Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1655183

Summary: Certificate expiry checks fail when `openshift_is_atomic` is undefined
Product: OpenShift Container Platform Reporter: Pavel Anni <panni>
Component: InstallerAssignee: Scott Dodson <sdodson>
Installer sub component: openshift-ansible QA Contact: Gaoyun Pei <gpei>
Status: CLOSED ERRATA Docs Contact:
Severity: high    
Priority: high CC: adeshpan, aos-bugs, arghosh, brandon.williams, dapark, emahoney, gene_siepka, gpei, grodrigu, jokerman, kristian.ejvind, mmccomas, nchavan, rekhan, rkshirsa, sascha.tanke, sdodson, sparpate, steven.barre
Version: 3.11.0   
Target Milestone: ---   
Target Release: 3.11.z   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Certain certificate expiry check playbooks did not call properly initialization functions resulting in an error. Those playbooks have been updated to avoid this problem.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-02-20 14:11:02 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1662730    
Attachments:
Description Flags
openshift-ansible log none

Description Pavel Anni 2018-11-30 21:37:06 UTC 
Created attachment 1510275 [details]
openshift-ansible log

Description of problem:

`openshift-checks/certificate_expiry/easy-mode.yaml` playbook and others from `certificate_expiry` fail when `openshift_is_atomic` is undefined. The error message is:
fatal: [master1.c49d.internal]: FAILED! => {"msg": "The conditional check 'not openshift_is_atomic | bool' failed. The error was: error while evaluating conditional (not openshift_is_atomic | bool): 'openshift_is_atomic' is undefined\n\nThe error appears to have been in '/usr/share/ansible/openshift-ansible/roles/openshift_certificate_expiry/tasks/main.yml': line 2, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n---\n- name: Ensure python dateutil library is present\n  ^ here\n"}

for all cluster nodes. The error disappears when I set openshift_is_atomic=true in the inventory file.

Version-Release number of the following components:
rpm -q openshift-ansible
openshift-ansible-3.11.43-1.git.0.fa69a02.el7.noarch
rpm -q ansible
ansible-2.6.7-1.el7ae.noarch
ansible --version
ansible 2.6.7
  config file = /usr/share/ansible/openshift-ansible/ansible.cfg
  configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /bin/ansible
  python version = 2.7.5 (default, Sep 12 2018, 05:31:16) [GCC 4.8.5 20150623 (Red Hat 4.8.5-36)]

How reproducible:

Steps to Reproduce:
1. On the Ansible host (bastion in my case): 
cd /usr/share/ansible/openshift-ansible
2. ansible-playbook playbooks/openshift-checks/certificate_expiry/easy-mode.yaml


Actual results:
Please include the entire output from the last TASK line through the end of output if an error is generated

Error messages (repeated for the number of cluster nodes):
fatal: [master1.c49d.internal]: FAILED! => {"msg": "The conditional check 'not openshift_is_atomic | bool' failed. The error was: error while evaluating conditional (not openshift_is_atomic | bool): 'openshift_is_atomic' is undefined\n\nThe error appears to have been in '/usr/share/ansible/openshift-ansible/roles/openshift_certificate_expiry/tasks/main.yml': line 2, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n---\n- name: Ensure python dateutil library is present\n  ^ here\n"}

The report is not generated.

Expected results:

Certificate expiry report is generated.

Additional info:
Please attach logs from ansible-playbook with the -vvv flag
Comment 4 Scott Dodson 2019-01-03 14:42:55 UTC 
*** Bug 1662730 has been marked as a duplicate of this bug. ***
Comment 5 Scott Dodson 2019-01-03 14:43:55 UTC 
*** Bug 1662992 has been marked as a duplicate of this bug. ***
Comment 6 Greg Rodriguez II 2019-01-07 18:35:19 UTC 
Customer in 3.11 hitting same issue.  They have the following update indicating workaround:

~~~

I should also mention that when I define 'openshift_is_atomic' (set to false) to my (dynamic) ansible inventory I am able to execute the playbook successfully, so for the meantime I have a feasible workaround.

~~~
Comment 7 Daein Park 2019-01-21 02:34:27 UTC 
Hi, I've opened the PR which related with this BZ here: https://github.com/openshift/openshift-ansible/pull/11033
Comment 9 Gene Siepka 2019-01-22 15:18:23 UTC 
Seeing the same in 3.10. Able to bypass by setting adding "-e openshift_is_atomic=true" on the cmdline of the playbook run.


# rpm -q openshift-ansible
openshift-ansible-3.10.83-1.git.0.12699eb.el7.noarch

# rpm -q ansible
ansible-2.4.6.0-1.el7ae.noarch
Comment 10 Scott Dodson 2019-01-22 15:55:47 UTC 
PR Merged, thanks.
Comment 12 Gaoyun Pei 2019-02-11 06:40:26 UTC 
Could reproduce this bug with openshift-ansible-3.11.59-1.git.0.ba8e948.el7.noarch.rpm


Fixed in openshift-ansible-3.11.82-1.git.0.f29227a.el7.noarch.rpm

playbooks/openshift-checks/certificate_expiry/easy-mode.yaml could run successfully.
Comment 17 errata-xmlrpc 2019-02-20 14:11:02 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0326
Comment 18 Sascha Tanke 2020-02-13 07:06:28 UTC 
Issue seems to appear again at least with openshift-ansible-3.11.157-1.git.0.10b76ed.