OpenShift components themselves call the masterURL. We ensure that the internal API endpoint is trusted by all OpenShift components. I strongly suggest following the documentation even if it appears to work otherwise; changing this behavior might result in breaking during an upgrade or other scenario where a custom certificate at the masterURL wasn't accounted for.

On Wed, Aug 29, 2018 at 9:06 AM, Daniel Comnea <[email protected]> wrote:
> Hi,
>
> I'm trying to understand from a technical point of view the hard requirement
> around namedCertificates and the hostname associated with the
> masterPublicURL vs masterURL.
>
> According to the docs [1] it says
>
> "
> The namedCertificates section should be configured only for the host name
> associated with the masterPublicURL and oauthConfig.assetPublicURL settings in
> the /etc/origin/master/master-config.yaml file. Using a custom serving
> certificate for the host name associated with the masterURL will result in
> TLS errors as infrastructure components will attempt to contact the master
> API using the internal masterURL host.
> "
>
> However the above note/requirement doesn't apply to the self-signed
> certificates generated by the openshift-ansible installer and as such the OP
> can have the same value defined to the below variables in his/her inventory
>
> openshift_master_cluster_public_hostname => map to masterPublicURL
> openshift_master_cluster_hostname => map to masterURL
>
>
> without having any side effect - ie TLS errors.
>
> Is there anything "special" around the self-signed certificates produced by
> the openshift-ansible installer which doesn't generate any TLS errors?
> If not then I'd expect same TLS errors as for when the namedCertificates
> section is present.
>
>
> Dani
>
> [1]
> https://docs.openshift.com/container-platform/3.10/install_config/certificate_customization.html#configuring-custom-certificates
>
>
> _______________________________________________
> dev mailing list
> [email protected]
> http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
>

--
Michael Gugino
Senior Software Engineer - OpenShift
[email protected]
540-846-0304
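
The documentation rule quoted in this thread can be checked before a config change is rolled out. The following is an added example, not part of either message and not OpenShift or openshift-ansible code: it takes a master-config.yaml already parsed into a dict and flags any namedCertificates name that covers the masterURL host. The key layout (`oauthConfig.masterURL`, top-level `masterPublicURL`, `servingInfo.namedCertificates[].names`), the function names and the sample hostnames are assumptions.

```python
from urllib.parse import urlsplit

def host_of(url):
    """Lower-cased hostname of a URL, or '' when the setting is absent."""
    return (urlsplit(url or "").hostname or "").lower()

def name_covers(pattern, host):
    """True if a certificate name (exact or '*.' wildcard) matches host."""
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        # A wildcard stands in for exactly one left-most label.
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def audit_named_certificates(cfg):
    """Return (issue, name, certFile) tuples for namedCertificates names
    that break the rule quoted from the documentation."""
    oauth = cfg.get("oauthConfig") or {}
    internal = host_of(oauth.get("masterURL"))
    public = {host_of(cfg.get("masterPublicURL")),
              host_of(oauth.get("assetPublicURL"))} - {""}
    findings = []
    serving = cfg.get("servingInfo") or {}
    for entry in serving.get("namedCertificates") or []:
        for name in entry.get("names") or []:
            if internal and name_covers(name, internal):
                # Custom cert would be served to internal masterURL clients.
                findings.append(("covers-masterURL", name, entry.get("certFile")))
            elif not any(name_covers(name, h) for h in public):
                findings.append(("not-a-public-host", name, entry.get("certFile")))
    return findings

# Constructed sample config (hypothetical hosts, not taken from the thread).
SAMPLE = {
    "masterPublicURL": "https://api.example.test:8443",
    "oauthConfig": {
        "masterURL": "https://master-int.example.test:8443",
        "assetPublicURL": "https://api.example.test:8443/console/",
    },
    "servingInfo": {"namedCertificates": [
        {"certFile": "custom.crt", "keyFile": "custom.key",
         "names": ["api.example.test", "*.example.test"]},
    ]},
}

if __name__ == "__main__":
    for finding in audit_named_certificates(SAMPLE):
        print(finding)
```

When the public and internal hostnames are identical, as in the inventory described in the question, every named certificate for that host is reported as `covers-masterURL`.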
