Description of problem: The openshift_certificate_expiry module needs to be backported and tested to help with the growing numbers of customers running into problems with their certificates expiring and an upcoming KBS article.
Related PR: https://github.com/openshift/openshift-ansible/pull/3209
Test with openshift-ansible-3.4.59-1.git.0.d813eb7.el7.noarch, run the example playbook against an ocp-3.4 cluster by following https://github.com/tbielawa/openshift-ansible/blob/3efe6dd1f113c2f09a15fea7d61389296b5e9a67/roles/openshift_certificate_expiry/README.md#run-with-ansible-playbook

    [root@gpei-test-ansible openshift-ansible]# pwd
    /usr/share/ansible/openshift-ansible
    [root@gpei-test-ansible openshift-ansible]# ansible-playbook -v -i ~/host ./roles/openshift_certificate_expiry/examples/playbooks/easy-mode.yaml
    Using /etc/ansible/ansible.cfg as config file
    ERROR! the role 'openshift_certificate_expiry' was not found in /usr/share/ansible/openshift-ansible/roles/openshift_certificate_expiry/examples/playbooks/roles:/etc/ansible/roles:/usr/share/ansible/openshift-ansible/roles/openshift_certificate_expiry/examples/playbooks

    The error appears to have been in '/usr/share/ansible/openshift-ansible/roles/openshift_certificate_expiry/examples/playbooks/easy-mode.yaml': line 21, column 7, but may
    be elsewhere in the file depending on the exact syntax problem.

    The offending line appears to be:

      roles:
        - role: openshift_certificate_expiry
          ^ here
Fix submitted https://github.com/openshift/openshift-ansible/pull/3316
Test with openshift-ansible-3.4.60-1.git.0.1ef027f.el7.noarch
It's working well against ocp env built on RHEL, but for containerized env on Atomic Host, the expiration checker playbook will fail due to "No module named OpenSSL.crypto"
Here's an example test. A containerized ocp-3.4.1.7 env built with qe-rhel-atomic-cloud-726_1 image on AWS configured in the host file.

    [root@gpei-test-ansible ~]# ansible-playbook -v -i host /usr/share/ansible/openshift-ansible/playbooks/certificate_expiry/easy-mode.yaml
    Using /etc/ansible/ansible.cfg as config file

    PLAY [Check cert expirys] ******************************************************

    TASK [openshift_certificate_expiry : Check cert expirys on host] ***************
    fatal: [ec2-x.compute-1.amazonaws.com]: FAILED! => {
        "changed": false,
        "failed": true,
        "module_stderr": "Shared connection to ec2-x.compute-1.amazonaws.com closed.\r\n",
        "module_stdout": "Traceback (most recent call last):\r\n File \"/tmp/ansible_7d4N_3/ansible_module_openshift_cert_expiry.py\", line 14, in <module>\r\n import OpenSSL.crypto\r\nImportError: No module named OpenSSL.crypto\r\n"
    }

    MSG:

    MODULE FAILURE
    fatal: [ec2-54-x.compute-1.amazonaws.com]: FAILED! => {
        "changed": false,
        "failed": true,
        "module_stderr": "Shared connection to ec2-54-x.compute-1.amazonaws.com closed.\r\n",
        "module_stdout": "Traceback (most recent call last):\r\n File \"/tmp/ansible_7Wdo4k/ansible_module_openshift_cert_expiry.py\", line 14, in <module>\r\n import OpenSSL.crypto\r\nImportError: No module named OpenSSL.crypto\r\n"
    }

    MSG:

    MODULE FAILURE
Right now I don't think we can fix atomic host. We'll need to invest significant engineering time in determining the best way forward to provide ansible dependencies on atomic host.
Verify this bug with openshift-ansible-3.4.64-1.git.0.7bb288c.el7
All the example playbooks could run successfully against rpm/container env, and could detect the certs used in the cluster well. The playbooks could give the correct result for the number of certs in expired/OK/warning status on each host, and all the configurable variables in this role were working well.
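The per-host expired/OK/warning tally mentioned in the verification comment above can be illustrated as follows. This is an added Python example, not code from the openshift_certificate_expiry role or its module; the host names, certificate dates, fixed clock NOW and the warning_days parameter are constructed assumptions.

```python
# Added illustration: classify certificate expiry dates and tally them per host.
# Not the role's code; uses only the standard library (no pyOpenSSL needed).
import ssl
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample data: (host, certificate path, notAfter as OpenSSL prints it).
SAMPLE_CERTS = [
    ("master1.example.com", "/etc/origin/master/ca.crt", "Jan 20 12:00:00 2022 GMT"),
    ("master1.example.com", "/etc/origin/master/master.server.crt", "Feb 15 12:00:00 2017 GMT"),
    ("master1.example.com", "/etc/origin/master/etcd.server.crt", "Jan  5 09:34:43 2017 GMT"),
    ("node1.example.com", "/etc/origin/node/server.crt", "Mar  1 00:00:00 2017 GMT"),
    ("node1.example.com", "/etc/origin/node/ca.crt", "Feb  1 00:00:00 2019 GMT"),
]

# Fixed "current time" so the example is reproducible (constructed value).
NOW = datetime(2017, 2, 1, tzinfo=timezone.utc)


def classify(not_after, now, warning_days=30):
    """Return (status, whole days remaining) for one notAfter string."""
    # ssl.cert_time_to_seconds parses the "Mon DD HH:MM:SS YYYY GMT" format.
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    remaining = expires - now
    if remaining <= timedelta(0):
        return "expired", remaining.days
    if remaining <= timedelta(days=warning_days):
        return "warning", remaining.days
    return "ok", remaining.days


def summarize(certs, now, warning_days=30):
    """Count certificates per host in each of the three states."""
    summary = {}
    for host, _path, not_after in certs:
        status, _days = classify(not_after, now, warning_days)
        summary.setdefault(host, Counter())[status] += 1
    return summary


if __name__ == "__main__":
    for host, counts in summarize(SAMPLE_CERTS, NOW).items():
        print(host, dict(counts))
```

Shrinking warning_days moves certificates from "warning" to "ok", so the same inventory can report differently depending on the configured window.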
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2017:0448