Description of problem:
The redeploy-etcd-ca.yml playbook didn't update the ca.crt under the /var/lib/etcd/etcd.etcd/etc directory, which is used by the etcd system container.

Version-Release number of selected component (if applicable):
openshift-ansible-3.6.126.1-1.git.0.41d2313.el7.noarch

How reproducible:
Always

Steps to Reproduce:
1. Set up an ocp-3.6 cluster with the etcd system container used
2. Run the redeploy-etcd-ca.yml playbook to update the ca cert of etcd
   ansible-playbook -i host openshift-ansible/playbooks/byo/openshift-cluster/redeploy-etcd-ca.yml
3. Check the ca.crt used by the etcd system container, /var/lib/etcd/etcd.etcd/etc/ca.crt; it's still the old one.

Actual results:

Expected results:

Additional info:
@Giuseppe Are the etcd certificates copied to /var/lib/etcd/etcd.etcd/etc referenced in any configuration? /etc/etcd/etcd.conf points to the certificates within /etc/etcd/ in my install.

/etc/etcd/etcd.conf:
ETCD_CA_FILE=/etc/etcd/ca.crt
ETCD_CERT_FILE=/etc/etcd/server.crt
ETCD_KEY_FILE=/etc/etcd/server.key
ETCD_PEER_CA_FILE=/etc/etcd/ca.crt
ETCD_PEER_CERT_FILE=/etc/etcd/peer.crt
ETCD_PEER_KEY_FILE=/etc/etcd/peer.key
@Andrew For the etcd system container the files under /etc are not used at all (when we first created the etcd system container we didn't have a nice way to do that; we have new features now, so it will probably be cleaned up later), so for now all the files used by the etcd system container are in /var/lib/etcd/etcd.etcd/etc. I think it is enough to copy the new files to "etcd_system_container_cert_config_dir" when the directory exists, so they are kept in sync in both directories. This is what we already do in roles/etcd_server_certificates/tasks/main.yml.
Thanks. I think we'll want to update etcd_ca to also sync the CA when replaced.
I'd really like to have no differences at all with these files wrt the system container. To do so we need to be able to specify arbitrary mount points in the system container, this is currently blocked on: https://bugzilla.redhat.com/show_bug.cgi?id=1484326 Once we have that feature, we can use exactly the same mount points that are used in the Docker container also in the etcd system container, and we will be able to drop all the custom paths to handle the etcd system container differently.
This looks like it was resolved by: https://github.com/openshift/openshift-ansible/pull/5655 That merged in October.
This bug is targeted for 3.9, while it is attached to a 3.5/3.6/3.7 errata; please attach it to the correct errata.
Verified this bug with openshift-ansible-3.9.0-0.24.0.git.0.735690f.el7.noarch.rpm.

Ran etcd redeploy-ca.yml against an ocp-3.9 cluster which is using the etcd system container:
# ansible-playbook -i host /usr/share/ansible/openshift-ansible/playbooks/openshift-etcd/redeploy-ca.yml

After the playbook finished, the etcd ca cert /etc/etcd/ca.crt was updated as expected.
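The fix discussed above keeps the certificate files in the system container directory in sync with /etc/etcd whenever that directory exists, and verification has to look at both copies of ca.crt, since the report is specifically about the copy under /var/lib/etcd/etcd.etcd/etc. The script below is an added example, not code from this bug report or from openshift-ansible; it assumes the two paths named in the thread as defaults and uses the file list from the etcd.conf quoted above.

```sh
#!/bin/sh
# Added example (not part of the bug report or openshift-ansible): sync the
# etcd certificate files into the system container directory, then verify
# that both copies of ca.crt are identical after a CA redeploy.

# Defaults taken from the paths named in this report; override via env.
ETCD_CONF_DIR="${ETCD_CONF_DIR:-/etc/etcd}"
ETCD_SYSC_DIR="${ETCD_SYSC_DIR:-/var/lib/etcd/etcd.etcd/etc}"

# SHA-256 of a file, or "missing" when the file is absent.
ca_fingerprint() {
    if [ -f "$1" ]; then
        sha256sum "$1" | cut -d' ' -f1
    else
        echo missing
    fi
}

# Copy the certificate files from $1 into $2, but only when $2 already
# exists: a host without the system container must not get the directory
# created. Mirrors the "copy when the directory exists" approach above.
sync_etcd_certs() {
    src="$1"; dst="$2"
    [ -d "$dst" ] || return 0   # no system container here: nothing to do
    for f in ca.crt server.crt server.key peer.crt peer.key; do
        if [ -f "$src/$f" ]; then
            cp -p "$src/$f" "$dst/$f"
        fi
    done
    return 0
}

# Exit status 0 when both ca.crt copies are byte-identical, 1 on mismatch
# (the situation this bug describes), 2 when the system container copy is
# absent altogether.
check_ca_in_sync() {
    a=$(ca_fingerprint "$1/ca.crt")
    b=$(ca_fingerprint "$2/ca.crt")
    if [ "$b" = missing ]; then
        return 2
    fi
    [ "$a" = "$b" ]
}

# Run as "sh sync-etcd-ca.sh --run" on an etcd host after the redeploy.
if [ "${1:-}" = "--run" ]; then
    sync_etcd_certs "$ETCD_CONF_DIR" "$ETCD_SYSC_DIR"
    if check_ca_in_sync "$ETCD_CONF_DIR" "$ETCD_SYSC_DIR"; then
        echo "ca.crt in sync: $(ca_fingerprint "$ETCD_CONF_DIR/ca.crt")"
    else
        rc=$?
        echo "ca.crt NOT in sync (status $rc):"
        echo "  $ETCD_CONF_DIR/ca.crt  $(ca_fingerprint "$ETCD_CONF_DIR/ca.crt")"
        echo "  $ETCD_SYSC_DIR/ca.crt  $(ca_fingerprint "$ETCD_SYSC_DIR/ca.crt")"
        exit "$rc"
    fi
fi
```

The check is deliberately a byte comparison rather than a certificate-subject comparison: after a CA redeploy the subject of the new CA can be identical to the old one, so only the fingerprint reliably tells the two apart.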
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0489