Bug 1446745 - [3.3] Redeploy certificates fails with custom openshift_hosted_router_certificate
Summary: [3.3] Redeploy certificates fails with custom openshift_hosted_router_certifi...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.3.1
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
: ---
Assignee: Andrew Butcher
QA Contact: Gaoyun Pei
URL:
Whiteboard:
Depends On: 1446737
Blocks: 1446741
TreeView+ depends on / blocked
 
Reported: 2017-04-28 17:43 UTC by Andrew Butcher
Modified: 2017-05-17 17:40 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1446737
Environment:
Last Closed: 2017-05-17 17:40:38 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:1244 0 normal SHIPPED_LIVE Important: ansible and openshift-ansible security and bug fix update 2017-05-25 21:43:49 UTC

Description Andrew Butcher 2017-04-28 17:43:14 UTC 
+++ This bug was initially created as a clone of Bug #1446737 +++

Description of problem:

Certificate redeployment (redeploy-certificates.yml) fails to redeploy router when a custom router certificate has been provided during install via openshift_hosted_router_certificate.


For example:

openshift_hosted_router_certificate={'certfile': '/home/abutcher/wildcard-flibberty-jibbet.com.crt', 'keyfile': '/home/abutcher/wildcard-flibberty-jibbet.com.key', 'cafile'\
: '/home/abutcher/wildcard-ca.crt'}


Redeployment tasks will complete successfully but the router redeploy will not complete.

TASK [Update router environment variables] *************************************
skipping: [ec2-54-146-165-55.compute-1.amazonaws.com] => {"changed": false, "skip_reason": "Conditional check failed", "skipped": true}

TASK [Delete existing router certificate secret] *******************************
changed: [ec2-54-146-165-55.compute-1.amazonaws.com] => {"changed": true, "cmd": ["oc", "delete", "secret/router-certs", "--config=/tmp/openshift-ansible-dqqYTg/admin.kubeconfig", "-n", "default"], "delta": "0:00:00.503799", "end": "2017-04-14 01:49:38.548672", "rc": 0, "start": "2017-04-14 01:49:38.044873", "stderr": "", "stdout": "secret \"router-certs\" deleted", "stdout_lines": ["secret \"router-certs\" deleted"], "warnings": []}

TASK [Remove router service annotations] ***************************************
changed: [ec2-54-146-165-55.compute-1.amazonaws.com] => {"changed": true, "cmd": ["oc", "annotate", "service/router", "service.alpha.openshift.io/serving-cert-secret-name-", "service.alpha.openshift.io/serving-cert-signed-by-", "--config=/tmp/openshift-ansible-dqqYTg/admin.kubeconfig", "-n", "default"], "delta": "0:00:00.497830", "end": "2017-04-14 01:49:40.743203", "rc": 0, "start": "2017-04-14 01:49:40.245373", "stderr": "", "stdout": "service \"router\" annotated", "stdout_lines": ["service \"router\" annotated"], "warnings": []}

TASK [Add serving-cert-secret annotation to router service] ********************
changed: [ec2-54-146-165-55.compute-1.amazonaws.com] => {"changed": true, "cmd": ["oc", "annotate", "service/router", "service.alpha.openshift.io/serving-cert-secret-name=router-certs", "--config=/tmp/openshift-ansible-dqqYTg/admin.kubeconfig", "-n", "default"], "delta": "0:00:00.517662", "end": "2017-04-14 01:49:42.896729", "rc": 0, "start": "2017-04-14 01:49:42.379067", "stderr": "", "stdout": "service \"router\" annotated", "stdout_lines": ["service \"router\" annotated"], "warnings": []}

TASK [Redeploy router] *********************************************************
changed: [ec2-54-146-165-55.compute-1.amazonaws.com] => {"changed": true, "cmd": ["oc", "deploy", "dc/router", "--latest", "--config=/tmp/openshift-ansible-dqqYTg/admin.kubeconfig", "-n", "default"], "delta": "0:00:00.512418", "end": "2017-04-14 01:49:45.097579", "rc": 0, "start": "2017-04-14 01:49:44.585161", "stderr": "", "stdout": "Started deployment #3", "stdout_lines": ["Started deployment #3"], "warnings": []}


After redeployment the router pod will get stuck in ContainerCreating due to secrets "router-certs" not found.

Version-Release number of selected component (if applicable):
openshift-ansible-3.3.72-1.git.0.d10f480.el7

How reproducible:
Always.

Steps to Reproduce:
1. Deploy a cluster specifying a custom router certificate via openshift_hosted_router_certificate.
2. Redeploy certificates. The router certificates can be targeted directly by running playbooks/byo/openshift-cluster/redeploy-router-certificates.yml

Actual results:
Router pod is not successfully redeployed.

Expected results:
Router pod is successfully redeployed.

Additional info:
Comment 1 Andrew Butcher 2017-05-03 15:28:24 UTC 
https://github.com/openshift/openshift-ansible/pull/4042
Comment 3 Gaoyun Pei 2017-05-04 05:40:05 UTC 
Verify this bug with openshift-ansible-3.3.75-1.git.0.ce1661a.el7.noarch

When custom router certificate provided during install via openshift_hosted_router_certificate, run redeploy cert playbook against the cluster, custom router cert would be retained and router pod was running well.
Comment 5 errata-xmlrpc 2017-05-17 17:40:38 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:1244
Note You need to log in before you can comment on or make changes to this bug.