Bug 1667981

Summary: [3.10] After running redeploy-certificates.yml playbook in OCP 3.10 webconsole stop working.
Product: OpenShift Container Platform Reporter: Dmitry Zhukovski <dzhukous>
Component: InstallerAssignee: Vadim Rutkovsky <vrutkovs>
Status: CLOSED ERRATA QA Contact: Yanping Zhang <yanpzhan>
Severity: high Docs Contact:
Priority: unspecified    
Version: 3.10.0CC: aos-bugs, clasohm, gpei, jokerman, mmccomas, openshift-bugs-escalate, vrutkovs
Target Milestone: ---   
Target Release: 3.10.z   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Cause: playbook which redeployed master certificates didn't update webconsole secrets Consequence: webconsole failed to start when master certs were redeployed Fix: webconsole secrets are recreated during master cewrt redeploy playbook Result: webconsole works correctly after master cert redeploy
 Story Points: ---
Clone Of: 1592303 Environment:
Last Closed: 2019-04-09 23:40:43 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1592303, 1596233    
Bug Blocks: 1596557, 1623987    

Comment 4 Vadim Rutkovsky 2019-01-23 09:40:07 UTC 
This works correctly when playbooks/redeploy-certificates.yml is being run.
However when only playbooks/openshift-master/redeploy-certificates.yml is started.
This affects 3.9, 3.10 and 3.9. 

https://github.com/openshift/openshift-ansible/pull/9713 should be used as a base: create a new webconsole-only redeploy playbook and run it when master certs are being redeployed
Comment 5 Vadim Rutkovsky 2019-02-26 15:23:26 UTC 
Created 3.11 PR - https://github.com/openshift/openshift-ansible/pull/11246
Comment 6 Vadim Rutkovsky 2019-02-28 18:45:06 UTC 
3.10 PR - https://github.com/openshift/openshift-ansible/pull/11270
Comment 7 Vadim Rutkovsky 2019-03-05 08:28:04 UTC 
Fix is available in openshift-ansible-3.10.120-1
Comment 8 Yanping Zhang 2019-03-06 07:00:31 UTC 
OCP cluster version:
openshift v3.10.121
kubernetes v1.10.0+b81c8f8
openshift-ansible version:
openshift-ansible-3.10.122-1.git.0.05498cb.el7.noarch

Run playbook: ansible-playbook -i /path/to/inventory /usr/share/ansible/openshift-ansible/playbooks/openshift-master/redeploy-certificates.yml
After finished, web console can be accessed, secret webconsole-serving-cert and web console pod are newly created.
The bug has been fixed, so move it to Verified.
Comment 10 errata-xmlrpc 2019-04-09 23:40:43 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0620