Bug 1460971
| Summary: | [3.3] Redeploy CA will try to restart services when certs are expired, causing failure. |
|---|---|
| Product: | OpenShift Container Platform |
| Component: | Installer |
| Status: | CLOSED ERRATA |
| Severity: | medium |
| Priority: | medium |
| Version: | 3.3.1 |
| Target Release: | 3.3.1 |
| Hardware: | Unspecified |
| OS: | Unspecified |
| Reporter: | Gaoyun Pei <gpei> |
| Assignee: | Andrew Butcher <abutcher> |
| QA Contact: | Gaoyun Pei <gpei> |
| CC: | abutcher, aos-bugs, jokerman, mmccomas, rhowe, smunilla |
| Type: | Bug |
| Clone Of: | 1452367 |
| Bug Depends On: | 1452367 |
| Last Closed: | 2017-06-29 13:33:14 UTC |

Comment 1
Scott Dodson
2017-06-14 01:52:58 UTC
Test with openshift-ansible-3.3.91-1.git.0.b0e1696.el7.noarch, redeploy CA playbook failed as:
PLAY [Validate configuration for rolling restart] ******************************
TASK [setup] *******************************************************************
fatal: [ec2-54-84-99-242.compute-1.amazonaws.com]: FAILED! => {
"failed": true
}
MSG:
The conditional check '('expired' not in hostvars | oo_select_keys(groups['oo_masters_to_config']) | oo_collect('check_results.check_results.ocp_certs') | oo_collect('health', {'path':hostvars[groups.oo_first_master.0].openshift.common.config_base ~ "/master/master.server.crt"})) and ('expired' not in hostvars | oo_select_keys(groups['oo_masters_to_config']) | oo_collect('check_results.check_results.ocp_certs') | oo_collect('health', {'path':hostvars[groups.oo_first_master.0].openshift.common.config_base ~ "/master/ca-bundle.crt"}))' failed. The error was: 'list' object has no attribute 'get'
to retry, use: --limit @/usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/redeploy-openshift-ca.retry

Test with openshift-ansible-3.3.100-1.git.0.5fe2079.el7.noarch

When openshift certs expired, run openshift CA cert redeployment playbook
ansible-playbook -i host /usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/redeploy-openshift-ca.yml
Redeploy openshift CA playbook will skip restart master/node service since expired cert detected.

For redeploy etcd CA playbook, it's blocked by BZ#1463774 now, will verify it once BZ#1463774 fixed

Verify this bug with openshift-ansible-3.3.102-1.git.0.7983529.el7.noarch

When openshift certs expired, redeploy openshift CA cert
ansible-playbook -i host /usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/redeploy-openshift-ca.yml
Redeploy openshift CA playbook will update openshift CA cert and skip restart master/node service since expired cert detected.

Redeploy etcd CA cert
ansible-playbook -i host /usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/redeploy-etcd-ca.yml
Redeploy openshift CA playbook will update etcd CA cert and skip restart etcd/master service since expired cert detected.

Redeploy openshift certs next:
ansible-playbook -i host /usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/redeploy-certificates.yml
This playbook will generate new certs and restart etcd/master/docker/node service.

Then all the certs were replaced by new certs, ocp env works well again.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1666