Description of problem:

While running "/usr/share/ansible/openshift-ansible/playbooks/redeploy-certificates.yml", service signer CA is recreated even if CA is not (this is currently expected behavior). However, the heapster-certs secret in the openshift-infra namespace is not regenerated, so the one signed by the old CA is still there. This causes issues with both heapster and hawkular-metrics until the secret is deleted manually, so that it is regenerated.

Version-Release number of the following components:

rpm -q openshift-ansible
openshift-ansible-3.11.129-1.git.0.11838de.el7.noarch

rpm -q ansible
ansible-2.6.16-1.el7ae.noarch

ansible --version
ansible 2.6.16
  config file = /root/ansible.cfg
  configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.5 (default, Jun 11 2019, 12:19:05) [GCC 4.8.5 20150623 (Red Hat 4.8.5-36)]

How reproducible:

Always if hawkular metrics stack is installed

Steps to Reproduce:

1. Redeploy certificates

Actual results:

heapster-certs secret in the openshift-infra namespace is not regenerated

Expected results:

heapster-certs secret in the openshift-infra namespace to be regenerated

Additional info:

I am going to attach the full log just in case, but it is not actually relevant for this concrete bug.
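An added check for the condition described in the report above (not part of the original report or of openshift-ansible): it tests whether the certificate held in a secret still verifies against the current service signer CA. The CA path /etc/origin/master/service-signer.crt, the tls.crt key name and the function names are assumptions; the report states none of them.

```shell
#!/bin/sh
# Added example: find a serving-cert secret still signed by the previous service signer CA.
# Assumptions (not from the report): the CA file path below and the secret's "tls.crt" key.
SIGNER_CA="${SIGNER_CA:-/etc/origin/master/service-signer.crt}"

# cert_signed_by CA_PEM CERT_PEM
# Returns 0 if the first certificate in CERT_PEM verifies against CA_PEM,
# 1 if it does not, 2 if either file is missing or empty.
cert_signed_by() {
    ca="$1"; cert="$2"
    [ -s "$ca" ] && [ -s "$cert" ] || return 2
    out=$(openssl verify -CAfile "$ca" "$cert" 2>&1) || return 1
    # Also require the ": OK" verdict instead of trusting the exit status alone.
    case "$out" in
        *": OK") return 0 ;;
        *)       return 1 ;;
    esac
}

# secret_cert NAMESPACE SECRET
# Prints the PEM stored under tls.crt (needs a logged-in oc client).
secret_cert() {
    oc get secret "$2" -n "$1" -o jsonpath='{.data.tls\.crt}' | base64 -d
}

# check_secret NAMESPACE SECRET
# Reports whether the secret's certificate chains to the current signer CA.
check_secret() {
    ns="$1"; name="$2"
    tmp=$(mktemp) || return 2
    secret_cert "$ns" "$name" > "$tmp"
    if cert_signed_by "$SIGNER_CA" "$tmp"; then
        echo "$ns/$name: signed by the current service signer CA"; rc=0
    else
        echo "$ns/$name: NOT signed by $SIGNER_CA; delete the secret so it is regenerated"; rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Only touch the cluster when asked to, e.g.: sh check-signer.sh --check
if [ "${1:-}" = "--check" ]; then
    check_secret openshift-infra heapster-certs
fi
```

Run it with `--check` after redeploying certificates; a non-zero exit means the secret predates the new signer CA.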
*** Bug 1733327 has been marked as a duplicate of this bug. ***
Thank you for continuing to use Red Hat OpenShift. As part of a wider bug review, this bug has been evaluated and we have determined that at this time we do not plan to progress it. As such, we will be closing this bug. If you have need for continued assistance on this issue, please reopen the bug with additional context on why it needs to be reconsidered.