Bug 1915114 - [aws-c2s] worker machines are not created during install
Summary: [aws-c2s] worker machines are not created during install
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 4.7
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.7.0
Assignee: Matthew Staebler
QA Contact: Yunfei Jiang
Depends On:
Reported: 2021-01-12 01:44 UTC by Matthew Staebler
Modified: 2021-02-24 15:52 UTC (History)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
This is a bug in new functionality.
Clone Of:
Last Closed: 2021-02-24 15:51:54 UTC
Target Upstream Version:


System | ID | Private | Priority | Status | Summary | Last Updated
Github | openshift cluster-api-provider-aws pull 382 | 0 | None | closed | Bug 1915114: use separate client for accessing openshift-config-managed namespace | 2021-02-18 09:29:19 UTC
Github | openshift machine-api-operator pull 787 | 0 | None | closed | Bug 1915114: allow machine-api-controllers to access configmaps in openshift-config-managed | 2021-02-18 09:29:18 UTC
Red Hat Product Errata | RHSA-2020:5633 | 0 | None | None | None | 2021-02-24 15:52:26 UTC

Description Matthew Staebler 2021-01-12 01:44:15 UTC
When installing in the AWS C2S region, the worker machines are not created. The machine API is not using the required certificate for accessing the C2S AWS API.

I0112 01:18:12.306603       1 controller.go:168] mstaeble-vjzs6-worker-us-iso-east-1a-5t2f6: reconciling Machine
I0112 01:18:12.306635       1 actuator.go:100] mstaeble-vjzs6-worker-us-iso-east-1a-5t2f6: actuator checking if machine exists
E0112 01:18:12.694943       1 reconciler.go:236] mstaeble-vjzs6-worker-us-iso-east-1a-5t2f6: error getting existing instances: RequestError: send request failed
caused by: Post "https://ec2.us-iso-east-1.c2s.ic.gov/": x509: certificate signed by unknown authority
E0112 01:18:12.694971       1 controller.go:271] mstaeble-vjzs6-worker-us-iso-east-1a-5t2f6: failed to check if machine exists: RequestError: send request failed
caused by: Post "https://ec2.us-iso-east-1.c2s.ic.gov/": x509: certificate signed by unknown authority
E0112 01:18:12.695022       1 controller.go:267] controller-runtime/manager/controller/machine_controller "msg"="Reconciler error" "error"="RequestError: send request failed\ncaused by: Post \"https://ec2.us-iso-east-1.c2s.ic.gov/\": x509: certificate signed by unknown authority" "name"="mstaeble-vjzs6-worker-us-iso-east-1a-5t2f6" "namespace"="openshift-machine-api"
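
The failure in the log above, reproduced as an added Go example that is not part of the bug report or of the OpenShift code: a client that trusts only the default roots rejects an endpoint signed by a private CA, and accepts it once that CA's PEM bundle is appended to the root pool. `clientWithCABundle` and `probe` are hypothetical names, and the local test server is a constructed stand-in for the C2S endpoint.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// clientWithCABundle (hypothetical helper) trusts system roots plus bundlePEM.
func clientWithCABundle(bundlePEM []byte) (*http.Client, error) {
	pool, err := x509.SystemCertPool()
	if err != nil || pool == nil {
		pool = x509.NewCertPool()
	}
	if bundlePEM != nil && !pool.AppendCertsFromPEM(bundlePEM) {
		return nil, errors.New("CA bundle contains no parsable certificate")
	}
	cfg := &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}, nil
}

// probe requests a constructed local HTTPS endpoint without, then with, its CA.
func probe() (rejected bool, withCA error) {
	srv := httptest.NewTLSServer(http.NotFoundHandler())
	defer srv.Close()
	ca := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	get := func(bundle []byte) error {
		c, err := clientWithCABundle(bundle)
		if err != nil {
			return err
		}
		resp, err := c.Get(srv.URL)
		if err == nil {
			resp.Body.Close()
		}
		return err
	}
	var ua x509.UnknownAuthorityError // the error type behind the log message
	return errors.As(get(nil), &ua), get(ca)
}

func main() {
	rejected, withCA := probe()
	fmt.Println("unknown authority without bundle:", rejected, "| error with bundle:", withCA)
}
```

Appending to the system pool rather than replacing it keeps public endpoints verifiable while adding the private CA.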

Comment 4 Yunfei Jiang 2021-01-22 05:53:21 UTC
verified. PASS.
OCP version: 4.7.0-0.nightly-2021-01-21-090809

> ./oc get node
NAME                           STATUS   ROLES    AGE   VERSION
ip-10-143-1-15.ec2.internal    Ready    worker   18h   v1.20.0+d9c52cc
ip-10-143-1-165.ec2.internal   Ready    worker   19h   v1.20.0+d9c52cc
ip-10-143-1-201.ec2.internal   Ready    master   19h   v1.20.0+d9c52cc
ip-10-143-1-206.ec2.internal   Ready    worker   19h   v1.20.0+d9c52cc
ip-10-143-1-239.ec2.internal   Ready    master   19h   v1.20.0+d9c52cc
ip-10-143-1-4.ec2.internal     Ready    master   19h   v1.20.0+d9c52cc

Comment 7 errata-xmlrpc 2021-02-24 15:51:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.
