Bug 1754081 - Certificate expiration playbooks no longer include node certificate details
Summary: Certificate expiration playbooks no longer include node certificate details
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.11.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: 3.11.z
Assignee: Joseph Callen
QA Contact: Gaoyun Pei
URL:
Whiteboard:
Duplicates: 1785745
Depends On:
Blocks:
Reported: 2019-09-20 19:30 UTC by Luke Stanton
Modified: 2024-02-04 04:25 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-03-20 00:12:40 UTC
Target Upstream Version:
Embargoed:


Attachments
Certificate check (50.95 KB, text/html), 2019-09-30 19:50 UTC, Joseph Callen


Links
GitHub openshift/openshift-ansible pull 11967 (closed): "Bug 1754081: Certificate expiration misses node certificates", last updated 2021-02-15 19:27:55 UTC
Red Hat Product Errata RHBA-2020:0793, last updated 2020-03-20 00:12:54 UTC

Description Luke Stanton 2019-09-20 19:30:09 UTC
Description of problem:

The cert expiration playbooks in the openshift-ansible/playbooks/openshift-checks/certificate_expiry folder no longer include details about node cert expirations. This functionality appears to have been lost with the release of 3.10 and the advent of node-bootstrapping, and has caused concern for some users who expect to see node cert expiration details in the reports. It would also be helpful since users have to manually approve CSRs unless they explicitly enable auto-approval, and currently there isn't a user-friendly way to see the node cert details.

Version-Release number of the following components:
N/A

How reproducible:
Consistently

Steps to Reproduce:
Run any of the expiration playbooks

Actual results:
Node cert details are not included in the expiration reports

Expected results:
Node cert details would be included in the expiration reports

Comment 2 Joseph Callen 2019-09-30 19:50:12 UTC
Created attachment 1621259 [details]
Certificate check

Comment 14 Gaoyun Pei 2020-03-10 03:30:32 UTC
Verify this bug with openshift-ansible-3.11.187-1.git.0.154c878.el7.noarch.rpm

kubelet-client-current.pem is also checked on the node.

ok: [ec2-54-236-2-0.compute-1.amazonaws.com] => {
    "changed": false, 
    "check_results": {
        "etcd": [], 
        "kubeconfigs": [
            {
                "cert_cn": "O:system:nodes, CN:system:node:ip-172-18-8-236.ec2.internal", 
                "days_remaining": 365, 
                "expiry": "2021-03-09 11:14:00", 
                "health": "ok", 
                "issuer": "CN=openshift-signer@1583752313 ", 
                "path": "/etc/origin/node/certificates/kubelet-client-current.pem", 
                "serial": 455478036503548873119013422819392730190736310737, 
                "serial_hex": "0x4fc8576f1578b9eeef581e36fb1a3b01dd14c1d1L"
            }, 
            {
                "cert_cn": "O:system:nodes, CN:system:node:ip-172-18-8-236.ec2.internal", 
                "days_remaining": 365, 
                "expiry": "2021-03-09 11:14:00", 
                "health": "ok", 
                "issuer": "CN=openshift-signer@1583752313 ", 
                "path": "/etc/origin/node/certificates/kubelet-client-current.pem", 
                "serial": 455478036503548873119013422819392730190736310737, 
                "serial_hex": "0x4fc8576f1578b9eeef581e36fb1a3b01dd14c1d1L"
            }
        ], 
        "meta": {
            "checked_at_time": "2020-03-09 09:54:44.874875", 
            "show_all": "True", 
            "warn_before_date": "2021-03-09 09:54:44.874875", 
            "warning_days": 365
        }, 
        "ocp_certs": [
            {
                "cert_cn": "CN:openshift-signer@1583752313", 
                "days_remaining": 1825, 
                "expiry": "2025-03-08 11:11:54", 
                "health": "ok", 
                "issuer": "CN=openshift-signer@1583752313 ", 
                "path": "/etc/origin/node/client-ca.crt", 
                "serial": 1, 
                "serial_hex": "0x1"
            }, 
            {
                "cert_cn": "CN:openshift-signer@1583752313", 
                "days_remaining": 1825, 
                "expiry": "2025-03-08 11:11:54", 
                "health": "ok", 
                "issuer": "CN=openshift-signer@1583752313 ", 
                "path": "/etc/origin/node/client-ca.crt", 
                "serial": 1, 
                "serial_hex": "0x1"
            }
        ], 
        "registry": [], 
        "router": []
    }, 
    "invocation": {
        "module_args": {
            "config_base": "/etc/origin", 
            "show_all": true, 
            "warning_days": 365
        }
    }, 
    "msg": "Checked 4 total certificates. Expired/Warning/OK: 0/0/4. Warning window: 365 days", 
    "rc": 0



The playbook will fail when a cert gets a warning (the remaining valid time of the cert is less than openshift_certificate_expiry_warning_days).

ok: [ec2-54-160-134-97.compute-1.amazonaws.com] => {
    "changed": false, 
    "check_results": {
        "etcd": [], 
        "kubeconfigs": [
            {
                "cert_cn": "O:system:nodes, CN:system:node:ip-172-18-12-32.ec2.internal", 
                "days_remaining": 160, 
                "expiry": "2021-03-10 01:58:00", 
                "health": "warning", 
                "issuer": "CN=openshift-signer@1583805359 ", 
                "path": "/etc/origin/node/certificates/kubelet-client-current.pem", 
                "serial": 142775096935884355427465619168187843708673448761, 
                "serial_hex": "0x190241bbb730ff18a1bca529c4ff3939e845db39L"
            }, 
            {
                "cert_cn": "O:system:nodes, CN:system:node:ip-172-18-12-32.ec2.internal", 
                "days_remaining": 160, 
                "expiry": "2021-03-10 01:58:00", 
                "health": "warning", 
                "issuer": "CN=openshift-signer@1583805359 ", 
                "path": "/etc/origin/node/certificates/kubelet-client-current.pem", 
                "serial": 142775096935884355427465619168187843708673448761, 
                "serial_hex": "0x190241bbb730ff18a1bca529c4ff3939e845db39L"
            }
        ], 
        "meta": {
            "checked_at_time": "2020-10-01 00:02:55.098336", 
            "show_all": "True", 
            "warn_before_date": "2021-10-01 00:02:55.098336", 
            "warning_days": 365
        }, 
        "ocp_certs": [
            {
                "cert_cn": "CN:openshift-signer@1583805359", 
                "days_remaining": 1620, 
                "expiry": "2025-03-09 01:56:00", 
                "health": "ok", 
                "issuer": "CN=openshift-signer@1583805359 ", 
                "path": "/etc/origin/node/client-ca.crt", 
                "serial": 1, 
                "serial_hex": "0x1"
            }, 
            {
                "cert_cn": "CN:openshift-signer@1583805359", 
                "days_remaining": 1620, 
                "expiry": "2025-03-09 01:56:00", 
                "health": "ok", 
                "issuer": "CN=openshift-signer@1583805359 ", 
                "path": "/etc/origin/node/client-ca.crt", 
                "serial": 1, 
                "serial_hex": "0x1"
            }
        ], 
        "registry": [], 
        "router": []
    }, 
    "invocation": {
        "module_args": {
            "config_base": "/etc/origin", 
            "show_all": true, 
            "warning_days": 365
        }
    }, 
    "msg": "Checked 4 total certificates. Expired/Warning/OK: 0/2/2. Warning window: 365 days", 
    "rc": 0, 
    "summary": {
        "etcd_certificates": 0, 
        "expired": 0, 
        "kubeconfig_certificates": 2, 
        "ok": 2, 
        "registry_certs": 0, 
        "router_certs": 0, 
        "system_certificates": 2, 
        "total": 4, 
        "warning": 2
    }, 
    "warn_certs": true
}
...


TASK [openshift_certificate_expiry : Fail when certs are near or already expired] ***
task path: /home/slave6/workspace/Run-Ansible-Playbooks-Nextge/private-openshift-ansible/roles/openshift_certificate_expiry/tasks/main.yml:39
skipping: [ec2-54-224-254-230.compute-1.amazonaws.com] => {
    "changed": false, 
    "skip_reason": "Conditional result was False"
}
fatal: [ec2-54-160-134-97.compute-1.amazonaws.com]: FAILED! => {
    "changed": false, 
    "msg": "Cluster certificates found to be expired or within 365 days of expiring. You may view the report at /home/slave6/cert-expiry-report.20201001T000252.html or /home/slave6/cert-expiry-report.20201001T000252.json.\n"
}
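The classification and fail decision visible in the output above (days_remaining measured from checked_at_time, health "warning" inside the warning window, warn_certs driving the "Fail when certs are near or already expired" task), reproduced as an added example over a constructed check record. This is illustrative code written for this page, not the openshift_certificate_expiry module itself; the input layout, the "expired" label (taken from the summary keys in the output) and the sample paths and dates are assumptions.

```python
"""Added example: reproduce the health/summary logic seen in the
openshift_certificate_expiry output. Not the module's own code."""
import json
from datetime import datetime

# Constructed sample modelled on the playbook output quoted in the bug.
# Dates and paths are illustrative, not taken from a real cluster.
SAMPLE_JSON = """{
  "checked_at_time": "2020-10-01 00:02:55",
  "warning_days": 365,
  "certs": [
    {"path": "/etc/origin/node/certificates/kubelet-client-current.pem",
     "expiry": "2021-03-10 01:58:00"},
    {"path": "/etc/origin/node/client-ca.crt",
     "expiry": "2025-03-09 01:56:00"},
    {"path": "/etc/origin/master/old-example.crt",
     "expiry": "2020-09-01 00:00:00"}
  ]
}"""

FMT = "%Y-%m-%d %H:%M:%S"


def classify(expiry, now, warning_days):
    """Return (days_remaining, health) for one certificate."""
    days = (datetime.strptime(expiry, FMT) - now).days
    if days < 0:
        return days, "expired"
    if days < warning_days:  # inside the warning window
        return days, "warning"
    return days, "ok"


def run_check(raw):
    """Evaluate every cert in the record and build the module-style summary."""
    data = json.loads(raw)
    now = datetime.strptime(data["checked_at_time"], FMT)
    warning_days = data["warning_days"]
    results = []
    for cert in data["certs"]:
        days, health = classify(cert["expiry"], now, warning_days)
        results.append({"path": cert["path"], "days_remaining": days, "health": health})
    summary = {h: sum(1 for r in results if r["health"] == h)
               for h in ("expired", "warning", "ok")}
    summary["total"] = len(results)
    msg = "Checked %d total certificates. Expired/Warning/OK: %d/%d/%d. Warning window: %d days" % (
        summary["total"], summary["expired"], summary["warning"], summary["ok"], warning_days)
    # Any expired or warning cert makes the playbook's fail task fire.
    warn_certs = summary["expired"] + summary["warning"] > 0
    return {"results": results, "summary": summary, "msg": msg, "warn_certs": warn_certs}
```

With warning_days set to 365 the kubelet client cert (valid for one year) is always reported as a warning the day after it is issued, which is why the run above fails; pick a window shorter than the node cert lifetime when using the check as a gate.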

Comment 16 errata-xmlrpc 2020-03-20 00:12:40 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0793

Comment 17 Scott Dodson 2020-04-06 18:15:07 UTC
*** Bug 1785745 has been marked as a duplicate of this bug. ***

Comment 18 Red Hat Bugzilla 2024-02-04 04:25:23 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days

