Bug 1820243 - [4.2] node-ca daemonset toleration conflicts with clusterlogging CR
Summary: [4.2] node-ca daemonset toleration conflicts with clusterlogging CR
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Image Registry
Version: 4.2.z
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.2.z
Assignee: Oleg Bulatov
QA Contact: Wenjing Zheng
Depends On: 1820242
TreeView+ depends on / blocked
Reported: 2020-04-02 15:10 UTC by Oleg Bulatov
Modified: 2020-05-13 11:07 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: the nodeca daemon didn't tolerate the NoExecute taint, but ClusterLogging documentation recommends to use NoExecute Consequence: the nodeca daemon doesn't manage certificates on such nodes Fix: tolerate all taints Result: additionalTrustedCA are synced to all nodes with any taints
Clone Of: 1820242
Last Closed: 2020-05-13 11:07:19 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Github openshift cluster-image-registry-operator pull 538 None closed [release-4.2] Bug 1820243: nodeca daemon should tolerate all taints 2020-05-06 02:29:11 UTC
Red Hat Product Errata RHBA-2020:2023 None None None 2020-05-13 11:07:40 UTC

Comment 3 XiuJuan Wang 2020-05-06 06:26:22 UTC
After add taints to nodes to only run Logging components, the node-ca pods don't be deleted. Verified on 4.2.0-0.nightly-2020-05-05-113123 cluster.

$oc adm taint nodes ip-10-0-159-150.us-east-2.compute.internal logging=true:NoExecute
node/ip-10-0-159-150.us-east-2.compute.internal tainted

$oc get node ip-10-0-159-150.us-east-2.compute.internal  -o yaml | grep taint -A 4
  - effect: NoExecute
    key: logging
    value: "true"

$ oc get pods -o wide
NAME                                               READY   STATUS    RESTARTS   AGE    IP            NODE                                         NOMINATED NODE   READINESS GATES
cluster-image-registry-operator-79f9bc487b-blbmg   2/2     Running   0          115m   ip-10-0-172-137.us-east-2.compute.internal   <none>           <none>
image-registry-7b77849cf-dngp7                     1/1     Running   0          115m    ip-10-0-173-90.us-east-2.compute.internal    <none>           <none>
node-ca-6pmbq                                      1/1     Running   0          115m   ip-10-0-172-137.us-east-2.compute.internal   <none>           <none>
node-ca-dcdnp                                      1/1     Running   0          115m   ip-10-0-131-9.us-east-2.compute.internal     <none>           <none>
node-ca-llzw6                                      1/1     Running   0          115m    ip-10-0-159-150.us-east-2.compute.internal   <none>           <none>
node-ca-rq9xh                                      1/1     Running   0          115m   ip-10-0-159-249.us-east-2.compute.internal   <none>           <none>
node-ca-s2k7h                                      1/1     Running   0          115m    ip-10-0-129-102.us-east-2.compute.internal   <none>           <none>
node-ca-v2dd2                                      1/1     Running   0          115m    ip-10-0-173-90.us-east-2.compute.internal    <none>           <none>

Comment 5 errata-xmlrpc 2020-05-13 11:07:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.