Bug 1510546 – ASB fails to install after recent etcd cert changes

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1510546 - ASB fails to install after recent etcd cert changes

Summary:	ASB fails to install after recent etcd cert changes

Status:	CLOSED CURRENTRELEASE

Aliases:	None

Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Service Broker (Show other bugs)
Sub Component:
Version:	3.7.0
Hardware:	Unspecified Unspecified

Priority	unspecified Severity unspecified
Target Milestone:	---
Target Release:	3.7.0
Assigned To:	Fabian von Feilitzsch
QA Contact:	Zhang Cheng
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:	1507617
Blocks:
	Show dependency tree / graph

Reported:	2017-11-07 11:19 EST by Scott Dodson
Modified:	2017-11-28 03:28 EST (History)
CC List:	3 users (show)

See Also:
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2017-11-10 16:00:44 EST
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2017:3188	normal	SHIPPED_LIVE	Moderate: Red Hat OpenShift Container Platform 3.7 security, bug, and enhancement update	2017-11-28 21:34:54 EST

Groups: None (edit)

Description Scott Dodson 2017-11-07 11:19:53 EST

As observed here https://openshift-gce-devel.appspot.com/build/origin-ci-test/pr-logs/pull/openshift_openshift-ansible/6020/test_pull_request_openshift_ansible_logging/2989/


TASK [ansible_service_broker : Create ansible-service-broker cert directory] ***
task path: /usr/share/ansible/openshift-ansible/roles/ansible_service_broker/tasks/generate_certs.yml:5
changed: [localhost] => {
    "changed": true, 
    "generated_timestamp": "2017-11-07 01:25:35.652120", 
    "gid": 0, 
    "group": "root", 
    "mode": "0755", 
    "owner": "root", 
    "path": "/etc/origin/ansible-service-broker", 
    "secontext": "unconfined_u:object_r:etc_t:s0", 
    "size": 6, 
    "state": "directory", 
    "uid": 0
}

TASK [ansible_service_broker : set_fact] ***************************************
task path: /usr/share/ansible/openshift-ansible/roles/ansible_service_broker/tasks/generate_certs.yml:12
ok: [localhost] => {
    "ansible_facts": {
        "ansible_service_broker_certs_dir": "/etc/origin/ansible-service-broker"
    }, 
    "changed": false, 
    "generated_timestamp": "2017-11-07 01:25:35.715983"
}

TASK [ansible_service_broker : Create self signing ca cert] ********************
task path: /usr/share/ansible/openshift-ansible/roles/ansible_service_broker/tasks/generate_certs.yml:15
skipping: [localhost] => {
    "changed": false, 
    "generated_timestamp": "2017-11-07 01:25:35.757315", 
    "skip_reason": "Conditional result was False", 
    "skipped": true
}

TASK [ansible_service_broker : Create self signed client cert] *****************
task path: /usr/share/ansible/openshift-ansible/roles/ansible_service_broker/tasks/generate_certs.yml:20
skipping: [localhost] => (item={u'creates': u'/etc/origin/ansible-service-broker/client.key', u'cmd': u'openssl genrsa -out /etc/origin/ansible-service-broker/client.key 2048'})  => {
    "changed": false, 
    "generated_timestamp": "2017-11-07 01:25:35.820102", 
    "item": {
        "cmd": "openssl genrsa -out /etc/origin/ansible-service-broker/client.key 2048", 
        "creates": "/etc/origin/ansible-service-broker/client.key"
    }, 
    "skip_reason": "Conditional result was False", 
    "skipped": true
}
skipping: [localhost] => (item={u'creates': u'/etc/origin/ansible-service-broker/client.csr', u'cmd': u'openssl req -new -key /etc/origin/ansible-service-broker/client.key -out /etc/origin/ansible-service-broker/client.csr -subj "/CN=client"'})  => {
    "changed": false, 
    "generated_timestamp": "2017-11-07 01:25:35.849113", 
    "item": {
        "cmd": "openssl req -new -key /etc/origin/ansible-service-broker/client.key -out /etc/origin/ansible-service-broker/client.csr -subj \"/CN=client\"", 
        "creates": "/etc/origin/ansible-service-broker/client.csr"
    }, 
    "skip_reason": "Conditional result was False", 
    "skipped": true
}
skipping: [localhost] => (item={u'creates': u'/etc/origin/ansible-service-broker/client.pem', u'cmd': u'openssl x509 -req -in /etc/origin/ansible-service-broker/client.csr -CA /etc/origin/ansible-service-broker/cert.pem -CAkey /etc/origin/ansible-service-broker/key.pem -CAcreateserial -out /etc/origin/ansible-service-broker/client.pem -days 1024'})  => {
    "changed": false, 
    "generated_timestamp": "2017-11-07 01:25:35.862847", 
    "item": {
        "cmd": "openssl x509 -req -in /etc/origin/ansible-service-broker/client.csr -CA /etc/origin/ansible-service-broker/cert.pem -CAkey /etc/origin/ansible-service-broker/key.pem -CAcreateserial -out /etc/origin/ansible-service-broker/client.pem -days 1024", 
        "creates": "/etc/origin/ansible-service-broker/client.pem"
    }, 
    "skip_reason": "Conditional result was False", 
    "skipped": true
}

TASK [ansible_service_broker : set_fact] ***************************************
task path: /usr/share/ansible/openshift-ansible/roles/ansible_service_broker/tasks/generate_certs.yml:32
 [WARNING]: Unable to find '/etc/origin/ansible-service-broker/client.pem' in
expected paths.
fatal: [localhost]: FAILED! => {
    "failed": true, 
    "generated_timestamp": "2017-11-07 01:25:35.904435", 
    "msg": "An unhandled exception occurred while running the lookup plugin 'file'. Error was a <class 'ansible.errors.AnsibleError'>, original message: could not locate file in lookup: /etc/origin/ansible-service-broker/client.pem"
}
 [WARNING]: Could not create retry file '/usr/share/ansible/openshift-
ansible/playbooks/byo/config.retry'.         [Errno 13] Permission denied:
u'/usr/share/ansible/openshift-ansible/playbooks/byo/config.retry'

PLAY RECAP *********************************************************************
localhost                  : ok=579  changed=214  unreachable=0    failed=1   


INSTALLER STATUS ***************************************************************
Initialization             : Complete
Health Check               : Complete
etcd Install               : Complete
Master Install             : Complete
Master Additional Install  : Complete
Node Install               : Complete
Hosted Install             : Complete
Service Catalog Install    : In Progress
	This phase can be restarted by running: playbooks/byo/openshift-cluster/service-catalog.yml

Comment 1 Fabian von Feilitzsch 2017-11-07 11:30:22 EST

https://github.com/openshift/openshift-ansible/pull/6044

Comment 2 openshift-github-bot 2017-11-07 15:05:42 EST

Commits pushed to master at https://github.com/openshift/openshift-ansible

https://github.com/openshift/openshift-ansible/commit/9b68df39eb020eb771abe645f48a324de6c8708b
Bug 1510546- Fix previous fix, task was indented one level too deep

https://github.com/openshift/openshift-ansible/commit/80fdf0d5a4215ad57388dfec9634685502d581af
Merge pull request #6048 from fabianvf/1510546-asb-fix-cert-indent

Bug 1510546- Fix previous fix, task was indented one level too deep

Comment 4 Zhang Cheng 2017-11-08 01:59:40 EST

ansible-service-broker deploy failed while using openshift-ansible with latest build openshift-ansible-3.7.0-0.197.0

Refer to bug: https://bugzilla.redhat.com/show_bug.cgi?id=1507617

Comment 5 Zhang Cheng 2017-11-08 21:45:13 EST

Retested and verified with openshift-ansible-3.7.4-1
svc-catalog and asb can be deployed succeed.

Note You need to log in before you can comment on or make changes to this bug.