Bug 2181223 - deployments should delete kcache before deployment to make sure credentials are not expired
Summary: deployments should delete kcache before deployment to make sure credentials a...
Keywords:
Status: NEW
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: ansible-tripleo-ipa
Version: 16.2 (Train)
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: z7
: ---
Assignee: Ade Lee
QA Contact: Jeremy Agee
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2023-03-23 10:41 UTC by Ade Lee
Modified: 2023-04-12 12:08 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker OSP-23603 0 None None None 2023-03-23 10:43:44 UTC

Description Ade Lee 2023-03-23 10:41:01 UTC 
Description of problem:

Customer ran into an issue where puppet/puppet-certmonger used the credentials in old ccache files when trying to issue a certificate, rather than looking at the keytab.  This resulted in expired creds being used and a failure to issue a certificate.

The solution to this was to remove the ccache files prior to the deployment.
The ccache was cleared with `kdestroy -A` and it was ran on all our compute nodes, however, The networkers and controllers had a valid ccache at the time so we didn't clear the ccache there but it would have also broken the deployment at some point for sure. KRB5CCNAME was not set so this was the default ccache that was being set/listed.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Note You need to log in before you can comment on or make changes to this bug.