Bug 1509859

Summary: Certificate expiry playbook run error
Product: OpenShift Container Platform Reporter: Miheer Salunke <misalunk>
Component: InstallerAssignee: Vadim Rutkovsky <vrutkovs>
Status: CLOSED ERRATA QA Contact: Gaoyun Pei <gpei>
Severity: high Docs Contact:
Priority: high    
Version: 3.5.0CC: aos-bugs, fshaikh, jokerman, misalunk, mmccomas, pdwyer, smunilla, vrutkovs
Target Milestone: ---Keywords: Reopened
Target Release: 3.6.z   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-09-26 04:10:45 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Comment 4 Scott Dodson 2018-01-24 13:33:29 UTC 
This looks like the cert expiry module assumes embedded etcd configuration betcause it's looking for etcdConfig.servingInfo which won't exist when the environment is not embedded. We should fix that check to ensure it does the right thing on non embedded environments especially given that's all that we support in 3.7 and later.
Comment 5 Vadim Rutkovsky 2018-01-25 13:50:23 UTC 
Can't seem to reproduce it in master, release-3.7 or openshift-ansible-3.5.120-1 branches. Works fine here both with dedicated or embedded etcd config.

Miheer, could you ask for customer's inventory file?
Comment 7 Vadim Rutkovsky 2018-03-07 13:04:03 UTC 
This doesn't look like an embedded etcd issue, but could be a permission issue to read the config (although root is used).

Miheer, is it reproducible on the latest openshift-ansible package? Which version is used there?
Comment 8 Miheer Salunke 2018-04-06 03:06:05 UTC 
(In reply to Vadim Rutkovsky from comment #7)
> This doesn't look like an embedded etcd issue, but could be a permission
> issue to read the config (although root is used).
> 
> Miheer, is it reproducible on the latest openshift-ansible package? Which
> version is used there?


Do you want me to have them "yum update atomic-openshift-util" ?

# rpm -q openshift-ansible
openshift-ansible-3.5.120-1.git.0.c60f69a.el7.noarch

For more details check comment 1
Comment 9 Vadim Rutkovsky 2018-04-10 10:23:49 UTC 
(In reply to Miheer Salunke from comment #8)
> Do you want me to have them "yum update atomic-openshift-util" ?
> 
> # rpm -q openshift-ansible
> openshift-ansible-3.5.120-1.git.0.c60f69a.el7.noarch
> 
> For more details check comment 1

The latest released RPM is openshift-ansible-3.5.146-1.git.0.fee1c99.el7.noarch.rpm. Could the customer update to it and re-run cert expiry playbooks?
Comment 10 Scott Dodson 2018-05-02 18:20:29 UTC 
Re-open if the problem persists in the latest version of 3.5 playbooks.
Comment 22 Vadim Rutkovsky 2018-08-21 11:59:07 UTC 
Right, it seems this cluster has remains from embedded etcd, so the playbook fails.

Created PR https://github.com/openshift/openshift-ansible/pull/9696
Comment 27 Vadim Rutkovsky 2018-09-10 08:16:54 UTC 
Fix is available in openshift-ansible-3.6.173.0.130-1
Comment 28 Gaoyun Pei 2018-09-11 05:12:46 UTC 
Waiting for openshift-ansible-3.6.173.0.130-1 rpm build
Comment 32 Gaoyun Pei 2018-09-13 03:14:03 UTC 
Verify this bug with openshift-ansible-3.6.173.0.130-1.git.0.22ddff9.el7.noarch.

When master-config.yaml has empty 'etcdConfig:' section, cert check playbook could run well.
Comment 34 errata-xmlrpc 2018-09-26 04:10:45 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:2654