Bug 1417680

Summary: [3.2] Backport openshift_certificate_expiry role
Product: OpenShift Container Platform Reporter: Tim Bielawa <tbielawa>
Component: InstallerAssignee: Tim Bielawa <tbielawa>
Status: CLOSED ERRATA QA Contact: Gaoyun Pei <gpei>
Severity: high Docs Contact:
Priority: unspecified    
Version: 3.2.1CC: aos-bugs, jokerman, mmccomas
Target Milestone: ---   
Target Release: 3.2.1   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
The certificate expiry checker has been backported to the OCP 3.2 playbooks.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2017-03-06 16:38:10 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Tim Bielawa 2017-01-30 16:09:59 UTC 
Description of problem:

The openshift_certificate_expiry module needs to be backported and tested to help with the growing numbers of customers running into problems with their certificates expiring and an upcoming KBS article.


Related PR: https://github.com/openshift/openshift-ansible/pull/3207
Comment 2 Gaoyun Pei 2017-02-07 09:33:31 UTC 
Test with openshift-ansible-3.2.49-1.git.0.fc41501.el7.noarch, run the example playbook against an ocp-3.2 cluster by following https://github.com/tbielawa/openshift-ansible/blob/3efe6dd1f113c2f09a15fea7d61389296b5e9a67/roles/openshift_certificate_expiry/README.md#run-with-ansible-playbook


[root@gpei-test-ansible openshift-ansible]# pwd
/usr/share/ansible/openshift-ansible
[root@gpei-test-ansible openshift-ansible]# ansible-playbook -v -i ~/host ./roles/openshift_certificate_expiry/examples/playbooks/easy-mode.yaml 
Using /etc/ansible/ansible.cfg as config file
ERROR! the role 'openshift_certificate_expiry' was not found in /usr/share/ansible/openshift-ansible/roles/openshift_certificate_expiry/examples/playbooks/roles:/etc/ansible/roles:/usr/share/ansible/openshift-ansible/roles/openshift_certificate_expiry/examples/playbooks

The error appears to have been in '/usr/share/ansible/openshift-ansible/roles/openshift_certificate_expiry/examples/playbooks/easy-mode.yaml': line 21, column 7, but may
be elsewhere in the file depending on the exact syntax problem.

The offending line appears to be:

  roles:
    - role: openshift_certificate_expiry
      ^ here
Comment 3 Tim Bielawa 2017-02-09 18:05:37 UTC 
Fix submitted https://github.com/openshift/openshift-ansible/pull/3314
Comment 5 Gaoyun Pei 2017-02-14 10:00:41 UTC 
The same error as https://bugzilla.redhat.com/show_bug.cgi?id=1417681#c5 when testing with openshift-ansible-3.2.50-1.git.0.df25cf2.el7.noarch
Comment 7 Gaoyun Pei 2017-02-22 10:00:42 UTC 
Verify this bug with openshift-ansible-3.2.51-1.git.0.d851c61.el7

All the example playbooks could run successfully against rpm/container env, could detect certs used in the cluster well.

The playbooks could give correct result about the number of cert in expired/OK/warning status on each host, and all the configurable variables in this role were working well.
Comment 9 errata-xmlrpc 2017-03-06 16:38:10 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:0448