Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1743719

Summary: CSRs on UPI Installed Clusters are not Auto-Approving
Product: OpenShift Container Platform
Component: Cloud Compute
Version: 4.1.0
Status: CLOSED DUPLICATE
Severity: medium
Priority: high
Reporter: rvanderp
Assignee: Jan Chaloupka <jchaloup>
QA Contact: Jianwei Hou <jhou>
CC: agarcial, aos-bugs, brad.ison, jmalde, maszulik, mfojtik, rhowe
Target Release: 4.2.0
Hardware: Unspecified
OS: Unspecified
Type: Bug
Last Closed: 2019-08-27 10:43:44 UTC

Description rvanderp 2019-08-20 14:18:02 UTC
Description of problem:
CSRs on UPI installed clusters are not auto-approving.  This appears to be due to the fact that Machine objects are not created in association with the nodes.  As a result, the auto-approver does not appear to be approving the CSRs.  

In the case of an AWS UPI install, the worker nodes do have machine objects and their CSRs do get auto-approved.  For an AWS UPI install, the master nodes do have associated machine objects and their CSRs do not get auto-approved.

Version-Release number of selected component (if applicable):
4.1.11

How reproducible:
Consistently

Steps to Reproduce:
1. Install new cluster
2. Wait for certificate rotation to occur within first 24 hours

Actual results:
CSRs are not auto-approving

Expected results:
CSRs should be approved

Additional info:

> CSRs from bare metal cluster which is 22hrs old

NAME        AGE     REQUESTOR              CONDITION
csr-2g282   46m     system:node:master-0   Pending
csr-2m8zz   20m     system:node:master-0   Pending
csr-76tsl   8m3s    system:node:master-0   Pending
csr-9knds   4m33s   system:node:worker-0   Pending
csr-dmlql   58m     system:node:worker-0   Pending
csr-gl79c   84m     system:node:master-0   Pending
csr-l6gzh   33m     system:node:master-0   Pending
csr-ms4tl   33m     system:node:worker-0   Pending
csr-mwvjl   59m     system:node:master-0   Pending
csr-ncdl2   163m    system:node:worker-0   Pending
csr-p9fdk   46m     system:node:worker-0   Pending
csr-pf2tx   71m     system:node:worker-0   Pending
csr-r2g59   20m     system:node:worker-0   Pending
csr-r7rgx   151m    system:node:worker-0   Pending
csr-rl5dh   138m    system:node:worker-0   Pending
csr-rrw5d   17m     system:node:worker-0   Approved,Issued
csr-t4mqg   17m     system:node:worker-0   Pending
csr-tswgd   71m     system:node:master-0   Pending
csr-v2pgm   3h33m   system:node:worker-0   Pending
csr-z4d95   84m     system:node:worker-0   Pending
csr-z9989   3h45m   system:node:worker-0   Pending
csr-zwttj   175m    system:node:worker-0   Pending


> machine objects
$ oc get machines -A
No resources found.

Comment 2 Maciej Szulik 2019-08-21 11:13:10 UTC
This seems similar to https://bugzilla.redhat.com/show_bug.cgi?id=1738568

Comment 3 Ryan Howe 2019-08-21 18:52:14 UTC
Hi, 

Seems like the fix here would be just to create machine resources for each node when doing a UPI install.

Comment 5 Maciej Szulik 2019-08-23 10:17:35 UTC
Can you provide me with the full output from oc adm must-gather from your cluster?

Comment 7 Michal Fojtik 2019-08-26 13:54:15 UTC
The cloud team owns the auto-approver, moving this BZ into the right component.

Comment 8 Brad Ison 2019-08-27 10:43:44 UTC
This is a known limitation on UPI installs. See the docs here:

https://docs.openshift.com/container-platform/4.1/installing/installing_bare_metal/installing-bare-metal.html#installation-approve-csrs_installing-bare-metal

"Because the CSRs rotate automatically, approve your CSRs within an hour of adding the machines to the cluster. If you do not approve them within an hour, the certificates will rotate, and more than two certificates will be present for each node. You must approve all of these certificates. After you approve the initial CSRs, the subsequent node client CSRs are automatically approved by the cluster kube-controller-manager. You must implement a method of automatically approving the kubelet serving certificate requests."

We're exploring ways of allowing serving certificate renewals on platforms that may not have machine-api data available.

See: https://bugzilla.redhat.com/show_bug.cgi?id=1737611

*** This bug has been marked as a duplicate of bug 1737611 ***
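
One way to build the "method of automatically approving the kubelet serving certificate requests" that the quoted documentation calls for, as an added example (not code from this bug report or from OpenShift). It filters the JSON from `oc get csr -o json` down to pending serving CSRs whose requestor is a node in an operator-maintained inventory. Assumptions: the `known_nodes` inventory and all function names are hypothetical, and only the CSR object's spec fields are checked; the SANs inside `spec.request` are not parsed.

```python
import json

# Usages a kubelet serving-certificate CSR carries; client renewals use "client auth".
SERVING_USAGES = {"digital signature", "key encipherment", "server auth"}
NODE_PREFIX = "system:node:"

def review_csr(csr, known_nodes):
    """Return (approve, reason) for one CertificateSigningRequest object."""
    spec = csr.get("spec", {})
    if csr.get("status", {}).get("conditions"):
        return False, "already approved or denied"
    username = spec.get("username", "")
    if not username.startswith(NODE_PREFIX):
        return False, "requestor is not a node identity"
    if username[len(NODE_PREFIX):] not in known_nodes:
        return False, "node not in inventory"
    if "system:nodes" not in spec.get("groups", []):
        return False, "requestor not in system:nodes"
    if set(spec.get("usages", [])) != SERVING_USAGES:
        return False, "not a serving-certificate request"
    return True, "ok"

def select_for_approval(csr_list_json, known_nodes):
    """Names of pending kubelet serving CSRs that pass every check."""
    items = json.loads(csr_list_json)["items"]
    return [c["metadata"]["name"] for c in items if review_csr(c, known_nodes)[0]]

def _csr(name, user, usages, approved=False):
    """Build a constructed CSR object with only the fields the checks read."""
    status = {"conditions": [{"type": "Approved"}]} if approved else {}
    return {"metadata": {"name": name}, "status": status,
            "spec": {"username": user, "usages": sorted(usages),
                     "groups": ["system:nodes", "system:authenticated"]}}

# Constructed inventory and CSR list; the CSR names are made up.
KNOWN_NODES = {"master-0", "worker-0"}
SAMPLE = json.dumps({"items": [
    _csr("csr-aaaaa", "system:node:worker-0", SERVING_USAGES),
    _csr("csr-bbbbb", "system:node:worker-0", SERVING_USAGES, approved=True),
    _csr("csr-ccccc", "system:node:rogue-9", SERVING_USAGES),
    _csr("csr-ddddd", "system:node:master-0", {"digital signature", "key encipherment", "client auth"}),
    _csr("csr-eeeee", "system:serviceaccount:example:builder", SERVING_USAGES),
    _csr("csr-fffff", "system:node:master-0", SERVING_USAGES),
]})

if __name__ == "__main__":
    for name in select_for_approval(SAMPLE, KNOWN_NODES):
        print("oc adm certificate approve", name)
```

Run against live data, the printed `oc adm certificate approve` lines cover only requests that passed every check; everything else stays Pending for manual review.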