Bug 1417681 - [3.4] Backport openshift_certificate_expiry role
Status: CLOSED ERRATA
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer (Show other bugs)
Version: 3.4.1
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: 3.4.z
Assigned To: Tim Bielawa
QA Contact: Gaoyun Pei
Reported: 2017-01-30 11:10 EST by Tim Bielawa
Modified: 2017-03-06 11:38 EST
Last Closed: 2017-03-06 11:38:13 EST
Type: Bug

External Trackers
Tracker ID: Red Hat Product Errata RHSA-2017:0448
Priority: normal
Status: SHIPPED_LIVE
Summary: Important: ansible and openshift-ansible security and bug fix update
Last Updated: 2017-03-06 16:36:25 EST
Description Tim Bielawa 2017-01-30 11:10:20 EST
Description of problem:

The openshift_certificate_expiry module needs to be backported and tested to help with the growing number of customers running into problems with their certificates expiring, and with an upcoming KBS article.

Related PR: https://github.com/openshift/openshift-ansible/pull/3209
Comment 2 Gaoyun Pei 2017-02-07 04:32:52 EST
Tested with openshift-ansible-3.4.59-1.git.0.d813eb7.el7.noarch; ran the example playbook against an ocp-3.4 cluster by following https://github.com/tbielawa/openshift-ansible/blob/3efe6dd1f113c2f09a15fea7d61389296b5e9a67/roles/openshift_certificate_expiry/README.md#run-with-ansible-playbook

[root@gpei-test-ansible openshift-ansible]# pwd
/usr/share/ansible/openshift-ansible
[root@gpei-test-ansible openshift-ansible]# ansible-playbook -v -i ~/host ./roles/openshift_certificate_expiry/examples/playbooks/easy-mode.yaml 
Using /etc/ansible/ansible.cfg as config file
ERROR! the role 'openshift_certificate_expiry' was not found in /usr/share/ansible/openshift-ansible/roles/openshift_certificate_expiry/examples/playbooks/roles:/etc/ansible/roles:/usr/share/ansible/openshift-ansible/roles/openshift_certificate_expiry/examples/playbooks

The error appears to have been in '/usr/share/ansible/openshift-ansible/roles/openshift_certificate_expiry/examples/playbooks/easy-mode.yaml': line 21, column 7, but may
be elsewhere in the file depending on the exact syntax problem.

The offending line appears to be:

  roles:
    - role: openshift_certificate_expiry
      ^ here
Comment 3 Tim Bielawa 2017-02-09 13:05:58 EST
Fix submitted https://github.com/openshift/openshift-ansible/pull/3316
Comment 5 Gaoyun Pei 2017-02-14 04:57:13 EST
Tested with openshift-ansible-3.4.60-1.git.0.1ef027f.el7.noarch

It's working well against an ocp env built on RHEL, but for a containerized env on Atomic Host the expiration checker playbook will fail due to "No module named OpenSSL.crypto".

Here's an example test: a containerized ocp-3.4.1.7 env built with the qe-rhel-atomic-cloud-726_1 image on AWS is configured in the host file.

[root@gpei-test-ansible ~]# ansible-playbook -v -i host /usr/share/ansible/openshift-ansible/playbooks/certificate_expiry/easy-mode.yaml 
Using /etc/ansible/ansible.cfg as config file

PLAY [Check cert expirys] ******************************************************

TASK [openshift_certificate_expiry : Check cert expirys on host] ***************
fatal: [ec2-x.compute-1.amazonaws.com]: FAILED! => {
    "changed": false, 
    "failed": true, 
    "module_stderr": "Shared connection to ec2-x.compute-1.amazonaws.com closed.\r\n", 
    "module_stdout": "Traceback (most recent call last):\r\n  File \"/tmp/ansible_7d4N_3/ansible_module_openshift_cert_expiry.py\", line 14, in <module>\r\n    import OpenSSL.crypto\r\nImportError: No module named OpenSSL.crypto\r\n"
}

MSG:

MODULE FAILURE

fatal: [ec2-54-x.compute-1.amazonaws.com]: FAILED! => {
    "changed": false, 
    "failed": true, 
    "module_stderr": "Shared connection to ec2-54-x.compute-1.amazonaws.com closed.\r\n", 
    "module_stdout": "Traceback (most recent call last):\r\n  File \"/tmp/ansible_7Wdo4k/ansible_module_openshift_cert_expiry.py\", line 14, in <module>\r\n    import OpenSSL.crypto\r\nImportError: No module named OpenSSL.crypto\r\n"
}

MSG:

MODULE FAILURE
Comment 6 Scott Dodson 2017-02-16 15:48:24 EST
Right now I don't think we can fix atomic host. We'll need to invest significant engineering time in determining the best way forward to provide ansible dependencies on atomic host.
Comment 8 Gaoyun Pei 2017-02-22 05:02:33 EST
Verified this bug with openshift-ansible-3.4.64-1.git.0.7bb288c.el7

All the example playbooks ran successfully against rpm/container envs and detected the certs used in the cluster well.

The playbooks gave correct results for the number of certs in expired/OK/warning status on each host, and all the configurable variables in this role were working well.
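The failure in Comment 5 is an ImportError on `OpenSSL.crypto`, and Comment 8 verifies that the role reports certs as expired/OK/warning. The following is an added example written for this page, not the openshift_certificate_expiry role's own module: it performs the same expired/warning/ok classification using only the Python standard library, so it would not fail on a host without pyOpenSSL. It walks the DER structure of an X.509 certificate (Certificate -> tbsCertificate -> validity) to read notAfter, handles both UTCTime and GeneralizedTime, and summarises counts per status the way the role does per host. The `warning_days` threshold, the function names, and the sample certificates (unsigned, structurally valid skeletons built inline for parsing only) are all constructed for this example.

```python
"""Added example: stdlib-only certificate expiry classifier (not the role's code)."""
import base64
import datetime as dt


def _read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Return the list of (tag, value) TLVs inside a constructed DER value."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out


def _parse_time(tag, raw):
    """Decode X.509 UTCTime (0x17) or GeneralizedTime (0x18) to an aware UTC datetime."""
    s = raw.decode("ascii")
    if tag == 0x17:                         # YYMMDDHHMMSSZ, RFC 5280 century pivot at 50
        yy = int(s[:2])
        year, rest = (1900 + yy if yy >= 50 else 2000 + yy), s[2:]
    elif tag == 0x18:                       # YYYYMMDDHHMMSSZ
        year, rest = int(s[:4]), s[4:]
    else:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return dt.datetime(year, int(rest[0:2]), int(rest[2:4]), int(rest[4:6]),
                       int(rest[6:8]), int(rest[8:10]), tzinfo=dt.timezone.utc)


def pem_to_der(pem):
    """Strip PEM armour lines and base64-decode the certificate body."""
    body = [l for l in pem.strip().splitlines() if not l.startswith("-----")]
    return base64.b64decode("".join(body))


def cert_not_after(der):
    """Walk Certificate -> tbsCertificate -> validity and return notAfter."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs, _ = _read_tlv(cert, 0)
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version
        fields = fields[1:]
    validity_tag, validity = fields[3]      # serial, signature, issuer, validity
    if validity_tag != 0x30:
        raise ValueError("validity is not a SEQUENCE")
    _not_before, not_after = _children(validity)
    return _parse_time(*not_after)


def classify(not_after, now, warning_days):
    """'expired' once past notAfter, 'warning' inside warning_days, else 'ok'."""
    remaining = (not_after - now).days
    if remaining < 0:
        return "expired"
    return "warning" if remaining < warning_days else "ok"


def summarize(certs_pem, now, warning_days=30):
    """Count certs per status, like the role's per-host expired/warning/ok totals."""
    counts = {"expired": 0, "warning": 0, "ok": 0}
    for pem in certs_pem.values():
        counts[classify(cert_not_after(pem_to_der(pem)), now, warning_days)] += 1
    return counts


# --- constructed sample input: unsigned X.509 skeletons, valid only for parsing ---
def _tlv(tag, content):
    n = len(content)
    length = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF]))
    return bytes([tag]) + length + content


def build_sample_pem(not_before, not_after):
    """Build a minimal tbsCertificate with the given validity (no real key or signature)."""
    utctime = lambda t: _tlv(0x17, t.strftime("%y%m%d%H%M%SZ").encode())
    sig_alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")))   # sha256WithRSA
    name = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0c, b"sample"))))
    validity = _tlv(0x30, utctime(not_before) + utctime(not_after))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + sig_alg
               + name + validity + name + _tlv(0x30, b""))                  # empty SPKI placeholder
    der = _tlv(0x30, tbs + sig_alg + _tlv(0x03, b"\x00"))
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(lines)


NOW = dt.datetime(2017, 2, 14, 0, 0, 0, tzinfo=dt.timezone.utc)   # fixed "now" for determinism
DAY = dt.timedelta(days=1)
SAMPLE_CERTS = {                                                     # constructed names and dates
    "master.server.crt": build_sample_pem(NOW - 365 * DAY, NOW + 300 * DAY),
    "etcd/peer.crt": build_sample_pem(NOW - 365 * DAY, NOW + 10 * DAY),
    "node.kubeconfig": build_sample_pem(NOW - 365 * DAY, NOW - 1 * DAY),
}

if __name__ == "__main__":
    for name, pem in SAMPLE_CERTS.items():
        print(name, classify(cert_not_after(pem_to_der(pem)), NOW, 30))
    print(summarize(SAMPLE_CERTS, NOW))   # {'expired': 1, 'warning': 1, 'ok': 1}
```

On a real host you would replace `SAMPLE_CERTS` with the PEM contents of the files the role checks and pass the current time as `now`; because the parser only reads the validity field, it works on any DER certificate regardless of key type or extensions.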
Comment 10 errata-xmlrpc 2017-03-06 11:38:13 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:0448
