Description of problem:
The cert expiration playbooks in the openshift-ansible/playbooks/openshift-checks/certificate_expiry folder no longer include details about node cert expirations. This functionality appears to have been lost with the release of 3.10 and the advent of node bootstrapping, and has caused concern for some users who expect to see node cert expiration details in the reports. It would also be helpful since users have to manually approve CSRs unless they explicitly enable auto-approval, and currently there isn't a user-friendly way to see the node cert details.

Version-Release number of the following components:
N/A

How reproducible:
Consistently

Steps to Reproduce:
Run any of the expiration playbooks

Actual results:
Node cert details are not included in the expiration reports

Expected results:
Node cert details would be included in the expiration reports
Created attachment 1621259: Certificate check
Verified this bug with openshift-ansible-3.11.187-1.git.0.154c878.el7.noarch.rpm; kubelet-client-current.pem is also checked on the node.

ok: [ec2-54-236-2-0.compute-1.amazonaws.com] => {
    "changed": false,
    "check_results": {
        "etcd": [],
        "kubeconfigs": [
            {
                "cert_cn": "O:system:nodes, CN:system:node:ip-172-18-8-236.ec2.internal",
                "days_remaining": 365,
                "expiry": "2021-03-09 11:14:00",
                "health": "ok",
                "issuer": "CN=openshift-signer@1583752313 ",
                "path": "/etc/origin/node/certificates/kubelet-client-current.pem",
                "serial": 455478036503548873119013422819392730190736310737,
                "serial_hex": "0x4fc8576f1578b9eeef581e36fb1a3b01dd14c1d1L"
            },
            {
                "cert_cn": "O:system:nodes, CN:system:node:ip-172-18-8-236.ec2.internal",
                "days_remaining": 365,
                "expiry": "2021-03-09 11:14:00",
                "health": "ok",
                "issuer": "CN=openshift-signer@1583752313 ",
                "path": "/etc/origin/node/certificates/kubelet-client-current.pem",
                "serial": 455478036503548873119013422819392730190736310737,
                "serial_hex": "0x4fc8576f1578b9eeef581e36fb1a3b01dd14c1d1L"
            }
        ],
        "meta": {
            "checked_at_time": "2020-03-09 09:54:44.874875",
            "show_all": "True",
            "warn_before_date": "2021-03-09 09:54:44.874875",
            "warning_days": 365
        },
        "ocp_certs": [
            {
                "cert_cn": "CN:openshift-signer@1583752313",
                "days_remaining": 1825,
                "expiry": "2025-03-08 11:11:54",
                "health": "ok",
                "issuer": "CN=openshift-signer@1583752313 ",
                "path": "/etc/origin/node/client-ca.crt",
                "serial": 1,
                "serial_hex": "0x1"
            },
            {
                "cert_cn": "CN:openshift-signer@1583752313",
                "days_remaining": 1825,
                "expiry": "2025-03-08 11:11:54",
                "health": "ok",
                "issuer": "CN=openshift-signer@1583752313 ",
                "path": "/etc/origin/node/client-ca.crt",
                "serial": 1,
                "serial_hex": "0x1"
            }
        ],
        "registry": [],
        "router": []
    },
    "invocation": {
        "module_args": {
            "config_base": "/etc/origin",
            "show_all": true,
            "warning_days": 365
        }
    },
    "msg": "Checked 4 total certificates. Expired/Warning/OK: 0/0/4. \nWarning window: 365 days",
    "rc": 0

The playbook will fail when a cert gets a warning (the remaining validity of the cert is less than openshift_certificate_expiry_warning_days):

ok: [ec2-54-160-134-97.compute-1.amazonaws.com] => {
    "changed": false,
    "check_results": {
        "etcd": [],
        "kubeconfigs": [
            {
                "cert_cn": "O:system:nodes, CN:system:node:ip-172-18-12-32.ec2.internal",
                "days_remaining": 160,
                "expiry": "2021-03-10 01:58:00",
                "health": "warning",
                "issuer": "CN=openshift-signer@1583805359 ",
                "path": "/etc/origin/node/certificates/kubelet-client-current.pem",
                "serial": 142775096935884355427465619168187843708673448761,
                "serial_hex": "0x190241bbb730ff18a1bca529c4ff3939e845db39L"
            },
            {
                "cert_cn": "O:system:nodes, CN:system:node:ip-172-18-12-32.ec2.internal",
                "days_remaining": 160,
                "expiry": "2021-03-10 01:58:00",
                "health": "warning",
                "issuer": "CN=openshift-signer@1583805359 ",
                "path": "/etc/origin/node/certificates/kubelet-client-current.pem",
                "serial": 142775096935884355427465619168187843708673448761,
                "serial_hex": "0x190241bbb730ff18a1bca529c4ff3939e845db39L"
            }
        ],
        "meta": {
            "checked_at_time": "2020-10-01 00:02:55.098336",
            "show_all": "True",
            "warn_before_date": "2021-10-01 00:02:55.098336",
            "warning_days": 365
        },
        "ocp_certs": [
            {
                "cert_cn": "CN:openshift-signer@1583805359",
                "days_remaining": 1620,
                "expiry": "2025-03-09 01:56:00",
                "health": "ok",
                "issuer": "CN=openshift-signer@1583805359 ",
                "path": "/etc/origin/node/client-ca.crt",
                "serial": 1,
                "serial_hex": "0x1"
            },
            {
                "cert_cn": "CN:openshift-signer@1583805359",
                "days_remaining": 1620,
                "expiry": "2025-03-09 01:56:00",
                "health": "ok",
                "issuer": "CN=openshift-signer@1583805359 ",
                "path": "/etc/origin/node/client-ca.crt",
                "serial": 1,
                "serial_hex": "0x1"
            }
        ],
        "registry": [],
        "router": []
    },
    "invocation": {
        "module_args": {
            "config_base": "/etc/origin",
            "show_all": true,
            "warning_days": 365
        }
    },
    "msg": "Checked 4 total certificates. Expired/Warning/OK: 0/2/2. \nWarning window: 365 days",
    "rc": 0,
    "summary": {
        "etcd_certificates": 0,
        "expired": 0,
        "kubeconfig_certificates": 2,
        "ok": 2,
        "registry_certs": 0,
        "router_certs": 0,
        "system_certificates": 2,
        "total": 4,
        "warning": 2
    },
    "warn_certs": true
}

...

TASK [openshift_certificate_expiry : Fail when certs are near or already expired] ***
task path: /home/slave6/workspace/Run-Ansible-Playbooks-Nextge/private-openshift-ansible/roles/openshift_certificate_expiry/tasks/main.yml:39
skipping: [ec2-54-224-254-230.compute-1.amazonaws.com] => {
    "changed": false,
    "skip_reason": "Conditional result was False"
}
fatal: [ec2-54-160-134-97.compute-1.amazonaws.com]: FAILED! => {
    "changed": false,
    "msg": "Cluster certificates found to be expired or within 365 days of expiring. You may view the report at /home/slave6/cert-expiry-report.20201001T000252.html or /home/slave6/cert-expiry-report.20201001T000252.json.\n"
}
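For anyone who wants the same ok/warning/expired verdict and the same fail-on-warning exit for a node's kubelet-client-current.pem without running the playbook, here is an added example; it is not code from openshift-ansible or from this bug report. It is a POSIX shell script built on `openssl x509 -checkend`. It assumes `openssl` on PATH and GNU `date` for the days-remaining figure (prints `?` otherwise). The self-signed certificate it generates is a constructed sample standing in for a node client cert, not a real node certificate; the 160-day, 1825-day and 365-day numbers are taken from the verification output above.

```shell
#!/bin/sh
# Added example, not code from openshift-ansible: reimplements the
# openshift_certificate_expiry health classification for files such as
# /etc/origin/node/certificates/kubelet-client-current.pem.
# Assumes: openssl on PATH; GNU date (only for days_remaining, "?" otherwise).
set -eu

# cert_health PEM WARNING_DAYS -> expired | warning | ok
# "warning" when the cert expires within openshift_certificate_expiry_warning_days,
# "expired" when notAfter is already in the past, "ok" otherwise.
cert_health() {
  local pem="$1" warning_days="$2"
  if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
    echo expired
  elif ! openssl x509 -in "$pem" -noout -checkend "$((warning_days * 86400))" >/dev/null 2>&1; then
    echo warning
  else
    echo ok
  fi
}

# cert_days_remaining PEM -> whole days until notAfter (negative once expired)
cert_days_remaining() {
  local end end_epoch
  end=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
  if end_epoch=$(date -u -d "$end" +%s 2>/dev/null); then
    echo "$(( (end_epoch - $(date -u +%s)) / 86400 ))"
  else
    echo '?'   # non-GNU date cannot parse "Mar  9 11:14:00 2021 GMT"
  fi
}

# cert_report WARNING_DAYS PEM... -> one line per cert plus a playbook-style summary;
# returns 1 when any cert is expired or inside the warning window, which is the
# condition the "Fail when certs are near or already expired" task keys on.
cert_report() {
  local warning_days="$1" expired=0 warning=0 ok=0 pem health subject
  shift
  for pem in "$@"; do
    health=$(cert_health "$pem" "$warning_days")
    subject=$(openssl x509 -in "$pem" -noout -subject)
    printf '%-8s %5s days  %s  %s\n' "$health" "$(cert_days_remaining "$pem")" "$pem" "$subject"
    case $health in
      expired) expired=$((expired + 1)) ;;
      warning) warning=$((warning + 1)) ;;
      ok)      ok=$((ok + 1)) ;;
    esac
  done
  echo "Checked $# total certificates. Expired/Warning/OK: $expired/$warning/$ok. Warning window: $warning_days days"
  [ "$expired" -eq 0 ] && [ "$warning" -eq 0 ]
}

# make_test_cert DAYS OUTBASE -> constructed self-signed sample (OUTBASE.pem, OUTBASE.key)
# with a node-style subject; NOT a real node certificate.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days "$1" \
    -keyout "$2.key" -out "$2.pem" \
    -subj '/O=system:nodes/CN=system:node:ip-172-18-8-236.ec2.internal' >/dev/null 2>&1
}

# Demo: a 160-day node cert and a 1825-day CA cert checked with a 365-day window
# (the figures from the verification run). The first report returns 1 because of
# the node cert; with a 30-day window both certs are ok and it returns 0.
demo_dir=$(mktemp -d)
make_test_cert 160 "$demo_dir/node"
make_test_cert 1825 "$demo_dir/ca"
cert_report 365 "$demo_dir/node.pem" "$demo_dir/ca.pem" || echo "exit status 1: certificates need attention"
cert_report 30 "$demo_dir/node.pem" "$demo_dir/ca.pem"
rm -rf "$demo_dir"
```

On a real 3.11 node, replace the constructed sample with `cert_report 365 /etc/origin/node/certificates/kubelet-client-current.pem /etc/origin/node/client-ca.crt`; the non-zero exit status is what you would wire into a cron or monitoring check. `-checkend` does the date comparison inside openssl, so the verdict does not depend on the shell's `date` implementation; only the cosmetic days-remaining column does.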
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:0793
*** Bug 1785745 has been marked as a duplicate of this bug. ***
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days