Description of problem:
When running the playbook "openshift-ansible/playbooks/redeploy-certificates.yml" there is a task to create a backup on one master, but remove all certs on all masters:
If the playbook fails, the next run will fail on task:
TASK [openshift_certificate_expiry : Check cert expirys on host]
Because the certs are missing.
To fix it, the certs should be restored, however, without backup from other masters it is not possible.
Version-Release number of the following components:
openshift ansible 3.11.117
- Running the playbook multiple times before it finishes will cause the issue.
Steps to Reproduce:
Please include the entire output from the last TASK line through the end of output if an error is generated
It always fails on missing certs like service-signer.crt, master.server.crt, etc.
Please attach logs from ansible-playbook with the -vvv flag
*** Bug 1751194 has been marked as a duplicate of this bug. ***
If the redeploy-certificates.yml playbook fails between removing and recreating certificates, the deleted certificates must be manually restored from the backup file created. The changes made were to address the issue of not being able to recover files that were not backed up. To change the code to handle failures of this type would require a significant amount of refactoring over several components.
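A per-master pre-flight check for the failure mode described above, as an added example that is not part of this bug report or of openshift-ansible: it archives a certificate directory, confirms the archive lists the files the reporter saw go missing (service-signer.crt, master.server.crt), and restores from it. The function names, the certificate directory and the archive path are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example: run on EACH master before any certificate is removed.
# CERT_DIR and ARCHIVE are caller-supplied (assumptions; the page gives no paths).

# backup_certs CERT_DIR ARCHIVE
# Archive the directory with a restrictive umask, since it holds private keys.
backup_certs() {
    cert_dir=$1 archive=$2
    [ -d "$cert_dir" ] || { echo "no such directory: $cert_dir" >&2; return 2; }
    ( umask 077 && tar -czf "$archive" -C "$cert_dir" . )
}

# verify_backup ARCHIVE NAME...
# Succeed only if the archive is readable and lists every NAME.
verify_backup() {
    archive=$1; shift
    listing=$(tar -tzf "$archive" 2>/dev/null) || {
        echo "unreadable backup: $archive" >&2; return 3; }
    rc=0
    for name in "$@"; do
        found=0
        while IFS= read -r entry; do
            case $entry in "$name"|*/"$name") found=1 ;; esac
        done <<EOF
$listing
EOF
        [ "$found" -eq 1 ] || { echo "not in backup: $name" >&2; rc=1; }
    done
    return $rc
}

# restore_certs ARCHIVE CERT_DIR
# Put the archived files back after a failed run.
restore_certs() {
    archive=$1 cert_dir=$2
    mkdir -p "$cert_dir" && tar -xzf "$archive" -C "$cert_dir"
}
```

Only proceed with a redeploy when `verify_backup` returns 0 on every master; a non-zero status means that host has nothing to restore from.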
Thanks for the heads up, Russell!
Move this bug to verified based on Comment 4 and Comment 5, now the master certificates and configs backup would be created on all masters during playbooks/redeploy-certificates.yml.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.