Bug 1707839

Summary: cert regeneration command does not fix CSR signer
Product: OpenShift Container Platform
Reporter: David Eads <deads>
Component: Master
Assignee: David Eads <deads>
Status: CLOSED ERRATA
QA Contact: Xingxing Xia <xxia>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 4.1.0
CC: aos-bugs, gblomqui, jokerman, maszulik, mmccomas, tnozicka
Target Milestone: ---
Target Release: 4.1.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-04 10:48:34 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description David Eads 2019-05-08 14:13:25 UTC
The CSR signer is used to sign for kubelet client-certs.  Without valid kubelet signer certs, the kubelet's signed CSR is not trusted by the kube-apiserver.  Without being trusted by the kube-apiserver, it's not possible for the kubelet to get a list of pods to create.  Without a list of pods to create, the kubelet will never create a new operator pod.  Without a new operator pod, the rest of control-plane recovery will not happen.  Without the control-plane up, the rest of the cluster never comes back.
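
The trust dependency in the description above, as an added example that is not part of the original bug report or the operator's code: a client certificate is accepted only if it chains to a signer present in the verifier's CA bundle. The CA names, node name and temporary files are constructed, `openssl` is assumed to be installed, and a missing signer stands in for "no valid signer"; the operator's actual regeneration logic is not reproduced.

```shell
#!/usr/bin/env bash
# Constructed demo: every CA name, subject and file below is made up for illustration.

# Return 0 if CERT chains to a CA in BUNDLE and is within its validity period.
cert_trusted_by() {
  local bundle="$1" cert="$2"
  openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1
}

# Create a self-signed CA called NAME in DIR (NAME.key / NAME.crt).
make_ca() {
  local dir="$1" name="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$name" \
    -keyout "$dir/$name.key" -out "$dir/$name.crt" >/dev/null 2>&1
}

# Issue a client certificate for SUBJECT signed by CA; writes OUT.crt in DIR.
sign_client_cert() {
  local dir="$1" ca="$2" subject="$3" out="$4"
  openssl req -newkey rsa:2048 -nodes -subj "$subject" \
    -keyout "$dir/$out.key" -out "$dir/$out.csr" >/dev/null 2>&1
  openssl x509 -req -in "$dir/$out.csr" -CA "$dir/$ca.crt" -CAkey "$dir/$ca.key" \
    -CAcreateserial -days 1 -out "$dir/$out.crt" >/dev/null 2>&1
}

# Run the scenario and echo "<result without signer> <result with signer>".
demo() {
  local d before=untrusted after=untrusted
  d=$(mktemp -d)
  make_ca "$d" csr-signer     # issues the kubelet client certificate
  make_ca "$d" client-ca      # verifier's trust bundle that lacks the signer
  sign_client_cert "$d" csr-signer "/O=system:nodes/CN=system:node:node-1" kubelet

  # The verifier's bundle does not contain the signer: the kubelet cert is rejected.
  cert_trusted_by "$d/client-ca.crt" "$d/kubelet.crt" && before=trusted

  # The bundle also carries the signer: the same cert now verifies.
  cat "$d/client-ca.crt" "$d/csr-signer.crt" > "$d/bundle.crt"
  cert_trusted_by "$d/bundle.crt" "$d/kubelet.crt" && after=trusted

  rm -rf "$d"
  echo "$before $after"
}
```

`cert_trusted_by` can be pointed at any PEM CA bundle and client certificate to confirm, after a recovery step, that the certificate still chains to a signer in that bundle.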

Comment 1 David Eads 2019-05-08 14:14:15 UTC
https://github.com/openshift/cluster-kube-apiserver-operator/pull/469 addresses this

Comment 2 Greg Blomquist 2019-05-08 14:24:22 UTC
Disaster Recovery Fix.  Making this a 4.1.0 blocker.

Comment 5 Xingxing Xia 2019-05-16 06:52:16 UTC
Maciej, I see you reviewed the above fix PR. WDYT about the above question of the steps to verify this bug? Thank you in advance.

Comment 6 Maciej Szulik 2019-05-16 08:22:23 UTC
I'll defer to Tomas since he worked on the overall recovery tooling.

Comment 10 errata-xmlrpc 2019-06-04 10:48:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0758