Document URL: https://docs.openshift.com/container-platform/4.1/installing/installing_vsphere/installing-vsphere.html (this would also apply to all UBI installs)

Section Number and Name: https://docs.openshift.com/container-platform/4.1/installing/installing_vsphere/installing-vsphere.html#installation-installing-bare-metal_installing-vsphere Creating cluster, steps 4 & 5

Describe the issue: The number of CSRs awaiting approval changes at the end of post-bootstrap. If the user were to approve per step 5 and the required CSRs to be signed are not all already available, this may cause an issue. I do not know the impact. Here is the output of 'oc get csr' with a time delta of around 50 seconds after the bootstrapping process has already completed. Note that the number of CSR entries changes.

[root@int-lb install]# oc get csr
NAME        AGE     REQUESTOR                                                                   CONDITION
csr-dtk9c   9m23s   system:serviceaccount:openshift-machine-config-operator:node-bootstrapper   Approved,Issued
csr-ggs2s   8m52s   system:serviceaccount:openshift-machine-config-operator:node-bootstrapper   Approved,Issued
csr-h8cjm   9m23s   system:serviceaccount:openshift-machine-config-operator:node-bootstrapper   Approved,Issued
csr-lvv5v   8m53s   system:serviceaccount:openshift-machine-config-operator:node-bootstrapper   Approved,Issued
csr-ssb67   9m      system:node:etcd-1                                                          Pending
csr-vlsnx   9m6s    system:node:etcd-2                                                          Pending
csr-vm4qb   8m45s   system:node:etcd-0                                                          Pending
csr-vrp2j   8m45s   system:node:worker-0                                                        Pending

[root@int-lb install]# oc get csr
NAME        AGE     REQUESTOR                                                                   CONDITION
csr-62mts   3s      system:node:etcd-0                                                          Pending
csr-c7qj8   3s      system:node:etcd-2                                                          Pending
csr-dtk9c   10m     system:serviceaccount:openshift-machine-config-operator:node-bootstrapper   Approved,Issued
csr-ggs2s   9m31s   system:serviceaccount:openshift-machine-config-operator:node-bootstrapper   Approved,Issued
csr-h8cjm   10m     system:serviceaccount:openshift-machine-config-operator:node-bootstrapper   Approved,Issued
csr-kk5mv   3s      system:node:worker-0                                                        Pending
csr-lvv5v   9m32s   system:serviceaccount:openshift-machine-config-operator:node-bootstrapper   Approved,Issued
csr-sqtqk   3s      system:node:etcd-1                                                          Pending
csr-ssb67   9m39s   system:node:etcd-1                                                          Pending
csr-vlsnx   9m45s   system:node:etcd-2                                                          Pending
csr-vm4qb   9m24s   system:node:etcd-0                                                          Pending
csr-vrp2j   9m24s   system:node:worker-0                                                        Pending

Suggestions for improvement: Clarify in the docs how many CSR entries are expected to show per node before the user should proceed with approval indicated in step 5. If possible, show an example output following a consistent example of a 3x masters and 1x worker deployment aligned with other outputs in the document.

Additional information:
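An added example, not part of the original report or of the OpenShift documentation: it parses the second `oc get csr` listing from the report, groups the pending requests by requestor (oldest first), and flags any pending requestor that is not an expected node before anything is approved. The four-column layout and the node names come from that listing; the function names are assumptions of this example.

```python
import re
from collections import defaultdict

BOOTSTRAPPER = "system:serviceaccount:openshift-machine-config-operator:node-bootstrapper"
# Sample input: the second listing quoted in the report (four-column layout assumed).
SAMPLE = """\
NAME        AGE     REQUESTOR   CONDITION
csr-62mts   3s      system:node:etcd-0   Pending
csr-c7qj8   3s      system:node:etcd-2   Pending
csr-dtk9c   10m     system:serviceaccount:openshift-machine-config-operator:node-bootstrapper   Approved,Issued
csr-ggs2s   9m31s   system:serviceaccount:openshift-machine-config-operator:node-bootstrapper   Approved,Issued
csr-h8cjm   10m     system:serviceaccount:openshift-machine-config-operator:node-bootstrapper   Approved,Issued
csr-kk5mv   3s      system:node:worker-0   Pending
csr-lvv5v   9m32s   system:serviceaccount:openshift-machine-config-operator:node-bootstrapper   Approved,Issued
csr-sqtqk   3s      system:node:etcd-1   Pending
csr-ssb67   9m39s   system:node:etcd-1   Pending
csr-vlsnx   9m45s   system:node:etcd-2   Pending
csr-vm4qb   9m24s   system:node:etcd-0   Pending
csr-vrp2j   9m24s   system:node:worker-0   Pending
"""

def age_seconds(age):
    """Convert an AGE value such as '9m39s' or '10m' to seconds."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400}
    return sum(int(n) * units[u] for n, u in re.findall(r"(\d+)([smhd])", age))

def pending_by_requestor(text):
    """Map requestor -> [(csr_name, age_in_seconds)] for Pending CSRs, oldest first."""
    pending = defaultdict(list)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0] == "NAME":
            continue  # skip the header and anything that is not a four-column row
        name, age, requestor, condition = fields
        if "Pending" in condition.split(","):
            pending[requestor].append((name, age_seconds(age)))
    return {r: sorted(v, key=lambda c: -c[1]) for r, v in pending.items()}

def unexpected_requestors(pending, expected_nodes):
    """Pending requestors that are neither the node-bootstrapper nor an expected node."""
    allowed = {BOOTSTRAPPER} | {f"system:node:{n}" for n in expected_nodes}
    return sorted(set(pending) - allowed)

if __name__ == "__main__":
    pending = pending_by_requestor(SAMPLE)
    for requestor, csrs in sorted(pending.items()):
        print(requestor, len(csrs), csrs)
    print("unexpected:", unexpected_requestors(pending, ["etcd-0", "etcd-1", "etcd-2", "worker-0"]))
```

On the sample, every node has two pending requests: one about nine minutes old and one three seconds old.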
Thank you Eric! I've included additional clarification from Trevor and Abhinav. PR's here: https://github.com/openshift/openshift-docs/pull/14891 Jianlin, I'm not sure who should confirm this one. Will you PTAL?
"When you add machines to a cluster, you must approve two pending certificates signing request (CSRs) for each machine that you added." I do not think this is accurate enough. Just like there are 4 pending CSRs for bootstrap node in initial report, but not 2. I guess https://github.com/openshift/openshift-docs/pull/14891/files#r284890948 makes sense. So I think this PR needs more polish.
I updated the PR based on information from Ryan Phillips. Jianlin, will you please look again?
LGTM
I've merged the change and am waiting for it to go live.
This change is live.