1417682 – [3.3] Backport openshift_certificate_expiry role

Bug 1417682 - [3.3] Backport openshift_certificate_expiry role

Summary: [3.3] Backport openshift_certificate_expiry role

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Installer
Sub Component:
Version:	3.3.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	high
Target Milestone:	---
Target Release:	3.3.1
Assignee:	Tim Bielawa
QA Contact:	Gaoyun Pei
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2017-01-30 16:10 UTC by Tim Bielawa
Modified:	2017-03-06 16:38 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	Enhancement
Doc Text:	The certificate expiry checker has been backported to the OCP 3.3 playbooks.
Clone Of:
Environment:
Last Closed:	2017-03-06 16:38:16 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2017:0448	0	normal	SHIPPED_LIVE	Important: ansible and openshift-ansible security and bug fix update	2017-03-06 21:36:25 UTC

Description Tim Bielawa 2017-01-30 16:10:26 UTC

Description of problem:

The openshift_certificate_expiry module needs to be backported and tested to help with the growing numbers of customers running into problems with their certificates expiring and an upcoming KBS article.


Related PR: https://github.com/openshift/openshift-ansible/pull/3208

Comment 2 Gaoyun Pei 2017-02-07 09:30:48 UTC

Test with openshift-ansible-3.3.63-1.git.0.b82a158.el7.noarch, run the example playbook by following https://github.com/tbielawa/openshift-ansible/blob/3efe6dd1f113c2f09a15fea7d61389296b5e9a67/roles/openshift_certificate_expiry/README.md#run-with-ansible-playbook


[root@gpei-test-ansible openshift-ansible]# pwd
/usr/share/ansible/openshift-ansible
[root@gpei-test-ansible openshift-ansible]# ansible-playbook -v -i ~/host ./roles/openshift_certificate_expiry/examples/playbooks/easy-mode.yaml 
Using /etc/ansible/ansible.cfg as config file
ERROR! the role 'openshift_certificate_expiry' was not found in /usr/share/ansible/openshift-ansible/roles/openshift_certificate_expiry/examples/playbooks/roles:/etc/ansible/roles:/usr/share/ansible/openshift-ansible/roles/openshift_certificate_expiry/examples/playbooks

The error appears to have been in '/usr/share/ansible/openshift-ansible/roles/openshift_certificate_expiry/examples/playbooks/easy-mode.yaml': line 21, column 7, but may
be elsewhere in the file depending on the exact syntax problem.

The offending line appears to be:

  roles:
    - role: openshift_certificate_expiry
      ^ here

Comment 3 Tim Bielawa 2017-02-09 18:05:48 UTC

Fix submitted https://github.com/openshift/openshift-ansible/pull/3315

Comment 5 Gaoyun Pei 2017-02-14 10:01:32 UTC

The same error as https://bugzilla.redhat.com/show_bug.cgi?id=1417681#c5 when testing with openshift-ansible-3.3.64-1.git.0.43bfb06.el7.noarch.rpm

Comment 7 Gaoyun Pei 2017-02-22 10:02:35 UTC

Verify this bug with openshift-ansible-3.3.65-1.git.0.1c66f89.el7

All the example playbooks could run successfully against rpm/container env, could detect certs used in the cluster well.

The playbooks could give correct result about the number of cert in expired/OK/warning status on each host, and all the configurable variables in this role were working well.

Comment 9 errata-xmlrpc 2017-03-06 16:38:16 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:0448

Note You need to log in before you can comment on or make changes to this bug.