
Re: OpenShift v3 now running in HTTPS mode by default



For those on Mac on Mavericks, if you have installed Xcode the version of curl that comes with it may not support TLS 1.2 and so be unable to connect to OpenShift (which prevents you running hack/test-cmd.sh).  You will either need to install curl from Brew and symlink it into your path somewhere, or revert Xcode, or find the original binary.


On Jan 21, 2015, at 1:53 PM, Jordan Liggitt <jliggitt redhat com> wrote:

As of today[1], HTTPS is the default for the OpenShift master, the OpenShift command-line client, and the OpenShift web console.

When running in HTTPS, "openshift start" now does the following:
1. Generates a certificate authority
2. Creates a self-signed certificate for the API server
3. Creates client certificates for system components to use when communicating with the API
4. Creates client certificates and a .kubeconfig file for an admin user

The generated certificates are placed under "openshift.local.certificates" (changeable using the "--cert-dir" parameter).



Why is this awesome?
It makes sure we have the wiring in place for all parts of the system to be able to speak securely to each other, and lets us start turning on authentication and authorization.



How do I access the OpenShift master?
The default url is now https://<ip>:8443 (available locally as https://localhost:8443)



Why do osc, curl, my web browser, and <my favorite tool> complain about SSL certificates?
"openshift start" creates a certificate to serve on https. API clients need to include the root certificate bundle in the list of trusted certs. This is located in $CERT_DIR/master/root.crt.

1. To get your browser working:
- add an exception to trust the generated certificate the first time you access the master.

2. To get osc working:
- Preferred: use the generated admin user by passing --kubeconfig=$CERT_DIR/admin/.kubeconfig or setting KUBECONFIG=$CERT_DIR/admin/.kubeconfig (make sure you have read access to the files under $CERT_DIR/admin)
- Acceptable: pass "--certificate-authority=$CERT_DIR/master/root.crt"
- Bad (don't get used to doing this): pass "--insecure-skip-tls-verify=true"

3. To get curl working:
- Preferred: pass "--cacert $CERT_DIR/master/root.crt" or set CURL_CA_BUNDLE=$CERT_DIR/master/root.crt
- Bad (don't get used to doing this): pass "--insecure"


How do I go back to HTTP?
Why would you even ask that? You're making the EFF cry :-(

If you really need to, you can do the following to get the old default behaviour back:

openshift start: pass "--master=http://:8080"
osc: pass "--server=http://localhost:8080"



Do the tests use HTTPS?
Yes, when running tests (test-end-to-end.sh, test-cmd.sh, etc), the defaults for scheme and port are "https" and "8443", respectively.

Set the environment variables API_SCHEME and API_PORT to override the defaults.



If you have any questions, or run into issues, please let me know.


Jordan


[1] https://github.com/openshift/origin/pull/638
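
The trust decision behind the "--cacert" / "--certificate-authority" advice above, as an added Go example that is not part of the original message or of the OpenShift code: a root signs an API server certificate, and the certificate verifies only when that root is supplied as trusted. `issue` and `verifies` are hypothetical helpers, and the in-memory constructed root stands in for $CERT_DIR/master/root.crt.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue (hypothetical helper) returns a cert for cn signed by parent; a nil parent yields a self-signed CA.
func issue(cn string, dns []string, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		DNSNames:     dns,
	}
	if parent == nil { // root: mark as CA and sign with its own key
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verifies: does leaf chain to roots and match host? Nil roots = system store, like a client given no --cacert.
func verifies(leaf *x509.Certificate, host string, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

func main() {
	root, key, _ := issue("constructed-root", nil, nil, nil) // stands in for root.crt
	api, _, _ := issue("constructed-master", []string{"localhost"}, root, key)
	trusted := x509.NewCertPool() // what --cacert / --certificate-authority supplies
	trusted.AddCert(root)
	fmt.Println(verifies(api, "localhost", trusted), verifies(api, "localhost", nil))
}
```

Verification also fails when the name being checked is not in the server certificate, even with the right root supplied; skipping verification hides both failures.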
