Bug 1460972 - [3.2] Redeploy CA will try to restart services when certs are expired, causing failure.
[3.2] Redeploy CA will try to restart services when certs are expired, causin...
Status: CLOSED ERRATA
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer (Show other bugs)
3.2.1
Unspecified Unspecified
medium Severity medium
: ---
: 3.2.1
Assigned To: Andrew Butcher
Gaoyun Pei
:
Depends On: 1452367 1463775
Blocks:
  Show dependency treegraph
 
Reported: 2017-06-13 05:37 EDT by Gaoyun Pei
Modified: 2017-06-29 09:33 EDT (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1452367
Environment:
Last Closed: 2017-06-29 09:33:14 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:1666 normal SHIPPED_LIVE OpenShift Container Platform atomic-openshift-utils bug fix and enhancement 2017-06-29 13:32:39 EDT

  None (edit)
Comment 3 Gaoyun Pei 2017-06-15 05:19:38 EDT
Test with openshift-ansible-3.2.58-1.git.0.f2dce3a.el7, redeploy CA playbook failed as:

PLAY [Validate configuration for rolling restart] ******************************

TASK [setup] *******************************************************************
fatal: [ec2-54-174-141-248.compute-1.amazonaws.com]: FAILED! => {"failed": true, "msg": "The conditional check '('expired' not in hostvars | oo_select_keys(groups['oo_masters_to_config']) | oo_collect('check_results.check_results.ocp_certs') | oo_collect('health', {'path':hostvars[groups.oo_first_master.0].openshift.common.config_base ~ \"/master/master.server.crt\"})) and ('expired' not in hostvars | oo_select_keys(groups['oo_masters_to_config']) | oo_collect('check_results.check_results.ocp_certs') | oo_collect('health', {'path':hostvars[groups.oo_first_master.0].openshift.common.config_base ~ \"/master/ca-bundle.crt\"}))' failed. The error was: 'list' object has no attribute 'get'"}
	to retry, use: --limit @/root/work/redeploy_cert/openshift-ansible/playbooks/byo/openshift-cluster/redeploy-openshift-ca.retry
Comment 7 Gaoyun Pei 2017-06-27 03:14:01 EDT
Test with openshift-ansible-3.2.60-1.git.0.f082225.el7.noarch

When openshift certs expired, run openshift CA cert redeployment playbook
ansible-playbook -i host /usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/redeploy-openshift-ca.yml

Redeploy openshift CA playbook will skip restart master/node service since expired cert detected.

For redeploy etcd CA playbook, it's blocked by BZ#1463775 now, will verify it once BZ#1463775 fixed
Comment 8 Gaoyun Pei 2017-06-28 02:15:01 EDT
Verify this bug with openshift-ansible-3.2.61-1.git.0.4bf0fd2.el7.noarch

When openshift certs expired, redeploy openshift CA cert
ansible-playbook -i host /usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/redeploy-openshift-ca.yml
Redeploy openshift CA playbook will update openshift CA cert and skip restart master/node service since expired cert detected. 

Redeploy etcd CA cert
ansible-playbook -i host /usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/redeploy-etcd-ca.yml
Redeploy openshift CA playbook will update etcd CA cert and skip restart etcd/master service since expired cert detected. 

Redeploy openshift certs next:
ansible-playbook -i host /usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/redeploy-certificates.yml
This playbook will generate new certs and restart etcd/master/docker/node service.

Then all the certs were replaced by new certs, ocp env works well again.
Comment 10 errata-xmlrpc 2017-06-29 09:33:14 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1666

Note You need to log in before you can comment on or make changes to this bug.