Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1622710

Summary: [3.10] RotateKubeletServerCertificate feature gate sometimes can not return current certificate
Product: OpenShift Container Platform Reporter: Scott Dodson <sdodson>
Component: InstallerAssignee: Michael Gugino <mgugino>
Status: CLOSED ERRATA QA Contact: Johnny Liu <jialiu>
Severity: high Docs Contact:
Priority: high    
Version: 3.10.0CC: akostadi, aos-bugs, bleanhar, ccoleman, dma, hongli, jialiu, jiazha, jkaur, jmalde, jokerman, juriarte, mbruzek, mgugino, mifiedle, mmccomas, rbost, sgaikwad, vlaad, wjiang, wmeng, xtian
Target Milestone: ---Keywords: Reopened
Target Release: 3.10.z   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1571515 Environment:
Last Closed: 2018-09-04 07:10:49 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1571515    
Bug Blocks:    

Comment 1 Scott Dodson 2018-08-27 19:53:31 UTC 
3.10 backport https://github.com/openshift/openshift-ansible/pull/9751
Comment 2 Scott Dodson 2018-08-28 17:38:15 UTC 
In openshift-ansible-3.10.36-1+
Comment 3 Matt Bruzek 2018-08-28 21:25:55 UTC 
I got time on the cluster and was able to run the openshift-ansible master branch that had https://github.com/openshift/openshift-ansible/pull/9800 landed.

I did not get any CSR related issues, and watched the CSRs get approved. The install did not complete for other reasons that appear to be unrelated to the CSR issue.

Thanks!
Comment 4 Matt Bruzek 2018-08-28 21:26:05 UTC 
I got time on the cluster and was able to run the openshift-ansible master branch that had https://github.com/openshift/openshift-ansible/pull/9800 landed.

I did not get any CSR related issues, and watched the CSRs get approved. The install did not complete for other reasons that appear to be unrelated to the CSR issue.

Thanks!
Comment 6 Johnny Liu 2018-08-30 02:52:49 UTC 
In recent daily testing, did not hit such issue.

Verified this bug with openshift-ansible-3.10.41-1.git.0.fd15dd7.el7.noarch, and PASS.

3 master + 2 infra nodes + 2 compute nodes

[root@qe-jialiu310z-master-etcd-1 ~]# oc get node
NAME                          STATUS    ROLES     AGE       VERSION
qe-jialiu310z-master-etcd-1   Ready     master    12m       v1.10.0+b81c8f8
qe-jialiu310z-master-etcd-2   Ready     master    12m       v1.10.0+b81c8f8
qe-jialiu310z-master-etcd-3   Ready     master    12m       v1.10.0+b81c8f8
qe-jialiu310z-node-1          Ready     compute   8m        v1.10.0+b81c8f8
qe-jialiu310z-node-2          Ready     compute   8m        v1.10.0+b81c8f8
qe-jialiu310z-node-infra-1    Ready     infra     8m        v1.10.0+b81c8f8
qe-jialiu310z-node-infra-2    Ready     infra     8m        v1.10.0+b81c8f8


[root@qe-jialiu310z-master-etcd-1 ~]# oc get csr
NAME                                                   AGE       REQUESTOR                                                 CONDITION
csr-4l4hg                                              12m       system:admin                                              Approved,Issued
csr-4lstl                                              12m       system:admin                                              Approved,Issued
csr-5txzl                                              8m        system:node:qe-jialiu310z-node-1                          Approved,Issued
csr-5xwds                                              8m        system:node:qe-jialiu310z-node-infra-1                    Approved,Issued
csr-b6pcz                                              12m       system:admin                                              Approved,Issued
csr-d6s9x                                              9m        system:node:qe-jialiu310z-master-etcd-2                   Approved,Issued
csr-g4d85                                              8m        system:node:qe-jialiu310z-master-etcd-3                   Approved,Issued
csr-l8ngc                                              8m        system:node:qe-jialiu310z-node-infra-2                    Approved,Issued
csr-nn4mj                                              9m        system:node:qe-jialiu310z-master-etcd-3                   Approved,Issued
csr-nr74w                                              8m        system:node:qe-jialiu310z-master-etcd-1                   Approved,Issued
csr-nt66h                                              9m        system:node:qe-jialiu310z-master-etcd-1                   Approved,Issued
csr-pvmtv                                              12m       system:admin                                              Approved,Issued
csr-qbjv9                                              8m        system:node:qe-jialiu310z-master-etcd-2                   Approved,Issued
csr-sfxk8                                              12m       system:admin                                              Approved,Issued
csr-tw9nx                                              8m        system:node:qe-jialiu310z-node-2                          Approved,Issued
csr-vpkjz                                              12m       system:admin                                              Approved,Issued
node-csr-AqJ8l3NzCYjVlx7Cr389kIx-DHdMvOmUO0tySt2Hy4k   8m        system:serviceaccount:openshift-infra:node-bootstrapper   Approved,Issued
node-csr-WxMB-aiwjgta9QJFSLzf4xuWnGuoTYtizzSe99yK4uw   8m        system:serviceaccount:openshift-infra:node-bootstrapper   Approved,Issued
node-csr-kZL50Fxsyh2eeXSKyn14LqidM9krUXsIhRZncUcETLM   8m        system:serviceaccount:openshift-infra:node-bootstrapper   Approved,Issued
node-csr-wx62rG28vKVtf-PcteavQlW8hVXr6zMEW70vuNRfUzA   8m        system:serviceaccount:openshift-infra:node-bootstrapper   Approved,Issued

[root@qe-jialiu310z-master-etcd-1 ~]# oc -n kube-system exec master-etcd-qe-jialiu310z-master-etcd-3 -- rpm -q etcd
etcd-3.2.22-1.el7.x86_64
Comment 8 errata-xmlrpc 2018-09-04 07:10:49 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:2578
Comment 9 Robert Bost 2018-09-06 13:17:23 UTC 
*** Bug 1625295 has been marked as a duplicate of this bug. ***