Bug 1814451 - Certificate expiration playbooks do not report on aggregator-front-proxy.crt or front-proxy-ca.crt
Summary: Certificate expiration playbooks do not report on aggregator-front-proxy.crt ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.11.0
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
: 3.11.z
Assignee: Luke Stanton
QA Contact: Gaoyun Pei
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-03-17 22:18 UTC by Luke Stanton
Modified: 2023-10-06 19:26 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-06-17 20:21:27 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift openshift-ansible pull 12172 0 None closed Bug 1814451: Added expiration checks for aggregator-proxy related certs 2021-02-16 17:56:22 UTC
Red Hat Product Errata RHBA-2020:2477 0 None None None 2020-06-17 20:21:37 UTC

Description Luke Stanton 2020-03-17 22:18:58 UTC 
The cert expiration playbooks in the openshift-ansible/playbooks/openshift-checks/certificate_expiry folder do not report on the aggregator-front-proxy.crt or front-proxy-ca.crt certificates. An expired aggregator-front-proxy.crt in particular causes problems with extension api servers like the metrics server and is difficult to diagnose. Having these certificates show up on the expiration report would make this kind of problem much easier to track down.

Version-Release number of the following components:
N/A

How reproducible:
Consistently

Steps to Reproduce:
Run any of the expiration playbooks

Actual results:
Extension api-server proxy certificate details are not included in the expiration reports

Expected results:
Extension api-server proxy certificate details woud be included in the expiration reports

Additional information:

-- Relevant master-config.yaml --
aggregatorConfig:
  proxyClientInfo:
    certFile: aggregator-front-proxy.crt
authConfig:
  requestHeader:
    clientCA: front-proxy-ca.crt
Comment 6 Luke Stanton 2020-05-25 21:54:16 UTC 
https://github.com/openshift/openshift-ansible/pull/12172
Comment 9 Gaoyun Pei 2020-06-10 07:59:19 UTC 
Verify this bug with openshift-ansible-3.11.232-1.git.0.f0f2213.el7.noarch

Check the certificate using playbook:
ansible-playbook -i host /usr/share/ansible/openshift-ansible/playbooks/openshift-checks/certificate_expiry/easy-mode.yaml

we could see aggregator-front-proxy.crt and front-proxy-ca.crt were in the checking list:

          "cert_cn": "CN:aggregator-front-proxy",
          "days_remaining": 730,
          "expiry": "2022-06-10 04:31:13",
          "health": "ok",
          "issuer": "CN=openshift-signer@1591763467 ",
          "path": "/etc/origin/master/aggregator-front-proxy.crt",
          "serial": 8,
          "serial_hex": "0x8"

          "cert_cn": "CN:openshift-signer@1591763467",
          "days_remaining": 1825,
          "expiry": "2025-06-09 04:31:07",
          "health": "ok",
          "issuer": "CN=openshift-signer@1591763467 ",
          "path": "/etc/origin/master/front-proxy-ca.crt",
          "serial": 1,
          "serial_hex": "0x1"
Comment 11 errata-xmlrpc 2020-06-17 20:21:27 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2477
Note You need to log in before you can comment on or make changes to this bug.