Bug 1579320

Summary: etcd certificate re-deploy during Red Hat OpenShift Container Platform 3.9 upgrade is failing
Product: OpenShift Container Platform Reporter: Vadim Rutkovsky <vrutkovs>
Component: InstallerAssignee: Vadim Rutkovsky <vrutkovs>
Status: CLOSED CURRENTRELEASE QA Contact: Gaoyun Pei <gpei>
Severity: high Docs Contact:
Priority: high    
Version: 3.9.0CC: aos-bugs, gpei, jialiu, jokerman, mmccomas, sreber, vlaad
Target Milestone: ---   
Target Release: 3.9.z   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1578934 Environment:
Last Closed: 2018-09-06 18:27:41 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1578934, 1579321    
Bug Blocks: 1579319    

Comment 1 Vadim Rutkovsky 2018-05-17 11:30:16 UTC 
Created https://github.com/openshift/openshift-ansible/pull/8403
Comment 2 Vadim Rutkovsky 2018-05-28 08:15:32 UTC 
Fix is available in openshift-ansible-3.9.30-1
Comment 3 Gaoyun Pei 2018-06-19 09:13:56 UTC 
Verify this bug with openshift-ansible-3.9.31-1.git.34.154617d.el7.noarch.rpm.

During 3.7 to 3.9 upgrade, when etcd redeploy-certificates.yml is called, it could backup etcd certs and generate new cert files correctly.

Copy file steps:

TASK [etcd : file] **********************************************************************************************************************************************************
changed: [qe-gpei-rpm37-master-1.0618-2lg.qe.rhcloud.com -> qe-gpei-rpm37-etcd-1.0618-2lg.qe.rhcloud.com] => {"changed": true, "dest": "/etc/etcd/generated_certs/openshift-master-qe-gpei-rpm37-master-1/master.etcd-ca.crt", "failed": false, "gid": 0, "group": "root", "mode": "0644", "owner": "root", "secontext": "unconfined_u:object_r:etc_t:s0", "size": 1895, "src": "/etc/etcd/ca/ca.crt", "state": "hard", "uid": 0}

...

TASK [etcd : file] **********************************************************************************************************************************************************
changed: [qe-gpei-rpm37-etcd-1.0618-2lg.qe.rhcloud.com -> qe-gpei-rpm37-etcd-1.0618-2lg.qe.rhcloud.com] => {"changed": true, "dest": "/etc/etcd/generated_certs/etcd-qe-gpei-rpm37-etcd-1/ca.crt", "failed": false, "gid": 0, "group": "root", "mode": "0644", "owner": "root", "secontext": "unconfined_u:object_r:etc_t:s0", "size": 1895, "src": "/etc/etcd/ca/ca.crt", "state": "hard", "uid": 0}