Bug 1518020 - etcd v2 to v3 migration updates named_certificates when it shouldn't be
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.6.1
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 3.6.z
Assignee: Andrew Butcher
QA Contact: liujia
Reported: 2017-11-27 22:34 UTC by Scott Dodson
Modified: 2018-04-12 06:00 UTC (History)

Last Closed: 2018-04-12 05:59:59 UTC


Links: Red Hat Product Errata RHBA-2018:1106 (Priority: None, Status: None, Summary: None, Last Updated: 2018-04-12 06:00:45 UTC)

Description Scott Dodson 2017-11-27 22:34:36 UTC
During a v2 to v3 migration we update the named certificates when there's no reason to do so. If the control host had an outdated certificate this could potentially cause problems.

TASK [openshift_named_certificates : Ensure named certificate directory exists] ************************
ok: [oci1]
TASK [openshift_named_certificates : Land named certificates] ******************************************
changed: [oci1] => (item={'keyfile': u'/root/certs/ca.key', 'certfile': u'/root/certs/ca.crt', 'names': [u'console.example.com']})
TASK [openshift_named_certificates : Land named certificate keys] **************************************
changed: [oci1] => (item={'keyfile': u'/root/certs/ca.key', 'certfile': u'/root/certs/ca.crt', 'names': [u'console.example.com']})

Comment 1 Scott Dodson 2018-02-01 19:02:22 UTC
https://github.com/openshift/openshift-ansible/pull/6981 should fix this by removing the call to openshift_master role

Comment 3 liujia 2018-02-14 02:15:00 UTC
Reproduced on openshift-ansible-3.6.173.0.78-1.git.0.b499fd4.el7.noarch.

1. Install ocp v3.5 with named_certificates.
openshift_master_named_certificates=[{"certfile": "/tmp/7397/custom1.crt", "keyfile": "/tmp/7397/custom1.key", "name": "master.custom-cert.com"}]
2. Upgrade ocp v3.5 to v3.6.
3. Migrate v2 to v3.

before migrate:
drwx------. 2 root root   42 Feb 13 06:31 .
drwx------. 3 root root 4096 Feb 13 07:27 ..
-rw-r--r--. 1 root root 3869 Feb 13 06:31 custom1.crt
-rw-------. 1 root root  887 Feb 13 06:31 custom1.key

after migrate:
total 12
drwx------. 2 root root   42 Feb 13 20:54 .
drwx------. 3 root root 4096 Feb 13 21:00 ..
-rw-r--r--. 1 root root 3869 Feb 13 20:54 custom1.crt
-rw-------. 1 root root  887 Feb 13 20:54 custom1.key

Checked the migrate log:
TASK [openshift_named_certificates : Land named certificates] **************************************************************************
changed: [x.x.x.x] => (item={'certfile': u'/tmp/7397/custom1.crt', 'keyfile': u'/tmp/7397/custom1.key', 'name': u'master.custom-cert.com'}) ...
TASK [openshift_named_certificates : Land named certificate keys] **********************************************************************
changed: [x.x.x.x] => (item={'certfile': u'/tmp/7397/custom1.crt', 'keyfile': u'/tmp/7397/custom1.key', 'name': u'master.custom-cert.com'})...

Comment 4 liujia 2018-02-14 02:26:23 UTC
Have added two cases about named certificates, ocp-18064 and ocp-18062.

Comment 5 liujia 2018-02-14 13:32:53 UTC
Verified on openshift-ansible-3.6.173.0.103-1.git.0.dcf417c.el7.noarch.

1. Install ocp v3.5 with named_certificates.
openshift_master_named_certificates=[{"certfile": "/tmp/7397/custom1.crt", "keyfile": "/tmp/7397/custom1.key", "name": "master.custom-cert.com"}]
2. Upgrade ocp v3.5 to v3.6.
3. Migrate v2 to v3.

before migrate:
total 12
drwx------. 2 root root   42 Feb 13 20:47 .
drwx------. 3 root root 4096 Feb 13 21:32 ..
-rw-r--r--. 1 root root 3869 Feb 13 20:47 custom1.crt
-rw-------. 1 root root  887 Feb 13 20:47 custom1.key

after migrate:
total 12
drwx------. 2 root root   42 Feb 13 20:47 .
drwx------. 3 root root 4096 Feb 14 08:29 ..
-rw-r--r--. 1 root root 3869 Feb 13 20:47 custom1.crt
-rw-------. 1 root root  887 Feb 13 20:47 custom1.key

Checked the migrate log: the openshift_named_certificates role was not run.
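
The two checks used in Comments 3 and 5 (role tasks reporting "changed" in the migrate log, and certificate files with new timestamps) can be scripted. This is an added example, not part of the original report or of openshift-ansible; the function names are hypothetical and the sample log and listings are adapted from the output quoted above.

```python
import re

TASK_RE = re.compile(r"^TASK \[(?:(?P<role>[^\]:]+?) : )?(?P<name>[^\]]+)\]")
RESULT_RE = re.compile(r"^(?P<status>\w+): \[(?P<host>[^\]]+)\]")

def role_changes(log_text, role):
    """Return (task, host) pairs where a task of `role` reported 'changed'."""
    hits, current = [], None
    for line in log_text.splitlines():
        task = TASK_RE.match(line)
        if task:
            # Track only tasks that belong to the role under review.
            current = task.group("name") if task.group("role") == role else None
            continue
        result = RESULT_RE.match(line)
        if result and current and result.group("status") == "changed":
            hits.append((current, result.group("host")))
    return hits

def rewritten_files(before, after):
    """Compare two `ls -la` listings; return files whose size or mtime differ."""
    def index(listing):
        entries = {}
        for line in listing.splitlines():
            f = line.split()
            if len(f) >= 9 and f[0].startswith("-"):  # regular files only
                entries[f[8]] = (f[4], " ".join(f[5:8]))
        return entries
    old, new = index(before), index(after)
    return sorted(name for name in new if name in old and new[name] != old[name])

# Sample input adapted from the log and listings quoted in this report.
SAMPLE_LOG = """\
TASK [openshift_named_certificates : Ensure named certificate directory exists] ****
ok: [x.x.x.x]
TASK [openshift_named_certificates : Land named certificates] ****
changed: [x.x.x.x] => (item={'certfile': u'/tmp/7397/custom1.crt'})
TASK [openshift_named_certificates : Land named certificate keys] ****
changed: [x.x.x.x] => (item={'keyfile': u'/tmp/7397/custom1.key'})
"""
BEFORE = """\
-rw-r--r--. 1 root root 3869 Feb 13 06:31 custom1.crt
-rw-------. 1 root root  887 Feb 13 06:31 custom1.key
"""
AFTER = BEFORE.replace("06:31", "20:54")

if __name__ == "__main__":
    print(role_changes(SAMPLE_LOG, "openshift_named_certificates"))
    print(rewritten_files(BEFORE, AFTER))
```

An empty result from both functions corresponds to the fixed behaviour verified in Comment 5; `ls` timestamps have minute granularity, so a checksum comparison is stricter where it matters.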

Comment 8 errata-xmlrpc 2018-04-12 05:59:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1106

