1655183 – Certificate expiry checks fail when `openshift_is_atomic` is undefined

Bug 1655183 - Certificate expiry checks fail when `openshift_is_atomic` is undefined

Summary: Certificate expiry checks fail when `openshift_is_atomic` is undefined

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Installer
Sub Component:
Version:	3.11.0
Hardware:	Unspecified
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Target Release:	3.11.z
Assignee:	Scott Dodson
QA Contact:	Gaoyun Pei
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	1662992 (view as bug list)
Depends On:
Blocks:	1662730
TreeView+	depends on / blocked

Reported:	2018-11-30 21:37 UTC by Pavel Anni
Modified:	2022-03-13 16:17 UTC (History)
CC List:	19 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	Certain certificate expiry check playbooks did not call properly initialization functions resulting in an error. Those playbooks have been updated to avoid this problem.
Clone Of:
Environment:
Last Closed:	2019-02-20 14:11:02 UTC
Target Upstream Version:

Attachments	(Terms of Use)
openshift-ansible log (7.32 KB, text/plain) 2018-11-30 21:37 UTC, Pavel Anni	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2019:0326	0	None	None	None	2019-02-20 14:11:09 UTC

Internal Links: 1667618

Description Pavel Anni 2018-11-30 21:37:06 UTC

Created attachment 1510275 [details]
openshift-ansible log

Description of problem:

`openshift-checks/certificate_expiry/easy-mode.yaml` playbook and others from `certificate_expiry` fail when `openshift_is_atomic` is undefined. The error message is:
fatal: [master1.c49d.internal]: FAILED! => {"msg": "The conditional check 'not openshift_is_atomic | bool' failed. The error was: error while evaluating conditional (not openshift_is_atomic | bool): 'openshift_is_atomic' is undefined\n\nThe error appears to have been in '/usr/share/ansible/openshift-ansible/roles/openshift_certificate_expiry/tasks/main.yml': line 2, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n---\n- name: Ensure python dateutil library is present\n  ^ here\n"}

for all cluster nodes. The error disappears when I set openshift_is_atomic=true in the inventory file.

Version-Release number of the following components:
rpm -q openshift-ansible
openshift-ansible-3.11.43-1.git.0.fa69a02.el7.noarch
rpm -q ansible
ansible-2.6.7-1.el7ae.noarch
ansible --version
ansible 2.6.7
  config file = /usr/share/ansible/openshift-ansible/ansible.cfg
  configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /bin/ansible
  python version = 2.7.5 (default, Sep 12 2018, 05:31:16) [GCC 4.8.5 20150623 (Red Hat 4.8.5-36)]

How reproducible:

Steps to Reproduce:
1. On the Ansible host (bastion in my case): 
cd /usr/share/ansible/openshift-ansible
2. ansible-playbook playbooks/openshift-checks/certificate_expiry/easy-mode.yaml


Actual results:
Please include the entire output from the last TASK line through the end of output if an error is generated

Error messages (repeated for the number of cluster nodes):
fatal: [master1.c49d.internal]: FAILED! => {"msg": "The conditional check 'not openshift_is_atomic | bool' failed. The error was: error while evaluating conditional (not openshift_is_atomic | bool): 'openshift_is_atomic' is undefined\n\nThe error appears to have been in '/usr/share/ansible/openshift-ansible/roles/openshift_certificate_expiry/tasks/main.yml': line 2, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n---\n- name: Ensure python dateutil library is present\n  ^ here\n"}

The report is not generated.

Expected results:

Certificate expiry report is generated.

Additional info:
Please attach logs from ansible-playbook with the -vvv flag

Comment 4 Scott Dodson 2019-01-03 14:42:55 UTC

*** Bug 1662730 has been marked as a duplicate of this bug. ***

Comment 5 Scott Dodson 2019-01-03 14:43:55 UTC

*** Bug 1662992 has been marked as a duplicate of this bug. ***

Comment 6 Greg Rodriguez II 2019-01-07 18:35:19 UTC

Customer in 3.11 hitting same issue.  They have the following update indicating workaround:

~~~

I should also mention that when I define 'openshift_is_atomic' (set to false) to my (dynamic) ansible inventory I am able to execute the playbook successfully, so for the meantime I have a feasible workaround.

~~~

Comment 7 Daein Park 2019-01-21 02:34:27 UTC

Hi, I've opened the PR which related with this BZ here: https://github.com/openshift/openshift-ansible/pull/11033

Comment 9 Gene Siepka 2019-01-22 15:18:23 UTC

Seeing the same in 3.10. Able to bypass by setting adding "-e openshift_is_atomic=true" on the cmdline of the playbook run.


# rpm -q openshift-ansible
openshift-ansible-3.10.83-1.git.0.12699eb.el7.noarch

# rpm -q ansible
ansible-2.4.6.0-1.el7ae.noarch

Comment 10 Scott Dodson 2019-01-22 15:55:47 UTC

PR Merged, thanks.

Comment 12 Gaoyun Pei 2019-02-11 06:40:26 UTC

Could reproduce this bug with openshift-ansible-3.11.59-1.git.0.ba8e948.el7.noarch.rpm


Fixed in openshift-ansible-3.11.82-1.git.0.f29227a.el7.noarch.rpm

playbooks/openshift-checks/certificate_expiry/easy-mode.yaml could run successfully.

Comment 17 errata-xmlrpc 2019-02-20 14:11:02 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0326

Comment 18 Sascha Tanke 2020-02-13 07:06:28 UTC

Issue seems to appear again at least with openshift-ansible-3.11.157-1.git.0.10b76ed.

Note You need to log in before you can comment on or make changes to this bug.