Bug 1675133

Summary: Task set_loopback_context.yml sets context.user to the wrong name for openshift-master.kubeconfig
Product: OpenShift Container Platform Reporter: Ryan Howe <rhowe>
Component: InstallerAssignee: Russell Teague <rteague>
Installer sub component: openshift-ansible QA Contact: ge liu <geliu>
Status: CLOSED ERRATA Docs Contact:
Severity: unspecified    
Priority: unspecified CC: fgrosjea, gpei, jmalde, rteague
Version: 3.11.0   
Target Milestone: ---   
Target Release: 3.11.z   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
When a cluster is installed the username in the loopback kubeconfig is equal to hostname of that local master. This changes the variable to equal a value of what would originally be set.
Story Points: ---
Clone Of:
: 1686585 1686587 (view as bug list) Environment:
Last Closed: 2019-04-11 05:38:26 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1686585, 1686587    

Description Ryan Howe 2019-02-11 20:20:20 UTC
Description of problem:

If the current context for openshift-master.kubeconfig changes, an upgrade is run the Task set_loopback_context.yml will be called which will end up correcting the context but it changes the the context user reference to the wrong value. 


Version-Release number of selected component (if applicable):
3.11

How reproducible:
100%

Steps to Reproduce:
1. Change the project when using the openshift-master.kubeconfig 
# oc project proxytest --config=/etc/origin/master/openshift-master.kubeconfig

2. Run update playbook


Actual results:
openshift-master.kubeconfig gets a context created with a user that has a name of "system:openshift-master/CLUSTER_HOSTNAME:API_PORT"

Expected results:

openshift-master.kubeconfig gets a context created with a user that has a name of "system:openshift-master/MASTER_HOSTNAME:API_PORT"

matching the user already created for that kubeconfig.

Additional info:

https://github.com/openshift/openshift-ansible/issues/11158

Comment 1 Ryan Howe 2019-02-11 20:48:23 UTC
During the install this task is run and overwrite openshift-master.kubeconfig to use openshift.master.loopback_api_url

https://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_master_certificates/tasks/main.yml#L77-L78


Then this task during the update would change it to use openshift.master.loopback_user which is build using:
                         "system:openshift-master/{0}:{1}".format(api_hostname, ports['api']).replace('.', '-')

https://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_control_plane/tasks/set_loopback_context.yml#L22

Comment 2 Ryan Howe 2019-02-11 20:56:07 UTC
Same as bug 1467775 where this would fix the issue: 

   https://github.com/openshift/openshift-ansible/pull/10325/files

Comment 3 Ryan Howe 2019-02-11 21:32:36 UTC
Created PR for 3.11 branch: 

https://github.com/openshift/openshift-ansible/pull/11169

Comment 5 Russell Teague 2019-03-07 13:34:44 UTC
Merged https://github.com/openshift/openshift-ansible/pull/11169

Comment 6 Russell Teague 2019-03-11 15:24:22 UTC
In build openshift-ansible-3.11.93-1

Comment 8 ge liu 2019-03-20 03:19:18 UTC
Recreate with openshift-ansible-3.11.82-1.git.0.f29227a.el7.noarch.rpm:

1. Install HA env

2. Change project:

# oc project lgproj --config=/etc/origin/master/openshift-master.kubeconfig

3. Check openshift-master.kubeconfig:

- context:
    cluster: qe-geliu311old2master-etcd-1:443
    namespace: lgproj
    user: system:openshift-master/qe-geliu311old2master-etcd-1:443
  name: lgproj/qe-geliu311old2master-etcd-1:443/system:openshift-master

4. run upgrade.yaml playbook,

5. Check openshift-master.kubeconfig again:

- context:
    cluster: qe-geliu311old2master-etcd-1:443
    namespace: default
    user: system:openshift-master/qe-geliu311old2lb-1:443
  name: default/qe-geliu311old2master-etcd-1:443/system:openshift-master


Verified with openshift-ansible-3.11.98-1.git.0.3cfa7c3.el7.noarch.rpm:

Before run upgrade:

- context:
    cluster: qe-geliu311master-etcd-1:443
    namespace: default
    user: system:openshift-master/qe-geliu311master-etcd-1:443
  name: default/qe-geliu311master-etcd-1:443/system:openshift-master

after run upgrade:

- context:
    cluster: qe-geliu311master-etcd-1:443
    namespace: default
    user: system:openshift-master/qe-geliu311master-etcd-1:443
  name: default/qe-geliu311master-etcd-1:443/system:openshift-master

there is not unexpected change for user: system:openshift-master/qe-geliu311master-etcd-1:443

Comment 10 errata-xmlrpc 2019-04-11 05:38:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0636