Bug 1357801 - install failed with customized router cert files
Summary: install failed with customized router cert files
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.2.1
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Andrew Butcher
QA Contact: Anping Li
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-07-19 08:17 UTC by Anping Li
Modified: 2016-08-18 19:29 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Previously, the installer failed when defining customized router certificate files using the openshift_hosted_router_certificate Ansible variable. This bug fix ensures that the certificate contents are properly checked when using this variable, and as a result this issue no longer occurs.
Clone Of:
Environment:
Last Closed: 2016-08-18 19:29:13 UTC
Target Upstream Version:
Embargoed:


Attachments:
ansible installation logs (920.33 KB, application/x-gzip), 2016-07-19 08:17 UTC, Anping Li


Links:
Red Hat Product Errata RHBA-2016:1639 (priority normal, status SHIPPED_LIVE): OpenShift Enterprise atomic-openshift-utils bug fix and enhancement update, last updated 2016-08-18 23:26:45 UTC

Description Anping Li 2016-07-19 08:17:20 UTC
Created attachment 1181485
ansible installation logs

Description of problem:
Install failed if specified openshift_hosted_router_certificate={"certfile": "/root/ha1/config/router.crt", "keyfile": "/root/ha1/config/router.key"}

Version-Release number of selected component (if applicable):
atomic-openshift-utils-3.2.13

How reproducible:
always

Steps to Reproduce:
1) install Openshift v3.2 HA environment
2) set openshift_hosted_router_certificate in inventory 
  [OSEv3:children]
  masters
  nodes
  etcd
  lb
  nfs
  
  [OSEv3:vars]
  ansible_ssh_user=root
  openshift_use_openshift_sdn=true
  deployment_type=openshift-enterprise
  openshift_use_dnsmasq=False
  openshift_master_default_subdomain=host2.example.com
  openshift_docker_additional_registries=virt-openshift-05.lab.eng.nay.redhat.com:5000
  openshift_docker_insecure_registries=virt-openshift-05.lab.eng.nay.redhat.com:5000
  oreg_url=virt-openshift-05.lab.eng.nay.redhat.com:5000/openshift3/ose-${component}:${version}
  openshift_master_identity_providers=[{'name': 'allow_all', 'login': 'true', 'challenge': 'true', 'kind': 'AllowAllPasswordIdentityProvider'}]
  
  openshift_master_cluster_method=native
  openshift_master_cluster_hostname=ha1master.example.com
  openshift_master_cluster_public_hostname=ha1master.example.com
  
  openshift_hosted_router_selector='region=route'
  openshift_hosted_router_replicas=1
  openshift_hosted_router_certificate={"certfile": "/root/ha1/config/router.crt", "keyfile": "/root/ha1/config/router.key"}
  openshift_release=3.2
  
  [masters]
  ha1master1.example.com  openshift_hostname=ha1master1.example.com openshift_public_hostname=ha1master1.example.com
  ha1master2.example.com  openshift_hostname=ha1master2.example.com openshift_public_hostname=ha1master2.example.com
  
  [etcd]
  ha1node2.example.com  openshift_hostname=ha1node2.example.com openshift_public_hostname=ha1node2.example.com
  
  [nodes]
  ha1master1.example.com  openshift_node_labels="{'region': 'mylove', 'zone': 'default'}" openshift_hostname=ha1master1.example.com openshift_public_hostname=ha1master1.example.com openshift_schedulable=true
  ha1master2.example.com  openshift_node_labels="{'region': 'mylove', 'zone': 'default'}" openshift_hostname=ha1master2.example.com openshift_public_hostname=ha1master2.example.com openshift_schedulable=true
  ha1master3.example.com  openshift_node_labels="{'region': 'infra', 'zone': 'default'}" openshift_hostname=ha1master3.example.com openshift_public_hostname=ha1master3.example.com openshift_schedulable=true
  ha1node1.example.com  openshift_node_labels="{'region': 'route', 'zone': 'east'}" openshift_hostname=ha1node1.example.com openshift_public_hostname=ha1node1.example.com

  [lb]
  ha1master.example.com

  [nfs]
  ha1master1.example.com

3) run config playbook 
 ansible-playbook -i config/2master1etcd2nodes /usr/share/ansible/openshift-ansible/playbooks/byo/config.yml -vvv| tee installmix_mylove.logs



Actual results:
TASK: [openshift_hosted | fail ] **********************************************
<ha1master1.example.com> ESTABLISH CONNECTION FOR USER: root
failed: [ha1master1.example.com] => {"failed": true}
msg: 'certfile', 'keyfile' and 'cafile' keys must be specified when supplying the openshift_hosted_router_certificate variable.

FATAL: all hosts have already failed -- aborting


Expected results:


Additional info:

Comment 1 Anping Li 2016-07-19 09:23:38 UTC
If I remove the line openshift_hosted_router_certificate={"certfile": "/root/ha1/config/router.crt", "keyfile": "/root/ha1/config/router.key"} and run the playbook, I get the following message.


TASK: [openshift_hosted | set_fact ] ****************************************** 
<ha1master1.example.com> ESTABLISH CONNECTION FOR USER: root
fatal: [ha1master1.example.com] => Failed to template {{ openshift.hosted.router.replicas | default((openshift_hosted_router_nodes_json.stdout | from_json)['items'] | length) }}: an unexpected type error occurred. Error was expected string or buffer

FATAL: all hosts have already failed -- aborting

Comment 2 Andrew Butcher 2016-07-19 20:53:47 UTC
Documentation steps for adding a wildcard router certificate [1] instruct combining certificate, key and CA contents into a PEM certificate that will be set as the default router certificate. The openshift_hosted_router_certificate variable previously only required "certfile" and "keyfile" keys but now correctly requires that a "cafile" key also be specified.

I ran into a different set of errors after attempting the scenario described above. Proposed fixes for what I encountered are in https://github.com/openshift/openshift-ansible/pull/2179

[1] https://docs.openshift.com/enterprise/3.2/install_config/install/deploy_router.html#using-wildcard-certificates
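A pre-flight check for the inventory value discussed in this bug, added here as an example (not openshift-ansible's own fail task): it reports the missing "cafile" key, verifies that each referenced file actually holds a PEM block of the expected kind, and builds the combined cert+key+CA PEM the wildcard-certificate docs describe. The file contents and the ca.crt path are constructed stand-ins; only router.crt and router.key come from the report.

```python
import json
import re
from pathlib import Path

REQUIRED_KEYS = ("certfile", "keyfile", "cafile")
# PEM labels accepted per key; private keys come with several label variants.
EXPECTED_LABELS = {"certfile": ("CERTIFICATE",), "cafile": ("CERTIFICATE",),
                   "keyfile": ("PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY")}
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.+?\n-----END \1-----", re.S)

def pem_labels(text):
    """Labels of every PEM block in text, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]

def check_router_certificate(value, read=lambda p: Path(p).read_text()):
    """Return a list of problems (empty means usable); `read` is injectable."""
    problems = []
    missing = [k for k in REQUIRED_KEYS if k not in value]
    if missing:  # the condition behind the fail task quoted in the bug report
        problems.append("missing keys: " + ", ".join(missing))
    for key in (k for k in REQUIRED_KEYS if k in value):
        try:
            labels = pem_labels(read(value[key]))
        except OSError as exc:
            problems.append("%s: cannot read %s (%s)" % (key, value[key], exc))
            continue
        if not any(label in EXPECTED_LABELS[key] for label in labels):
            problems.append("%s: %s has PEM labels %s" % (key, value[key], labels))
    return problems

def combined_pem(value, read=lambda p: Path(p).read_text()):
    """Cert, key and CA concatenated into the single PEM the router docs describe."""
    return "".join(read(value[k]) for k in REQUIRED_KEYS)

# Constructed stand-in file contents (placeholder base64, not real key material);
# the ca.crt path is an assumption, only router.crt and router.key appear in the bug.
FAKE_FILES = {
    "/root/ha1/config/router.crt": "-----BEGIN CERTIFICATE-----\nQ0VSVA==\n-----END CERTIFICATE-----\n",
    "/root/ha1/config/router.key": "-----BEGIN RSA PRIVATE KEY-----\nS0VZ\n-----END RSA PRIVATE KEY-----\n",
    "/root/ha1/config/ca.crt": "-----BEGIN CERTIFICATE-----\nQ0E=\n-----END CERTIFICATE-----\n",
}

def fake_read(path):  # behaves like open() on a missing file
    if path not in FAKE_FILES:
        raise FileNotFoundError(path)
    return FAKE_FILES[path]

# The exact value from the bug report (no cafile) and a corrected one.
BUG_VALUE = json.loads('{"certfile": "/root/ha1/config/router.crt", "keyfile": "/root/ha1/config/router.key"}')
FIXED_VALUE = dict(BUG_VALUE, cafile="/root/ha1/config/ca.crt")
```

Run check_router_certificate(value, fake_read) for the constructed data, or with the default reader against real inventory paths before invoking the playbook.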

Comment 4 Anping Li 2016-08-05 12:33:36 UTC
It works well with atomic-openshift-utils-3.2.18-1.git.0.2015d79.el7.noarch

Comment 6 errata-xmlrpc 2016-08-18 19:29:13 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1639

