1696198 – after running redeploy-certificates.yml playbook grafana, prometheus and alertmanager routes are not accessible anymore

Bug 1696198 - after running redeploy-certificates.yml playbook grafana, prometheus and alertmanager routes are not accessible anymore

Summary: after running redeploy-certificates.yml playbook grafana, prometheus and aler...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Installer
Sub Component:
Version:	3.11.0
Hardware:	Unspecified
OS:	Linux
Priority:	unspecified
Severity:	high
Target Milestone:	---
Target Release:	3.11.z
Assignee:	Vadim Rutkovsky
QA Contact:	Junqi Zhao
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1697169
TreeView+	depends on / blocked

Reported:	2019-04-04 10:20 UTC by Joel Rosental R.
Modified:	2021-11-04 18:39 UTC (History)
CC List:	5 users (show)
Fixed In Version:	openshift-ansible-3.11.104-1.git.0.379a011.el7
Doc Type:	Bug Fix
Doc Text:	Cause: monitoring certificates were not updated after cert redeploy Consequence: prometheus, grafana and alertmanager UI were broken Fix: component's TLS secrets and pods are removed during cert redeploy Result: alermanager, prometheus and grafana UI work correctly after cert redeploy
Clone Of:
Environment:
Last Closed:	2019-06-06 02:00:29 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
received an invalid certificate (59.80 KB, image/png) 2019-04-16 08:28 UTC, Junqi Zhao	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Knowledge Base (Solution)	6485251	0	None	None	None	2021-11-04 18:39:39 UTC
Red Hat Product Errata	RHBA-2019:0794	0	None	None	None	2019-06-06 02:00:33 UTC

Description Joel Rosental R. 2019-04-04 10:20:03 UTC

Description of problem:
After running redeploy-certificates.yml playbook the grafana, alertmanager and prometheus routes don't work anymore, I get an "Application is not available" error message.

Workaround: deleting the "*-tls" secrets in openshift-monitoring namespace and restarting the pods solves the issue as the secrets get re-created by the operator.

Version-Release number of the following components:
$ rpm -q openshift-ansible
openshift-ansible-3.11.92-1.git.0.f2fade7.el7.noarch

$ rpm -q ansible
ansible-2.6.15-1.el7ae.noarch

ansible --version
ansible 2.6.15

How reproducible:
Always

Steps to Reproduce:
1. ansible-playbook -i hosts /usr/share/ansible/openshift-ansible/playbooks/redeploy-certificates.yml
2. try accessing
3.

Actual results:
An error message stating "Application is not available" is shown instead of accessing the requested resource.

Expected results:
The redeploy-certificates.yml playbook should take care of this.

Additional info:
N/A

Comment 1 Vadim Rutkovsky 2019-04-08 11:19:59 UTC

Created PR for 3.11 https://github.com/openshift/openshift-ansible/pull/11472 - it removes TLS secrets, deletes pods and waits for pods to come up

Comment 5 Junqi Zhao 2019-04-16 08:28:55 UTC

Created attachment 1555405 [details]
received an invalid certificate

Comment 12 errata-xmlrpc 2019-06-06 02:00:29 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0794

Note You need to log in before you can comment on or make changes to this bug.