Bug 1507617
| Summary: | Etcd should communicate over SSL and be authenticated to | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Shawn Hurley <shurley> |
| Component: | Service Broker | Assignee: | Shawn Hurley <shurley> |
| Status: | CLOSED ERRATA | QA Contact: | Jian Zhang <jiazha> |
| Severity: | urgent | Docs Contact: | |
| Priority: | urgent | | |
| Version: | 3.7.0 | CC: | aos-bugs, chezhang, dzager, jiazha, jmatthew, qixuan.wang, shurley, smunilla, wmeng |
| Target Milestone: | --- | | |
| Target Release: | 3.7.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-11-28 22:20:29 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1508582, 1509366, 1509680, 1510546 | | |
Description
Shawn Hurley
2017-10-30 17:53:45 UTC

Fixed with PR: https://github.com/openshift/ansible-service-broker/pull/522

*** Bug 1504957 has been marked as a duplicate of this bug. ***

Commits pushed to master at https://github.com/openshift/openshift-ansible

https://github.com/openshift/openshift-ansible/commit/3ee9a2368c1bba68477aacbb4b950eee32939eee
Bug 1507617- Move etcd into its own service/dc with SSL

https://github.com/openshift/openshift-ansible/commit/3d1677e3e2db0cac168e9cdec692506ed86f32d2
Merge pull request #5976 from fabianvf/asb-etcd-certs
Bug 1507617- Move etcd into its own service/dc with SSL

In regard to comment #5:

1. In order to use the template to deploy the broker, you also need to generate the required certificates for etcd. Here is an example of what steps are required: https://github.com/openshift/ansible-service-broker/blob/master/scripts/run_latest_build.sh#L80-L89

2. For openshift-ansible, this PR to openshift-ansible adds the support for the ansible installer: https://github.com/openshift/openshift-ansible/pull/5976

Also note that a newer broker image is required to use etcd authentication. I'd recommend using ansible-service-broker-1.0.18-1.el7 or later.

*** Bug 1510706 has been marked as a duplicate of this bug. ***

Test code of PR https://github.com/openshift/ansible-service-broker/blob/master/scripts/run_latest_build.sh#L80-L89 caused the ansible-service-catalog install to fail.

Error info:

    TASK [ansible_service_broker : set_fact] ***************************************
    Wednesday 08 November 2017 01:17:00 +0000 (0:00:00.078) 0:14:21.223 ****
    [WARNING]: Unable to find '/etc/origin/ansible-service-broker/client.pem' in expected paths.

    fatal: [host-8-241-56.host.centralci.eng.rdu2.redhat.com]: FAILED! => {"failed": true, "msg": "An unhandled exception occurred while running the lookup plugin 'file'. Error was a <class 'ansible.errors.AnsibleError'>, original message: could not locate file in lookup: /etc/origin/ansible-service-broker/client.pem"}
    to retry, use: --limit @/home/slave2/workspace/Launch Environment Flexy/private-openshift-ansible/playbooks/byo/config.retry

This is a blocking issue.

Additional info for comment 9: this test is based on the image brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/openshift3/ose-ansible-service-broker:v3.7.0-0.197.0.0. Its version is 1.0.18.

    [root@host-172-16-120-57 ~]# docker run --rm --entrypoint=asbd brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/openshift3/ose-ansible-service-broker:v3.7.0-0.197.0.0 --version
    1.0.18

(In reply to Zhang Cheng from comment #8)
> Test code of PR
> https://github.com/openshift/ansible-service-broker/blob/master/scripts/run_latest_build.sh#L80-L89 caused ansible-service-catalog install failed.
>
> Error info:
> TASK [ansible_service_broker : set_fact] ***************************************
> Wednesday 08 November 2017 01:17:00 +0000 (0:00:00.078) 0:14:21.223 ****
> [WARNING]: Unable to find '/etc/origin/ansible-service-broker/client.pem' in expected paths.
>
> fatal: [host-8-241-56.host.centralci.eng.rdu2.redhat.com]: FAILED! => {"failed": true, "msg": "An unhandled exception occurred while running the lookup plugin 'file'. Error was a <class 'ansible.errors.AnsibleError'>, original message: could not locate file in lookup: /etc/origin/ansible-service-broker/client.pem"}
> to retry, use: --limit @/home/slave2/workspace/Launch Environment Flexy/private-openshift-ansible/playbooks/byo/config.retry
>
> This is a block issue.

Sorry, in my comment 8, the related PR should be https://github.com/openshift/openshift-ansible/pull/5976

Hello, I notice that you are attempting to tell the broker in a container to look at the /tmp/cert directory for certs. Did you create a secret with all of that data and mount it at that location? Please get back ASAP so I can test and reproduce.

@Shawn Oh, for problem #1, sorry for the mistake, I think I configured a mismatched CA file. I will double check this point and the template ways. Please try to solve problem #2: we could not create the cluster by using the ansible-installer. Thanks!

The OpenShift installer should be fixed by the PRs mentioned in bug https://bugzilla.redhat.com/show_bug.cgi?id=1510706; I think that bug is already tracking ansible-installer issues. The run_latest_build.sh script is working and I cannot reproduce problem #1 in my environment.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:3188
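The two things that trip people up in this bug are the certificate-generation step the "In regard to comment #5" reply points at, and the installer's complaint that client.pem could not be found in the expected path. The script below is an added example, not the project's run_latest_build.sh and not code from any comment in this bug: it builds a private CA, an etcd server certificate and a broker client certificate with openssl, checks that each one chains to the CA and carries the right extended key usage (serverAuth for etcd, clientAuth for the broker, which is what etcd's --client-cert-auth mode enforces), and checks that a cert/key pair actually belongs together before it is copied into a secret or an installer path. The names asb-etcd, asb-etcd-ca and ansible-service-broker, and the output directory, are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug or the ansible-service-broker project).
# Generates a throwaway CA, an etcd server cert and a broker client cert,
# then verifies them. All subject names and paths here are assumptions.
set -e

# Issue a cert under $dir signed by $dir/ca.crt.
# $1=dir  $2=basename  $3=subject  $4=x509 extensions (one per line)
issue_cert() {
  dir="$1"; name="$2"; subj="$3"; ext="$4"
  openssl req -newkey rsa:2048 -nodes -subj "$subj" \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" >/dev/null 2>&1
  printf '%s\n' "$ext" > "$dir/$name.ext"
  openssl x509 -req -days 365 -in "$dir/$name.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/$name.ext" -out "$dir/$name.crt" >/dev/null 2>&1
}

# Build the full set under $1: ca.crt/ca.key, etcd.crt/etcd.key, client.crt/client.key.
gen_etcd_certs() {
  dir="$1"
  mkdir -p "$dir"
  # Private CA trusted by both etcd (--trusted-ca-file) and the broker.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=asb-etcd-ca" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
  # Server cert for etcd: the SAN must match the service name the broker dials
  # (assumed "asb-etcd"); a CN-only cert is rejected by modern TLS clients.
  issue_cert "$dir" etcd "/CN=asb-etcd" \
    "$(printf 'subjectAltName=DNS:asb-etcd\nextendedKeyUsage=serverAuth')"
  # Client cert presented by the broker. With --client-cert-auth etcd rejects
  # any peer whose cert is not signed by the CA, so an unauthenticated client
  # never reaches the key/value API.
  issue_cert "$dir" client "/CN=ansible-service-broker" "extendedKeyUsage=clientAuth"
}

# Returns 0 only if $1/$2.crt chains to $1/ca.crt and its EKU text contains $3.
# $3 is e.g. "TLS Web Server Authentication" or "TLS Web Client Authentication".
verify_cert() {
  dir="$1"; name="$2"; want="$3"
  openssl verify -CAfile "$dir/ca.crt" "$dir/$name.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$dir/$name.crt" -noout -text | grep -q "$want"
}

# Sanity check a cert/key pair before handing it to an installer or storing it
# in a secret: both files must exist and the RSA modulus must match, which is
# the mismatch a "wrong ca file"/"wrong key" configuration produces.
# $1=cert path  $2=key path
check_pair() {
  [ -f "$1" ] && [ -f "$2" ] || return 1
  cert_mod=$(openssl x509 -in "$1" -noout -modulus)
  key_mod=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)
  [ "$cert_mod" = "$key_mod" ]
}

# Usage (constructed path):
#   gen_etcd_certs /tmp/asb-certs
#   verify_cert /tmp/asb-certs client "TLS Web Client Authentication"
#   check_pair /tmp/asb-certs/client.crt /tmp/asb-certs/client.key
```

The verify_cert and check_pair functions are the part worth keeping around: run them against whatever directory you intend to mount into the broker container (the /tmp/cert directory mentioned above) or point the installer at, before the playbook's file lookup runs, so a missing client.pem or a key that does not belong to its certificate is caught locally rather than as a failed set_fact task fourteen minutes into an install.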