Bug 1443741 - openshift-ansible encounters error when generating cert
Summary: openshift-ansible encounters error when generating cert
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.5.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
: 3.5.z
Assignee: ewolinet
QA Contact: Peter Ruan
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-04-19 21:15 UTC by Peter Ruan
Modified: 2017-12-14 21:01 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: When using openshift_metrics_heapster_standalone=true, the CA certificate was not generated.
Consequence: The playbook would fail.
Fix: Allowed the CA cert to be generated also if openshift_metrics_heapster_standalone=true was set.
Result: Playbook completes successfully.
Clone Of:
Environment:
Last Closed: 2017-12-14 21:01:20 UTC
Target Upstream Version:



Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:3438 normal SHIPPED_LIVE OpenShift Container Platform 3.6 and 3.5 bug fix and enhancement update 2017-12-15 01:58:11 UTC

Description Peter Ruan 2017-04-19 21:15:27 UTC
Description of problem:
  Ansible installation of metrics failed when running the playbook for openshift-metrics.yaml; I get an error indicating the cert is not valid.

error: --signer-cert, \"/tmp/openshift-metrics-ansible-g8NWMu/ca.crt\" must be a valid certificate file\nSee 'oadm ca create-server-cert -h' for help and examples.

Version-Release number of selected component (if applicable):
master

How reproducible:
always.

Steps to Reproduce:
1. git clone https://github.com/openshift/openshift-ansible/
2. ansible-playbook -i <your_inventory_file> -vvv openshift-ansible/playbooks/byo/openshift-cluster/openshift-metrics.yml

Actual results:
      <openshift-127.lab.sjc.redhat.com> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'IdentityFile="/tmp/tmp/libra.pem"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=root -o ConnectTimeout=10 -o ControlPath=/opt/app-root/src/.ansible/cp/ansible-ssh-%h-%p-%r -tt openshift-127.lab.sjc.redhat.com '/bin/sh -c '"'"'/usr/bin/python /root/.ansible/tmp/ansible-tmp-1492631599.51-261101884427092/command.py; rm -rf "/root/.ansible/tmp/ansible-tmp-1492631599.51-261101884427092/" > /dev/null 2>&1 && sleep 0'"'"''
      fatal: [openshift-127.lab.sjc.redhat.com]: FAILED! => {
          "changed": true,
          "cmd": [
              "oadm",
              "ca",
              "create-server-cert",
              "--config=/tmp/openshift-metrics-ansible-g8NWMu/admin.kubeconfig",
              "--key=/tmp/openshift-metrics-ansible-g8NWMu/heapster.key",
              "--cert=/tmp/openshift-metrics-ansible-g8NWMu/heapster.cert",
              "--hostnames=heapster",
              "--signer-cert=/tmp/openshift-metrics-ansible-g8NWMu/ca.crt",
              "--signer-key=/tmp/openshift-metrics-ansible-g8NWMu/ca.key",
              "--signer-serial=/tmp/openshift-metrics-ansible-g8NWMu/ca.serial.txt"
          ],
          "delta": "0:00:00.271453",
          "end": "2017-04-19 15:53:20.016426",
          "failed": true,
          "invocation": {
              "module_args": {
                  "_raw_params": "oadm ca create-server-cert --config=/tmp/openshift-metrics-ansible-g8NWMu/admin.kubeconfig --key='/tmp/openshift-metrics-ansible-g8NWMu/heapster.key' --cert='/tmp/openshift-metrics-ansible-g8NWMu/heapster.cert' --hostnames=heapster --signer-cert='/tmp/openshift-metrics-ansible-g8NWMu/ca.crt' --signer-key='/tmp/openshift-metrics-ansible-g8NWMu/ca.key' --signer-serial='/tmp/openshift-metrics-ansible-g8NWMu/ca.serial.txt'",
                  "_uses_shell": false,
                  "chdir": null,
                  "creates": null,
                  "executable": null,
                  "removes": null,
                  "warn": true
              },
              "module_name": "command"
          },
          "rc": 1,
          "start": "2017-04-19 15:53:19.744973",
          "stderr": "error: --signer-cert, \"/tmp/openshift-metrics-ansible-g8NWMu/ca.crt\" must be a valid certificate file\nSee 'oadm ca create-server-cert -h' for help and examples.",
          "stdout": "",
          "stdout_lines": [],
          "warnings": []
      }
      	to retry, use: --limit @/tmp/tmp/openshift-ansible/playbooks/byo/openshift-cluster/openshift-metrics.retry

      PLAY RECAP *********************************************************************
      localhost                  : ok=1    changed=0    unreachable=0    failed=0
      openshift-127.lab.sjc.redhat.com : ok=28   changed=0    unreachable=0    failed=1


Expected results:


Additional info:

Comment 1 Peter Ruan 2017-04-19 23:46:47 UTC
Eric,
  It looks like it's an issue with my inventory.  If I comment out the setting openshift_metrics_heapster_standalone=true (see below), then the installation will pass.  Do you know if the setting above is valid?

==== working inventory file =======
[oo_first_master]
openshift-127.lab.sjc.redhat.com ansible_user=root ansible_ssh_user=root ansible_ssh_private_key_file="/tmp/tmp/libra.pem" openshift_public_hostname=openshift-127.lab.sjc.redhat.com

[oo_first_master:vars]
openshift_deployment_type=openshift-enterprise
openshift_release=v3.5
public_master_url=https://openshift-127.lab.sjc.redhat.com:8443

openshift_metrics_image_prefix=brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/openshift3/
openshift_metrics_image_version=v3.5

openshift_metrics_install_metrics=true
#openshift_metrics_heapster_standalone=true
openshift_metrics_heapster_allowed_users=system:master-proxy

openshift_metrics_hawkular_hostname=metrics.0411-egz.qe.rhcloud.com
openshift_metrics_project=openshift-infra

Comment 2 Junqi Zhao 2017-04-20 05:17:34 UTC
@Peter,
Tested on my environment, same error as you reported. 

I found this case in Polarion, https://polarion.engineering.redhat.com/polarion/#/project/OSE/workitem?id=OCP-12879, and I believe penli had tested this case and it did not have problems then, but it throws an error now.

Since we use byo/openshift-cluster/openshift-metrics.yml, the inventory file group names are changed, see the following file.

[OSEv3:children]
masters

[masters]
ec2-54-211-52-114.compute-1.amazonaws.com openshift_public_hostname=ec2-54-211-52-114.compute-1.amazonaws.com

[OSEv3:vars]
ansible_ssh_user=root
ansible_ssh_private_key_file="/root/libra.pem"
deployment_type=openshift-enterprise

openshift_metrics_install_metrics=true
openshift_metrics_hawkular_hostname=hawkular-metrics.0420-n0a.qe.rhcloud.com
openshift_metrics_project=openshift-infra

openshift_metrics_image_prefix=registry.ops.openshift.com/openshift3/
openshift_metrics_image_version=3.5.0
#openshift_metrics_heapster_standalone=true
openshift_metrics_heapster_allowed_users=system:master-proxy
openshift_metrics_project=openshift-infra

Comment 3 ewolinet 2017-04-20 23:29:41 UTC
@Peter,

To my knowledge it should be a valid setting but I will confirm.
It may be that something new broke that setting.

Comment 5 Peter Ruan 2017-05-03 21:39:14 UTC
Verified that I can run metrics installation with
oc v3.5.5.8

Comment 8 errata-xmlrpc 2017-12-14 21:01:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:3438
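
Added example, not part of the bug report or of openshift-ansible: a pre-flight check of the signer files named in the failing `oadm ca create-server-cert` call (`ca.crt`, `ca.key`, `ca.serial.txt`), so that a missing or invalid CA certificate is reported before any signing step runs. The function name `check_signer` and the use of the `openssl` command-line tool are assumptions of this example.

```shell
#!/bin/sh
# Added example: validate the signer files before `oadm ca create-server-cert`.
# File names are the ones in the failing task; check_signer is a name chosen here.

# check_signer DIR: print one line per problem; return 0 only if the CA
# certificate, key and serial file in DIR are usable for signing.
check_signer() {
    cs_dir=$1
    cs_rc=0

    # All three files must exist and be non-empty.
    for cs_f in ca.crt ca.key ca.serial.txt; do
        if [ ! -s "$cs_dir/$cs_f" ]; then
            echo "missing or empty: $cs_dir/$cs_f"
            cs_rc=1
        fi
    done
    [ "$cs_rc" -eq 0 ] || return 1

    # ca.crt must parse as an X.509 certificate (the condition oadm rejected).
    if ! openssl x509 -in "$cs_dir/ca.crt" -noout 2>/dev/null; then
        echo "not a valid certificate: $cs_dir/ca.crt"
        return 1
    fi

    # An expired CA would sign certificates that clients then refuse.
    if ! openssl x509 -in "$cs_dir/ca.crt" -noout -checkend 0 >/dev/null 2>&1; then
        echo "expired: $cs_dir/ca.crt"
        cs_rc=1
    fi

    # ca.key must be the private key of ca.crt: compare the public keys.
    cs_cert_pub=$(openssl x509 -in "$cs_dir/ca.crt" -noout -pubkey 2>/dev/null) || cs_cert_pub=""
    cs_key_pub=$(openssl pkey -in "$cs_dir/ca.key" -passin pass: -pubout 2>/dev/null) || cs_key_pub=""
    if [ -z "$cs_key_pub" ] || [ "$cs_cert_pub" != "$cs_key_pub" ]; then
        echo "key does not match certificate: $cs_dir/ca.key"
        cs_rc=1
    fi

    return "$cs_rc"
}

# Usage: sh check_signer.sh /tmp/openshift-metrics-ansible-XXXXXX
[ "$#" -eq 0 ] || check_signer "$1"
```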

