I suppose my situation is a little different as I have a custom wildcard cert in a HA cluster. It sounds like for your configuration, that will work. As a workaround for me now, I've secured the router with my custom wildcard cert and secured the registry using my custom CA with a self-signed cert (which includes the SNI IP and alt names).

________________________________
From: Lorenz Vanthillo [[email protected]]
Sent: Thursday, December 15, 2016 9:08 AM
To: Flynn, Conor; [email protected]
Subject: Re: OpenShift origin v1.3.0: generate certificates based on our wildcard in playbook

Hi,

this seems to help for me? Does it for you? (apps.test.example.com is our wildcard)

# default subdomain to use for exposed routes
openshift_master_default_subdomain=apps.test.example.com

I have to say I'm just in a stage of exploration. My router + registry are on my master-node atm, which I will not implement in a production environment. I don't know if this is the reason why it's working? Maybe you can give some feedback about this?

________________________________
From: Flynn, Conor <[email protected]>
Sent: Thursday, December 15, 2016 14:53:12
To: Lorenz Vanthillo; [email protected]
Subject: RE: OpenShift origin v1.3.0: generate certificates based on our wildcard in playbook

Lorenz -

I'm coming up against the same issue with my custom wildcard cert as it doesn't have the SNI IP of the registry that is created during the ansible install. I'm interested in your resolution or anyone else's in this regard.

thanks
Conor

C. Conor Flynn
Senior Systems Administrator
Fairfield University

________________________________
From: [email protected] [[email protected]] on behalf of Lorenz Vanthillo [[email protected]]
Sent: Thursday, December 15, 2016 8:31 AM
To: [email protected]
Subject: Re: OpenShift origin v1.3.0: generate certificates based on our wildcard in playbook

Found it:

# default subdomain to use for exposed routes
#openshift_master_default_subdomain=apps.test.example.com

________________________________
From: Lorenz Vanthillo <[email protected]>
Sent: Thursday, December 15, 2016 13:12:47
To: [email protected]
Subject: OpenShift origin v1.3.0: generate certificates based on our wildcard in playbook

Hi,

We are doing some testing with the playbook.
We want to configure as much as possible inside the playbook. So our registry is automatically deployed on our infra node and it's secured. But we face this issue when we try to authenticate using its route:

x509: certificate is valid for docker-registry-default.router.default.svc.cluster.local, docker-registry.default.svc.cluster.local, 172.30.106.12, not registry.my-wildcard.com

Is there a way in the playbook to tell ansible to generate the certificates with an additional route so it's by default valid for our registry-route?

_______________________________________________
users mailing list
[email protected]
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
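
The x509 error in the original question and the wildcard-cert problem in the reply both come from the same name check a TLS client runs against the certificate's subject alternative names. The following is an added example, not code from the thread or from OpenShift, sketching that check in simplified form; the wildcard entry `*.my-wildcard.com` is an assumption inferred from the route name, and wildcard handling is limited to a whole leftmost label.

```python
import ipaddress

# SAN entries copied from the x509 error message in the thread.
REGISTRY_DNS = [
    "docker-registry-default.router.default.svc.cluster.local",
    "docker-registry.default.svc.cluster.local",
]
REGISTRY_IPS = ["172.30.106.12"]

# Assumed SAN of a custom wildcard cert (constructed for this example).
WILDCARD_DNS = ["*.my-wildcard.com"]
WILDCARD_IPS = []


def san_matches(host, dns_names, ip_addrs):
    """Return True if `host` is covered by the given SAN entries."""
    try:
        target_ip = ipaddress.ip_address(host)
    except ValueError:
        target_ip = None
    if target_ip is not None:
        # An IP literal only matches IP SAN entries, never a DNS name
        # or a wildcard.
        return any(ipaddress.ip_address(ip) == target_ip for ip in ip_addrs)

    host_labels = host.lower().rstrip(".").split(".")
    for name in dns_names:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) != len(host_labels):
            continue  # a wildcard stands for exactly one label
        if labels[0] == "*":
            if labels[1:] == host_labels[1:]:
                return True
        elif labels == host_labels:
            return True
    return False


if __name__ == "__main__":
    for host in ("registry.my-wildcard.com", "172.30.106.12",
                 "docker-registry.default.svc.cluster.local"):
        print(host,
              "generated cert:", san_matches(host, REGISTRY_DNS, REGISTRY_IPS),
              "wildcard cert:", san_matches(host, WILDCARD_DNS, WILDCARD_IPS))
```

Neither certificate covers all three names, which is why the registry needs a cert whose SAN list carries the route hostname together with the service names and service IP.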
