Bug 1510546 - ASB fails to install after recent etcd cert changes
Summary: ASB fails to install after recent etcd cert changes
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Service Broker
Version: 3.7.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Target Release: 3.7.0
Assignee: Fabian von Feilitzsch
QA Contact: Zhang Cheng
Depends On: 1507617
Reported: 2017-11-07 16:19 UTC by Scott Dodson
Modified: 2017-11-28 08:28 UTC

Last Closed: 2017-11-10 21:00:44 UTC

Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2017:3188 | 0 | normal | SHIPPED_LIVE | Moderate: Red Hat OpenShift Container Platform 3.7 security, bug, and enhancement update | 2017-11-29 02:34:54 UTC

Description Scott Dodson 2017-11-07 16:19:53 UTC
As observed here https://openshift-gce-devel.appspot.com/build/origin-ci-test/pr-logs/pull/openshift_openshift-ansible/6020/test_pull_request_openshift_ansible_logging/2989/


TASK [ansible_service_broker : Create ansible-service-broker cert directory] ***
task path: /usr/share/ansible/openshift-ansible/roles/ansible_service_broker/tasks/generate_certs.yml:5
changed: [localhost] => {
    "changed": true, 
    "generated_timestamp": "2017-11-07 01:25:35.652120", 
    "gid": 0, 
    "group": "root", 
    "mode": "0755", 
    "owner": "root", 
    "path": "/etc/origin/ansible-service-broker", 
    "secontext": "unconfined_u:object_r:etc_t:s0", 
    "size": 6, 
    "state": "directory", 
    "uid": 0
}

TASK [ansible_service_broker : set_fact] ***************************************
task path: /usr/share/ansible/openshift-ansible/roles/ansible_service_broker/tasks/generate_certs.yml:12
ok: [localhost] => {
    "ansible_facts": {
        "ansible_service_broker_certs_dir": "/etc/origin/ansible-service-broker"
    }, 
    "changed": false, 
    "generated_timestamp": "2017-11-07 01:25:35.715983"
}

TASK [ansible_service_broker : Create self signing ca cert] ********************
task path: /usr/share/ansible/openshift-ansible/roles/ansible_service_broker/tasks/generate_certs.yml:15
skipping: [localhost] => {
    "changed": false, 
    "generated_timestamp": "2017-11-07 01:25:35.757315", 
    "skip_reason": "Conditional result was False", 
    "skipped": true
}

TASK [ansible_service_broker : Create self signed client cert] *****************
task path: /usr/share/ansible/openshift-ansible/roles/ansible_service_broker/tasks/generate_certs.yml:20
skipping: [localhost] => (item={u'creates': u'/etc/origin/ansible-service-broker/client.key', u'cmd': u'openssl genrsa -out /etc/origin/ansible-service-broker/client.key 2048'})  => {
    "changed": false, 
    "generated_timestamp": "2017-11-07 01:25:35.820102", 
    "item": {
        "cmd": "openssl genrsa -out /etc/origin/ansible-service-broker/client.key 2048", 
        "creates": "/etc/origin/ansible-service-broker/client.key"
    }, 
    "skip_reason": "Conditional result was False", 
    "skipped": true
}
skipping: [localhost] => (item={u'creates': u'/etc/origin/ansible-service-broker/client.csr', u'cmd': u'openssl req -new -key /etc/origin/ansible-service-broker/client.key -out /etc/origin/ansible-service-broker/client.csr -subj "/CN=client"'})  => {
    "changed": false, 
    "generated_timestamp": "2017-11-07 01:25:35.849113", 
    "item": {
        "cmd": "openssl req -new -key /etc/origin/ansible-service-broker/client.key -out /etc/origin/ansible-service-broker/client.csr -subj \"/CN=client\"", 
        "creates": "/etc/origin/ansible-service-broker/client.csr"
    }, 
    "skip_reason": "Conditional result was False", 
    "skipped": true
}
skipping: [localhost] => (item={u'creates': u'/etc/origin/ansible-service-broker/client.pem', u'cmd': u'openssl x509 -req -in /etc/origin/ansible-service-broker/client.csr -CA /etc/origin/ansible-service-broker/cert.pem -CAkey /etc/origin/ansible-service-broker/key.pem -CAcreateserial -out /etc/origin/ansible-service-broker/client.pem -days 1024'})  => {
    "changed": false, 
    "generated_timestamp": "2017-11-07 01:25:35.862847", 
    "item": {
        "cmd": "openssl x509 -req -in /etc/origin/ansible-service-broker/client.csr -CA /etc/origin/ansible-service-broker/cert.pem -CAkey /etc/origin/ansible-service-broker/key.pem -CAcreateserial -out /etc/origin/ansible-service-broker/client.pem -days 1024", 
        "creates": "/etc/origin/ansible-service-broker/client.pem"
    }, 
    "skip_reason": "Conditional result was False", 
    "skipped": true
}

TASK [ansible_service_broker : set_fact] ***************************************
task path: /usr/share/ansible/openshift-ansible/roles/ansible_service_broker/tasks/generate_certs.yml:32
 [WARNING]: Unable to find '/etc/origin/ansible-service-broker/client.pem' in
expected paths.
fatal: [localhost]: FAILED! => {
    "failed": true, 
    "generated_timestamp": "2017-11-07 01:25:35.904435", 
    "msg": "An unhandled exception occurred while running the lookup plugin 'file'. Error was a <class 'ansible.errors.AnsibleError'>, original message: could not locate file in lookup: /etc/origin/ansible-service-broker/client.pem"
}
 [WARNING]: Could not create retry file '/usr/share/ansible/openshift-
ansible/playbooks/byo/config.retry'.         [Errno 13] Permission denied:
u'/usr/share/ansible/openshift-ansible/playbooks/byo/config.retry'

PLAY RECAP *********************************************************************
localhost                  : ok=579  changed=214  unreachable=0    failed=1   


INSTALLER STATUS ***************************************************************
Initialization             : Complete
Health Check               : Complete
etcd Install               : Complete
Master Install             : Complete
Master Additional Install  : Complete
Node Install               : Complete
Hosted Install             : Complete
Service Catalog Install    : In Progress
	This phase can be restarted by running: playbooks/byo/openshift-cluster/service-catalog.yml
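
A triage helper for the failure pattern in the log above, added here as an example (not code from the bug report or from openshift-ansible): it flags a failed `file` lookup whose target path is the `creates` output of a task item that was skipped earlier in the same run. The function name `correlate` and the condensed sample log are constructed for illustration.

```python
import re

# Constructed sample, condensed from the Ansible output quoted in the description.
SAMPLE_LOG = """\
TASK [ansible_service_broker : Create self signed client cert] ***
skipping: [localhost] => (item={u'creates': u'/etc/origin/ansible-service-broker/client.key', u'cmd': u'openssl genrsa -out /etc/origin/ansible-service-broker/client.key 2048'})  => {
    "skip_reason": "Conditional result was False",
    "skipped": true
}
skipping: [localhost] => (item={u'creates': u'/etc/origin/ansible-service-broker/client.pem', u'cmd': u'openssl x509 -req -in /etc/origin/ansible-service-broker/client.csr -CA /etc/origin/ansible-service-broker/cert.pem -CAkey /etc/origin/ansible-service-broker/key.pem -CAcreateserial -out /etc/origin/ansible-service-broker/client.pem -days 1024'})  => {
    "skip_reason": "Conditional result was False",
    "skipped": true
}
TASK [ansible_service_broker : set_fact] ***
fatal: [localhost]: FAILED! => {
    "msg": "An unhandled exception occurred while running the lookup plugin 'file'. Error was a <class 'ansible.errors.AnsibleError'>, original message: could not locate file in lookup: /etc/origin/ansible-service-broker/client.pem"
}
"""

TASK_RE = re.compile(r"^TASK \[(?P<name>[^\]]+)\]")
SKIP_RE = re.compile(r"^skipping: \[[^\]]+\].*?u?'creates': u?'(?P<path>[^']+)'")
MISSING_RE = re.compile(r'could not locate file in lookup: (?P<path>[^\s"]+)')


def correlate(log_text):
    """Return one finding per failed file lookup; 'skipped_by' names the task
    whose skipped item would have created the missing file, or None."""
    skipped = {}    # path -> task whose skipped item declares it in 'creates'
    findings = []
    task = None     # most recent TASK header seen
    for line in log_text.splitlines():
        m = TASK_RE.match(line)
        if m:
            task = m.group("name")
            continue
        m = SKIP_RE.match(line)
        if m:
            skipped.setdefault(m.group("path"), task)
            continue
        m = MISSING_RE.search(line)
        if m:
            path = m.group("path")
            findings.append({"failed_task": task, "missing": path,
                             "skipped_by": skipped.get(path)})
    return findings

if __name__ == "__main__":
    for finding in correlate(SAMPLE_LOG):
        print(finding)
```

A finding with a non-empty `skipped_by` means the generating task and the consuming task are gated by different conditions, which is the mismatch visible in this run.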

Comment 1 Fabian von Feilitzsch 2017-11-07 16:30:22 UTC
https://github.com/openshift/openshift-ansible/pull/6044

Comment 2 openshift-github-bot 2017-11-07 20:05:42 UTC
Commits pushed to master at https://github.com/openshift/openshift-ansible

https://github.com/openshift/openshift-ansible/commit/9b68df39eb020eb771abe645f48a324de6c8708b
Bug 1510546- Fix previous fix, task was indented one level too deep

https://github.com/openshift/openshift-ansible/commit/80fdf0d5a4215ad57388dfec9634685502d581af
Merge pull request #6048 from fabianvf/1510546-asb-fix-cert-indent

Bug 1510546- Fix previous fix, task was indented one level too deep

Comment 4 Zhang Cheng 2017-11-08 06:59:40 UTC
ansible-service-broker deploy failed while using openshift-ansible with latest build openshift-ansible-3.7.0-0.197.0

Refer to bug: https://bugzilla.redhat.com/show_bug.cgi?id=1507617

Comment 5 Zhang Cheng 2017-11-09 02:45:13 UTC
Retested and verified with openshift-ansible-3.7.4-1
svc-catalog and asb can be deployed successfully.

