3.4_NOT_containerized_e2e_tests" - Logs: https://aos-ci.s3.amazonaws.com/openshift/openshift-ansible/jenkins-openshift-ansible-3-test-matrix-CONTAINERIZED=_NOT_containerized,OSE_VER=3.4,PYTHON=System-CPython-2.7,TOPOLOGY=openshift-cluster,TargetBranch=master,nodes=openshift-ansible-slave-1093/3b87f8180e751e6bebe8c9227eeb4100ffef8eba.txt
3b87f81 - State: success - All Test Contexts: "aos-ci-jenkins/OS_3.5_NOT_containerized, aos-ci-jenkins/OS_3.5_NOT_containerized_e2e_tests" - Logs: https://aos-ci.s3.amazonaws.com/openshift/openshift-ansible/jenkins-openshift-ansible-3-test-matrix-CONTAINERIZED=_NOT_containerized,OSE_VER=3.5,PYTHON=System-CPython-2.7,TOPOLOGY=openshift-cluster,TargetBranch=master,nodes=openshift-ansible-slave-1093/3b87f8180e751e6bebe8c9227eeb4100ffef8eba.txt
3b87f81 - State: success - All Test Contexts: "aos-ci-jenkins/OS_3.5_containerized, aos-ci-jenkins/OS_3.5_containerized_e2e_tests" - Logs: https://aos-ci.s3.amazonaws.com/openshift/openshift-ansible/jenkins-openshift-ansible-3-test-matrix-CONTAINERIZED=_containerized,OSE_VER=3.5,PYTHON=System-CPython-2.7,TOPOLOGY=openshift-cluster-containerized,TargetBranch=master,nodes=openshift-ansible-slave-1093/3b87f8180e751e6bebe8c9227eeb4100ffef8eba.txt
The first one is very strange because it could not compile a test:
The second one is a test flake, openshift/origin#12797. @abutcher could you re-run the merge process, please?
flake openshift/origin#12797
aos-ci-test is failing on 3.4 because --expire-days hasn't been backported there. Though, why is it only failing for containerized installs?
I suspect that
oh, that's probably right.
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_request_openshift_ansible_extended_conformance_install/84/) (Base Commit: 403b5c5)
How will we merge it? How can I help?
Ping.
aos-ci-test
3b87f81 - State: success - All Test Contexts: aos-ci-jenkins/OS_unit_tests - Logs: https://aos-ci.s3.amazonaws.com/openshift/openshift-ansible/jenkins-openshift-ansible-2-unit-tests-1163/3b87f8180e751e6bebe8c9227eeb4100ffef8eba.txt
3b87f81 - State: error - All Test Contexts: aos-ci-jenkins/OS_3.4_containerized - Logs: https://aos-ci.s3.amazonaws.com/openshift/openshift-ansible/jenkins-openshift-ansible-3-test-matrix-CONTAINERIZED=_containerized,OSE_VER=3.4,PYTHON=System-CPython-2.7,TOPOLOGY=openshift-cluster-containerized,TargetBranch=master,nodes=openshift-ansible-slave-1166/3b87f8180e751e6bebe8c9227eeb4100ffef8eba.txt
3b87f81 - State: success - All Test Contexts: "aos-ci-jenkins/OS_3.4_NOT_containerized, aos-ci-jenkins/OS_3.4_NOT_containerized_e2e_tests" - Logs: https://aos-ci.s3.amazonaws.com/openshift/openshift-ansible/jenkins-openshift-ansible-3-test-matrix-CONTAINERIZED=_NOT_containerized,OSE_VER=3.4,PYTHON=System-CPython-2.7,TOPOLOGY=openshift-cluster,TargetBranch=master,nodes=openshift-ansible-slave-1166/3b87f8180e751e6bebe8c9227eeb4100ffef8eba.txt
Containerized installation fails because
@php-coder I'm looking into how we can address this.
@php-coder Once #3769 merges, the version comparisons can use the new filters https://gist.github.com/abutcher/c60a27f6fa9abf4ae365fc24738349ee.
@abutcher Thank you! I'm watching and waiting :)
…t_expire_days parameter.
…cert_expire_days parameters.
Force-pushed from 3b87f81 to 638e419
@abutcher Updated and ready to be tested/merged.
Evaluated for openshift ansible test up to 638e419
continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_request_openshift_ansible_extended_conformance_install/84/) (Base Commit: 403b5c5)
aos-ci-test
[merge]
Evaluated for openshift ansible merge up to 638e419
This PR is adding support for setting the certificates' validity period during installation. It's done by passing the --expire-days and --signer-expire-days options to oc adm that were added in v1.5 (see openshift/origin#11814).
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1275176
Trello: https://trello.com/c/MV4uHYdW/367-leverage-the-new-expire-days-in-the-ansible-playbooks
PTAL @abutcher @tbielawa
CC @mfojtik