Bug 1915114

Summary: [aws-c2s] worker machines are not created during install
Product: OpenShift Container Platform
Reporter: Matthew Staebler <mstaeble>
Component: Installer
Assignee: Matthew Staebler <mstaeble>
Installer sub component: openshift-installer
QA Contact: Yunfei Jiang <yunjiang>
Status: CLOSED ERRATA
Severity: urgent
Priority: urgent
Keywords: TestBlocker
Version: 4.7
Target Release: 4.7.0
Hardware: Unspecified
OS: Unspecified
Doc Type: No Doc Update
Doc Text: This is a bug in new functionality.
Last Closed: 2021-02-24 15:51:54 UTC
Type: Bug

Description Matthew Staebler 2021-01-12 01:44:15 UTC
When installing in the AWS C2S region, the worker machines are not created. The machine API is not using the required certificate for accessing the C2S AWS API.

I0112 01:18:12.306603       1 controller.go:168] mstaeble-vjzs6-worker-us-iso-east-1a-5t2f6: reconciling Machine
I0112 01:18:12.306635       1 actuator.go:100] mstaeble-vjzs6-worker-us-iso-east-1a-5t2f6: actuator checking if machine exists
E0112 01:18:12.694943       1 reconciler.go:236] mstaeble-vjzs6-worker-us-iso-east-1a-5t2f6: error getting existing instances: RequestError: send request failed
caused by: Post "https://ec2.us-iso-east-1.c2s.ic.gov/": x509: certificate signed by unknown authority
E0112 01:18:12.694971       1 controller.go:271] mstaeble-vjzs6-worker-us-iso-east-1a-5t2f6: failed to check if machine exists: RequestError: send request failed
caused by: Post "https://ec2.us-iso-east-1.c2s.ic.gov/": x509: certificate signed by unknown authority
E0112 01:18:12.695022       1 controller.go:267] controller-runtime/manager/controller/machine_controller "msg"="Reconciler error" "error"="RequestError: send request failed\ncaused by: Post \"https://ec2.us-iso-east-1.c2s.ic.gov/\": x509: certificate signed by unknown authority" "name"="mstaeble-vjzs6-worker-us-iso-east-1a-5t2f6" "namespace"="openshift-machine-api"
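
The failure mode in the log above, reproduced as an added example (not code from this bug, the installer, or the machine API fix): a Go HTTPS client fails with an unknown-authority error against an endpoint whose certificate chains to a private CA, and succeeds once that CA is added to its root pool. The helper names and the local test server standing in for the C2S endpoint are assumptions; only the standard library is used.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// clientWithBundle (hypothetical helper) trusts the system roots plus the PEM CAs in bundle.
// A nil bundle means system roots only, which is the situation the log above shows.
func clientWithBundle(bundle []byte) (*http.Client, error) {
	pool, err := x509.SystemCertPool()
	if err != nil || pool == nil {
		pool = x509.NewCertPool()
	}
	if bundle != nil && !pool.AppendCertsFromPEM(bundle) {
		return nil, errors.New("no certificates parsed from bundle")
	}
	tlsCfg := &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: tlsCfg, DisableKeepAlives: true}}, nil
}

// probe requests url and reports whether the failure was "certificate signed by unknown authority".
func probe(c *http.Client, url string) (bool, error) {
	resp, err := c.Get(url)
	if err != nil {
		return errors.As(err, new(x509.UnknownAuthorityError)), err
	}
	resp.Body.Close()
	return false, nil
}

// demo runs both clients against a constructed local TLS server with a private certificate.
func demo() (failsWithoutBundle, succeedsWithBundle bool) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	defer srv.Close()
	// Constructed trust bundle: the test server's own certificate, PEM-encoded (always valid).
	bundle := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	plain, _ := clientWithBundle(nil)
	failsWithoutBundle, _ = probe(plain, srv.URL)
	trusted, _ := clientWithBundle(bundle)
	_, err := probe(trusted, srv.URL)
	return failsWithoutBundle, err == nil
}

func main() { fmt.Println(demo()) }
```

Appending to the system pool rather than replacing it keeps public endpoints verifiable while adding the private CA; certificate verification is never disabled.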

Comment 4 Yunfei Jiang 2021-01-22 05:53:21 UTC
verified. PASS.
OCP version: 4.7.0-0.nightly-2021-01-21-090809

> ./oc get node
NAME                           STATUS   ROLES    AGE   VERSION
ip-10-143-1-15.ec2.internal    Ready    worker   18h   v1.20.0+d9c52cc
ip-10-143-1-165.ec2.internal   Ready    worker   19h   v1.20.0+d9c52cc
ip-10-143-1-201.ec2.internal   Ready    master   19h   v1.20.0+d9c52cc
ip-10-143-1-206.ec2.internal   Ready    worker   19h   v1.20.0+d9c52cc
ip-10-143-1-239.ec2.internal   Ready    master   19h   v1.20.0+d9c52cc
ip-10-143-1-4.ec2.internal     Ready    master   19h   v1.20.0+d9c52cc

Comment 7 errata-xmlrpc 2021-02-24 15:51:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633