Description of problem:
When running the playbook "openshift-ansible/playbooks/redeploy-certificates.yml", there is a task to create a backup on one master, but remove all certs on all masters:
https://github.com/openshift/openshift-ansible/blob/release-3.11/playbooks/openshift-master/private/certificates-backup.yml
If the playbook fails, the next run will fail on the task:
TASK [openshift_certificate_expiry : Check cert expirys on host]
because the certs are missing. To fix it, the certs should be restored; however, without a backup from the other masters it is not possible.

Version-Release number of the following components:
openshift ansible 3.11.117

How reproducible:
- Running the playbook multiple times before it finishes will cause the issue.

Steps to Reproduce:
1.
2.
3.

Actual results:
Please include the entire output from the last TASK line through the end of output if an error is generated
It always fails on missing certs like service-signer.crt, master.server.crt, etc.

Expected results:

Additional info:
Please attach logs from ansible-playbook with the -vvv flag
*** Bug 1751194 has been marked as a duplicate of this bug. ***
Gaoyun, If the redeploy-certificates.yml playbook fails between removing and recreating certificates, the deleted certificates must be manually restored from the backup file created. The changes made were to address the issue of not being able to recover files that were not backed up. To change the code to handle failures of this type would require a significant amount of refactoring over several components.
Thanks for the heads up, Russell! Moving this bug to verified based on Comment 4 and Comment 5: the master certificates and configs backup is now created on all masters during playbooks/redeploy-certificates.yml.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:3817