Bug 1754081
| Field | Value |
|---|---|
| Summary | Certificate expiration playbooks no longer include node certificate details |
| Product | OpenShift Container Platform |
| Component | Installer |
| Installer sub component | openshift-ansible |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | unspecified |
| Version | 3.11.0 |
| Target Release | 3.11.z |
| Hardware | Unspecified |
| OS | Unspecified |
| Reporter | Luke Stanton <lstanton> |
| Assignee | Joseph Callen <jcallen> |
| QA Contact | Gaoyun Pei <gpei> |
| CC | agawand, bleanhar, bmilne, jcallen, tmanor |
| Last Closed | 2020-03-20 00:12:40 UTC |
| Type | Bug |

Description
Luke Stanton
2019-09-20 19:30:09 UTC
Created attachment 1621259
Certificate check

Verify this bug with openshift-ansible-3.11.187-1.git.0.154c878.el7.noarch.rpm

kubelet-client-current.pem also would be checked on the node.

```
ok: [ec2-54-236-2-0.compute-1.amazonaws.com] => {
    "changed": false,
    "check_results": {
        "etcd": [],
        "kubeconfigs": [
            {
                "cert_cn": "O:system:nodes, CN:system:node:ip-172-18-8-236.ec2.internal",
                "days_remaining": 365,
                "expiry": "2021-03-09 11:14:00",
                "health": "ok",
                "issuer": "CN=openshift-signer@1583752313 ",
                "path": "/etc/origin/node/certificates/kubelet-client-current.pem",
                "serial": 455478036503548873119013422819392730190736310737,
                "serial_hex": "0x4fc8576f1578b9eeef581e36fb1a3b01dd14c1d1L"
            },
            {
                "cert_cn": "O:system:nodes, CN:system:node:ip-172-18-8-236.ec2.internal",
                "days_remaining": 365,
                "expiry": "2021-03-09 11:14:00",
                "health": "ok",
                "issuer": "CN=openshift-signer@1583752313 ",
                "path": "/etc/origin/node/certificates/kubelet-client-current.pem",
                "serial": 455478036503548873119013422819392730190736310737,
                "serial_hex": "0x4fc8576f1578b9eeef581e36fb1a3b01dd14c1d1L"
            }
        ],
        "meta": {
            "checked_at_time": "2020-03-09 09:54:44.874875",
            "show_all": "True",
            "warn_before_date": "2021-03-09 09:54:44.874875",
            "warning_days": 365
        },
        "ocp_certs": [
            {
                "cert_cn": "CN:openshift-signer@1583752313",
                "days_remaining": 1825,
                "expiry": "2025-03-08 11:11:54",
                "health": "ok",
                "issuer": "CN=openshift-signer@1583752313 ",
                "path": "/etc/origin/node/client-ca.crt",
                "serial": 1,
                "serial_hex": "0x1"
            },
            {
                "cert_cn": "CN:openshift-signer@1583752313",
                "days_remaining": 1825,
                "expiry": "2025-03-08 11:11:54",
                "health": "ok",
                "issuer": "CN=openshift-signer@1583752313 ",
                "path": "/etc/origin/node/client-ca.crt",
                "serial": 1,
                "serial_hex": "0x1"
            }
        ],
        "registry": [],
        "router": []
    },
    "invocation": {
        "module_args": {
            "config_base": "/etc/origin",
            "show_all": true,
            "warning_days": 365
        }
    },
    "msg": "Checked 4 total certificates. Expired/Warning/OK: 0/0/4. Warning window: 365 days",
    "rc": 0
```

The playbook will fail when a cert gets a warning (the valid time of the cert is less than openshift_certificate_expiry_warning_days)

```
ok: [ec2-54-160-134-97.compute-1.amazonaws.com] => {
    "changed": false,
    "check_results": {
        "etcd": [],
        "kubeconfigs": [
            {
                "cert_cn": "O:system:nodes, CN:system:node:ip-172-18-12-32.ec2.internal",
                "days_remaining": 160,
                "expiry": "2021-03-10 01:58:00",
                "health": "warning",
                "issuer": "CN=openshift-signer@1583805359 ",
                "path": "/etc/origin/node/certificates/kubelet-client-current.pem",
                "serial": 142775096935884355427465619168187843708673448761,
                "serial_hex": "0x190241bbb730ff18a1bca529c4ff3939e845db39L"
            },
            {
                "cert_cn": "O:system:nodes, CN:system:node:ip-172-18-12-32.ec2.internal",
                "days_remaining": 160,
                "expiry": "2021-03-10 01:58:00",
                "health": "warning",
                "issuer": "CN=openshift-signer@1583805359 ",
                "path": "/etc/origin/node/certificates/kubelet-client-current.pem",
                "serial": 142775096935884355427465619168187843708673448761,
                "serial_hex": "0x190241bbb730ff18a1bca529c4ff3939e845db39L"
            }
        ],
        "meta": {
            "checked_at_time": "2020-10-01 00:02:55.098336",
            "show_all": "True",
            "warn_before_date": "2021-10-01 00:02:55.098336",
            "warning_days": 365
        },
        "ocp_certs": [
            {
                "cert_cn": "CN:openshift-signer@1583805359",
                "days_remaining": 1620,
                "expiry": "2025-03-09 01:56:00",
                "health": "ok",
                "issuer": "CN=openshift-signer@1583805359 ",
                "path": "/etc/origin/node/client-ca.crt",
                "serial": 1,
                "serial_hex": "0x1"
            },
            {
                "cert_cn": "CN:openshift-signer@1583805359",
                "days_remaining": 1620,
                "expiry": "2025-03-09 01:56:00",
                "health": "ok",
                "issuer": "CN=openshift-signer@1583805359 ",
                "path": "/etc/origin/node/client-ca.crt",
                "serial": 1,
                "serial_hex": "0x1"
            }
        ],
        "registry": [],
        "router": []
    },
    "invocation": {
        "module_args": {
            "config_base": "/etc/origin",
            "show_all": true,
            "warning_days": 365
        }
    },
    "msg": "Checked 4 total certificates. Expired/Warning/OK: 0/2/2. Warning window: 365 days",
    "rc": 0,
    "summary": {
        "etcd_certificates": 0,
        "expired": 0,
        "kubeconfig_certificates": 2,
        "ok": 2,
        "registry_certs": 0,
        "router_certs": 0,
        "system_certificates": 2,
        "total": 4,
        "warning": 2
    },
    "warn_certs": true
}
...
TASK [openshift_certificate_expiry : Fail when certs are near or already expired] ***
task path: /home/slave6/workspace/Run-Ansible-Playbooks-Nextge/private-openshift-ansible/roles/openshift_certificate_expiry/tasks/main.yml:39
skipping: [ec2-54-224-254-230.compute-1.amazonaws.com] => {
    "changed": false,
    "skip_reason": "Conditional result was False"
}
fatal: [ec2-54-160-134-97.compute-1.amazonaws.com]: FAILED! => {
    "changed": false,
    "msg": "Cluster certificates found to be expired or within 365 days of expiring. You may view the report at /home/slave6/cert-expiry-report.20201001T000252.html or /home/slave6/cert-expiry-report.20201001T000252.json.\n"
}
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0793

*** Bug 1785745 has been marked as a duplicate of this bug. ***

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days
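
An added example, not part of the bug report and not openshift-ansible code: a small audit over one host's `check_results` structure as shown in the output above. It recomputes each certificate's health from `expiry`, `checked_at_time` and `warning_days`, counts duplicated entries once, and reports whether the kubelet client certificate was examined at all, which is the gap this bug describes. The function names, the health rule (inferred from the fields in the output) and `SAMPLE` (built from the second host's values) are assumptions.

```python
from datetime import datetime, timedelta

NODE_CERT = "/etc/origin/node/certificates/kubelet-client-current.pem"
GROUPS = ("etcd", "kubeconfigs", "ocp_certs", "registry", "router")

def health(expiry, now, warning_days):
    """Recompute a certificate's health from its expiry date (assumed rule)."""
    if expiry < now:
        return "expired"
    if expiry < now + timedelta(days=warning_days):
        return "warning"
    return "ok"

def audit_host(check_results):
    """Summarise one host: unique certs, health counts, node cert coverage."""
    meta = check_results["meta"]
    now = datetime.strptime(meta["checked_at_time"], "%Y-%m-%d %H:%M:%S.%f")
    unique, disagree = {}, []
    for group in GROUPS:
        for cert in check_results.get(group, []):
            expiry = datetime.strptime(cert["expiry"], "%Y-%m-%d %H:%M:%S")
            state = health(expiry, now, int(meta["warning_days"]))
            if state != cert["health"]:
                disagree.append(cert["path"])  # reported health differs from ours
            # The output on this page lists each certificate twice; count it once.
            unique[(cert["path"], cert["serial"])] = state
    counts = {s: list(unique.values()).count(s) for s in ("expired", "warning", "ok")}
    return {
        "unique_certs": len(unique),
        "counts": counts,
        "node_cert_checked": any(path == NODE_CERT for path, _ in unique),
        "health_mismatches": disagree,
        "fail": counts["expired"] + counts["warning"] > 0,
    }

def _cert(path, serial, expiry, state):
    return {"path": path, "serial": serial, "expiry": expiry, "health": state}

# Constructed sample: values trimmed from the second host's output on this page.
SAMPLE = {
    "etcd": [], "registry": [], "router": [],
    "kubeconfigs": [_cert(NODE_CERT, 142775096935884355427465619168187843708673448761,
                          "2021-03-10 01:58:00", "warning")] * 2,
    "ocp_certs": [_cert("/etc/origin/node/client-ca.crt", 1,
                        "2025-03-09 01:56:00", "ok")] * 2,
    "meta": {"checked_at_time": "2020-10-01 00:02:55.098336", "warning_days": 365},
}

if __name__ == "__main__":
    print(audit_host(SAMPLE))
```

With the `kubeconfigs` entries removed, the same host reports `fail: False` and `node_cert_checked: False`: a run that never inspects the node certificate passes silently, so the coverage flag is worth asserting on in addition to the health counts.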