Bug 1696198

Summary: after running redeploy-certificates.yml playbook grafana, prometheus and alertmanager routes are not accessible anymore
Product: OpenShift Container Platform Reporter: Joel Rosental R. <jrosenta>
Component: InstallerAssignee: Vadim Rutkovsky <vrutkovs>
Installer sub component: openshift-ansible QA Contact: Junqi Zhao <juzhao>
Status: CLOSED ERRATA Docs Contact:
Severity: high    
Priority: unspecified CC: gpei, hgomes, vrutkovs, yapei, zhuchkov.alex
Version: 3.11.0   
Target Milestone: ---   
Target Release: 3.11.z   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: openshift-ansible-3.11.104-1.git.0.379a011.el7 Doc Type: Bug Fix
Doc Text:
Cause: monitoring certificates were not updated after cert redeploy Consequence: prometheus, grafana and alertmanager UI were broken Fix: component's TLS secrets and pods are removed during cert redeploy Result: alermanager, prometheus and grafana UI work correctly after cert redeploy
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-06 02:00:29 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1697169    
Attachments:
Description Flags
received an invalid certificate none

Description Joel Rosental R. 2019-04-04 10:20:03 UTC 
Description of problem:
After running redeploy-certificates.yml playbook the grafana, alertmanager and prometheus routes don't work anymore, I get an "Application is not available" error message.

Workaround: deleting the "*-tls" secrets in openshift-monitoring namespace and restarting the pods solves the issue as the secrets get re-created by the operator.

Version-Release number of the following components:
$ rpm -q openshift-ansible
openshift-ansible-3.11.92-1.git.0.f2fade7.el7.noarch

$ rpm -q ansible
ansible-2.6.15-1.el7ae.noarch

ansible --version
ansible 2.6.15

How reproducible:
Always

Steps to Reproduce:
1. ansible-playbook -i hosts /usr/share/ansible/openshift-ansible/playbooks/redeploy-certificates.yml
2. try accessing
3.

Actual results:
An error message stating "Application is not available" is shown instead of accessing the requested resource.

Expected results:
The redeploy-certificates.yml playbook should take care of this.

Additional info:
N/A
Comment 1 Vadim Rutkovsky 2019-04-08 11:19:59 UTC 
Created PR for 3.11 https://github.com/openshift/openshift-ansible/pull/11472 - it removes TLS secrets, deletes pods and waits for pods to come up
Comment 5 Junqi Zhao 2019-04-16 08:28:55 UTC 
Created attachment 1555405 [details]
received an invalid certificate
Comment 12 errata-xmlrpc 2019-06-06 02:00:29 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0794