Bug 1417681 - [3.4] Backport openshift_certificate_expiry role
Summary: [3.4] Backport openshift_certificate_expiry role
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.4.1
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: 3.4.z
Assignee: Tim Bielawa
QA Contact: Gaoyun Pei
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-01-30 16:10 UTC by Tim Bielawa
Modified: 2017-03-06 16:38 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-03-06 16:38:13 UTC
Target Upstream Version:
Embargoed:




Links
System: Red Hat Product Errata
ID: RHSA-2017:0448
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: Important: ansible and openshift-ansible security and bug fix update
Last Updated: 2017-03-06 21:36:25 UTC

Description Tim Bielawa 2017-01-30 16:10:20 UTC
Description of problem:

The openshift_certificate_expiry module needs to be backported and tested to help with the growing number of customers running into problems with their certificates expiring and an upcoming KBS article.


Related PR: https://github.com/openshift/openshift-ansible/pull/3209

Comment 2 Gaoyun Pei 2017-02-07 09:32:52 UTC
Test with openshift-ansible-3.4.59-1.git.0.d813eb7.el7.noarch, run the example playbook against an ocp-3.4 cluster by following https://github.com/tbielawa/openshift-ansible/blob/3efe6dd1f113c2f09a15fea7d61389296b5e9a67/roles/openshift_certificate_expiry/README.md#run-with-ansible-playbook


[root@gpei-test-ansible openshift-ansible]# pwd
/usr/share/ansible/openshift-ansible
[root@gpei-test-ansible openshift-ansible]# ansible-playbook -v -i ~/host ./roles/openshift_certificate_expiry/examples/playbooks/easy-mode.yaml 
Using /etc/ansible/ansible.cfg as config file
ERROR! the role 'openshift_certificate_expiry' was not found in /usr/share/ansible/openshift-ansible/roles/openshift_certificate_expiry/examples/playbooks/roles:/etc/ansible/roles:/usr/share/ansible/openshift-ansible/roles/openshift_certificate_expiry/examples/playbooks

The error appears to have been in '/usr/share/ansible/openshift-ansible/roles/openshift_certificate_expiry/examples/playbooks/easy-mode.yaml': line 21, column 7, but may
be elsewhere in the file depending on the exact syntax problem.

The offending line appears to be:

  roles:
    - role: openshift_certificate_expiry
      ^ here

Comment 3 Tim Bielawa 2017-02-09 18:05:58 UTC
Fix submitted https://github.com/openshift/openshift-ansible/pull/3316

Comment 5 Gaoyun Pei 2017-02-14 09:57:13 UTC
Test with openshift-ansible-3.4.60-1.git.0.1ef027f.el7.noarch

It's working well against an ocp env built on RHEL, but for a containerized env on Atomic Host, the expiration checker playbook will fail due to "No module named OpenSSL.crypto"

Here's an example test. A containerized ocp-3.4.1.7 env built with qe-rhel-atomic-cloud-726_1 image on AWS configured in the host file.

[root@gpei-test-ansible ~]# ansible-playbook -v -i host /usr/share/ansible/openshift-ansible/playbooks/certificate_expiry/easy-mode.yaml 
Using /etc/ansible/ansible.cfg as config file

PLAY [Check cert expirys] ******************************************************

TASK [openshift_certificate_expiry : Check cert expirys on host] ***************
fatal: [ec2-x.compute-1.amazonaws.com]: FAILED! => {
    "changed": false, 
    "failed": true, 
    "module_stderr": "Shared connection to ec2-x.compute-1.amazonaws.com closed.\r\n", 
    "module_stdout": "Traceback (most recent call last):\r\n  File \"/tmp/ansible_7d4N_3/ansible_module_openshift_cert_expiry.py\", line 14, in <module>\r\n    import OpenSSL.crypto\r\nImportError: No module named OpenSSL.crypto\r\n"
}

MSG:

MODULE FAILURE

fatal: [ec2-54-x.compute-1.amazonaws.com]: FAILED! => {
    "changed": false, 
    "failed": true, 
    "module_stderr": "Shared connection to ec2-54-x.compute-1.amazonaws.com closed.\r\n", 
    "module_stdout": "Traceback (most recent call last):\r\n  File \"/tmp/ansible_7Wdo4k/ansible_module_openshift_cert_expiry.py\", line 14, in <module>\r\n    import OpenSSL.crypto\r\nImportError: No module named OpenSSL.crypto\r\n"
}

MSG:

MODULE FAILURE

Comment 6 Scott Dodson 2017-02-16 20:48:24 UTC
Right now I don't think we can fix atomic host. We'll need to invest significant engineering time in determining the best way forward to provide ansible dependencies on atomic host.

Comment 8 Gaoyun Pei 2017-02-22 10:02:33 UTC
Verify this bug with openshift-ansible-3.4.64-1.git.0.7bb288c.el7

All the example playbooks could run successfully against rpm/container envs and could detect the certs used in the cluster well.

The playbooks could give correct results about the number of certs in expired/OK/warning status on each host, and all the configurable variables in this role were working well.
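The two comments above describe the checker's behaviour from opposite sides: comment 5 shows the module dying on Atomic Host at "import OpenSSL.crypto", and comment 8 shows the per-host expired/warning/OK counts it reports when it does run. The following is an added, stand-alone illustration of that check, not the code of the openshift_certificate_expiry role or its openshift_cert_expiry module. It assumes a hypothetical warning threshold (warning_days) passed by the caller, PEM-encoded certificates on disk, and that either pyOpenSSL or the openssl CLI is present on the machine running it; the CLI fallback is this example's own choice for the failure mode in comment 5, and is not something the role itself does (comment 6 says Atomic Host was not fixed by this bug).

```python
"""Classify X.509 certificates as expired / warning / ok by their notAfter date.

Added example for this bug page; assumptions: warning_days is chosen by the
caller, inputs are PEM certificates, and at least one of pyOpenSSL or the
`openssl` CLI is installed. Not the openshift_certificate_expiry role's code.
"""
import datetime as dt
import subprocess
import sys

# Status buckets, matching the three counts the verification comment describes.
EXPIRED, WARNING, OK = "expired", "warning", "ok"


def classify(not_after, now, warning_days):
    """Bucket one certificate by how far `now` is from its notAfter (both naive UTC)."""
    remaining = not_after - now
    if remaining <= dt.timedelta(0):
        return EXPIRED
    if remaining <= dt.timedelta(days=warning_days):
        return WARNING
    return OK


def parse_openssl_enddate(line):
    """Parse 'notAfter=Mar  6 21:36:25 2018 GMT' as printed by `openssl x509 -enddate -noout`."""
    _, _, value = line.strip().partition("=")
    value = " ".join(value.split())  # collapse the day-of-month padding
    return dt.datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")


def parse_asn1_generalizedtime(value):
    """Parse the b'YYYYMMDDHHMMSSZ' form returned by pyOpenSSL's X509.get_notAfter()."""
    if isinstance(value, bytes):
        value = value.decode("ascii")
    return dt.datetime.strptime(value, "%Y%m%d%H%M%SZ")


def not_after_from_pem(pem_bytes):
    """Return notAfter for one PEM cert.

    Prefers pyOpenSSL (the import the role's module needs); when that import is
    missing, as on the Atomic Host in comment 5, falls back to the openssl CLI
    (this example's own choice, not the role's behaviour).
    """
    try:
        import OpenSSL.crypto  # the exact import that fails in comment 5
    except ImportError:
        try:
            proc = subprocess.run(
                ["openssl", "x509", "-noout", "-enddate"],
                input=pem_bytes, capture_output=True, check=True,
            )
        except FileNotFoundError:
            raise RuntimeError("neither pyOpenSSL nor the openssl CLI is available") from None
        return parse_openssl_enddate(proc.stdout.decode())
    cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, pem_bytes)
    return parse_asn1_generalizedtime(cert.get_notAfter())


def summarize(not_afters, now, warning_days):
    """Count certificates per bucket: the per-host summary comment 8 describes."""
    counts = {EXPIRED: 0, WARNING: 0, OK: 0}
    for value in not_afters:
        counts[classify(value, now, warning_days)] += 1
    return counts


def check_pem_files(paths, warning_days, now=None):
    """Map each PEM file path to its bucket, using the current UTC time by default."""
    now = now or dt.datetime.utcnow()
    result = {}
    for path in paths:
        with open(path, "rb") as fh:
            result[path] = classify(not_after_from_pem(fh.read()), now, warning_days)
    return result


if __name__ == "__main__":
    # Usage: python check_expiry.py <warning_days> cert1.pem cert2.pem ...
    days = int(sys.argv[1])
    statuses = check_pem_files(sys.argv[2:], days)
    for path, status in statuses.items():
        print(f"{status:8} {path}")
    print(summarize([], dt.datetime.utcnow(), days) if not statuses else
          {k: list(statuses.values()).count(k) for k in (EXPIRED, WARNING, OK)})
```

Pointing this at /etc/origin/master/*.crt and /etc/origin/node/*.crt on a host gives the same three counts the role reports; on a host without pyOpenSSL it will take the openssl CLI path rather than failing with the ImportError shown in comment 5.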

Comment 10 errata-xmlrpc 2017-03-06 16:38:13 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:0448

