Bug 1832379
Field | Value
---|---
Summary | redeploy-openshift-ca.yml will fail if cert has an expiry less than 1 year
Product | OpenShift Container Platform
Reporter | Chuck Douglas <cdouglas>
Component | Installer
Assignee | Russell Teague <rteague>
Installer sub component | openshift-ansible
QA Contact | Gaoyun Pei <gpei>
Status | CLOSED ERRATA
Docs Contact | 
Severity | medium
Priority | medium
Version | 3.11.0
Target Milestone | ---
Target Release | 3.11.z
Hardware | Unspecified
OS | Unspecified
Whiteboard | 
Fixed In Version | 
Doc Type | Bug Fix
Doc Text | When redeploying certificates, the cert expiry check provides little value because the expectation is that the certificates will be replaced. Additionally, there are situations where certificates are in an invalid state and redeploy is blocked by the check. Removing the checks will allow certificate redeploy to proceed without requiring additional inventory vars to override expiry days or invalid/missing certificates.
Story Points | ---
Clone Of | 
Environment | 
Last Closed | 2020-05-28 05:44:13 UTC
Type | Bug
Regression | ---
Mount Type | ---
Documentation | ---
CRM | 
Verified Versions | 
Category | ---
oVirt Team | ---
RHEL 7.3 requirements from Atomic Host | 
Cloudforms Team | ---
Target Upstream Version | 
Embargoed | 
Description
Chuck Douglas
2020-05-06 15:45:47 UTC
I agree this is not a good user experience, in that if you are intentionally redeploying certificates, you want it to proceed without having to override the check with an arbitrary value for openshift_certificate_expiry_warning_days.

There are several factors at play here where this role (openshift_certificate_expiry) is used to check the expiry during different operations:

- playbooks/openshift-checks/certificate_expiry - For checking/reporting on expiry status
- playbooks/common/openshift-cluster/upgrades - During cluster upgrades
- playbooks/openshift-etcd - Redeploying etcd certificates or CA
- playbooks/openshift-master - Redeploying OpenShift CA

Recently I made a change [1] to remove the hardcoded openshift_certificate_expiry_warning_days in place during upgrades. It was preventing upgrades when certificates were less than 6 months, regardless of what was specified in the inventory. Upgrades are probably now blocked unless openshift_certificate_expiry_warning_days is overridden.

The openshift_certificate_expiry role also has an option to fail on warnings (openshift_certificate_expiry_fail_on_warn) with a default value of true. This option can make sense when using the role for checking/reporting on certificate status, but may not make sense when trying to redeploy certificates or during upgrades. Warning the user of near certificate expiry during upgrades can make sense if the warning is done in a way that alerts the user, but I'm not sure we should fail an upgrade if certs expire in less than a year.

I will get more input from the team on how we can strike a balance between warning and failing when certificates are within either specified or default openshift_certificate_expiry_warning_days.

[1] https://github.com/openshift/openshift-ansible/pull/12154

After discussing with the team, I've opened a PR [1] to remove the expiry checks from the cert redeploy playbooks. Additionally, but not directly related, I opened a follow-up PR [2] to change the default for openshift_certificate_expiry_fail_on_warn to 'false' and to override the default expiry values during upgrades.

[1] https://github.com/openshift/openshift-ansible/pull/12159
[2] https://github.com/openshift/openshift-ansible/pull/12158

Verified this bug with openshift-ansible-3.11.218-1.git.0.6f55149.el7.noarch. The redeploy-openshift-ca.yml playbook no longer checks whether certificates have expired, so certificates that are expired or within 365 days of expiring won't break the redeploy CA playbook.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2215
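The comments above separate three decisions that the openshift_certificate_expiry role was conflating: how far from expiry a certificate has to be before it is a warning (openshift_certificate_expiry_warning_days), whether a warning is fatal (openshift_certificate_expiry_fail_on_warn), and whether the check should run at all when the certificate is about to be replaced. The script below is an added example written for this page, not openshift-ansible code and not a copy of the role's logic. It models that decision with `openssl x509 -checkend`, which exits 0 when a certificate is still valid the given number of seconds from now. The function names `classify_cert`, `expiry_gate` and `make_test_cert`, the mode names `check`/`upgrade`/`redeploy`, and the rule that an already-expired certificate always blocks outside redeploy mode are assumptions made for the example; the sample certificate is generated locally so the script runs offline.

```shell
#!/bin/sh
# Added example (not openshift-ansible code): models the expiry-gate decision
# discussed in the bug. Requires the openssl CLI.

# classify_cert CERT WARN_DAYS -> prints ok | warning | expired
# `openssl x509 -checkend N` exits 0 if the cert is still valid N seconds from now.
classify_cert() {
  cert=$1
  warn_days=$2
  if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
    echo expired
  elif ! openssl x509 -in "$cert" -noout -checkend "$((warn_days * 86400))" >/dev/null 2>&1; then
    echo warning
  else
    echo ok
  fi
}

# expiry_gate CERT WARN_DAYS FAIL_ON_WARN MODE -> prints proceed | warn | fail
#   WARN_DAYS    models openshift_certificate_expiry_warning_days
#   FAIL_ON_WARN models openshift_certificate_expiry_fail_on_warn (true/false)
#   MODE         check | upgrade | redeploy  (names assumed for this example)
# Assumed policy: in redeploy mode the cert is about to be replaced, so its expiry
# state is irrelevant and the gate never blocks (the behaviour the fix introduces).
# In the other modes an expired cert always blocks; a warning blocks only when
# FAIL_ON_WARN is true.
expiry_gate() {
  cert=$1; warn_days=$2; fail_on_warn=$3; mode=$4
  if [ "$mode" = redeploy ]; then
    echo proceed
    return 0
  fi
  case $(classify_cert "$cert" "$warn_days") in
    ok)      echo proceed ;;
    expired) echo fail ;;
    warning) if [ "$fail_on_warn" = true ]; then echo fail; else echo warn; fi ;;
  esac
}

# make_test_cert DAYS -> prints the path of a constructed self-signed cert valid
# for DAYS days (sample input for the example, written to a temp directory).
make_test_cert() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" -days "$1" -subj "/CN=example.test" \
    >/dev/null 2>&1
  echo "$dir/cert.pem"
}

# Usage: a cert with 30 days left is a warning under the 365-day window the bug
# describes, fatal or not depending on fail_on_warn, and never blocks a redeploy.
CERT=$(make_test_cert 30)
echo "classify, 365-day window:    $(classify_cert "$CERT" 365)"              # warning
echo "upgrade, fail_on_warn=true:  $(expiry_gate "$CERT" 365 true upgrade)"   # fail
echo "upgrade, fail_on_warn=false: $(expiry_gate "$CERT" 365 false upgrade)"  # warn
echo "redeploy:                    $(expiry_gate "$CERT" 365 true redeploy)"  # proceed
```

Running the same certificate through `classify_cert "$CERT" 7` returns `ok`, which is exactly the inventory override (a smaller warning window) that the bug says operators had to resort to before the checks were dropped from the redeploy playbooks.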