1901873 – [OSP] Machine-approver can not approve nodes any more due to SAN not match after add floating ip to the node

Bug 1901873 - [OSP] Machine-approver can not approve nodes any more due to SAN not match after add floating ip to the node

Summary: [OSP] Machine-approver can not approve nodes any more due to SAN not match af...

Keywords:
Status:	CLOSED DUPLICATE of bug 1860774
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Installer
Sub Component:
Version:	4.7
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	---
Target Release:	4.7.0
Assignee:	Martin André
QA Contact:	weiwei jiang
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2020-11-26 10:29 UTC by weiwei jiang
Modified:	2020-12-15 15:04 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-12-15 15:04:11 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description weiwei jiang 2020-11-26 10:29:32 UTC

Version:
4.7.0-0.nightly-2020-11-25-114114

$ openshift-install version
./openshift-install 4.7.0-0.nightly-2020-11-25-114114
built from commit a9e6c4d8fa0e7d5edb9cf95330689a65261ff09c
release image registry.svc.ci.openshift.org/ocp/release@sha256:bf37e13af0e254d0b744b62ace0dcf5560230374d7877a8fde16cf9134ec7862

Platform:
osp

Please specify:
* IPI 

What happened?
After install a IPI on OSP cluster, add floating IP to master-0 and found there are CSRs for master-0 in pending status, and machine-approver tells:
I1126 08:34:14.414126       1 main.go:147] CSR csr-gvvmx added
I1126 08:34:14.457526       1 csr_check.go:418] retrieving serving cert from wj47ios1126a-tpzrs-master-0 (192.168.0.206:10250)
I1126 08:34:14.459541       1 csr_check.go:163] Found existing serving cert for wj47ios1126a-tpzrs-master-0
W1126 08:34:14.459678       1 csr_check.go:172] Could not use current serving cert for renewal: CSR Subject Alternate Name values do not match current certificate
W1126 08:34:14.459692       1 csr_check.go:173] Current SAN Values: [wj47ios1126a-tpzrs-master-0 192.168.0.206], CSR SAN Values: [wj47ios1126a-tpzrs-master-0 10.0.100.130 192.168.0.206]
I1126 08:34:14.459706       1 csr_check.go:183] Falling back to machine-api authorization for wj47ios1126a-tpzrs-master-0
I1126 08:34:14.459721       1 main.go:182] CSR csr-gvvmx not authorized: IP address '10.0.100.130' not in machine addresses: 192.168.0.206
I1126 08:34:14.459730       1 main.go:218] Error syncing csr csr-gvvmx: IP address '10.0.100.130' not in machine addresses: 192.168.0.206

$ oc get csr
NAME        AGE    SIGNERNAME                      REQUESTOR                                 CONDITION 
csr-gvvmx   118s   kubernetes.io/kubelet-serving   system:node:wj47ios1126a-tpzrs-master-0   Pending 
$ oc get nodes -o wide  
NAME                                STATUS   ROLES    AGE     VERSION           INTERNAL-IP     EXTERNAL-IP    OS-IMAGE                                                       KERNEL-VERSION                CONTAINER-RUNTIME 
wj47ios1126a-tpzrs-master-0         Ready    master   4h48m   v1.19.2+ad738ba   192.168.0.206   10.0.100.130   Red Hat Enterprise Linux CoreOS 47.83.202011250342-0 (Ootpa)   4.18.0-240.1.1.el8_3.x86_64   cri-o://1.20.0-0.rhaos4.7.gitf3390f3.el8.19-dev 
wj47ios1126a-tpzrs-master-1         Ready    master   4h48m   v1.19.2+ad738ba   192.168.0.11    <none>         Red Hat Enterprise Linux CoreOS 47.83.202011250342-0 (Ootpa)   4.18.0-240.1.1.el8_3.x86_64   cri-o://1.20.0-0.rhaos4.7.gitf3390f3.el8.19-dev 
wj47ios1126a-tpzrs-master-2         Ready    master   4h49m   v1.19.2+ad738ba   192.168.1.239   <none>         Red Hat Enterprise Linux CoreOS 47.83.202011250342-0 (Ootpa)   4.18.0-240.1.1.el8_3.x86_64   cri-o://1.20.0-0.rhaos4.7.gitf3390f3.el8.19-dev 
wj47ios1126a-tpzrs-worker-0-2tdwz   Ready    worker   4h37m   v1.19.2+ad738ba   192.168.0.149   <none>         Red Hat Enterprise Linux CoreOS 47.83.202011250342-0 (Ootpa)   4.18.0-240.1.1.el8_3.x86_64   cri-o://1.20.0-0.rhaos4.7.gitf3390f3.el8.19-dev 
wj47ios1126a-tpzrs-worker-0-6wl5d   Ready    worker   4h37m   v1.19.2+ad738ba   192.168.0.25    <none>         Red Hat Enterprise Linux CoreOS 47.83.202011250342-0 (Ootpa)   4.18.0-240.1.1.el8_3.x86_64   cri-o://1.20.0-0.rhaos4.7.gitf3390f3.el8.19-dev 
wj47ios1126a-tpzrs-worker-0-nmxw7   Ready    worker   4h35m   v1.19.2+ad738ba   192.168.2.84    <none>         Red Hat Enterprise Linux CoreOS 47.83.202011250342-0 (Ootpa)   4.18.0-240.1.1.el8_3.x86_64   cri-o://1.20.0-0.rhaos4.7.gitf3390f3.el8.19-dev 



What did you expect to happen?
Machine-approver should still approve the CSRs

How to reproduce it (as minimally and precisely as possible)?
Always

Anything else we need to know?
no

Comment 1 Michael Gugino 2020-12-15 15:04:11 UTC

Duplicate of: https://bugzilla.redhat.com/show_bug.cgi?id=1860774

*** This bug has been marked as a duplicate of bug 1860774 ***

Note You need to log in before you can comment on or make changes to this bug.