Bug 1507617 - Etcd should communicate over SSL and be authenticated to
Status: CLOSED ERRATA
Product: OpenShift Container Platform
Classification: Red Hat
Component: Service Broker (Show other bugs)
3.7.0
Unspecified Unspecified
urgent Severity urgent
: ---
: 3.7.0
Assigned To: Shawn Hurley
Jian Zhang
:
: 1504957
Depends On:
Blocks: 1508582 1509366 1509680 1510546
Reported: 2017-10-30 13:53 EDT by Shawn Hurley
Modified: 2017-11-28 17:20 EST (History)
9 users

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-11-28 17:20:29 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:3188 normal SHIPPED_LIVE Moderate: Red Hat OpenShift Container Platform 3.7 security, bug, and enhancement update 2017-11-28 21:34:54 EST

Description Shawn Hurley 2017-10-30 13:53:45 EDT
Description of problem:
The connection of the broker to etcd should be over SSL and have authentication using x509 certs. 

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Start Ansible Broker and notice http:// connection to etcd

Actual results:
http:// connection

Expected results:
https://

Additional info:
Comment 1 Shawn Hurley 2017-11-02 13:38:58 EDT
Fixed with PR: https://github.com/openshift/ansible-service-broker/pull/522
Comment 2 David Zager 2017-11-03 09:29:25 EDT
*** Bug 1504957 has been marked as a duplicate of this bug. ***
Comment 4 openshift-github-bot 2017-11-06 20:01:04 EST
Commits pushed to master at https://github.com/openshift/openshift-ansible

https://github.com/openshift/openshift-ansible/commit/3ee9a2368c1bba68477aacbb4b950eee32939eee
Bug 1507617- Move etcd into its own service/dc with SSL

https://github.com/openshift/openshift-ansible/commit/3d1677e3e2db0cac168e9cdec692506ed86f32d2
Merge pull request #5976 from fabianvf/asb-etcd-certs

Bug 1507617- Move etcd into its own service/dc with SSL
Comment 6 John Matthews 2017-11-07 06:24:28 EST
In regard to comment #5.

1.  In order to use the template to deploy the broker, you also need to generate the required certificates for etcd.  Here is an example of what steps are required:

https://github.com/openshift/ansible-service-broker/blob/master/scripts/run_latest_build.sh#L80-L89


2. For openshift-ansible, this PR adds support for the ansible installer:

https://github.com/openshift/openshift-ansible/pull/5976



Also note that a newer broker image is required to use etcd authentication.
I'd recommend using ansible-service-broker-1.0.18-1.el7 or later
Comment 7 Zhang Cheng 2017-11-07 23:10:55 EST
*** Bug 1510706 has been marked as a duplicate of this bug. ***
Comment 8 Zhang Cheng 2017-11-07 23:16:17 EST
The test code of PR https://github.com/openshift/ansible-service-broker/blob/master/scripts/run_latest_build.sh#L80-L89 caused the ansible-service-catalog install to fail.

Error info:
TASK [ansible_service_broker : set_fact] ***************************************
Wednesday 08 November 2017  01:17:00 +0000 (0:00:00.078)       0:14:21.223 **** 
 [WARNING]: Unable to find '/etc/origin/ansible-service-broker/client.pem' in
expected paths.

fatal: [host-8-241-56.host.centralci.eng.rdu2.redhat.com]: FAILED! => {"failed": true, "msg": "An unhandled exception occurred while running the lookup plugin 'file'. Error was a <class 'ansible.errors.AnsibleError'>, original message: could not locate file in lookup: /etc/origin/ansible-service-broker/client.pem"}
	to retry, use: --limit @/home/slave2/workspace/Launch Environment Flexy/private-openshift-ansible/playbooks/byo/config.retry

This is a block issue.
Comment 10 Jian Zhang 2017-11-08 00:27:56 EST
Additional info for Comment 9:

This test based on the image: brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/openshift3/ose-ansible-service-broker:v3.7.0-0.197.0.0

Its version is 1.0.18.

[root@host-172-16-120-57 ~]# docker run --rm --entrypoint=asbd brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/openshift3/ose-ansible-service-broker:v3.7.0-0.197.0.0 --version
1.0.18
Comment 11 Zhang Cheng 2017-11-08 02:32:41 EST
(In reply to Zhang Cheng from comment #8)
> Test code of PR
> https://github.com/openshift/ansible-service-broker/blob/master/scripts/
> run_latest_build.sh#L80-L89 caused ansible-service-catalog install failed. 
> 
> Error info:
> TASK [ansible_service_broker : set_fact]
> ***************************************
> Wednesday 08 November 2017  01:17:00 +0000 (0:00:00.078)       0:14:21.223
> **** 
>  [WARNING]: Unable to find '/etc/origin/ansible-service-broker/client.pem' in
> expected paths.
> 
> fatal: [host-8-241-56.host.centralci.eng.rdu2.redhat.com]: FAILED! =>
> {"failed": true, "msg": "An unhandled exception occurred while running the
> lookup plugin 'file'. Error was a <class 'ansible.errors.AnsibleError'>,
> original message: could not locate file in lookup:
> /etc/origin/ansible-service-broker/client.pem"}
> 	to retry, use: --limit @/home/slave2/workspace/Launch Environment
> Flexy/private-openshift-ansible/playbooks/byo/config.retry
> 
> This is a block issue.

Sorry, in my comment 8, the related PR should be https://github.com/openshift/openshift-ansible/pull/5976
Comment 12 Shawn Hurley 2017-11-08 08:46:28 EST
Hello, 

I notice that you are attempting to tell the broker in a container to look at the /tmp/cert directory for certs. Did you create a secret with all of that data and mount it at that location?

Please get back ASAP so I can test and reproduce.
Comment 13 Jian Zhang 2017-11-08 09:01:28 EST
@Shawn

Oh, for problem #1, sorry for the mistake; I think I configured a mismatched CA file. I will double-check this point and the template approach.

Please try to solve problem #2; we could not create the cluster using the ansible-installer. Thanks!
Comment 14 Shawn Hurley 2017-11-08 09:57:49 EST
The OpenShift installer should be fixed by the PRs mentioned in this bug: https://bugzilla.redhat.com/show_bug.cgi?id=1510706. I think that bug is already tracking ansible-installer issues.

The run latest script is working, and I cannot reproduce problem #1 in my environment.
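The description, comment 6 and comment 13 together describe what the fix has to achieve: the broker reaches etcd over TLS, etcd verifies the broker's x509 client certificate against its CA, and a certificate issued by some other CA (the mismatched CA file of comment 13) is rejected. The Go program below is an added example written for this page; it is not code from the ansible-service-broker or openshift-ansible projects. It builds a throwaway CA, an etcd-style server certificate and two broker client certificates in memory, starts a loopback TLS listener that requires client certificates the way an authenticated etcd endpoint would, and probes it three times. The function names issue, connect and RunScenarios, the common names and the "ok" greeting are this example's own choices.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"io"
	"math/big"
	"net"
	"time"
)

// issue mints a P-256 key and an X.509 certificate for cn (a constructed, in-memory PKI).
// parent == nil yields a self-signed CA with no EKU, so it can sign both server and client leaves.
func issue(cn string, ekus []x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           ekus,
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")}, // SAN for the loopback listener
		BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, key
	if parent == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, cert, key
}

// connect dials as the broker would and reads the two-byte greeting. A rejected client
// certificate surfaces at the handshake or on this first read (TLS 1.3 clients finish
// their side of the handshake before the server's alert arrives).
func connect(addr string, cfg *tls.Config) error {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return err
	}
	defer conn.Close()
	_, err = io.ReadFull(conn, make([]byte, 2)) // "ok" arrives only if the server accepted our cert
	return err
}

// RunScenarios stands up a loopback TLS listener playing the role of etcd, requiring a client
// certificate signed by the etcd CA, and reports whether each broker configuration is accepted.
func RunScenarios() (map[string]bool, error) {
	_, ca, caKey := issue("etcd-ca", nil, nil, nil)
	serverCert, _, _ := issue("etcd", []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, ca, caKey)
	brokerCert, _, _ := issue("ansible-service-broker", []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, ca, caKey)
	_, otherCA, otherKey := issue("other-ca", nil, nil, nil) // stands in for a mismatched CA file
	strayCert, _, _ := issue("ansible-service-broker", []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, otherCA, otherKey)

	trusted := x509.NewCertPool()
	trusted.AddCert(ca)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // etcd-side x509 authentication of the broker
		ClientCAs:    trusted,
	})
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go func(c net.Conn) { defer c.Close(); c.Write([]byte("ok")) }(c) // Write runs the handshake
		}
	}()

	clientCfg := func(cert *tls.Certificate) *tls.Config {
		cfg := &tls.Config{RootCAs: trusted, ServerName: "127.0.0.1"} // broker trusts only the etcd CA
		if cert != nil {
			cfg.Certificates = []tls.Certificate{*cert}
		}
		return cfg
	}
	addr := ln.Addr().String()
	return map[string]bool{
		"client cert from etcd CA":  connect(addr, clientCfg(&brokerCert)) == nil,
		"no client cert":            connect(addr, clientCfg(nil)) == nil,
		"client cert from other CA": connect(addr, clientCfg(&strayCert)) == nil,
	}, nil
}
```

Only the first scenario succeeds. The second is the plain http:// situation the bug reports, translated to TLS: the transport is encrypted but nothing proves who the client is, so the server refuses. The third reproduces the comment 13 symptom: a certificate that is perfectly valid, just chained to a CA the server does not trust, is refused exactly like no certificate at all, which is why a "mismatched ca file" looks like a broker that cannot connect rather than a clear configuration error.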
Comment 18 errata-xmlrpc 2017-11-28 17:20:29 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:3188
