Bug 1421037

Summary: Should add '-n default' to the 'oc replace' command in redeploy-registry-certificates playbook
Product: OpenShift Container Platform
Reporter: Gaoyun Pei <gpei>
Component: Installer
Assignee: Andrew Butcher <abutcher>
Status: CLOSED ERRATA
QA Contact: Gaoyun Pei <gpei>
Severity: medium
Priority: medium
Version: 3.5.0
CC: aos-bugs, jokerman, mmccomas, sreber
Hardware: Unspecified
OS: Unspecified
Doc Type: No Doc Update
Last Closed: 2017-04-11 21:23:18 UTC
Type: Bug
Bug Depends On: 1422638
Bug Blocks: 1397958

Description Gaoyun Pei 2017-02-10 08:11:27 UTC
Description of problem:
For the "Update registry certificates secret" step in https://github.com/openshift/openshift-ansible/blob/openshift-ansible-3.5.6-1/playbooks/common/openshift-cluster/redeploy-certificates/registry.yml#L72
we should also specify '-n default' for 'oc replace -f - ' command.


Version-Release number of selected component (if applicable):
openshift-ansible-3.5.6-1.git.0.5e6099d.el7.noarch

How reproducible:
Always

Steps to Reproduce:
1. Set up an ocp-3.5 env, log into master and create a new project
[root@ip-172-18-3-137 ~]# oc new-project test

2. Run the registry cert redeploy playbook against the env
ansible-playbook -i host playbooks/byo/openshift-cluster/redeploy-registry-certificates.yml


Actual results:
TASK [Update registry certificates secret] *************************************
fatal: [ec2-54-152-140-183.compute-1.amazonaws.com]: FAILED! => {
    "changed": true, 
    "cmd": "oc secret new registry-certificates /etc/origin/master/registry.crt /etc/origin/master/registry.key --config=/tmp/openshift-ansible-lh3xU2/admin.kubeconfig -n default -o json | oc replace -f -", 
    "delta": "0:00:00.733213", 
    "end": "2017-02-10 02:51:05.399517", 
    "failed": true, 
    "rc": 1, 
    "start": "2017-02-10 02:51:04.666304", 
    "warnings": []
}

STDERR:

Error from server (NotFound): error when replacing "STDIN": secrets "registry-certificates" not found


Expected results:


Additional info:

Comment 1 Andrew Butcher 2017-02-13 14:56:34 UTC
Proposed fix: https://github.com/openshift/openshift-ansible/pull/3300

Comment 3 Gaoyun Pei 2017-02-15 04:35:11 UTC
Test with openshift-ansible-3.5.8-1.git.0.0e02ef8.el7.noarch

The new playbook will fail when running against a containerized env on AtomicHost

TASK [lib_openshift : lib_openshift ensure python-ruamel-yaml package is on target] ***
fatal: [gpei-35-debugging-master-1.0214-1i0.qe.rhcloud.com]: FAILED! => {
    "changed": false, 
    "failed": true
}

MSG:

Could not find a module for unknown.


Filed a new bug BZ#1422348 about role lib_openshift not matched with AtomicHost

Comment 4 Scott Dodson 2017-02-17 02:05:04 UTC
Additional changes have been made.

Comment 5 Gaoyun Pei 2017-02-17 09:52:21 UTC
Verify this bug with openshift-ansible-3.5.10-1.git.0.ba66b63.el7.noarch

For a containerized env on AtomicHost, run the registry cert redeploy playbook against the env after changing the current project on master to something other than "default".

ansible-playbook -v -i host /usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/redeploy-registry-certificates.yml

Playbook could run successfully, registry certificates secret was updated, and new sti-build test could pass.
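
The failing task in the description pipes `oc secret new ... -n default` into `oc replace -f -`, and only the first stage names a namespace. The check below is an added example, not part of the bug report or of openshift-ansible: it splits a task's command on `|` and reports every `oc` stage that has no `-n`/`--namespace` flag. The function name is hypothetical, and the corrected command is constructed from the bug summary rather than taken from the merged fix.

```shell
#!/bin/sh
# Added example: report `oc` stages of a pipeline that lack an explicit namespace.

# Command exactly as it appears in the failed task output of the bug description.
FAILING_CMD='oc secret new registry-certificates /etc/origin/master/registry.crt /etc/origin/master/registry.key --config=/tmp/openshift-ansible-lh3xU2/admin.kubeconfig -n default -o json | oc replace -f -'

# Constructed from the bug summary: '-n default' added to the `oc replace` stage.
FIXED_CMD='oc secret new registry-certificates /etc/origin/master/registry.crt /etc/origin/master/registry.key --config=/tmp/openshift-ansible-lh3xU2/admin.kubeconfig -n default -o json | oc replace -f - -n default'

# Print each `oc` stage of the pipeline in $1 that has no namespace flag.
# Assumption: the command contains no quoted '|' characters, so a plain
# split on '|' yields the pipeline stages.
oc_stages_missing_namespace() {
    printf '%s\n' "$1" | tr '|' '\n' | while IFS= read -r stage; do
        # Trim leading and trailing whitespace left over from the split.
        stage=$(printf '%s' "$stage" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        # Only `oc` invocations are of interest.
        case "$stage" in
            oc\ *) ;;
            *) continue ;;
        esac
        # Pad with spaces so the flags match as whole words.
        case " $stage " in
            *" -n "*|*" --namespace "*|*" --namespace="*) ;;
            *) printf '%s\n' "$stage" ;;
        esac
    done
}

# Demo: the original command reports one stage, the corrected one reports none.
for cmd in "$FAILING_CMD" "$FIXED_CMD"; do
    missing=$(oc_stages_missing_namespace "$cmd")
    if [ -n "$missing" ]; then
        printf 'no explicit namespace: %s\n' "$missing"
    else
        printf 'all oc stages name a namespace\n'
    fi
done
```

A stage reported here runs against whichever project is current for the invoking user, which is why the task only failed after `oc new-project test` had switched the master away from `default`.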