Bug 1417681

Summary: [3.4] Backport openshift_certificate_expiry role
Product: OpenShift Container Platform
Reporter: Tim Bielawa <tbielawa>
Component: Installer
Assignee: Tim Bielawa <tbielawa>
Status: CLOSED ERRATA
QA Contact: Gaoyun Pei <gpei>
Severity: high
Docs Contact:
Priority: unspecified
Version: 3.4.1
CC: aos-bugs, jokerman, mmccomas
Target Milestone: ---
Target Release: 3.4.z
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-03-06 16:38:13 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Tim Bielawa 2017-01-30 16:10:20 UTC
Description of problem:

The openshift_certificate_expiry module needs to be backported and tested to help with the growing numbers of customers running into problems with their certificates expiring and an upcoming KBS article.


Related PR: https://github.com/openshift/openshift-ansible/pull/3209

Comment 2 Gaoyun Pei 2017-02-07 09:32:52 UTC
Tested with openshift-ansible-3.4.59-1.git.0.d813eb7.el7.noarch; ran the example playbook against an ocp-3.4 cluster by following https://github.com/tbielawa/openshift-ansible/blob/3efe6dd1f113c2f09a15fea7d61389296b5e9a67/roles/openshift_certificate_expiry/README.md#run-with-ansible-playbook


[root@gpei-test-ansible openshift-ansible]# pwd
/usr/share/ansible/openshift-ansible
[root@gpei-test-ansible openshift-ansible]# ansible-playbook -v -i ~/host ./roles/openshift_certificate_expiry/examples/playbooks/easy-mode.yaml 
Using /etc/ansible/ansible.cfg as config file
ERROR! the role 'openshift_certificate_expiry' was not found in /usr/share/ansible/openshift-ansible/roles/openshift_certificate_expiry/examples/playbooks/roles:/etc/ansible/roles:/usr/share/ansible/openshift-ansible/roles/openshift_certificate_expiry/examples/playbooks

The error appears to have been in '/usr/share/ansible/openshift-ansible/roles/openshift_certificate_expiry/examples/playbooks/easy-mode.yaml': line 21, column 7, but may
be elsewhere in the file depending on the exact syntax problem.

The offending line appears to be:

  roles:
    - role: openshift_certificate_expiry
      ^ here

Comment 3 Tim Bielawa 2017-02-09 18:05:58 UTC
Fix submitted https://github.com/openshift/openshift-ansible/pull/3316

Comment 5 Gaoyun Pei 2017-02-14 09:57:13 UTC
Tested with openshift-ansible-3.4.60-1.git.0.1ef027f.el7.noarch.

It's working well against an ocp env built on RHEL, but for a containerized env on Atomic Host, the expiration checker playbook will fail due to "No module named OpenSSL.crypto".

Here's an example test: a containerized ocp-3.4.1.7 env built with the qe-rhel-atomic-cloud-726_1 image on AWS is configured in the host file.

[root@gpei-test-ansible ~]# ansible-playbook -v -i host /usr/share/ansible/openshift-ansible/playbooks/certificate_expiry/easy-mode.yaml 
Using /etc/ansible/ansible.cfg as config file

PLAY [Check cert expirys] ******************************************************

TASK [openshift_certificate_expiry : Check cert expirys on host] ***************
fatal: [ec2-x.compute-1.amazonaws.com]: FAILED! => {
    "changed": false, 
    "failed": true, 
    "module_stderr": "Shared connection to ec2-x.compute-1.amazonaws.com closed.\r\n", 
    "module_stdout": "Traceback (most recent call last):\r\n  File \"/tmp/ansible_7d4N_3/ansible_module_openshift_cert_expiry.py\", line 14, in <module>\r\n    import OpenSSL.crypto\r\nImportError: No module named OpenSSL.crypto\r\n"
}

MSG:

MODULE FAILURE

fatal: [ec2-54-x.compute-1.amazonaws.com]: FAILED! => {
    "changed": false, 
    "failed": true, 
    "module_stderr": "Shared connection to ec2-54-x.compute-1.amazonaws.com closed.\r\n", 
    "module_stdout": "Traceback (most recent call last):\r\n  File \"/tmp/ansible_7Wdo4k/ansible_module_openshift_cert_expiry.py\", line 14, in <module>\r\n    import OpenSSL.crypto\r\nImportError: No module named OpenSSL.crypto\r\n"
}

MSG:

MODULE FAILURE

Comment 6 Scott Dodson 2017-02-16 20:48:24 UTC
Right now I don't think we can fix atomic host. We'll need to invest significant engineering time in determining the best way forward to provide ansible dependencies on atomic host.

Comment 8 Gaoyun Pei 2017-02-22 10:02:33 UTC
Verified this bug with openshift-ansible-3.4.64-1.git.0.7bb288c.el7.

All the example playbooks ran successfully against rpm and container envs and detected the certs used in the cluster correctly.

The playbooks gave correct results for the number of certs in expired/OK/warning status on each host, and all the configurable variables in this role were working well.
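The two behaviours exercised in Comment 5 and Comment 8 (the module failing outright when `OpenSSL.crypto` is missing, and the per-host expired/warning/OK counts the role reports) are shown below in an added, stand-alone example. This is illustrative code written for this page, not the openshift_certificate_expiry role's own module; the host names, certificate names, notAfter values and the reference "now" are all constructed, and the warning threshold of 30 days is an assumed default, not a value taken from the role.

```python
"""Classify certificate expiry and summarise it per host (added example).

Not the openshift_certificate_expiry role's code. The notAfter values are in
the b'YYYYMMDDHHMMSSZ' form that pyOpenSSL's X509.get_notAfter() returns, so
the same classification can be applied to real certificates where pyOpenSSL
is installed; pyOpenSSL itself is only probed here, never required.
"""
import datetime

# The role's module imports OpenSSL.crypto unconditionally, which is what
# produced "ImportError: No module named OpenSSL.crypto" on Atomic Host.
# Probing it lets a controller report the missing dependency clearly instead
# of failing with a remote traceback.
try:
    import OpenSSL.crypto  # noqa: F401
    HAVE_PYOPENSSL = True
except ImportError:
    HAVE_PYOPENSSL = False


def parse_asn1_time(value):
    """Parse an ASN.1 UTC time such as b'20170306163813Z' into an aware datetime."""
    if isinstance(value, bytes):
        value = value.decode("ascii")
    if not value.endswith("Z"):
        raise ValueError("expected an ASN.1 time in UTC (trailing 'Z'): %r" % value)
    parsed = datetime.datetime.strptime(value, "%Y%m%d%H%M%SZ")
    return parsed.replace(tzinfo=datetime.timezone.utc)


def classify(not_after, now, warning_days=30):
    """Return (status, days_remaining); status is 'expired', 'warning' or 'ok'.

    days_remaining is floored, so a certificate expiring in 29.5 days reports
    29 and one that expired 1.5 days ago reports -2.
    """
    remaining = (not_after - now).days
    if not_after <= now:
        return "expired", remaining
    if remaining < warning_days:
        return "warning", remaining
    return "ok", remaining


def summarize(certs, now, warning_days=30):
    """Build per-host counts plus per-certificate detail from (host, name, notAfter) rows."""
    report = {}
    for host, name, not_after in certs:
        status, days = classify(parse_asn1_time(not_after), now, warning_days)
        entry = report.setdefault(host, {"expired": 0, "warning": 0, "ok": 0, "details": []})
        entry[status] += 1
        entry["details"].append((name, status, days))
    return report


# Constructed reference time and inventory; none of these are real hosts or certs.
NOW = datetime.datetime(2017, 2, 22, 10, 0, 0, tzinfo=datetime.timezone.utc)
SAMPLE_CERTS = [
    ("master1.example.com", "ca.crt", b"20190222100000Z"),            # ~2 years left
    ("master1.example.com", "master.server.crt", b"20170301100000Z"),  # 7 days left
    ("node1.example.com", "node.server.crt", b"20170201100000Z"),      # expired 21 days ago
    ("node1.example.com", "system:node:node1", b"20170515100000Z"),    # 82 days left
]


def main():
    if not HAVE_PYOPENSSL:
        print("note: OpenSSL.crypto not importable here; real certificates cannot be "
              "read on this host until pyOpenSSL is installed")
    for host, entry in sorted(summarize(SAMPLE_CERTS, NOW).items()):
        print("%s: expired=%d warning=%d ok=%d" % (
            host, entry["expired"], entry["warning"], entry["ok"]))
        for name, status, days in entry["details"]:
            print("    %-20s %-8s %+d days" % (name, status, days))


if __name__ == "__main__":
    main()
```

The `classify` rule is deliberately strict about the boundary: a certificate whose notAfter equals the check time is already counted as expired, and anything inside the warning window, even by one day, is reported as a warning rather than OK, which is the safer direction for an operator reading the summary.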

Comment 10 errata-xmlrpc 2017-03-06 16:38:13 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:0448