Bug 1813937

Summary: recovery is stuck on kube-system::extension-apiserver-authentication::requestheader-client-ca-file configmap
Product: OpenShift Container Platform Reporter: Tomáš Nožička <tnozicka>
Component: kube-controller-managerAssignee: Tomáš Nožička <tnozicka>
Status: CLOSED ERRATA QA Contact: zhou ying <yinzhou>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 4.4CC: aos-bugs, maszulik, mfojtik
Target Milestone: ---   
Target Release: 4.5.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
: 1813938 1813947 (view as bug list) Environment:
Last Closed: 2020-07-13 17:20:18 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1813938, 1813947    

Description Tomáš Nožička 2020-03-16 14:22:25 UTC 
Server Version: 4.4.0-0.nightly-2020-03-12-152413
Kubernetes Version: v1.17.1

kube-controller-manager-recovery-controller container logs:

E0316 14:12:33.320759       1 configmap_cafile_content.go:246] key failed with : missing content for CA bundle "client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file"
E0316 14:13:24.063412       1 configmap_cafile_content.go:246] kube-system/extension-apiserver-authentication failed with : missing content for CA bundle "client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file"



it blocks the recovery controller from starting
Comment 3 zhou ying 2020-03-18 06:48:25 UTC 
Confirmed with payload: 4.5.0-0.nightly-2020-03-18-022051, can't reproduce the issue now after certificate recovery:
[root@dhcp-140-138 ~]# oc logs -f po/kube-controller-manager-ip-xxxxx -c kube-controller-manager-recovery-controller
W0318 06:22:35.423538       1 cmd.go:200] Using insecure, self-signed certificates
I0318 06:22:35.423917       1 crypto.go:580] Generating new CA for cert-recovery-controller-signer@1584512555 cert, and key in /tmp/serving-cert-915852097/serving-signer.crt, /tmp/serving-cert-915852097/serving-signer.key
I0318 06:22:35.925252       1 observer_polling.go:155] Starting file observer
I0318 06:22:35.950329       1 leaderelection.go:242] attempting to acquire leader lease  openshift-kube-controller-manager/cert-recovery-controller-lock...
Comment 5 errata-xmlrpc 2020-07-13 17:20:18 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2409