Bug 1820243

Summary: [4.2] node-ca daemonset toleration conflicts with clusterlogging CR
Product: OpenShift Container Platform Reporter: Oleg Bulatov <obulatov>
Component: Image RegistryAssignee: Oleg Bulatov <obulatov>
Status: CLOSED ERRATA QA Contact: Wenjing Zheng <wzheng>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 4.2.zCC: adam.kaplan, aos-bugs, ChetRHosey, ddreggor, hcisneir, wzheng, xiuwang
Target Milestone: ---   
Target Release: 4.2.z   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Cause: the nodeca daemon didn't tolerate the NoExecute taint, but ClusterLogging documentation recommends to use NoExecute Consequence: the nodeca daemon doesn't manage certificates on such nodes Fix: tolerate all taints Result: additionalTrustedCA are synced to all nodes with any taints
 Story Points: ---
Clone Of: 1820242 Environment:
Last Closed: 2020-05-13 11:07:19 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1820242    
Bug Blocks:    

Comment 3 XiuJuan Wang 2020-05-06 06:26:22 UTC 
After add taints to nodes to only run Logging components, the node-ca pods don't be deleted. Verified on 4.2.0-0.nightly-2020-05-05-113123 cluster.

$oc adm taint nodes ip-10-0-159-150.us-east-2.compute.internal logging=true:NoExecute
node/ip-10-0-159-150.us-east-2.compute.internal tainted

$oc get node ip-10-0-159-150.us-east-2.compute.internal  -o yaml | grep taint -A 4
  taints:
  - effect: NoExecute
    key: logging
    value: "true"

$ oc get pods -o wide
NAME                                               READY   STATUS    RESTARTS   AGE    IP            NODE                                         NOMINATED NODE   READINESS GATES
cluster-image-registry-operator-79f9bc487b-blbmg   2/2     Running   0          115m   10.129.0.27   ip-10-0-172-137.us-east-2.compute.internal   <none>           <none>
image-registry-7b77849cf-dngp7                     1/1     Running   0          115m   10.131.0.6    ip-10-0-173-90.us-east-2.compute.internal    <none>           <none>
node-ca-6pmbq                                      1/1     Running   0          115m   10.129.0.30   ip-10-0-172-137.us-east-2.compute.internal   <none>           <none>
node-ca-dcdnp                                      1/1     Running   0          115m   10.130.0.21   ip-10-0-131-9.us-east-2.compute.internal     <none>           <none>
node-ca-llzw6                                      1/1     Running   0          115m   10.129.2.2    ip-10-0-159-150.us-east-2.compute.internal   <none>           <none>
node-ca-rq9xh                                      1/1     Running   0          115m   10.128.0.32   ip-10-0-159-249.us-east-2.compute.internal   <none>           <none>
node-ca-s2k7h                                      1/1     Running   0          115m   10.128.2.2    ip-10-0-129-102.us-east-2.compute.internal   <none>           <none>
node-ca-v2dd2                                      1/1     Running   0          115m   10.131.0.3    ip-10-0-173-90.us-east-2.compute.internal    <none>           <none>
Comment 5 errata-xmlrpc 2020-05-13 11:07:19 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2023