Bug 1754081

Summary: Certificate expiration playbooks no longer include node certificate details

Product: OpenShift Container Platform
Component: Installer
Installer sub component: openshift-ansible
Version: 3.11.0
Target Release: 3.11.z
Status: CLOSED ERRATA
Severity: high
Priority: unspecified
Type: Bug
Hardware: Unspecified
OS: Unspecified
Reporter: Luke Stanton <lstanton>
Assignee: Joseph Callen <jcallen>
QA Contact: Gaoyun Pei <gpei>
CC: agawand, bleanhar, bmilne, jcallen, tmanor
Last Closed: 2020-03-20 00:12:40 UTC

Attachments:
Certificate check (attachment 1621259, see Comment 2)

Description Luke Stanton 2019-09-20 19:30:09 UTC
Description of problem:

The cert expiration playbooks in the openshift-ansible/playbooks/openshift-checks/certificate_expiry folder no longer include details about node cert expirations. This functionality appears to have been lost with the release of 3.10 and the advent of node-bootstrapping, and has caused concern for some users who expect to see node cert expiration details in the reports. It would also be helpful since users have to manually approve CSRs unless they explicitly enable auto-approval, and currently there isn't a user-friendly way to see the node cert details.

Version-Release number of the following components:
N/A

How reproducible:
Consistently

Steps to Reproduce:
Run any of the expiration playbooks

Actual results:
Node cert details are not included in the expiration reports

Expected results:
Node cert details would be included in the expiration reports

Comment 2 Joseph Callen 2019-09-30 19:50:12 UTC
Created attachment 1621259 [details]
Certificate check

Comment 14 Gaoyun Pei 2020-03-10 03:30:32 UTC
Verified this bug with openshift-ansible-3.11.187-1.git.0.154c878.el7.noarch.rpm

kubelet-client-current.pem would also be checked on the node.

ok: [ec2-54-236-2-0.compute-1.amazonaws.com] => {
    "changed": false, 
    "check_results": {
        "etcd": [], 
        "kubeconfigs": [
            {
                "cert_cn": "O:system:nodes, CN:system:node:ip-172-18-8-236.ec2.internal", 
                "days_remaining": 365, 
                "expiry": "2021-03-09 11:14:00", 
                "health": "ok", 
                "issuer": "CN=openshift-signer@1583752313 ", 
                "path": "/etc/origin/node/certificates/kubelet-client-current.pem", 
                "serial": 455478036503548873119013422819392730190736310737, 
                "serial_hex": "0x4fc8576f1578b9eeef581e36fb1a3b01dd14c1d1L"
            }, 
            {
                "cert_cn": "O:system:nodes, CN:system:node:ip-172-18-8-236.ec2.internal", 
                "days_remaining": 365, 
                "expiry": "2021-03-09 11:14:00", 
                "health": "ok", 
                "issuer": "CN=openshift-signer@1583752313 ", 
                "path": "/etc/origin/node/certificates/kubelet-client-current.pem", 
                "serial": 455478036503548873119013422819392730190736310737, 
                "serial_hex": "0x4fc8576f1578b9eeef581e36fb1a3b01dd14c1d1L"
            }
        ], 
        "meta": {
            "checked_at_time": "2020-03-09 09:54:44.874875", 
            "show_all": "True", 
            "warn_before_date": "2021-03-09 09:54:44.874875", 
            "warning_days": 365
        }, 
        "ocp_certs": [
            {
                "cert_cn": "CN:openshift-signer@1583752313", 
                "days_remaining": 1825, 
                "expiry": "2025-03-08 11:11:54", 
                "health": "ok", 
                "issuer": "CN=openshift-signer@1583752313 ", 
                "path": "/etc/origin/node/client-ca.crt", 
                "serial": 1, 
                "serial_hex": "0x1"
            }, 
            {
                "cert_cn": "CN:openshift-signer@1583752313", 
                "days_remaining": 1825, 
                "expiry": "2025-03-08 11:11:54", 
                "health": "ok", 
                "issuer": "CN=openshift-signer@1583752313 ", 
                "path": "/etc/origin/node/client-ca.crt", 
                "serial": 1, 
                "serial_hex": "0x1"
            }
        ], 
        "registry": [], 
        "router": []
    }, 
    "invocation": {
        "module_args": {
            "config_base": "/etc/origin", 
            "show_all": true, 
            "warning_days": 365
        }
    }, 
    "msg": "Checked 4 total certificates. Expired/Warning/OK: 0/0/4. Warning window: 365 days", 
    "rc": 0



The playbook will fail when a cert gets a warning (the cert's remaining validity is less than openshift_certificate_expiry_warning_days):

ok: [ec2-54-160-134-97.compute-1.amazonaws.com] => {
    "changed": false, 
    "check_results": {
        "etcd": [], 
        "kubeconfigs": [
            {
                "cert_cn": "O:system:nodes, CN:system:node:ip-172-18-12-32.ec2.internal", 
                "days_remaining": 160, 
                "expiry": "2021-03-10 01:58:00", 
                "health": "warning", 
                "issuer": "CN=openshift-signer@1583805359 ", 
                "path": "/etc/origin/node/certificates/kubelet-client-current.pem", 
                "serial": 142775096935884355427465619168187843708673448761, 
                "serial_hex": "0x190241bbb730ff18a1bca529c4ff3939e845db39L"
            }, 
            {
                "cert_cn": "O:system:nodes, CN:system:node:ip-172-18-12-32.ec2.internal", 
                "days_remaining": 160, 
                "expiry": "2021-03-10 01:58:00", 
                "health": "warning", 
                "issuer": "CN=openshift-signer@1583805359 ", 
                "path": "/etc/origin/node/certificates/kubelet-client-current.pem", 
                "serial": 142775096935884355427465619168187843708673448761, 
                "serial_hex": "0x190241bbb730ff18a1bca529c4ff3939e845db39L"
            }
        ], 
        "meta": {
            "checked_at_time": "2020-10-01 00:02:55.098336", 
            "show_all": "True", 
            "warn_before_date": "2021-10-01 00:02:55.098336", 
            "warning_days": 365
        }, 
        "ocp_certs": [
            {
                "cert_cn": "CN:openshift-signer@1583805359", 
                "days_remaining": 1620, 
                "expiry": "2025-03-09 01:56:00", 
                "health": "ok", 
                "issuer": "CN=openshift-signer@1583805359 ", 
                "path": "/etc/origin/node/client-ca.crt", 
                "serial": 1, 
                "serial_hex": "0x1"
            }, 
            {
                "cert_cn": "CN:openshift-signer@1583805359", 
                "days_remaining": 1620, 
                "expiry": "2025-03-09 01:56:00", 
                "health": "ok", 
                "issuer": "CN=openshift-signer@1583805359 ", 
                "path": "/etc/origin/node/client-ca.crt", 
                "serial": 1, 
                "serial_hex": "0x1"
            }
        ], 
        "registry": [], 
        "router": []
    }, 
    "invocation": {
        "module_args": {
            "config_base": "/etc/origin", 
            "show_all": true, 
            "warning_days": 365
        }
    }, 
    "msg": "Checked 4 total certificates. Expired/Warning/OK: 0/2/2. Warning window: 365 days", 
    "rc": 0, 
    "summary": {
        "etcd_certificates": 0, 
        "expired": 0, 
        "kubeconfig_certificates": 2, 
        "ok": 2, 
        "registry_certs": 0, 
        "router_certs": 0, 
        "system_certificates": 2, 
        "total": 4, 
        "warning": 2
    }, 
    "warn_certs": true
}
...


TASK [openshift_certificate_expiry : Fail when certs are near or already expired] ***
task path: /home/slave6/workspace/Run-Ansible-Playbooks-Nextge/private-openshift-ansible/roles/openshift_certificate_expiry/tasks/main.yml:39
skipping: [ec2-54-224-254-230.compute-1.amazonaws.com] => {
    "changed": false, 
    "skip_reason": "Conditional result was False"
}
fatal: [ec2-54-160-134-97.compute-1.amazonaws.com]: FAILED! => {
    "changed": false, 
    "msg": "Cluster certificates found to be expired or within 365 days of expiring. You may view the report at /home/slave6/cert-expiry-report.20201001T000252.html or /home/slave6/cert-expiry-report.20201001T000252.json.\n"
}
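
The health and summary logic that the output in Comment 14 exhibits, as an added stand-alone example that is not openshift-ansible's own code: it takes an inventory of certificates (constructed here from the kubelet-client-current.pem and client-ca.crt values shown above), computes days_remaining and health the way the report does (warning when the expiry falls inside the warning window, expired when already past), and derives the summary, the warn_certs flag that makes the "Fail when certs are near or already expired" task fire, and the msg line. The function names, the NODE_INVENTORY dict, the "on or before warn_before_date" boundary and the show_all filtering are assumptions, not taken from the role.

```python
"""Added example: re-implementation of the health/summary logic visible in the
openshift_certificate_expiry output above. Not openshift-ansible's own code;
function names are hypothetical, sample records are constructed from Comment 14."""
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed inventory shaped like check_results before the check fills in
# days_remaining/health. "kubeconfigs" is where the restored node cert
# (kubelet-client-current.pem) shows up.
NODE_INVENTORY = {
    "etcd": [],
    "kubeconfigs": [
        {"cert_cn": "O:system:nodes, CN:system:node:ip-172-18-12-32.ec2.internal",
         "expiry": "2021-03-10 01:58:00",
         "issuer": "CN=openshift-signer@1583805359",
         "path": "/etc/origin/node/certificates/kubelet-client-current.pem"},
    ],
    "ocp_certs": [
        {"cert_cn": "CN:openshift-signer@1583805359",
         "expiry": "2025-03-09 01:56:00",
         "issuer": "CN=openshift-signer@1583805359",
         "path": "/etc/origin/node/client-ca.crt"},
    ],
    "registry": [],
    "router": [],
}

# Per-category counter names, following the page's summary keys.
SUMMARY_KEY = {
    "etcd": "etcd_certificates",
    "kubeconfigs": "kubeconfig_certificates",
    "ocp_certs": "system_certificates",
    "registry": "registry_certs",
    "router": "router_certs",
}


def classify(expiry, checked_at, warn_before):
    """Return (days_remaining, health) for one notAfter timestamp.

    'expired' once notAfter is behind checked_at; 'warning' when notAfter is
    on or before warn_before (checked_at + warning_days; the boundary is an
    assumption); otherwise 'ok'. days_remaining is whole days, as on the page.
    """
    exp = datetime.strptime(expiry, TIME_FMT)
    days_remaining = (exp - checked_at).days
    if exp < checked_at:
        return days_remaining, "expired"
    if exp <= warn_before:
        return days_remaining, "warning"
    return days_remaining, "ok"


def run_check(inventory, checked_at_str, warning_days, show_all=True):
    """Evaluate every cert and build the report, summary, warn_certs and msg."""
    checked_at = datetime.strptime(checked_at_str, TIME_FMT)
    warn_before = checked_at + timedelta(days=warning_days)
    results = {}
    summary = {"expired": 0, "warning": 0, "ok": 0, "total": 0}
    for category, certs in inventory.items():
        evaluated = []
        for cert in certs:
            days, health = classify(cert["expiry"], checked_at, warn_before)
            summary[health] += 1
            summary["total"] += 1
            # Assumption: with show_all disabled only problem certs are listed,
            # while the counters still cover every cert that was checked.
            if show_all or health != "ok":
                evaluated.append(dict(cert, days_remaining=days, health=health))
        results[category] = evaluated
        summary[SUMMARY_KEY[category]] = len(certs)
    results["meta"] = {
        "checked_at_time": checked_at.strftime(TIME_FMT),
        "warn_before_date": warn_before.strftime(TIME_FMT),
        "warning_days": warning_days,
        "show_all": show_all,
    }
    warn_certs = (summary["expired"] + summary["warning"]) > 0
    msg = ("Checked %d total certificates. Expired/Warning/OK: %d/%d/%d. "
           "Warning window: %d days" % (summary["total"], summary["expired"],
                                       summary["warning"], summary["ok"],
                                       warning_days))
    return {"check_results": results, "summary": summary,
            "warn_certs": warn_certs, "msg": msg}


def should_fail(report):
    """Condition of the 'Fail when certs are near or already expired' task."""
    return report["warn_certs"]


if __name__ == "__main__":
    report = run_check(NODE_INVENTORY, "2020-10-01 00:02:55", warning_days=365)
    print(report["msg"])
    print("playbook fails:", should_fail(report))
```

With the single-copy inventory above the node cert comes out at 160 days and "warning" and the signer CA at 1620 days and "ok", so the run fails just as in the verification; the page's totals are 4 rather than 2 only because the real report lists each cert twice. To look at the same notAfter value on a node without running the playbook, openssl x509 -noout -enddate -subject -issuer -in /etc/origin/node/certificates/kubelet-client-current.pem prints it (in openssl's own date format).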

Comment 16 errata-xmlrpc 2020-03-20 00:12:40 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0793

Comment 17 Scott Dodson 2020-04-06 18:15:07 UTC
*** Bug 1785745 has been marked as a duplicate of this bug. ***

Comment 18 Red Hat Bugzilla 2024-02-04 04:25:23 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days