Bug 1814451

Summary: Certificate expiration playbooks do not report on aggregator-front-proxy.crt or front-proxy-ca.crt
Product: OpenShift Container Platform Reporter: Luke Stanton <lstanton>
Component: InstallerAssignee: Luke Stanton <lstanton>
Installer sub component: openshift-ansible QA Contact: Gaoyun Pei <gpei>
Status: CLOSED ERRATA Docs Contact:
Severity: medium    
Priority: unspecified CC: bleanhar, gene_siepka, sdodson
Version: 3.11.0   
Target Milestone: ---   
Target Release: 3.11.z   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-06-17 20:21:27 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Luke Stanton 2020-03-17 22:18:58 UTC 
The cert expiration playbooks in the openshift-ansible/playbooks/openshift-checks/certificate_expiry folder do not report on the aggregator-front-proxy.crt or front-proxy-ca.crt certificates. An expired aggregator-front-proxy.crt in particular causes problems with extension api servers like the metrics server and is difficult to diagnose. Having these certificates show up on the expiration report would make this kind of problem much easier to track down.

Version-Release number of the following components:
N/A

How reproducible:
Consistently

Steps to Reproduce:
Run any of the expiration playbooks

Actual results:
Extension api-server proxy certificate details are not included in the expiration reports

Expected results:
Extension api-server proxy certificate details woud be included in the expiration reports

Additional information:

-- Relevant master-config.yaml --
aggregatorConfig:
  proxyClientInfo:
    certFile: aggregator-front-proxy.crt
authConfig:
  requestHeader:
    clientCA: front-proxy-ca.crt
Comment 6 Luke Stanton 2020-05-25 21:54:16 UTC 
https://github.com/openshift/openshift-ansible/pull/12172
Comment 9 Gaoyun Pei 2020-06-10 07:59:19 UTC 
Verify this bug with openshift-ansible-3.11.232-1.git.0.f0f2213.el7.noarch

Check the certificate using playbook:
ansible-playbook -i host /usr/share/ansible/openshift-ansible/playbooks/openshift-checks/certificate_expiry/easy-mode.yaml

we could see aggregator-front-proxy.crt and front-proxy-ca.crt were in the checking list:

          "cert_cn": "CN:aggregator-front-proxy",
          "days_remaining": 730,
          "expiry": "2022-06-10 04:31:13",
          "health": "ok",
          "issuer": "CN=openshift-signer@1591763467 ",
          "path": "/etc/origin/master/aggregator-front-proxy.crt",
          "serial": 8,
          "serial_hex": "0x8"

          "cert_cn": "CN:openshift-signer@1591763467",
          "days_remaining": 1825,
          "expiry": "2025-06-09 04:31:07",
          "health": "ok",
          "issuer": "CN=openshift-signer@1591763467 ",
          "path": "/etc/origin/master/front-proxy-ca.crt",
          "serial": 1,
          "serial_hex": "0x1"
Comment 11 errata-xmlrpc 2020-06-17 20:21:27 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2477