Bug 1667063

Summary: After running redeploy-certificates.yml playbook in OCP 3.11 webconsole stop working
Product: OpenShift Container Platform Reporter: Manikandan Somasundaram <msomasun>
Component: InstallerAssignee: Vadim Rutkovsky <vrutkovs>
Installer sub component: openshift-ansible QA Contact: Yanping Zhang <yanpzhan>
Status: CLOSED ERRATA Docs Contact:
Severity: medium    
Priority: medium CC: bbeaudoi, gpei, jkaur, mirollin, mtaru, travi, vrutkovs
Version: 3.11.0   
Target Milestone: ---   
Target Release: 3.11.z   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Cause: playbook which redeployed master certificates didn't update webconsole secrets Consequence: webconsole failed to start when master certs were redeployed Fix: webconsole secrets are recreated during master cewrt redeploy playbook Result: webconsole works correctly after master cert redeploy
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-26 09:07:54 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
consolepodlog
none
ansibleplaybooklog none

Comment 10 Yanping Zhang 2019-03-07 10:25:10 UTC 
OCP cluster version:
openshift v3.11.92
kubernetes v1.11.0+d4cacc0
openshift-ansible version:
openshift-ansible-3.11.92-1.git.0.f2fade7.el7.noarch
Run playbook: ansible-playbook -i /path/to/inventory /usr/share/ansible/openshift-ansible/playbooks/openshift-master/redeploy-certificates.yml
After finished, web console can be accessed, secret webconsole-serving-cert and web console pod are newly created.
Check admin console project, no new pod/secret are created. Try to login to console, it could be accessed at first, but after a while, it failed to open console url.
The console pod log shows failed info, pls refer to attachment.
Comment 11 Yanping Zhang 2019-03-07 10:25:45 UTC 
Created attachment 1541801 [details]
consolepodlog
Comment 12 Yanping Zhang 2019-03-07 10:27:06 UTC 
Created attachment 1541802 [details]
ansibleplaybooklog
Comment 13 Vadim Rutkovsky 2019-03-12 10:54:41 UTC 
Right, admin console certs are not being redeployed.

Created https://github.com/openshift/openshift-ansible/pull/11341 to fix this
Comment 14 Vadim Rutkovsky 2019-03-15 10:18:03 UTC 
Fix is available in openshift-ansible-3.11.95-1
Comment 15 Yanping Zhang 2019-03-19 08:57:50 UTC 
ansible version:
openshift-ansible-3.11.97-1.git.0.5bb60b0.el7.noarch.rpm
ocp cluster version: openshift v3.11.97

Run below playbooks separately: 
ansible-playbook -i /path/to/inventory /usr/share/ansible/openshift-ansible/playbooks/openshift-master/redeploy-certificates.yml
ansible-playbook -i /path/to/inventory /usr/share/ansible/openshift-ansible/playbooks/redeploy-certificates.yml
After finished, web console can be accessed, secret webconsole-serving-cert and web console pod are newly created. And console can be accessed, secret console-serving-cert and console pod are newly created.

The bug is fixed, so move it to Verified.
Comment 17 errata-xmlrpc 2019-06-26 09:07:54 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:1605