
Re: OKD 3.11 openshift_logging_install_logging=true install fails - openshift_logging_es_nodeselector error

I've seen that one as well. Indeed, even if your LDAP server certificate was signed by a recognized authority, deployment would fail if 'insecure' was set to false without passing said CA to openshift_master_ldap_ca.

In 3.9 and before, you'd have been able to not provide a CA while still requiring validation, then relying on your hosts' trust store. Since master-api is a container, openshift-ansible would assume, if 'insecure' is false, that a file /etc/origin/master/<provider-name>_ldap_ca.crt exists when generating /etc/origin/master/master-config.yml.
Yet that ldap_ca file would be missing, leading to master-api not starting, unless setting openshift_master_ldap_ca, openshift_master_ldap_ca_file, or some manual intervention.

Your solution seems correct.
Or some openssl s_client -showcerts -connect ldap.example.com:636 </dev/null, fetching certificates out of your ldap, should show your CA chain, if you don't want a trust-everything configuration.

Feel free to open an issue on GitHub.
Although, consider OpenShift 4 is on its way out, bare metal install "should" work, .... Deployment has been completely refactored, .. if you're just getting into OKD, it's good to know how 3.x used to work, though I'd suggest you look at the new installer ;)

Have fun

On Sun, Jun 2, 2019, 4:12 PM Ricardo Mendes <maverickws outlook pt> wrote:

Hi Samuel,


Hope all is doing well thanks again for the quick reply.

So actually I had set this to



in the meanwhile and was running deploy_cluster, it just completed successfully! Amazing.

I do think it should maybe be better documented or have more examples in the docs I guess.


I have another question since we’re at it…

I have an LDAP server with a valid certificate.

Using openshift_master_identity_providers=…LDAPPasswordIdentityProvider… I am expected to supply a certificate. But since I have a valid public certificate, which is trusted by up-to-date public certificate authority, I don’t intend to provide any.

So here, I'm baffled with these possible solutions:

Use the 'insecure': 'true' parameter… it's a quick dirty fix, you know the certificate is valid…

Or I’ve been waiting for the master-config.yaml to be created then I create a symlink to ca-bundle.crt so the master-api comes up, otherwise it will fail saying providername_ldap_ca.crt can’t be found.

The documentation states the following:


# LDAP auth

#openshift_master_identity_providers=[{'name': 'my_ldap_provider', 'challenge': 'true', 'login': 'true', 'kind': 'LDAPPasswordIdentityProvider', 'attributes': {'id': ['dn'], 'email': ['mail'], 'name': ['cn'], 'preferredUsername': ['uid']}, 'bindDN': '', 'bindPassword': '', 'insecure': 'false', 'url': 'ldap://ldap.example.com:389/ou=users,dc=example,dc=com?uid'}]

# Configuring the ldap ca certificate

#openshift_master_ldap_ca=<ca text>

# or

#openshift_master_ldap_ca_file=<path to local ca file to use>


# Available variables for configuring certificates for other identity providers:






If you specified 'insecure': 'true' in the openshift_master_identity_providers parameter for only an LDAP identity provider, you can omit the CA certificate.


So… for LDAP to work after deployment completes I login to master and edit master-config.yaml leaving the Provider ca: field empty… and all works perfectly.

I have tried multiple combinations to have this field empty reading from inventory file… do you have a suggestion?


I also feel this is poorly documented, and I am a little surprised because it seems people rather have an insecure quick fix than looking into the problem, I’ve been around issues and it happens around. Again I do believe many people will go with insecure even having valid certificates, but this doesn’t make much sense to me.


Kind regards,

Ricardo Mendes



From: Samuel Martín Moro <faust64 gmail com>
Date: Sunday, 2 June 2019 at 14:06
To: Ricardo Mendes <maverickws outlook pt>
Cc: OpenShift Users List <users lists openshift redhat com>
Subject: Re: OKD 3.11 openshift_logging_install_logging=true install fails - openshift_logging_es_nodeselector error





try that one:





alternatively, you might want to create some "group_vars" directory alongside your inventory, and add a file "group_vars/all.yaml", with the following:


  node-role.kubernetes.io/infra: "true"


as ini format can be quite painful, depending on which variables you need to set.






On Sun, Jun 2, 2019 at 1:23 PM Ricardo Mendes <maverickws outlook pt> wrote:

Hi all,


I am using a three-server setup, as in my inventory file below.

I am facing this issue where I can’t install ELK by setting `openshift_logging_install_logging=true` because I always get this error:


TASK [openshift_control_plane : Ensure that Elasticsearch has nodes to run on] ***************************************************************************************************

fatal: [master.domain.com]: FAILED! => {

    "assertion": false,

    "changed": false,

    "evaluated_to": false,

    "msg": "No schedulable nodes found matching node selector for Elasticsearch - 'infra=true'"



I have tried with the following variables:


openshift_logging_es_nodeselector={"node-type":"infrastructure"}  # as seen somewhere on documentation







My inventory file:








master.domain.com openshift_schedulable=True



master.domain.com openshift_schedulable=True



master.domain.com openshift_node_group_name='node-config-master' openshift_schedulable=True

infra.domain.com openshift_node_group_name='node-config-infra' openshift_schedulable=True

node01.domain.com openshift_node_group_name='node-config-compute' openshift_schedulable=True







I am out of ideas and I think my Google is broken because I can't seem to find a suitable option that works… and each deploy_cluster takes over half an hour…


Can anyone point me in the right path? Thank you!


Kind regards,

Ricardo M





Samuel Martín Moro
{EPITECH.} 2011

"Nobody wants to say how this works.
 Maybe nobody knows ..."
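As an added pre-flight check (not part of this thread, nor openshift-ansible's own code), the following lints the two LDAP identity-provider failure modes discussed above: 'insecure': 'false' with neither openshift_master_ldap_ca nor openshift_master_ldap_ca_file set (the <name>_ldap_ca.crt file is never written and master-api does not start), and 'insecure': 'true' (deploys, but skips TLS to the LDAP server). The inventory text is a constructed sample that reuses the commented provider line from the docs quoted in the thread; the function and variable names are the example's own.

```python
import ast

# Constructed sample inventory (not a real cluster); the provider line mirrors
# the commented example quoted in the thread.
SAMPLE_INVENTORY = """
# LDAP auth
openshift_master_identity_providers=[{'name': 'my_ldap_provider', 'challenge': 'true', 'login': 'true', 'kind': 'LDAPPasswordIdentityProvider', 'attributes': {'id': ['dn'], 'email': ['mail'], 'name': ['cn'], 'preferredUsername': ['uid']}, 'bindDN': '', 'bindPassword': '', 'insecure': 'false', 'url': 'ldap://ldap.example.com:389/ou=users,dc=example,dc=com?uid'}]
"""


def parse_inventory_vars(text):
    """Collect key=value variables from an ini-style inventory, skipping comments and host lines."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        # Host lines look like "host.domain.com key=value": the part before the
        # first '=' contains a space, so they are skipped here.
        if not line or line.startswith("#") or "=" not in line or " " in line.split("=", 1)[0]:
            continue
        key, _, value = line.partition("=")  # values may themselves contain '=' (dc=example)
        found[key.strip()] = value.strip()
    return found


def check_ldap_providers(inv):
    """Return findings for each LDAPPasswordIdentityProvider entry in the inventory variables."""
    try:
        providers = ast.literal_eval(inv.get("openshift_master_identity_providers", "[]"))
    except (ValueError, SyntaxError):
        return ["openshift_master_identity_providers is not a valid list literal"]
    ca_given = bool(inv.get("openshift_master_ldap_ca") or inv.get("openshift_master_ldap_ca_file"))
    findings = []
    for p in providers:
        if p.get("kind") != "LDAPPasswordIdentityProvider":
            continue
        name = p.get("name", "<unnamed>")
        insecure = str(p.get("insecure", "false")).lower() == "true"
        if insecure:
            # Deploys fine, but the LDAP connection is not protected by TLS at all.
            findings.append(f"{name}: insecure=true, LDAP traffic is not protected by TLS")
        elif not ca_given:
            # openshift-ansible 3.11 will reference /etc/origin/master/<name>_ldap_ca.crt
            # in master-config.yaml without writing it, so master-api fails to start.
            findings.append(f"{name}: insecure=false but neither openshift_master_ldap_ca nor "
                            f"openshift_master_ldap_ca_file is set; {name}_ldap_ca.crt will be missing")
    return findings


def lint_inventory(text):
    """Convenience wrapper: parse the inventory text and check its LDAP providers."""
    return check_ldap_providers(parse_inventory_vars(text))
```

Feeding it the real inventory before deploy_cluster saves the half-hour round trip the thread complains about; an empty result means a CA is configured and validation stays on.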
