Hi Niklas,
let's drop "example.com" and switch to the actual host and domain
names. Inventory file and master-config.yaml are attached.
On 3/26/19 5:29 PM, Nikolas Philips wrote:
> Hi Harri,
> as far as I can tell your inventory config looks ok.
> Is the hostname/CN "okd01.example.com" listed in the certificate
> "/work/okd01/ssl/okd01.cert.pem"? For example, '*.okd01.example.com'
> wouldn't work. I remember having a similar issue...
The certificates are correct, AFAICT. CN is set to okd01.aixigo.de.
There is also a DNS entry in the certificate:
    X509v3 Subject Alternative Name:
        DNS:okd01.aixigo.de
> Did you get any warnings while running the redeploy_certificates playbook?
I tried: The redeploy-certificates playbook got stuck for more than
60 minutes :-(.
Last message
:
:
PLAY [Restart nodes] ***************************************************************************************************

TASK [Gathering Facts] *************************************************************************************************
ok: [okd01b.ac.aixigo.de]

TASK [Restart docker] **************************************************************************************************
AFAICS it is stuck on okd01b here:
root     48897  7406  0 09:59 ?        00:00:00  \_ sshd: root@pts/1
root     49097 48897  0 09:59 pts/1    00:00:00      \_ /bin/sh -c /usr/bin/python /root/.ansible/tmp/ansible-tmp-1553677155.03-134576205842945/AnsiballZ_systemd.py && sle
root     49109 49097  0 09:59 pts/1    00:00:00          \_ /usr/bin/python /root/.ansible/tmp/ansible-tmp-1553677155.03-134576205842945/AnsiballZ_systemd.py
root     49117 49109  0 09:59 pts/1    00:00:00              \_ /usr/bin/systemctl restart docker
root     49118 49117  0 09:59 pts/1    00:00:00                  \_ /usr/bin/systemd-tty-ask-password-agent --watch
root     49119 49117  0 09:59 pts/1    00:00:00                  \_ /usr/bin/pkttyagent --notify-fd 5 --fallback
I am not sure, but shouldn't ansible run its remote scripts
without a controlling terminal?
> Did you check the master API logs (run from the master node with
> 'master-logs api api')? Is there a hint why the certs aren't delivered?
> Is the correct certificate referenced in /etc/origin/master/master-config.yaml
> (see namedCertificates)?
This is what I see in master-config.yaml (attached):
:
:
serviceAccountConfig:
  limitSecretReferences: false
  managedNames:
  - default
  - builder
  - deployer
  masterCA: ca-bundle.crt
  privateKeyFile: serviceaccounts.private.key
  publicKeyFiles:
  - serviceaccounts.public.key
servingInfo:
  bindAddress: 0.0.0.0:8443
  bindNetwork: tcp4
  certFile: master.server.crt
  clientCA: ca.crt
  keyFile: master.server.key
  maxRequestsInFlight: 500
  namedCertificates:
  - certFile: /etc/origin/master/named_certificates/okd01.aixigo.de.cert.pem
    keyFile: /etc/origin/master/named_certificates/okd01.aixigo.de.key.pem
    names:
    - okd01.aixigo.de
  requestTimeoutSeconds: 3600
volumeConfig:
  dynamicProvisioningEnabled: true
Please note that the cafile for the named certificate isn't mentioned in
master-config.yaml at all.
> Did you use the same key for two different certificates on purpose?
Yes. It's the same IP address, anyway. Next time I will use a common
certificate for okd01.aixigo.de and *.okd01.aixigo.de.
Regards
Harri
# Create an OSEv3 group that contains the masters, nodes, and etcd groups
[OSEv3:children]
masters
nodes
etcd
# Set variables common for all OSEv3 hosts
[OSEv3:vars]
clustername=okd01
clusterdomain=aixigo.de
# openshift_clusterid=okd01.aixigo.de
openshift_release="3.11"
openshift_deployment_type=origin
openshift_master_cluster_hostname=okd01.aixigo.de
openshift_master_cluster_public_hostname=okd01.aixigo.de
openshift_master_default_subdomain=okd01.aixigo.de
# SSH user, this user should allow ssh based auth without requiring a password
ansible_ssh_user=root
# If ansible_ssh_user is not root, ansible_become must be set to true
#ansible_become=true
openshift_master_overwrite_named_certificates=true
openshift_master_named_certificates=[{"certfile": "/export/source/hdunkel/work/okd01/ssl/okd01.aixigo.de.cert.pem", "keyfile": "/export/source/hdunkel/work/okd01/ssl/okd01.aixigo.de.key.pem", "names": ["okd01.aixigo.de"], "cafile": "/export/source/hdunkel/work/okd01/ssl/ca.cert.pem" }]
openshift_hosted_router_certificate={"certfile": "/export/source/hdunkel/work/okd01/ssl/star.okd01.aixigo.de.cert.pem", "keyfile": "/export/source/hdunkel/work/okd01/ssl/okd01.aixigo.de.key.pem", "cafile": "/export/source/hdunkel/work/okd01/ssl/ca.cert.pem" }
# login credentials for admin account
openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', 'challenge': 'true', 'kind': 'HTPasswdPasswordIdentityProvider'}]
openshift_master_htpasswd_users={'admin': '$apr1$xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', 'hdunkel': '$apr1$yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy'}
# use
# oc create clusterrolebinding registry-controller --clusterrole=cluster-admin --user=admin
#
# to assign the "cluster-admin" role to the admin account.
# Registry Storage
openshift_hosted_registry_storage_kind=nfs
openshift_hosted_registry_storage_access_modes=['ReadWriteMany']
openshift_hosted_registry_storage_host=nasl007.ac.aixigo.de
openshift_hosted_registry_storage_nfs_directory=/space/okd01
openshift_hosted_registry_storage_volume_name=registry
openshift_hosted_registry_storage_volume_size=20Gi
# Metrics
openshift_metrics_install_metrics=true
# host group for masters
[masters]
okd01a.ac.aixigo.de
# host group for etcd
[etcd]
okd01a.ac.aixigo.de
# okd01b.ac.aixigo.de
# host group for nodes, includes region info
[nodes]
okd01a.ac.aixigo.de openshift_node_group_name='node-config-master-infra'
okd01b.ac.aixigo.de openshift_node_group_name='node-config-compute'
# node2.ac.aixigo.de openshift_node_group_name='node-config-compute'
# infra-node1.ac.aixigo.de openshift_node_group_name='node-config-infra'
# infra-node2.ac.aixigo.de openshift_node_group_name='node-config-infra'
admissionConfig:
  pluginConfig:
    BuildDefaults:
      configuration:
        apiVersion: v1
        env: []
        kind: BuildDefaultsConfig
        resources:
          limits: {}
          requests: {}
    BuildOverrides:
      configuration:
        apiVersion: v1
        kind: BuildOverridesConfig
    openshift.io/ImagePolicy:
      configuration:
        apiVersion: v1
        executionRules:
        - matchImageAnnotations:
          - key: images.openshift.io/deny-execution
            value: 'true'
          name: execution-denied
          onResources:
          - resource: pods
          - resource: builds
          reject: true
          skipOnResolutionFailure: true
        kind: ImagePolicyConfig
aggregatorConfig:
  proxyClientInfo:
    certFile: aggregator-front-proxy.crt
    keyFile: aggregator-front-proxy.key
apiLevels:
- v1
apiVersion: v1
authConfig:
  requestHeader:
    clientCA: front-proxy-ca.crt
    clientCommonNames:
    - aggregator-front-proxy
    extraHeaderPrefixes:
    - X-Remote-Extra-
    groupHeaders:
    - X-Remote-Group
    usernameHeaders:
    - X-Remote-User
controllerConfig:
  election:
    lockName: openshift-master-controllers
  serviceServingCert:
    signer:
      certFile: service-signer.crt
      keyFile: service-signer.key
controllers: '*'
corsAllowedOrigins:
- (?i)//127\.0\.0\.1(:|\z)
- (?i)//localhost(:|\z)
- (?i)//172\.19\.96\.96(:|\z)
- (?i)//kubernetes\.default(:|\z)
- (?i)//kubernetes\.default\.svc\.cluster\.local(:|\z)
- (?i)//kubernetes(:|\z)
- (?i)//openshift\.default(:|\z)
- (?i)//openshift\.default\.svc(:|\z)
- (?i)//172\.30\.0\.1(:|\z)
- (?i)//okd01\.aixigo\.de(:|\z)
- (?i)//okd01a\.ac\.aixigo\.de(:|\z)
- (?i)//openshift\.default\.svc\.cluster\.local(:|\z)
- (?i)//kubernetes\.default\.svc(:|\z)
- (?i)//openshift(:|\z)
dnsConfig:
  bindAddress: 0.0.0.0:8053
  bindNetwork: tcp4
etcdClientInfo:
  ca: master.etcd-ca.crt
  certFile: master.etcd-client.crt
  keyFile: master.etcd-client.key
  urls:
  - https://okd01a.ac.aixigo.de:2379
etcdStorageConfig:
  kubernetesStoragePrefix: kubernetes.io
  kubernetesStorageVersion: v1
  openShiftStoragePrefix: openshift.io
  openShiftStorageVersion: v1
imageConfig:
  format: docker.io/openshift/origin-${component}:${version}
  latest: false
imagePolicyConfig:
  internalRegistryHostname: docker-registry.default.svc:5000
kind: MasterConfig
kubeletClientInfo:
  ca: ca-bundle.crt
  certFile: master.kubelet-client.crt
  keyFile: master.kubelet-client.key
  port: 10250
kubernetesMasterConfig:
  apiServerArguments:
    storage-backend:
    - etcd3
    storage-media-type:
    - application/vnd.kubernetes.protobuf
  controllerArguments:
    cluster-signing-cert-file:
    - /etc/origin/master/ca.crt
    cluster-signing-key-file:
    - /etc/origin/master/ca.key
    pv-recycler-pod-template-filepath-hostpath:
    - /etc/origin/master/recycler_pod.yaml
    pv-recycler-pod-template-filepath-nfs:
    - /etc/origin/master/recycler_pod.yaml
  masterCount: 1
  masterIP: 172.19.96.96
  podEvictionTimeout: null
  proxyClientInfo:
    certFile: master.proxy-client.crt
    keyFile: master.proxy-client.key
  schedulerArguments: null
  schedulerConfigFile: /etc/origin/master/scheduler.json
  servicesNodePortRange: ''
  servicesSubnet: 172.30.0.0/16
  staticNodeNames: []
masterClients:
  externalKubernetesClientConnectionOverrides:
    acceptContentTypes: application/vnd.kubernetes.protobuf,application/json
    burst: 400
    contentType: application/vnd.kubernetes.protobuf
    qps: 200
  externalKubernetesKubeConfig: ''
  openshiftLoopbackClientConnectionOverrides:
    acceptContentTypes: application/vnd.kubernetes.protobuf,application/json
    burst: 600
    contentType: application/vnd.kubernetes.protobuf
    qps: 300
  openshiftLoopbackKubeConfig: openshift-master.kubeconfig
masterPublicURL: https://okd01.aixigo.de:8443
networkConfig:
  clusterNetworks:
  - cidr: 10.128.0.0/14
    hostSubnetLength: 9
  externalIPNetworkCIDRs:
  - 0.0.0.0/0
  networkPluginName: redhat/openshift-ovs-subnet
  serviceNetworkCIDR: 172.30.0.0/16
oauthConfig:
  assetPublicURL: https://okd01.aixigo.de:8443/console/
  grantConfig:
    method: auto
  identityProviders:
  - challenge: true
    login: true
    mappingMethod: claim
    name: htpasswd_auth
    provider:
      apiVersion: v1
      file: /etc/origin/master/htpasswd
      kind: HTPasswdPasswordIdentityProvider
  masterCA: ca-bundle.crt
  masterPublicURL: https://okd01.aixigo.de:8443
  masterURL: https://okd01.aixigo.de:8443
  sessionConfig:
    sessionMaxAgeSeconds: 3600
    sessionName: ssn
    sessionSecretsFile: /etc/origin/master/session-secrets.yaml
  tokenConfig:
    accessTokenMaxAgeSeconds: 86400
    authorizeTokenMaxAgeSeconds: 500
pauseControllers: false
policyConfig:
  bootstrapPolicyFile: /etc/origin/master/policy.json
  openshiftInfrastructureNamespace: openshift-infra
  openshiftSharedResourcesNamespace: openshift
projectConfig:
  defaultNodeSelector: node-role.kubernetes.io/compute=true
  projectRequestMessage: ''
  projectRequestTemplate: ''
  securityAllocator:
    mcsAllocatorRange: s0:/2
    mcsLabelsPerProject: 5
    uidAllocatorRange: 1000000000-1999999999/10000
routingConfig:
  subdomain: okd01.aixigo.de
serviceAccountConfig:
  limitSecretReferences: false
  managedNames:
  - default
  - builder
  - deployer
  masterCA: ca-bundle.crt
  privateKeyFile: serviceaccounts.private.key
  publicKeyFiles:
  - serviceaccounts.public.key
servingInfo:
  bindAddress: 0.0.0.0:8443
  bindNetwork: tcp4
  certFile: master.server.crt
  clientCA: ca.crt
  keyFile: master.server.key
  maxRequestsInFlight: 500
  namedCertificates:
  - certFile: /etc/origin/master/named_certificates/okd01.aixigo.de.cert.pem
    keyFile: /etc/origin/master/named_certificates/okd01.aixigo.de.key.pem
    names:
    - okd01.aixigo.de
  requestTimeoutSeconds: 3600
volumeConfig:
  dynamicProvisioningEnabled: true
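Editor's note: the program below is an added example and is not part of the thread, of OKD, or of openshift-ansible. It reproduces the CN-versus-SAN and wildcard question raised in the messages above with Go's crypto/x509, the library the OKD API server itself uses for TLS: a throw-away CA and a few serving certificates are generated in memory (the keys, serial numbers and the CA names "okd01 CA" and "unrelated CA" are invented here; the host names are the ones from the inventory), and each certificate is verified for the master host name exactly the way a connecting client verifies it. Nothing from the cluster is read.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"sort"
	"time"
)

// issue generates a fresh P-256 key and a certificate for it. With parent ==
// nil the certificate is self-signed (used for the CA below); otherwise it is
// signed by parent/parentKey. cn and dnsNames are the only fields that matter
// for the hostname check; everything else is a plain default.
func issue(cn string, dnsNames []string, isCA bool,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial.Add(serial, big.NewInt(1)), // never zero
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              dnsNames,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// checkServingCert does what a TLS client does with the certificate the
// master presents: chain it to ca and match host against its DNS SANs.
// A nil result means the certificate is acceptable for host.
func checkServingCert(leaf, ca *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// scenarios builds the certificate variants discussed in the thread and
// returns the verification result for each (nil means accepted).
func scenarios() map[string]error {
	ca, caKey := issue("okd01 CA", nil, true, nil, nil) // invented CA name
	// what the thread's named certificate reports: CN and DNS SAN both okd01.aixigo.de
	exact, _ := issue("okd01.aixigo.de", []string{"okd01.aixigo.de"}, false, ca, caKey)
	// the router's wildcard certificate (star.okd01.aixigo.de.cert.pem in the inventory)
	wild, _ := issue("*.okd01.aixigo.de", []string{"*.okd01.aixigo.de"}, false, ca, caKey)
	// the name only in the CN, no SAN extension at all
	cnOnly, _ := issue("okd01.aixigo.de", nil, false, ca, caKey)
	// right name, but issued by a CA that is not in the client's bundle
	otherCA, otherKey := issue("unrelated CA", nil, true, nil, nil)
	foreign, _ := issue("okd01.aixigo.de", []string{"okd01.aixigo.de"}, false, otherCA, otherKey)

	return map[string]error{
		"exact SAN, master host":  checkServingCert(exact, ca, "okd01.aixigo.de"),
		"wildcard, master host":   checkServingCert(wild, ca, "okd01.aixigo.de"),
		"wildcard, route host":    checkServingCert(wild, ca, "console.okd01.aixigo.de"),
		"CN only, master host":    checkServingCert(cnOnly, ca, "okd01.aixigo.de"),
		"foreign CA, master host": checkServingCert(foreign, ca, "okd01.aixigo.de"),
	}
}

func main() {
	results := scenarios()
	names := make([]string, 0, len(results))
	for n := range results {
		names = append(names, n)
	}
	sort.Strings(names)
	for _, n := range names {
		if err := results[n]; err != nil {
			fmt.Printf("%-24s REJECTED: %v\n", n, err)
		} else {
			fmt.Printf("%-24s OK\n", n)
		}
	}
}
```

Running it with `go run` prints one line per scenario. Only the certificate with the exact DNS SAN is accepted for okd01.aixigo.de; the wildcard covers console.okd01.aixigo.de but not the apex name (one label too few), which is why the master needs its own named certificate even when the router has *.okd01.aixigo.de. A certificate that carries the name only in the CN is rejected by current Go releases regardless of what the CN says, and a certificate from a CA outside the bundle fails chain building before the name is even looked at. The same checks can be run against real files with `openssl x509 -noout -subject -ext subjectAltName -in <cert>` and `openssl verify -CAfile <ca> <cert>`.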
_______________________________________________
users mailing list
[email protected]
http://lists.openshift.redhat.com/openshiftmm/listinfo/users