How to include the full chain (CA and/or intermediates) when using "openshift_master_named_certificates" variable
Issue
During cluster installations or when doing a retrofit, custom certificates can be configured using the openshift_master_named_certificates and openshift_master_overwrite_named_certificates parameters, which are configurable in the inventory file as follows:
openshift_master_overwrite_named_certificates=true
openshift_master_named_certificates=[{"certfile": "/path/on/host/to/crt-file", "keyfile": "/path/on/host/to/key-file", "names": ["public-master-host.com"], "cafile": "/path/on/host/to/ca-file"}]
Especially when using a self-signed CA of your own, it is necessary to also include the CA and/or intermediate certificates within the chain in order to validate the certificate (as the cluster does with default certificates). However, although this variable accepts cafile as an optional parameter, it does not concatenate that optional CA into the certfile; it only includes it as part of the global /etc/origin/master/ca-bundle.crt.
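One way to audit an inventory for the behaviour described above, as an added example that is not part of the original article or of the installer's own code: it parses the openshift_master_named_certificates value and counts the PEM certificates in each certfile, flagging files that carry only the leaf. It assumes the value is written as JSON, as in the inventory line above; the function names and the sample files (dummy PEM bodies, not real certificates) are constructed for illustration.

```python
import json
import re
import tempfile
from pathlib import Path

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.DOTALL)
VAR = "openshift_master_named_certificates"

def named_certificates(inventory_text):
    """Return the list assigned to openshift_master_named_certificates."""
    for line in inventory_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == VAR:
            return json.loads(value)  # assumption: value is valid JSON
    return []

def audit(inventory_text):
    """Count PEM certificates in each certfile; flag leaf-only files."""
    findings = []
    for entry in named_certificates(inventory_text):
        count = len(PEM_CERT.findall(Path(entry["certfile"]).read_text()))
        findings.append({
            "names": entry.get("names", []),
            "certs_in_certfile": count,
            "cafile_set": "cafile" in entry,
            # Fewer than two certificates: no intermediate/CA travels with
            # the leaf, and cafile is not concatenated into certfile.
            "chain_missing": count < 2,
        })
    return findings

def demo():
    """Run the audit on constructed files (dummy PEM bodies, not real certs)."""
    block = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
    tmp = Path(tempfile.mkdtemp())
    (tmp / "leaf.crt").write_text(block)
    (tmp / "full.crt").write_text(block * 3)
    (tmp / "ca.crt").write_text(block)
    inventory = (
        "openshift_master_overwrite_named_certificates=true\n"
        + VAR + "=" + json.dumps([
            {"certfile": str(tmp / "leaf.crt"), "keyfile": "unused.key",
             "names": ["public-master-host.com"], "cafile": str(tmp / "ca.crt")},
            {"certfile": str(tmp / "full.crt"), "keyfile": "unused.key",
             "names": ["api.example.test"]},
        ]) + "\n")
    return audit(inventory)
```

An entry reported with cafile_set true and chain_missing true is the case this article describes: the CA was supplied, but it is not part of the certfile.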
Environment
- OpenShift Container Platform
- 3.11.x