Bug 2181223

Summary: deployments should delete kcache before deployment to make sure credentials are not expired
Product: Red Hat OpenStack
Reporter: Ade Lee <alee>
Component: ansible-tripleo-ipa
Assignee: Ade Lee <alee>
Status: NEW
QA Contact: Jeremy Agee <jagee>
Severity: medium
Priority: medium
Version: 16.2 (Train)
CC: dwilde
Target Milestone: z7
Keywords: Triaged
Hardware: Unspecified
OS: Unspecified
Type: Bug

Description Ade Lee 2023-03-23 10:41:01 UTC
Description of problem:

Customer ran into an issue where puppet/puppet-certmonger used the credentials in old ccache files when trying to issue a certificate, rather than looking at the keytab.  This resulted in expired creds being used and a failure to issue a certificate.

The solution to this was to remove the ccache files prior to the deployment.
The ccache was cleared with `kdestroy -A` and it was run on all our compute nodes; however, the networkers and controllers had a valid ccache at the time, so we didn't clear the ccache there, but it would have also broken the deployment at some point for sure. KRB5CCNAME was not set, so this was the default ccache that was being set/listed.

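One way to script the cleanup described in this report, as an added example (not code from ansible-tripleo-ipa or from the reporter): it clears the caches unconditionally, since a cache that is valid now can still expire before a later certificate request, and then uses `klist -s` to confirm nothing usable remains. The function names `ccache_state` and `reset_ccache` are hypothetical; the script assumes the MIT Kerberos `klist` and `kdestroy` tools and has to run as the user whose default ccache the certificate request would pick up.

```shell
#!/bin/sh
# Added example: pre-deployment Kerberos ccache reset.
# Function names are hypothetical; this is not ansible-tripleo-ipa code.

# Print the state of the cache that would be used right now.
# `klist -s` prints nothing and exits non-zero when the cache cannot be
# read or the credentials in it are expired.
ccache_state() {
    if klist -s 2>/dev/null; then
        echo valid
    else
        echo missing-or-expired
    fi
}

# Destroy every cache in the collection, then verify the result.
# Returns 0 when no usable cache is left, 1 when one survived.
reset_ccache() {
    before=$(ccache_state)
    echo "KRB5CCNAME=${KRB5CCNAME:-unset} state_before=$before" >&2

    # Clear valid caches too: they were skipped on the networkers and
    # controllers in the report and would have expired later.
    # kdestroy may exit non-zero when there is nothing to destroy.
    kdestroy -A 2>/dev/null || true

    if [ "$(ccache_state)" = valid ]; then
        echo "ccache still holds valid credentials after kdestroy -A" >&2
        return 1
    fi
    return 0
}

# Run only when invoked as: script.sh --run
if [ "${1:-}" = "--run" ]; then
    reset_ccache
fi
```

With no usable cache left, the next Kerberos client on the node has to obtain fresh credentials, which is the behaviour the report wanted from the keytab.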