Description
OpenShift BugZilla Robot
2020-05-08 13:59:41 UTC
This is a clone of Bug #1822200. This is the description of that bug:
Description of problem:
We deployed a cluster into an existing AWS VPC (eu-central).
The VPC is enabled with enableDnsSupport, enableDnsHostnames and DHCP options are set to domain-name = aws.example.com; domain-name-servers = AmazonProvidedDNS;
After the deployment is ready, the CSRs are not approved by the machine-approver.
Version-Release number of selected component (if applicable):
4.4 rc.6
How reproducible:
After the deployment is ready check CSRs
Steps to Reproduce:
1. Create VPC with all requirements https://docs.openshift.com/container-platform/4.3/installing/installing_aws/installing-aws-vpc.html#installation-custom-aws-vpc-requirements_installing-aws-vpc
2. Enable options enableDnsSupport and enableDnsHostnames for the VPC
3. Set up DHCP options to domain-name = aws.example.com; domain-name-servers = AmazonProvidedDNS;
4. Create a Route53 private zone aws.example.com and attach it to the VPC
5. Deploy the cluster into the existing VPC
Actual results:
CSRs are pending
Expected results:
CSRs are approved
Additional info:
We tracked down the issue to https://github.com/openshift/cluster-api-provider-aws/blob/release-4.4/pkg/actuators/machine/utils.go#L404-L408
The EC2 instance PrivateDNS points to ip-xx-xx-xx-xx.eu-central-1.compute.internal, but the kubelet reads the hostname from the meta-data service (http://169.254.169.254/latest/meta-data/hostname), which will result in ip-xx-xx-xx-xx.eu-central-1.aws.example.com.
The problem is that the Machine object has different addresses than the Node object, and this causes the machine approver to reject the CSR.
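
The mismatch described above can be reproduced offline with the following added example, which is not code from the machine approver or cluster-api-provider-aws. It assumes a simplified rule (every SAN in the CSR must appear among the Machine's addresses); the function names sanMismatch and sampleCSR, the hostnames and the IP address are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"net"
)

// sanMismatch lists CSR SANs (DNS names, IPs) absent from the Machine's addresses (assumed rule).
func sanMismatch(csrPEM []byte, machineAddrs []string) ([]string, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, fmt.Errorf("input is not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	known := map[string]bool{}
	for _, a := range machineAddrs {
		known[a] = true
	}
	sans := append([]string{}, csr.DNSNames...)
	for _, ip := range csr.IPAddresses {
		sans = append(sans, ip.String())
	}
	var missing []string
	for _, s := range sans {
		if !known[s] {
			missing = append(missing, s)
		}
	}
	return missing, nil
}

// sampleCSR builds a constructed CSR carrying one DNS SAN and one IP SAN.
func sampleCSR(host, ip string) []byte {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.CertificateRequest{DNSNames: []string{host}, IPAddresses: []net.IP{net.ParseIP(ip)}}
	der, _ := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
}

func main() {
	csr := sampleCSR("ip-10-0-1-23.eu-central-1.aws.example.com", "10.0.1.23") // constructed names
	fmt.Println(sanMismatch(csr, []string{"10.0.1.23", "ip-10-0-1-23.eu-central-1.compute.internal"}))
}
```

The IP SAN matches the Machine's address, so only the DHCP-domain hostname is reported; this is the name that differs between the Node and the Machine.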