Bug 1747183

Summary: machine-approver cannot rebootstrap on a cluster with expired kubelet client credentials
Product: OpenShift Container Platform Reporter: David Eads <deads>
Component: Cloud ComputeAssignee: Jan Chaloupka <jchaloup>
Status: CLOSED DUPLICATE QA Contact: Jianwei Hou <jhou>
Severity: medium Docs Contact:
Priority: medium    
Version: 4.2.0CC: agarcial, gblomqui, mpatel
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-09-04 10:25:31 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description David Eads 2019-08-29 20:15:35 UTC 
I'm looking for the cloud team which I think picked up the machine-approver. It is not owned by auth.

Even with a valid bootstrap credential (see https://bugzilla.redhat.com/show_bug.cgi?id=1735180 and https://github.com/openshift/machine-config-operator/pull/1027), the CSR is never approved unless the machine-approver is already running.  This isn't always the case, consider resuming a cluster's VMs.

The current workaround is to manually approve. I find this to be a reasonable short-term workaround, but it probably needs to be documented.
Comment 1 David Eads 2019-08-29 20:22:59 UTC 
this is the command I used. `oc get csr -oname | xargs oc adm certificate approve`
Comment 2 Alberto 2019-09-04 10:25:31 UTC 

*** This bug has been marked as a duplicate of bug 1737611 ***