Bug 1721336

Summary: [3.10]redeploy-certificates playbook redeploys service signer certificate - causing internal apps not working
Product: OpenShift Container Platform
Reporter: Vladislav Walek <vwalek>
Component: Installer
Assignee: Joseph Callen <jcallen>
Installer sub component: openshift-ansible
QA Contact: Gaoyun Pei <gpei>
Status: CLOSED ERRATA
Docs Contact:
Severity: high
Priority: unspecified
CC: jcallen, tmanor
Version: 3.10.0
Target Milestone: ---
Target Release: 3.10.z
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: The service-signer certificate and key were deleted and regenerated on every run of the redeploy-certificates playbook, not only when the OpenShift CA was being redeployed.
Consequence: Internal applications that depend on a certificate issued by the service signer were left with certificates that no longer chained to the current signer; their serving-cert secrets had to be deleted and regenerated by hand before the applications worked again.
Fix: service-signer was removed from the list of certificates that are deleted during a normal (non-CA) certificate redeployment.
Result: service-signer is only regenerated when the OpenShift CA itself has been renewed (openshift_redeploy_openshift_ca=true).
Story Points: ---
Clone Of:
: 1748982
Environment:
Last Closed: 2019-10-14 08:49:42 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Vladislav Walek 2019-06-18 01:08:05 UTC
Description of problem:

when running /usr/share/ansible/openshift-ansible/playbooks/redeploy-certificates.yml, it also redeploys the service signer certificate, which is used to sign the internal services.

This causes internal services to stop working because their certificate is invalid.
Only manual intervention fixes the issue.
The secrets are not reconfigured; the admin must delete them to recreate them.

Version-Release number of the following components:
openshift 3.10 playbooks

How reproducible:
execute the playbook and check the service signer

Steps to Reproduce:
1.
2.
3.

Actual results:
the internal services will stop working

Expected results:
service signer should not be redeployed by default
only should be redeployed when new CA is deployed.

Additional info:

Comment 8 Gaoyun Pei 2019-10-09 09:22:47 UTC
Verify this bug with openshift-ansible-3.10.175-1.git.0.19fd261.el7.noarch.rpm

openshift-ansible/playbooks/redeploy-certificates.yml won't update service-signer certificates by default.

TASK [Remove service signer certificates] **************************************
skipping: [ci-vm-10-0-151-92.hosted.upshift.rdu2.redhat.com] => (item=service-signer.crt)  => {"changed": false, "item": "service-signer.crt", "skip_reason": "Conditional result was False", "skipped": true}
skipping: [ci-vm-10-0-151-92.hosted.upshift.rdu2.redhat.com] => (item=service-signer.key)  => {"changed": false, "item": "service-signer.key", "skip_reason": "Conditional result was False", "skipped": true}


With openshift_redeploy_openshift_ca=true set in inventory file, the service-signer certificates will be removed and regenerated.

TASK [Remove service signer certificates] **************************************
changed: [ci-vm-10-0-151-92.hosted.upshift.rdu2.redhat.com] => (item=service-signer.crt) => {"changed": true, "failed": false, "item": "service-signer.crt", "path": "/etc/origin/master/service-signer.crt", "state": "absent"}
changed: [ci-vm-10-0-151-92.hosted.upshift.rdu2.redhat.com] => (item=service-signer.key) => {"changed": true, "failed": false, "item": "service-signer.key", "path": "/etc/origin/master/service-signer.key", "state": "absent"}

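The verification in comment 8 is done by eye: read the "Remove service signer certificates" task output and confirm the items were skipped unless openshift_redeploy_openshift_ca was set. The following is an added example, not code from this bug or from openshift-ansible, that automates that check and the before/after comparison the reporter's description calls for. It parses the per-item result lines of the task (the JSON after "=>"), reports which service-signer files were actually deleted, and compares SHA-256 fingerprints of two snapshots of /etc/origin/master/service-signer.crt taken before and after the playbook run. Host names, file contents and the sample task output below are constructed for the demo; the real output to feed in is the playbook's stdout, and the real PEM snapshots are copies of the signer certificate from the master. Only the Python standard library is used.

```python
"""Checks for a redeploy-certificates run: did it touch the service signer?"""
import base64
import hashlib
import json
import re

# One Ansible per-item result line, e.g.
#   changed: [host] => (item=service-signer.crt) => {"changed": true, ...}
#   skipping: [host] => (item=service-signer.crt)  => {"changed": false, ...}
RESULT_RE = re.compile(
    r"^(?P<status>\w+): \[(?P<host>[^\]]+)\]"
    r"(?: => \(item=(?P<item>[^)]+)\))?\s*=> (?P<json>\{.*\})\s*$"
)

# Items of the "Remove service signer certificates" task.
SIGNER_FILES = ("service-signer.crt", "service-signer.key")


def parse_task_results(output):
    """Yield (host, item, result_dict) for every per-item result line in the output."""
    for line in output.splitlines():
        m = RESULT_RE.match(line.strip())
        if not m:
            continue
        try:
            result = json.loads(m.group("json"))
        except ValueError:
            continue  # not a JSON result payload; skip the line
        yield m.group("host"), m.group("item"), result


def service_signer_removals(output):
    """Return the paths of service-signer files the playbook actually deleted."""
    removed = []
    for _host, item, result in parse_task_results(output):
        if item not in SIGNER_FILES:
            continue
        if result.get("changed") and result.get("state") == "absent":
            removed.append(result.get("path", item))
    return removed


def redeploy_is_consistent(output, redeploy_openshift_ca):
    """The signer may be removed only when the OpenShift CA itself is being redeployed."""
    removed = bool(service_signer_removals(output))
    return removed == redeploy_openshift_ca


def pem_fingerprint(pem_text):
    """SHA-256 over the DER body of the first PEM block, in openssl's AA:BB:... style."""
    body, inside = [], False
    for line in pem_text.splitlines():
        if line.startswith("-----BEGIN "):
            inside = True
            continue
        if line.startswith("-----END "):
            break
        if inside:
            body.append(line.strip())
    der = base64.b64decode("".join(body))
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def signer_changed(pem_before, pem_after):
    """True when the service signer certificate differs between two snapshots."""
    return pem_fingerprint(pem_before) != pem_fingerprint(pem_after)


# Constructed sample output, modelled on the task lines quoted in comment 8.
SKIPPED_RUN = """\
TASK [Remove service signer certificates] ******************************
skipping: [master1.example.com] => (item=service-signer.crt)  => {"changed": false, "item": "service-signer.crt", "skip_reason": "Conditional result was False", "skipped": true}
skipping: [master1.example.com] => (item=service-signer.key)  => {"changed": false, "item": "service-signer.key", "skip_reason": "Conditional result was False", "skipped": true}
"""

CA_REDEPLOY_RUN = """\
TASK [Remove service signer certificates] ******************************
changed: [master1.example.com] => (item=service-signer.crt) => {"changed": true, "failed": false, "item": "service-signer.crt", "path": "/etc/origin/master/service-signer.crt", "state": "absent"}
changed: [master1.example.com] => (item=service-signer.key) => {"changed": true, "failed": false, "item": "service-signer.key", "path": "/etc/origin/master/service-signer.key", "state": "absent"}
"""


def fake_pem(payload):
    """Constructed PEM-shaped block (not a real certificate) standing in for a signer snapshot."""
    b64 = base64.b64encode(payload).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    print("non-CA run removed:", service_signer_removals(SKIPPED_RUN))
    print("CA run removed:", service_signer_removals(CA_REDEPLOY_RUN))
    print("non-CA run consistent:", redeploy_is_consistent(SKIPPED_RUN, False))
    before, after = fake_pem(b"signer-v1"), fake_pem(b"signer-v2")
    print("signer changed between snapshots:", signer_changed(before, after))
```

In practice, capture `cp /etc/origin/master/service-signer.crt /root/signer.before` on a master before running redeploy-certificates.yml, take a second copy afterwards, and pass both files' contents to signer_changed; a fingerprint change on a run without openshift_redeploy_openshift_ca=true is exactly the behaviour this bug describes, and the service-serving-cert secrets then have to be deleted so the controller reissues them under the new signer.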
Comment 10 errata-xmlrpc 2019-10-14 08:49:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2987

Comment 11 Red Hat Bugzilla 2023-09-14 05:30:28 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days