Description of problem: Upgrading from 4.5.16 to 4.6.8, if duplicated sshAuthorizedKeys are present for infra nodes that are already present for worker nodes, MCO is not able to update infra nodes degrading with following error in the Machine Config Pool: ~~~ machineconfiguration.openshift.io/reason: 'can''t reconcile config rendered-infra-9151dbbd7f4d73a6f9963622d9114e14 with rendered-infra-4e01833bf0ec9fe78ccd807b17886b30: parsing old Ignition config failed with error: failed to convert Ignition config spec v2 to v3: unable to convert Ignition spec v2 config to v3: error at $.passwd.users.0.sshAuthorizedKeys.1: duplicate entry defined : unreconcilable' ~~~ Version-Release number of selected component (if applicable): How reproducible: Not sure. Steps to Reproduce: 1. Install 4.5.16 cluster. 2. Create new Machine Config Pool for infra nodes adding a duplicate MC for core sshkey. 3. Update the cluster to 4.6.8 Actual results: Infra nodes are not updated. Expected results: Machine Config Operator should be able to continue the update successfully. Additional info:
Ah, ok the inspect has the info needed. I think the error is a variation of https://bugzilla.redhat.com/show_bug.cgi?id=1880603 that still exists today, where the ignition parser doesn't like the fact that there are two instances of the exact same ssh key. For the time being, there are a few fixes that should work, first I think we should delete the "99-infra-ssh" machineconfig, as the 99-worker-ssh machineconfig has the exact same key and also applies to infra nodes. https://access.redhat.com/solutions/5723941 actually should work for this, but in general we should try not to promote modifying the rendered-config in any way. Try modifying the config as follows: oc edit mc/rendered-infra-9151dbbd7f4d73a6f9963622d9114e14.yaml edit the config such that spec: config: ignition: version: 2.2.0 passwd: users: - name: core sshAuthorizedKeys: - ssh-rsa ... - name: core sshAuthorizedKeys: - ssh-rsa ... becomes spec: config: ignition: version: 2.2.0 passwd: users: - name: core sshAuthorizedKeys: - ssh-rsa ... The MCD should do the rest. I will try to see the feasibility of backporting a fix to 4.6
Setting blocker- but will consider fixing and backporting to 4.6
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:2438