This service will be undergoing maintenance at 00:00 UTC, 2017-10-23 It is expected to last about 30 minutes
Bug 1460971 - [3.3] Redeploy CA will try to restart services when certs are expired, causing failure.
[3.3] Redeploy CA will try to restart services when certs are expired, causin...
Status: CLOSED ERRATA
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer (Show other bugs)
3.3.1
Unspecified Unspecified
medium Severity medium
: ---
: 3.3.1
Assigned To: Andrew Butcher
Gaoyun Pei
:
Depends On: 1452367
Blocks:
  Show dependency treegraph
 
Reported: 2017-06-13 05:37 EDT by Gaoyun Pei
Modified: 2017-06-29 09:33 EDT (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1452367
Environment:
Last Closed: 2017-06-29 09:33:14 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Comment 3 Gaoyun Pei 2017-06-15 05:19:44 EDT
Test with openshift-ansible-3.3.91-1.git.0.b0e1696.el7.noarch, redeploy CA playbook failed as:

PLAY [Validate configuration for rolling restart] ******************************

TASK [setup] *******************************************************************
fatal: [ec2-54-84-99-242.compute-1.amazonaws.com]: FAILED! => {
    "failed": true
}

MSG:

The conditional check '('expired' not in hostvars | oo_select_keys(groups['oo_masters_to_config']) | oo_collect('check_results.check_results.ocp_certs') | oo_collect('health', {'path':hostvars[groups.oo_first_master.0].openshift.common.config_base ~ "/master/master.server.crt"})) and ('expired' not in hostvars | oo_select_keys(groups['oo_masters_to_config']) | oo_collect('check_results.check_results.ocp_certs') | oo_collect('health', {'path':hostvars[groups.oo_first_master.0].openshift.common.config_base ~ "/master/ca-bundle.crt"}))' failed. The error was: 'list' object has no attribute 'get'
	to retry, use: --limit @/usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/redeploy-openshift-ca.retry
Comment 7 Gaoyun Pei 2017-06-27 04:21:09 EDT
Test with openshift-ansible-3.3.100-1.git.0.5fe2079.el7.noarch

When openshift certs expired, run openshift CA cert redeployment playbook
ansible-playbook -i host /usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/redeploy-openshift-ca.yml

Redeploy openshift CA playbook will skip restart master/node service since expired cert detected.

For redeploy etcd CA playbook, it's blocked by BZ#1463774 now, will verify it once BZ#1463774 fixed
Comment 8 Gaoyun Pei 2017-06-27 23:29:09 EDT
Verify this bug with openshift-ansible-3.3.102-1.git.0.7983529.el7.noarch

When openshift certs expired, redeploy openshift CA cert
ansible-playbook -i host /usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/redeploy-openshift-ca.yml
Redeploy openshift CA playbook will update openshift CA cert and skip restart master/node service since expired cert detected. 

Redeploy etcd CA cert
ansible-playbook -i host /usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/redeploy-etcd-ca.yml
Redeploy openshift CA playbook will update etcd CA cert and skip restart etcd/master service since expired cert detected. 

Redeploy openshift certs next:
ansible-playbook -i host /usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/redeploy-certificates.yml
This playbook will generate new certs and restart etcd/master/docker/node service.

Then all the certs were replaced by new certs, ocp env works well again.
Comment 10 errata-xmlrpc 2017-06-29 09:33:14 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1666

Note You need to log in before you can comment on or make changes to this bug.