Description of problem: when running /usr/share/ansible/openshift-ansible/playbooks/redeploy-certificates.yml, it also redeploys the service signer certificate, which is used to sign the internal services. This causes internal services to stop working because the certificate is invalid. Only manual intervention fixes the issue. The secrets are not reconfigured; the admin must delete them to recreate them.

Version-Release number of the following components: openshift 3.10 playbooks

How reproducible: execute the playbook and check the service signer

Steps to Reproduce:
1.
2.
3.

Actual results: the internal services will stop working

Expected results: the service signer should not be redeployed by default; it should only be redeployed when a new CA is deployed.

Additional info:
Verified this bug with openshift-ansible-3.10.175-1.git.0.19fd261.el7.noarch.rpm.

openshift-ansible/playbooks/redeploy-certificates.yml won't update service-signer certificates by default.

TASK [Remove service signer certificates] **************************************
skipping: [ci-vm-10-0-151-92.hosted.upshift.rdu2.redhat.com] => (item=service-signer.crt) => {"changed": false, "item": "service-signer.crt", "skip_reason": "Conditional result was False", "skipped": true}
skipping: [ci-vm-10-0-151-92.hosted.upshift.rdu2.redhat.com] => (item=service-signer.key) => {"changed": false, "item": "service-signer.key", "skip_reason": "Conditional result was False", "skipped": true}

With openshift_redeploy_openshift_ca=true set in the inventory file, the service-signer certificates will be removed and regenerated.

TASK [Remove service signer certificates] **************************************
changed: [ci-vm-10-0-151-92.hosted.upshift.rdu2.redhat.com] => (item=service-signer.crt) => {"changed": true, "failed": false, "item": "service-signer.crt", "path": "/etc/origin/master/service-signer.crt", "state": "absent"}
changed: [ci-vm-10-0-151-92.hosted.upshift.rdu2.redhat.com] => (item=service-signer.key) => {"changed": true, "failed": false, "item": "service-signer.key", "path": "/etc/origin/master/service-signer.key", "state": "absent"}
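An added example (not part of this bug or of openshift-ansible) of how an operator can check a redeploy-certificates.yml run for the failure mode above: it scans the playbook output for the "Remove service signer certificates" task and reports which hosts actually had service-signer.crt/.key removed. The host name and log samples below are constructed, modelled on the output quoted in this comment.

```python
"""Flag an unintended service-signer redeploy from Ansible playbook output."""
import json
import re

TASK_RE = re.compile(r"^TASK \[(?P<name>[^\]]+)\]")
# One result line: "<status>: [<host>] => (item=<item>) => {<json>}"
RESULT_RE = re.compile(
    r"^(?P<status>changed|skipping|ok|failed|fatal): \[(?P<host>[^\]]+)\]"
    r"(?: => \(item=(?P<item>[^)]+)\))? => (?P<json>\{.*\})$"
)
SIGNER_TASK = "Remove service signer certificates"
SIGNER_FILES = {"service-signer.crt", "service-signer.key"}

# Constructed sample output (hypothetical host), modelled on the two runs above.
SAMPLE_SKIPPED = """
TASK [Remove service signer certificates] ****************************
skipping: [master1.example.com] => (item=service-signer.crt) => {"changed": false, "item": "service-signer.crt", "skip_reason": "Conditional result was False", "skipped": true}
skipping: [master1.example.com] => (item=service-signer.key) => {"changed": false, "item": "service-signer.key", "skip_reason": "Conditional result was False", "skipped": true}
"""
SAMPLE_CHANGED = """
TASK [Remove service signer certificates] ****************************
changed: [master1.example.com] => (item=service-signer.crt) => {"changed": true, "failed": false, "item": "service-signer.crt", "path": "/etc/origin/master/service-signer.crt", "state": "absent"}
changed: [master1.example.com] => (item=service-signer.key) => {"changed": true, "failed": false, "item": "service-signer.key", "path": "/etc/origin/master/service-signer.key", "state": "absent"}
TASK [Some later task] ****************************
changed: [master1.example.com] => {"changed": true}
"""


def signer_changes(log_text):
    """Return {host: [signer files removed]} for the signer task only.
    Hosts where the task was skipped (changed=false) do not appear."""
    changed = {}
    current_task = None
    for line in log_text.splitlines():
        line = line.strip()
        task = TASK_RE.match(line)
        if task:
            current_task = task.group("name")  # results belong to this task
            continue
        if current_task != SIGNER_TASK:
            continue  # ignore every other task's output
        m = RESULT_RE.match(line)
        if not m:
            continue
        try:
            result = json.loads(m.group("json"))
        except json.JSONDecodeError:
            continue  # not a JSON result line
        item = result.get("item") or m.group("item")
        if item in SIGNER_FILES and result.get("changed") is True:
            changed.setdefault(m.group("host"), set()).add(item)
    return {host: sorted(files) for host, files in changed.items()}
```

A non-empty result after a run that was not meant to rotate the CA means the service serving certificates on that host no longer chain to the signer and the affected secrets need to be recreated, as the bug describes.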
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:2987
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days