Description of problem: Run redeploy-openshift-ca.yml playbook against an ocp-3.10 cluster, playbook failed as below: TASK [Update node client kubeconfig CA data] ******************************************************************************************************************************** fatal: [ec2-34-207-246-134.compute-1.amazonaws.com]: FAILED! => {"changed": false, "failed": true, "msg": "[Errno 2] No such file or directory: '/etc/origin/node/system:node:ip-172-18-0-157.ec2.internal.kubeconfig'"} fatal: [ec2-52-90-247-129.compute-1.amazonaws.com]: FAILED! => {"changed": false, "failed": true, "msg": "[Errno 2] No such file or directory: '/etc/origin/node/system:node:ip-172-18-11-10.ec2.internal.kubeconfig'"} Version-Release number of the following components: openshift-ansible-3.10.0-0.58.0.git.0.d8f6377.el7.noarch How reproducible: Always Steps to Reproduce: ansible-playbook -i host/310 -v /usr/share/ansible/openshift-ansible/playbooks/openshift-master/redeploy-openshift-ca.yml Actual results: Ansible inventory file and full log with "-v" could be found in attachment. Expected results: Additional info:
Created attachment 1449529 [details] redeploy-openshift-ca.yml -v [agd@folio13 openshift-ansible]$ git describe openshift-ansible-3.10.0-0.63.0-60-g7b4160215 [agd@folio13 openshift-ansible]$ ansible-playbook --version | head -n1 ansible-playbook 2.5.3
Same bug bit me. Blocks updating my learning.redhat.com online class. rpm -qa | grep openshift openshift-ansible-playbooks-3.10.21-1.git.0.6446011.el7.noarch atomic-openshift-clients-3.10.14-1.git.0.ba8ae6d.el7.x86_64 openshift-ansible-roles-3.10.21-1.git.0.6446011.el7.noarch atomic-openshift-3.10.14-1.git.0.ba8ae6d.el7.x86_64 openshift-ansible-3.10.21-1.git.0.6446011.el7.noarch openshift-ansible-docs-3.10.21-1.git.0.6446011.el7.noarch
Fix. https://github.com/openshift/openshift-ansible/pull/9958
The PR 9958 has been merged to penshift-ansible-3.11.0-0.33.0
Waiting for openshift-ansible 3.11.0-0.33.0 build
Tested with openshift-ansible-3.11.0-0.33.0.git.0.9052676. The CA redeployment playbook could run without such error. But I see installer is still doing some outdated steps in https://github.com/newgoliath/openshift-ansible/blob/master/playbooks/openshift-master/private/redeploy-openshift-ca.yml#L230 The CA file used in servingInfo.clientCA is client-ca.crt per node-config.yaml, no {{ openshift.common.config_base }}/node/ca.crt file generated in an ocp-3.10+ fresh installation. So the result is client-ca.crt didn't get updated, but a useless ca.crt was copied to each node. Pls correct me if anything missed. Thanks.
master: https://github.com/openshift/openshift-ansible/pull/10034
https://github.com/openshift/openshift-ansible/pull/10041 release-3.11
openshift-ansible-3.11.2-1
Verify this bug with openshift-ansible-3.11.5-1.git.0.5a01a3c.el7_5.noarch After run openshift CA redeployment playbook On master: /etc/origin/master/ca.crt updated to a new CA cert file, the new CA added into ca-bundle.crt and client-ca-bundle.crt, CA data of admin.kubeconfig and openshift-master.kubeconfig got updated with new ca-bundle.crt content. On nodes: ca-bundle.crt copied to each node as the new /etc/origin/node/client-ca.crt, CA data of node.kubeconfig got updated with new ca-bundle.crt content. Master and node service are all running well and app's creation test passed.
Closing bugs that were verified and targeted for GA but for some reason were not picked up by errata. This bug fix should be present in current 3.11 release content.