Bug 1667063 - After running redeploy-certificates.yml playbook in OCP 3.11 webconsole stop working
Summary: After running redeploy-certificates.yml playbook in OCP 3.11 webconsole stop ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.11.0
Hardware: x86_64
OS: Linux
medium
medium
Target Milestone: ---
: 3.11.z
Assignee: Vadim Rutkovsky
QA Contact: Yanping Zhang
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-01-17 11:03 UTC by Manikandan Somasundaram
Modified: 2019-08-23 15:54 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: playbook which redeployed master certificates didn't update webconsole secrets Consequence: webconsole failed to start when master certs were redeployed Fix: webconsole secrets are recreated during master cewrt redeploy playbook Result: webconsole works correctly after master cert redeploy
Clone Of:
Environment:
Last Closed: 2019-06-26 09:07:54 UTC
Target Upstream Version:


Attachments (Terms of Use)
consolepodlog (19.49 KB, text/plain)
2019-03-07 10:25 UTC, Yanping Zhang
no flags Details
ansibleplaybooklog (707.80 KB, text/plain)
2019-03-07 10:27 UTC, Yanping Zhang
no flags Details


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:1605 None None None 2019-06-26 09:08:02 UTC

Comment 10 Yanping Zhang 2019-03-07 10:25:10 UTC
OCP cluster version:
openshift v3.11.92
kubernetes v1.11.0+d4cacc0
openshift-ansible version:
openshift-ansible-3.11.92-1.git.0.f2fade7.el7.noarch
Run playbook: ansible-playbook -i /path/to/inventory /usr/share/ansible/openshift-ansible/playbooks/openshift-master/redeploy-certificates.yml
After finished, web console can be accessed, secret webconsole-serving-cert and web console pod are newly created.
Check admin console project, no new pod/secret are created. Try to login to console, it could be accessed at first, but after a while, it failed to open console url.
The console pod log shows failed info, pls refer to attachment.

Comment 11 Yanping Zhang 2019-03-07 10:25:45 UTC
Created attachment 1541801 [details]
consolepodlog

Comment 12 Yanping Zhang 2019-03-07 10:27:06 UTC
Created attachment 1541802 [details]
ansibleplaybooklog

Comment 13 Vadim Rutkovsky 2019-03-12 10:54:41 UTC
Right, admin console certs are not being redeployed.

Created https://github.com/openshift/openshift-ansible/pull/11341 to fix this

Comment 14 Vadim Rutkovsky 2019-03-15 10:18:03 UTC
Fix is available in openshift-ansible-3.11.95-1

Comment 15 Yanping Zhang 2019-03-19 08:57:50 UTC
ansible version:
openshift-ansible-3.11.97-1.git.0.5bb60b0.el7.noarch.rpm
ocp cluster version: openshift v3.11.97

Run below playbooks separately: 
ansible-playbook -i /path/to/inventory /usr/share/ansible/openshift-ansible/playbooks/openshift-master/redeploy-certificates.yml
ansible-playbook -i /path/to/inventory /usr/share/ansible/openshift-ansible/playbooks/redeploy-certificates.yml
After finished, web console can be accessed, secret webconsole-serving-cert and web console pod are newly created. And console can be accessed, secret console-serving-cert and console pod are newly created.

The bug is fixed, so move it to Verified.

Comment 17 errata-xmlrpc 2019-06-26 09:07:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:1605


Note You need to log in before you can comment on or make changes to this bug.