Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1901873

Summary: [OSP] Machine-approver can not approve nodes any more due to SAN not match after add floating ip to the node
Product: OpenShift Container Platform
Reporter: weiwei jiang <wjiang>
Component: Installer
Assignee: Martin André <m.andre>
Installer sub component: OpenShift on OpenStack
QA Contact: weiwei jiang <wjiang>
Status: CLOSED DUPLICATE
Severity: high
Priority: high
CC: akrzos, mgugino, pprinett
Version: 4.7
Target Release: 4.7.0
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Last Closed: 2020-12-15 15:04:11 UTC
Type: Bug

Description weiwei jiang 2020-11-26 10:29:32 UTC
Version:
4.7.0-0.nightly-2020-11-25-114114

$ openshift-install version
./openshift-install 4.7.0-0.nightly-2020-11-25-114114
built from commit a9e6c4d8fa0e7d5edb9cf95330689a65261ff09c
release image registry.svc.ci.openshift.org/ocp/release@sha256:bf37e13af0e254d0b744b62ace0dcf5560230374d7877a8fde16cf9134ec7862

Platform:
osp

Please specify:
* IPI 

What happened?
After installing an IPI cluster on OSP, I added a floating IP to master-0 and found that there are CSRs for master-0 in Pending status, and machine-approver reports:
I1126 08:34:14.414126       1 main.go:147] CSR csr-gvvmx added
I1126 08:34:14.457526       1 csr_check.go:418] retrieving serving cert from wj47ios1126a-tpzrs-master-0 (192.168.0.206:10250)
I1126 08:34:14.459541       1 csr_check.go:163] Found existing serving cert for wj47ios1126a-tpzrs-master-0
W1126 08:34:14.459678       1 csr_check.go:172] Could not use current serving cert for renewal: CSR Subject Alternate Name values do not match current certificate
W1126 08:34:14.459692       1 csr_check.go:173] Current SAN Values: [wj47ios1126a-tpzrs-master-0 192.168.0.206], CSR SAN Values: [wj47ios1126a-tpzrs-master-0 10.0.100.130 192.168.0.206]
I1126 08:34:14.459706       1 csr_check.go:183] Falling back to machine-api authorization for wj47ios1126a-tpzrs-master-0
I1126 08:34:14.459721       1 main.go:182] CSR csr-gvvmx not authorized: IP address '10.0.100.130' not in machine addresses: 192.168.0.206
I1126 08:34:14.459730       1 main.go:218] Error syncing csr csr-gvvmx: IP address '10.0.100.130' not in machine addresses: 192.168.0.206

$ oc get csr
NAME        AGE    SIGNERNAME                      REQUESTOR                                 CONDITION 
csr-gvvmx   118s   kubernetes.io/kubelet-serving   system:node:wj47ios1126a-tpzrs-master-0   Pending 
$ oc get nodes -o wide  
NAME                                STATUS   ROLES    AGE     VERSION           INTERNAL-IP     EXTERNAL-IP    OS-IMAGE                                                       KERNEL-VERSION                CONTAINER-RUNTIME 
wj47ios1126a-tpzrs-master-0         Ready    master   4h48m   v1.19.2+ad738ba   192.168.0.206   10.0.100.130   Red Hat Enterprise Linux CoreOS 47.83.202011250342-0 (Ootpa)   4.18.0-240.1.1.el8_3.x86_64   cri-o://1.20.0-0.rhaos4.7.gitf3390f3.el8.19-dev 
wj47ios1126a-tpzrs-master-1         Ready    master   4h48m   v1.19.2+ad738ba   192.168.0.11    <none>         Red Hat Enterprise Linux CoreOS 47.83.202011250342-0 (Ootpa)   4.18.0-240.1.1.el8_3.x86_64   cri-o://1.20.0-0.rhaos4.7.gitf3390f3.el8.19-dev 
wj47ios1126a-tpzrs-master-2         Ready    master   4h49m   v1.19.2+ad738ba   192.168.1.239   <none>         Red Hat Enterprise Linux CoreOS 47.83.202011250342-0 (Ootpa)   4.18.0-240.1.1.el8_3.x86_64   cri-o://1.20.0-0.rhaos4.7.gitf3390f3.el8.19-dev 
wj47ios1126a-tpzrs-worker-0-2tdwz   Ready    worker   4h37m   v1.19.2+ad738ba   192.168.0.149   <none>         Red Hat Enterprise Linux CoreOS 47.83.202011250342-0 (Ootpa)   4.18.0-240.1.1.el8_3.x86_64   cri-o://1.20.0-0.rhaos4.7.gitf3390f3.el8.19-dev 
wj47ios1126a-tpzrs-worker-0-6wl5d   Ready    worker   4h37m   v1.19.2+ad738ba   192.168.0.25    <none>         Red Hat Enterprise Linux CoreOS 47.83.202011250342-0 (Ootpa)   4.18.0-240.1.1.el8_3.x86_64   cri-o://1.20.0-0.rhaos4.7.gitf3390f3.el8.19-dev 
wj47ios1126a-tpzrs-worker-0-nmxw7   Ready    worker   4h35m   v1.19.2+ad738ba   192.168.2.84    <none>         Red Hat Enterprise Linux CoreOS 47.83.202011250342-0 (Ootpa)   4.18.0-240.1.1.el8_3.x86_64   cri-o://1.20.0-0.rhaos4.7.gitf3390f3.el8.19-dev 



What did you expect to happen?
Machine-approver should still approve the CSRs

How to reproduce it (as minimally and precisely as possible)?
Always

Anything else we need to know?
no
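
The two-stage decision visible in the machine-approver log above, modelled as an added Go example (not part of the original report and not the machine-approver source). The names `sameSet` and `authorizeServingCSR` are hypothetical, and the fallback is assumed to check only IP SANs against the machine's addresses, which is what the logged error reflects.

```go
package main

import (
	"fmt"
	"net"
	"sort"
	"strings"
)

// sameSet reports whether a and b hold the same values, ignoring order.
func sameSet(a, b []string) bool {
	a, b = append([]string(nil), a...), append([]string(nil), b...)
	sort.Strings(a)
	sort.Strings(b)
	return strings.Join(a, ",") == strings.Join(b, ",")
}

// authorizeServingCSR is a simplified model of the checks seen in the log:
// first the renewal path (CSR SANs must equal the current cert's SANs), then
// the machine-api fallback. An error means the CSR stays Pending.
func authorizeServingCSR(certSANs, csrSANs, machineAddrs []string) (string, error) {
	if sameSet(certSANs, csrSANs) {
		return "renewal", nil
	}
	known := map[string]bool{}
	for _, a := range machineAddrs {
		known[a] = true
	}
	for _, san := range csrSANs {
		if net.ParseIP(san) != nil && !known[san] { // assumption: only IP SANs checked
			return "machine-api", fmt.Errorf("IP address '%s' not in machine addresses: %s",
				san, strings.Join(machineAddrs, ","))
		}
	}
	return "machine-api", nil
}

func main() {
	// SAN and address values copied from the log lines in the report.
	cert := []string{"wj47ios1126a-tpzrs-master-0", "192.168.0.206"}
	csr := []string{"wj47ios1126a-tpzrs-master-0", "10.0.100.130", "192.168.0.206"}
	path, err := authorizeServingCSR(cert, csr, []string{"192.168.0.206"})
	fmt.Println(path, err)
	// In this model the fallback passes only if the machine lists the floating IP.
	path, err = authorizeServingCSR(cert, csr, []string{"192.168.0.206", "10.0.100.130"})
	fmt.Println(path, err)
}
```

The first call reproduces the rejection from the log: the floating IP makes the CSR SAN set differ from the serving certificate, and the same IP is absent from the machine addresses the fallback trusts.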

Comment 1 Michael Gugino 2020-12-15 15:04:11 UTC
Duplicate of: https://bugzilla.redhat.com/show_bug.cgi?id=1860774

*** This bug has been marked as a duplicate of bug 1860774 ***