Description of problem:
CSRs on UPI installed clusters are not auto-approving. This appears to be due to the fact that Machine objects are not created in association with the nodes. As a result, the auto-approver does not appear to be approving the CSRs. In the case of an AWS UPI install, the worker nodes do have machine objects and their CSRs do get auto-approved. For an AWS UPI install, the master nodes do have associated machine objects and their CSRs do not get auto-approved.

Version-Release number of selected component (if applicable):
4.1.11

How reproducible:
Consistently

Steps to Reproduce:
1. Install new cluster
2. Wait for certificate rotation to occur within first 24 hours

Actual results:
CSRs are not auto-approving

Expected results:
CSRs should be approved

Additional info:

> CSRs from bare metal cluster which is 22hrs old

NAME        AGE     REQUESTOR              CONDITION
csr-2g282   46m     system:node:master-0   Pending
csr-2m8zz   20m     system:node:master-0   Pending
csr-76tsl   8m3s    system:node:master-0   Pending
csr-9knds   4m33s   system:node:worker-0   Pending
csr-dmlql   58m     system:node:worker-0   Pending
csr-gl79c   84m     system:node:master-0   Pending
csr-l6gzh   33m     system:node:master-0   Pending
csr-ms4tl   33m     system:node:worker-0   Pending
csr-mwvjl   59m     system:node:master-0   Pending
csr-ncdl2   163m    system:node:worker-0   Pending
csr-p9fdk   46m     system:node:worker-0   Pending
csr-pf2tx   71m     system:node:worker-0   Pending
csr-r2g59   20m     system:node:worker-0   Pending
csr-r7rgx   151m    system:node:worker-0   Pending
csr-rl5dh   138m    system:node:worker-0   Pending
csr-rrw5d   17m     system:node:worker-0   Approved,Issued
csr-t4mqg   17m     system:node:worker-0   Pending
csr-tswgd   71m     system:node:master-0   Pending
csr-v2pgm   3h33m   system:node:worker-0   Pending
csr-z4d95   84m     system:node:worker-0   Pending
csr-z9989   3h45m   system:node:worker-0   Pending
csr-zwttj   175m    system:node:worker-0   Pending

> machine objects

$ oc get machines -A
No resources found.
This seems similar to https://bugzilla.redhat.com/show_bug.cgi?id=1738568
Hi, Seems like the fix here would be just to create machine resources for each node when doing a UPI install.
Can you provide me with the full output from oc adm must-gather from your cluster?
The cloud team owns the auto-approver, moving this BZ into right component.
This is a known limitation on UPI installs. See the docs here: https://docs.openshift.com/container-platform/4.1/installing/installing_bare_metal/installing-bare-metal.html#installation-approve-csrs_installing-bare-metal

"Because the CSRs rotate automatically, approve your CSRs within an hour of adding the machines to the cluster. If you do not approve them within an hour, the certificates will rotate, and more than two certificates will be present for each node. You must approve all of these certificates. After you approve the initial CSRs, the subsequent node client CSRs are automatically approved by the cluster kube-controller-manager. You must implement a method of automatically approving the kubelet serving certificate requests."

We're exploring ways of allowing serving certificate renewals on platforms that may not have machine-api data available. See: https://bugzilla.redhat.com/show_bug.cgi?id=1737611

*** This bug has been marked as a duplicate of bug 1737611 ***