Bug 1707839 - cert regeneration command does not fix CSR signer
Summary: cert regeneration command does not fix CSR signer
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Master
Version: 4.1.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Target Release: 4.1.0
Assignee: David Eads
QA Contact: Xingxing Xia
Depends On:
Reported: 2019-05-08 14:13 UTC by David Eads
Modified: 2019-06-04 10:48 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-06-04 10:48:34 UTC
Target Upstream Version:


System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:0758 0 None None None 2019-06-04 10:48:41 UTC

Description David Eads 2019-05-08 14:13:25 UTC
The CSR signer is used to sign for kubelet client-certs. Without valid kubelet signer certs, the kubelet's signed CSR is not trusted by the kube-apiserver. Without being trusted by the kube-apiserver, it's not possible for the kubelet to get a list of pods to create. Without a list of pods to create, the kubelet will never create a new operator pod. Without a new operator pod, the rest of control-plane recovery will not happen. Without the control-plane up, the rest of the cluster never comes back.

Comment 1 David Eads 2019-05-08 14:14:15 UTC
https://github.com/openshift/cluster-kube-apiserver-operator/pull/469 addresses this

Comment 2 Greg Blomquist 2019-05-08 14:24:22 UTC
Disaster Recovery Fix. Making this a 4.1.0 blocker.

Comment 5 Xingxing Xia 2019-05-16 06:52:16 UTC
Maciej, I see you reviewed the above fix PR. WDYT about the above question of the steps to verify this bug? Thank you in advance.

Comment 6 Maciej Szulik 2019-05-16 08:22:23 UTC
I'll defer to Tomas since he worked on the overall recovery tooling.

Comment 10 errata-xmlrpc 2019-06-04 10:48:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

