Brief Description
------------------------------------------
platform cert migration playbook fails at task mgmt alarms check

Severity
-------------------------------------------
Major

Steps to Reproduce
-------------------------------------------
1) Create the following deploy (issuer.yaml): a self-signing ClusterIssuer, a self-signed root CA Certificate, an Issuer backed by that root, and an intermediate CA (ICA) Certificate issued from it.
{code:yaml}
---
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: system-selfsigning-issuer
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: cloudplatform-rootca-certificate
spec:
  secretName: cloudplatform-rootca-certificate
  commonName: "cloudplatform-rootca"
  isCA: true
  duration: 30681h0m0s
  renewBefore: 720h0m0s
  issuerRef:
    name: system-selfsigning-issuer
    kind: ClusterIssuer
---
apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
  name: cloudplatform-rootca-issuer
spec:
  ca:
    secretName: cloudplatform-rootca-certificate
---
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: cloudplatform-interca-certificate
spec:
  secretName: cloudplatform-interca-certificate
  commonName: "cloudplatform-interca"
  isCA: true
  duration: 30681h0m0s
  renewBefore: 720h0m0s
  issuerRef:
    name: cloudplatform-rootca-issuer
    kind: Issuer
{code}
{code:bash}
kubectl create -f issuer.yaml
{code}

2) Once the certificate is issued, gather the crt and key data. The Secret fields are already base64-encoded, and the inventory in step 3 takes these base64 values as-is.
{code:bash}
[sysadmin@controller-0 ~(keystone_admin)]$ echo $(kubectl get secrets cloudplatform-interca-certificate -o jsonpath='{.data.tls\.crt}')
base64...
[sysadmin@controller-0 ~(keystone_admin)]$ echo $(kubectl get secrets cloudplatform-interca-certificate -o jsonpath='{.data.tls\.key}')
base64...
{code}

3) Create the following inventory file (migration-inventory.yml) with the above values.
{code:yaml}
all:
  vars:
    ica_cert: base64
    ica_key: base64
  children:
    target_group:
      vars:
        dns_domain: mydomain
        duration: 2160h # 90d
        renewBefore: 360h # 15d
        subject_C: Canada
        subject_ST: Ontario
        subject_L: Ottawa
        subject_O: myorganization
        subject_OU: engineering
        subject_CN: myorganization.com
        subject_prefix: starlingx2
        # SSH password to connect to all subclouds
        ansible_ssh_user: sysadmin
        ansible_ssh_pass: pwd*
        # Sudo password
        ansible_become_pass: pwd*
{code}

4) Now run the playbook.
{code:none}
[sysadmin@controller-0 ~(keystone_admin)]$ ansible-playbook /usr/share/ansible/stx-ansible/playbooks/migrate-platform-certificates-to-certmanager.yml -i migration-inventory.yml --extra-vars "target_list=localhost mode=update" --ask-vault-pass
Vault password:
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'

PLAY [localhost] ***************************************************************

TASK [Fail if target_list is not defined] **************************************
Friday 21 January 2022 21:47:14 +0000 (0:00:00.064) 0:00:00.064 ********
skipping: [localhost]

TASK [Get online subclouds from dcmanager] *************************************
Friday 21 January 2022 21:47:14 +0000 (0:00:00.015) 0:00:00.080 ********
skipping: [localhost]

TASK [Add host to target_group] ************************************************
Friday 21 January 2022 21:47:14 +0000 (0:00:00.013) 0:00:00.093 ********
skipping: [localhost]

TASK [Get subcloud from extra-vars] ********************************************
Friday 21 January 2022 21:47:14 +0000 (0:00:00.015) 0:00:00.108 ********
changed: [localhost] => (item=localhost)
[WARNING]: A duplicate localhost-like entry was found (localhost). First found localhost was localhost

TASK [migrate-platform-certificates-to-certmanager/install-trusted-ca : Save the specified ICA to a file] ****
Friday 21 January 2022 21:47:14 +0000 (0:00:00.026) 0:00:00.135 ********
changed: [localhost]

TASK [migrate-platform-certificates-to-certmanager/install-trusted-ca : Get CA information from certificate] ****
Friday 21 January 2022 21:47:15 +0000 (0:00:00.402) 0:00:00.538 ********
changed: [localhost]

TASK [migrate-platform-certificates-to-certmanager/install-trusted-ca : Fail when ICA certificate is not an actual CA certificate] ****
Friday 21 January 2022 21:47:15 +0000 (0:00:00.208) 0:00:00.746 ********
skipping: [localhost]

TASK [migrate-platform-certificates-to-certmanager/install-trusted-ca : Get years for ICA duration validation] ****
Friday 21 January 2022 21:47:15 +0000 (0:00:00.025) 0:00:00.771 ********
ok: [localhost]

TASK [migrate-platform-certificates-to-certmanager/install-trusted-ca : Check that ICA certificate remaining duration is longer than 3 years] ****
Friday 21 January 2022 21:47:15 +0000 (0:00:00.062) 0:00:00.834 ********
changed: [localhost]

TASK [migrate-platform-certificates-to-certmanager/install-trusted-ca : Fail when ICA certificate remaining duration is shorter than 3 years] ****
Friday 21 January 2022 21:47:15 +0000 (0:00:00.211) 0:00:01.045 ********
skipping: [localhost]

TASK [migrate-platform-certificates-to-certmanager/install-trusted-ca : Install ICA] ****
Friday 21 January 2022 21:47:15 +0000 (0:00:00.017) 0:00:01.063 ********
changed: [localhost]

PLAY [target_group] ************************************************************
Friday 21 January 2022 21:47:22 +0000 (0:00:07.016) 0:00:08.079 ********
included: /usr/share/ansible/stx-ansible/playbooks/roles/migrate-platform-certificates-to-certmanager/migrate-certificates/tasks/check-for-management-alarms.yml for localhost
Friday 21 January 2022 21:47:22 +0000 (0:00:00.034) 0:00:08.114 ********

TASK [migrate-platform-certificates-to-certmanager/migrate-certificates : Check for management affecting alarms] ****
changed: [localhost]
Friday 21 January 2022 21:47:25 +0000 (0:00:02.941) 0:00:11.055 ********

TASK [migrate-platform-certificates-to-certmanager/migrate-certificates : Fail when there are management alarms] ****
fatal: [localhost]: FAILED! => changed=false
  msg: There are management affecting alarms present on the target system. Execution will not continue. No certificates were migrated. After a careful analysis of the alarms, retry this target with extra-var ignore-alarms=yes
Friday 21 January 2022 21:47:25 +0000 (0:00:00.048) 0:00:11.104 ********

TASK [migrate-platform-certificates-to-certmanager/migrate-certificates : debug] ****
ok: [localhost] =>
  msg: Failed to migrate platform certificates to cert-manager. Please find backups of the previous certificates in /home/sysadmin/certificates_backup.
Friday 21 January 2022 21:47:25 +0000 (0:00:00.044) 0:00:11.149 ********

TASK [migrate-platform-certificates-to-certmanager/migrate-certificates : Show backups of certificates] ****
fatal: [localhost]: FAILED! => changed=true
  cmd:
  - ls
  - -lR
  - /home/sysadmin/certificates_backup
  delta: '0:00:00.002146'
  end: '2022-01-21 21:47:26.042180'
  msg: non-zero return code
  rc: 2
  start: '2022-01-21 21:47:26.040034'
  stderr: 'ls: cannot access /home/sysadmin/certificates_backup: No such file or directory'
  stderr_lines:
  - 'ls: cannot access /home/sysadmin/certificates_backup: No such file or directory'
  stdout: ''
  stdout_lines:

PLAY RECAP *********************************************************************
localhost : ok=9 changed=6 unreachable=0 failed=2
Friday 21 January 2022 21:47:26 +0000 (0:00:00.288) 0:00:11.437 ********
===============================================================================
migrate-platform-certificates-to-certmanager/install-trusted-ca : Install ICA ---------------------------------------------------------------------- 7.02s
migrate-platform-certificates-to-certmanager/migrate-certificates : Check for management affecting alarms --------------------------------------- 2.94s
migrate-platform-certificates-to-certmanager/install-trusted-ca : Save the specified ICA to a file ---------------------------------------------- 0.40s
migrate-platform-certificates-to-certmanager/migrate-certificates : Show backups of certificates ------------------------------------------------ 0.29s
migrate-platform-certificates-to-certmanager/install-trusted-ca : Check that ICA certificate remaining duration is longer than 3 years ---------- 0.21s
migrate-platform-certificates-to-certmanager/install-trusted-ca : Get CA information from certificate ------------------------------------------- 0.21s
migrate-platform-certificates-to-certmanager/install-trusted-ca : Get years for ICA duration validation ----------------------------------------- 0.06s
migrate-platform-certificates-to-certmanager/migrate-certificates : Fail when there are management alarms --------------------------------------- 0.05s
migrate-platform-certificates-to-certmanager/migrate-certificates : debug ----------------------------------------------------------------------- 0.04s
migrate-platform-certificates-to-certmanager/migrate-certificates : Check for management affecting alarms --------------------------------------- 0.03s
Get subcloud from extra-vars -------------------------------------------------------------------------------------------------------------------- 0.03s
migrate-platform-certificates-to-certmanager/install-trusted-ca : Fail when ICA certificate is not an actual CA certificate --------------------- 0.03s
migrate-platform-certificates-to-certmanager/install-trusted-ca : Fail when ICA certificate remaining duration is shorter than 3 years ---------- 0.02s
Fail if target_list is not defined -------------------------------------------------------------------------------------------------------------- 0.02s
Add host to target_group ------------------------------------------------------------------------------------------------------------------------ 0.02s
Get online subclouds from dcmanager ------------------------------------------------------------------------------------------------------------- 0.01s
{code}

The playbook fails on the "Check for management affecting alarms" task even though there are no alarms on the system; the ICA pre-checks in the install-trusted-ca role (actual CA, more than 3 years remaining) had already passed:
{code:bash}
[sysadmin@controller-0 ~(keystone_admin)]$ fm alarm-list
[sysadmin@controller-0 ~(keystone_admin)]$
{code}

Note that the subsequent "Show backups of certificates" task also fails, because the failure happened before any certificate was touched and /home/sysadmin/certificates_backup was never created; that second failure is a consequence of the first, not a separate defect.

Expected Behavior
-------------------------------------------
The playbook should complete without errors when no management-affecting alarms are present.

Actual Behavior
-------------------------------------------
The playbook fails at the management alarm check.

Reproducibility
-------------------------------------------
100%

System Configuration
-------------------------------------------
ipv4

*+Branch/Pull Time/Commit+*
{code:none}
###
### Wind River Cloud Platform
###     Release 22.02
###
###     Wind River Systems, Inc.
###

SW_VERSION="22.02"
BUILD_TARGET="Host Installer"
BUILD_TYPE="Formal"
BUILD_ID="2022-01-20_20-25-15"

SRC_BUILD_ID="1151"
{code}

Last Pass
-------------------------------------------
new feature testing

Test Activity
-------------------------------------------
Feature testing

Workaround
-------------------------------------------
Run the playbook with extra-var ignore_alarms=yes (the playbook's failure message spells it ignore-alarms=yes with a hyphen; the workaround uses the underscore form as shown below).

Example:
{code:bash}
ansible-playbook /usr/share/ansible/stx-ansible/playbooks/migrate-platform-certificates-to-certmanager.yml -i inventory.yml --extra-vars "target_list=localhost mode=update ignore_alarms=yes" --ask-vault-pass
{code}
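As an added pre-flight check (example code written for this page, not part of the StarlingX playbook or of this report): before pasting the base64 values from step 2 into the inventory in step 3, decode the ICA locally and verify the two properties the install-trusted-ca role enforces in the run above, namely that the certificate is an actual CA (Basic Constraints CA:TRUE) and that it has more than 3 years of validity remaining, so a bad ICA is caught before any playbook run. Only the openssl and base64 command-line tools are used; the function names, the exit codes and the 3 x 365-day threshold are assumptions modelled on the task names in the log, not the playbook's own logic.

```shell
#!/bin/sh
# Added example, not part of the StarlingX migration playbook: local pre-flight
# checks on the intermediate CA (ICA) before it goes into the inventory file.
# Assumes GNU base64 and an openssl CLI; the 3 x 365-day threshold is an
# assumption modelled on the playbook's "longer than 3 years" task.
set -eu

THREE_YEARS_SECONDS=$((3 * 365 * 24 * 3600))

# Decode one base64 Secret field (the value printed by the kubectl jsonpath
# query in step 2) into PEM on stdout.
decode_secret_field() {
    printf '%s' "$1" | base64 -d
}

# Succeed only if the PEM certificate in file $1 carries CA:TRUE in its
# X509v3 Basic Constraints extension; a leaf or constraint-less cert fails.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'X509v3 Basic Constraints' \
        | grep -q 'CA:TRUE'
}

# Succeed only if the certificate in file $1 does not expire within $2 seconds.
# openssl x509 -checkend exits 0 when the certificate outlives the window.
has_remaining_validity() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Run both checks on a PEM file. Exit status: 0 ok, 1 not a CA,
# 2 fewer than three years remaining, 3 unreadable certificate.
check_ica() {
    ica_pem="$1"
    if ! openssl x509 -in "$ica_pem" -noout >/dev/null 2>&1; then
        echo "$ica_pem: not a readable PEM certificate" >&2
        return 3
    fi
    if ! is_ca_cert "$ica_pem"; then
        echo "$ica_pem: not a CA certificate (Basic Constraints CA:TRUE missing)" >&2
        return 1
    fi
    if ! has_remaining_validity "$ica_pem" "$THREE_YEARS_SECONDS"; then
        echo "$ica_pem: fewer than 3 years of validity remaining" >&2
        return 2
    fi
    echo "$ica_pem: CA:TRUE and more than 3 years remaining"
    return 0
}

# Usage, mirroring step 2 of the report: pull the base64 field from the Secret,
# decode it to a file and check it before writing it into ica_cert.
# ICA_B64=$(kubectl get secrets cloudplatform-interca-certificate -o jsonpath='{.data.tls\.crt}')
# decode_secret_field "$ICA_B64" > /tmp/ica.pem && check_ica /tmp/ica.pem
```

The check only covers what the playbook itself validates about the ICA; it says nothing about the management-alarm check that actually fails in the run above, which depends on the target system's alarm state rather than on the certificate.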