I had many issues doing what you suggest. At the beginning I couldn't start the nodes because of the following error:

*cannot fetch "default" cluster network: Get https://console:8443/oapi/v1/clusternetworks/default: x509: certificate signed by unknown authority*

I fixed it by redeploying the node certificates, but later the upgrade playbook couldn't work correctly. I finished by removing the custom certificates.

Regards,

On Thu, Aug 30, 2018 at 4:41 PM Michael Gugino <[email protected]> wrote:

> OpenShift components themselves call the masterURL. We ensure that the internal API endpoint is trusted by all OpenShift components. I strongly suggest following the documentation even if it appears to work otherwise, changing this behavior might result in breaking during an upgrade or other scenario where a custom certificate at the masterURL wasn't accounted for.
>
> On Wed, Aug 29, 2018 at 9:06 AM, Daniel Comnea <[email protected]> wrote:
> > Hi,
> >
> > I'm trying to understand from a technical point of view the hard requirement around namedCertificates and the hostname associated with the masterPublicURL vs masterURL.
> >
> > According to the docs [1] it says
> >
> > "
> > The namedCertificates section should be configured only for the host name associated with the masterPublicURL and oauthConfig.assetPublicURL settings in the /etc/origin/master/master-config.yaml file. Using a custom serving certificate for the host name associated with the masterURL will result in TLS errors as infrastructure components will attempt to contact the master API using the internal masterURL host.
> > "
> >
> > However the above note/requirement doesn't apply to the self-signed certificates generated by the openshift-ansible installer and as such the OP can have the same value defined to the below variables in his/her inventory
> >
> > openshift_master_cluster_public_hostname => map to masterPublicURL
> > openshift_master_cluster_hostname => map to masterURL
> >
> > without having any side effect - ie TLS errors.
> >
> > Is there anything "special" around the self-signed certificates produced by the openshift-ansible installer which doesn't generate any TLS errors?
> > If not then I'd expect same TLS errors as for when the namedCertificates section is present.
> >
> > Dani
> >
> > [1] https://docs.openshift.com/container-platform/3.10/install_config/certificate_customization.html#configuring-custom-certificates
> >
> > _______________________________________________
> > dev mailing list
> > [email protected]
> > http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
>
> --
> Michael Gugino
> Senior Software Engineer - OpenShift
> [email protected]

--
SALAHDDINE ABERKAN
CONSULTANT
Red Hat EMEA <https://www.redhat.com/>
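A pre-deployment check for the situation discussed in this thread, added here as an example and not taken from the thread, the documentation or openshift-ansible: it flags namedCertificates entries whose names also cover the internal masterURL host, including through a wildcard. It assumes the config has already been parsed into a dict (for example with a YAML loader) and that the key paths `oauthConfig.masterURL` and `servingInfo.namedCertificates` apply; the host names and file names are constructed.

```python
from urllib.parse import urlsplit


def host_of(url):
    """Lower-cased host part of a URL such as https://console:8443."""
    return (urlsplit(url).hostname or "").lower()


def name_covers(name, host):
    """True if a certificate name (exact or '*.domain') covers host."""
    name = name.lower().rstrip(".")
    if name.startswith("*."):
        # A wildcard stands for exactly one left-most label.
        label, _, rest = host.partition(".")
        return bool(label) and rest == name[2:]
    return name == host


def audit_named_certificates(cfg):
    """Return (certFile, name) pairs that also cover the internal masterURL host."""
    # Assumed key paths: oauthConfig.masterURL, servingInfo.namedCertificates.
    internal = host_of(cfg.get("oauthConfig", {}).get("masterURL", ""))
    findings = []
    for entry in cfg.get("servingInfo", {}).get("namedCertificates") or []:
        for name in entry.get("names") or []:
            if internal and name_covers(name, internal):
                findings.append((entry.get("certFile"), name))
    return findings


# Constructed sample: separate internal and public hosts, one wildcard entry.
SPLIT_HOSTS = {
    "masterPublicURL": "https://console.example.com:8443",
    "oauthConfig": {"masterURL": "https://master-int.example.com:8443"},
    "servingInfo": {"namedCertificates": [
        {"certFile": "console.crt", "names": ["console.example.com"]},
        {"certFile": "wildcard.crt", "names": ["*.example.com"]},
    ]},
}

# Constructed sample: same host name used for masterURL and masterPublicURL.
SAME_HOST = {
    "masterPublicURL": "https://console.example.com:8443",
    "oauthConfig": {"masterURL": "https://console.example.com:8443"},
    "servingInfo": {"namedCertificates": [
        {"certFile": "console.crt", "names": ["console.example.com"]},
    ]},
}

if __name__ == "__main__":
    for label, cfg in (("split", SPLIT_HOSTS), ("same", SAME_HOST)):
        print(label, audit_named_certificates(cfg))
```

Any pair it returns is a custom certificate that would be served to components connecting on the internal host name, the condition the quoted documentation says leads to TLS errors.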
