Okay Michael, I understand, thank you for the feedback. In this case I think it will be reasonable to have a sanity check to fail in case the values are the same - i.e. enforce it in the code.

On Thu, Aug 30, 2018 at 3:40 PM Michael Gugino <[email protected]> wrote:

> OpenShift components themselves call the masterURL. We ensure that
> the internal API endpoint is trusted by all OpenShift components. I
> strongly suggest following the documentation even if it appears to
> work otherwise, changing this behavior might result in breaking during
> an upgrade or other scenario where a custom certificate at the
> masterURL wasn't accounted for.
>
> On Wed, Aug 29, 2018 at 9:06 AM, Daniel Comnea <[email protected]> wrote:
> > Hi,
> >
> > I'm trying to understand from a technical point of view the hard requirement
> > around namedCertificates and the hostname associated with the
> > masterPublicURL vs masterURL.
> >
> > According to the docs [1] it says
> >
> > "
> > The namedCertificates section should be configured only for the host name
> > associated with the masterPublicURL and oauthConfig.assetPublicURL settings in
> > the /etc/origin/master/master-config.yaml file. Using a custom serving
> > certificate for the host name associated with the masterURL will result in
> > TLS errors as infrastructure components will attempt to contact the master
> > API using the internal masterURL host.
> > "
> >
> > However the above note/requirement doesn't apply to the self-signed
> > certificates generated by the openshift-ansible installer and as such the OP
> > can have the same value defined to the below variables in his/her inventory
> >
> > openshift_master_cluster_public_hostname => map to masterPublicURL
> > openshift_master_cluster_hostname => map to masterURL
> >
> > without having any side effect - ie TLS errors.
> >
> > Is there anything "special" around the self-signed certificates produced by
> > the openshift-ansible installer which doesn't generate any TLS errors ?
> > If not then I'd expect same TLS errors as for when the namedCertificates
> > section is present.
> >
> > Dani
> >
> > [1]
> > https://docs.openshift.com/container-platform/3.10/install_config/certificate_customization.html#configuring-custom-certificates
> >
> > _______________________________________________
> > dev mailing list
> > [email protected]
> > http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
>
> --
> Michael Gugino
> Senior Software Engineer - OpenShift
> [email protected]
> 540-846-0304
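
A sanity check along the lines proposed in this thread, as an added example that is not part of the original messages or of openshift-ansible: it fails when a named certificate would be served for the internal masterURL host, and it goes beyond the equal-hostname case by also matching wildcard names. It assumes the custom certificates are declared through the `openshift_master_named_certificates` inventory variable with explicit `names`; the function names, file paths and sample hostnames are made up for illustration.

```python
# Added example: pre-flight check over openshift-ansible inventory variables.
# Assumption: custom certificates are declared in
# openshift_master_named_certificates with an explicit "names" list; entries
# without "names" are skipped because their hostnames live in the cert itself.


def covers(cert_name, host):
    """True if a certificate name (exact or '*.domain') matches host."""
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if cert_name.startswith("*."):
        # A wildcard stands for exactly one leftmost DNS label.
        label, _, parent = host.partition(".")
        return bool(label) and parent == cert_name[2:]
    return cert_name == host


def check_named_certificates(inventory):
    """Return a list of problems; an empty list means the check passed."""
    internal = inventory.get("openshift_master_cluster_hostname", "")
    public = inventory.get("openshift_master_cluster_public_hostname", "")
    certs = inventory.get("openshift_master_named_certificates") or []
    problems = []
    if not certs or not internal:
        return problems  # installer-generated certificates only, or nothing to compare
    if internal.lower() == public.lower():
        problems.append(
            "public and internal hostnames are both %r while named "
            "certificates are configured" % internal)
    for cert in certs:
        for name in cert.get("names") or []:
            if covers(name, internal):
                problems.append(
                    "%s: name %r covers the internal masterURL host %r"
                    % (cert.get("certfile", "<no certfile>"), name, internal))
    return problems


if __name__ == "__main__":
    # Constructed sample inventory values, not taken from the thread.
    sample = {
        "openshift_master_cluster_hostname": "master-int.example.com",
        "openshift_master_cluster_public_hostname": "console.example.com",
        "openshift_master_named_certificates": [
            {"certfile": "/path/to/wildcard.crt", "keyfile": "/path/to/wildcard.key",
             "names": ["*.example.com"]},
        ],
    }
    for problem in check_named_certificates(sample):
        print("FAIL:", problem)
```

With no named certificates configured the check passes even when both hostnames are equal, which matches the installer-generated certificate case described in the thread.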
