Bug 1421037 - Should add '-n default' to the 'oc replace' command in redeploy-registry-certificates playbook
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.5.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Andrew Butcher
QA Contact: Gaoyun Pei
Depends On: 1422638
Blocks: 1397958
Reported: 2017-02-10 08:11 UTC by Gaoyun Pei
Modified: 2017-07-24 14:11 UTC (History)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Last Closed: 2017-04-11 21:23:18 UTC
Target Upstream Version:


System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:0903 0 normal SHIPPED_LIVE OpenShift Container Platform atomic-openshift-utils bug fix and enhancement 2017-04-12 22:45:42 UTC

Description Gaoyun Pei 2017-02-10 08:11:27 UTC
Description of problem:
For the "Update registry certificates secret" step in https://github.com/openshift/openshift-ansible/blob/openshift-ansible-3.5.6-1/playbooks/common/openshift-cluster/redeploy-certificates/registry.yml#L72
we should also specify '-n default' for the 'oc replace -f -' command.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Set up an ocp-3.5 env, log into master and create a new project
[root@ip-172-18-3-137 ~]# oc new-project test

2. Run registry cert redeploy playbook against the env
ansible-playbook -i host playbooks/byo/openshift-cluster/redeploy-registry-certificates.yml

Actual results:
TASK [Update registry certificates secret] *************************************
fatal: [ec2-54-152-140-183.compute-1.amazonaws.com]: FAILED! => {
    "changed": true, 
    "cmd": "oc secret new registry-certificates /etc/origin/master/registry.crt /etc/origin/master/registry.key --config=/tmp/openshift-ansible-lh3xU2/admin.kubeconfig -n default -o json | oc replace -f -", 
    "delta": "0:00:00.733213", 
    "end": "2017-02-10 02:51:05.399517", 
    "failed": true, 
    "rc": 1, 
    "start": "2017-02-10 02:51:04.666304", 
    "warnings": []


Error from server (NotFound): error when replacing "STDIN": secrets "registry-certificates" not found

Expected results:

Additional info:
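
An added example (not part of the original report and not openshift-ansible code): a small lint that flags any `oc` stage of a piped command that relies on the caller's current project instead of an explicit `-n`/`--namespace`, run against the command from the failing task above. The function names and the `PINNED_CMD` variant (the form the bug title asks for) are assumptions made for illustration.

```python
import shlex

# Command string copied from the failing task output quoted in the report.
FAILING_CMD = (
    "oc secret new registry-certificates /etc/origin/master/registry.crt "
    "/etc/origin/master/registry.key "
    "--config=/tmp/openshift-ansible-lh3xU2/admin.kubeconfig "
    "-n default -o json | oc replace -f -"
)
# Constructed variant: namespace also pinned on the replace side.
PINNED_CMD = FAILING_CMD + " -n default"


def split_pipeline(cmd):
    """Split a shell command line into pipeline stages (lists of tokens)."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars="|")
    lexer.whitespace_split = True
    stages, current = [], []
    for tok in lexer:
        if tok == "|":
            stages.append(current)
            current = []
        else:
            current.append(tok)
    stages.append(current)
    return stages


def has_namespace(tokens):
    """True if the stage passes -n/--namespace with a value."""
    for i, tok in enumerate(tokens):
        if tok in ("-n", "--namespace") and i + 1 < len(tokens):
            return True
        if tok.startswith("--namespace=") and len(tok) > len("--namespace="):
            return True
    return False


def unpinned_oc_stages(cmd):
    """Return the oc stages that depend on the current project context."""
    return [" ".join(stage) for stage in split_pipeline(cmd)
            if stage and stage[0] == "oc" and not has_namespace(stage)]


if __name__ == "__main__":
    for name, cmd in (("failing", FAILING_CMD), ("pinned", PINNED_CMD)):
        print(name, "->", unpinned_oc_stages(cmd) or "all oc stages pinned")
```
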

Comment 1 Andrew Butcher 2017-02-13 14:56:34 UTC
Proposed fix: https://github.com/openshift/openshift-ansible/pull/3300

Comment 3 Gaoyun Pei 2017-02-15 04:35:11 UTC
Test with openshift-ansible-3.5.8-1.git.0.0e02ef8.el7.noarch

The new playbook will fail when running against a containerized env on AtomicHost

TASK [lib_openshift : lib_openshift ensure python-ruamel-yaml package is on target] ***
fatal: [gpei-35-debugging-master-1.0214-1i0.qe.rhcloud.com]: FAILED! => {
    "changed": false, 
    "failed": true


Could not find a module for unknown.

Filed a new bug BZ#1422348 about role lib_openshift not matched with AtomicHost

Comment 4 Scott Dodson 2017-02-17 02:05:04 UTC
Additional changes have been made.

Comment 5 Gaoyun Pei 2017-02-17 09:52:21 UTC
Verify this bug with openshift-ansible-3.5.10-1.git.0.ba66b63.el7.noarch

For a containerized env on AtomicHost, run the registry cert redeploy playbook against the env after changing the project on master to one other than "default".

ansible-playbook -v -i host /usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/redeploy-registry-certificates.yml

The playbook ran successfully, the registry certificates secret was updated, and a new sti-build test passed.
