The token secret might expire, this PR makes sure that the secret is rotated every 30 minutes.
Validated on - 4.11.0-0.nightly-2022-05-25-193227 Steps : 1. Enabled featuregate using below - oc edit featuregate cluster . . . spec: featureSet: TechPreviewNoUpgrade . . 2. Waited for some time (30 mins or so) monitored logs from capi-operator [miyadav@miyadav ~]$ oc project Using project "openshift-cluster-api" on server "https://api.miyadav-2605.qe.devcluster.openshift.com:6443". [miyadav@miyadav ~]$ oc logs cluster-capi-operator-6bd5b85df9-wnljd | less Additional info: Moved to verified. Expected and Actual I0526 06:08:16.580713 1 kubeconfig.go:112] controller/secret "msg"="Waiting for token secret to be created" "name"="cluster-capi-operator-secret" "namespace"="openshift-cluster-api" "reconciler group"="" "reconciler kind"="Secret" I0526 06:09:16.581399 1 kubeconfig.go:87] controller/secret/KubeconfigController "msg"="Reconciling kubeconfig secret" "name"="cluster-capi-operator-secret" "namespace"="openshift-cluster-api" "reconciler group"="" "reconciler kind"="Secret" I0526 06:09:16.581463 1 kubeconfig.go:112] controller/secret "msg"="Waiting for token secret to be created" "name"="cluster-capi-operator-secret" "namespace"="openshift-cluster-api" "reconciler group"="" "reconciler kind"="Secret" I0526 06:09:20.269218 1 kubeconfig.go:87] controller/secret/KubeconfigController "msg"="Reconciling kubeconfig secret" "name"="cluster-capi-operator-secret" "namespace"="openshift-cluster-api" "reconciler group"="" "reconciler kind"="Secret" E0526 06:09:20.269264 1 kubeconfig.go:91] controller/secret/KubeconfigController "msg"="Error reconciling kubeconfig" "error"="error generating kubeconfig: token can't be empty" "name"="cluster-capi-operator-secret" "namespace"="openshift-cluster-api" "reconciler group"="" "reconciler kind"="Secret" I0526 06:09:20.279175 1 clusteroperator_controller.go:49] controller/clusteroperator/ClusterOperatorController "msg"="reconciling Cluster API components for technical preview cluster" "name"="cluster-api" "namespace"="" "reconciler group"="config.openshift.io" "reconciler kind"="ClusterOperator" I0526 06:09:20.279310 1 clusteroperator_controller.go:109] controller/clusteroperator "msg"="reconciling Core CAPI components" "name"="cluster-api" "namespace"="" "reconciler group"="config.openshift.io" "reconciler kind"="ClusterOperator" I0526 06:09:20.280404 1 clusteroperator_controller.go:131] controller/clusteroperator "msg"="reconciling Infrastructure CAPI components" "name"="cluster-api" "namespace"="" "reconciler group"="config.openshift.io" "reconciler kind"="ClusterOperator" E0526 06:09:20.282158 1 controller.go:317] controller/secret "msg"="Reconciler error" "error"="error generating kubeconfig: token can't be empty" "name"="cluster-capi-operator-secret" "namespace"="openshift-cluster-api" "reconciler group"="" "reconciler kind"="Secret" I0526 06:09:20.287670 1 kubeconfig.go:87] controller/secret/KubeconfigController "msg"="Reconciling kubeconfig secret" "name"="cluster-capi-operator-secret" "namespace"="openshift-cluster-api" "reconciler group"="" "reconciler kind"="Secret" E0526 06:09:20.287729 1 kubeconfig.go:91] controller/secret/KubeconfigController "msg"="Error reconciling kubeconfig" "error"="error generating kubeconfig: token can't be empty" "name"="cluster-capi-operator-secret" "namespace"="openshift-cluster-api" "reconciler group"="" "reconciler kind"="Secret" E0526 06:09:20.287797 1 controller.go:317] controller/secret "msg"="Reconciler error" "error"="error generating kubeconfig: token can't be empty" "name"="cluster-capi-operator-secret" "namespace"="openshift-cluster-api" "reconciler group"="" "reconciler kind"="Secret" I0526 06:09:20.292888 1 clusteroperator_controller.go:49] controller/clusteroperator/ClusterOperatorController "msg"="reconciling Cluster API components for technical preview cluster" "name"="cluster-api" "namespace"="" "reconciler group"="config.openshift.io" "reconciler kind"="ClusterOperator" I0526 06:09:20.292948 1 clusteroperator_controller.go:109] controller/clusteroperator "msg"="reconciling Core CAPI components" "name"="cluster-api" "namespace"="" "reconciler group"="config.openshift.io" "reconciler kind"="ClusterOperator" I0526 06:09:20.294162 1 clusteroperator_controller.go:131] controller/clusteroperator "msg"="reconciling Infrastructure CAPI components" "name"="cluster-api" "namespace"="" "reconciler group"="config.openshift.io" "reconciler kind"="ClusterOperator" I0526 06:09:20.297587 1 kubeconfig.go:87] controller/secret/KubeconfigController "msg"="Reconciling kubeconfig secret" "name"="cluster-capi-operator-secret" "namespace"="openshift-cluster-api" "reconciler group"="" "reconciler kind"="Secret" I0526 06:09:20.303847 1 kubeconfig.go:87] controller/secret/KubeconfigController "msg"="Reconciling kubeconfig secret" "name"="cluster-capi-operator-secret" "namespace"="openshift-cluster-api" "reconciler group"="" "reconciler kind"="Secret" I0526 06:10:11.098522 1 secret_sync_controller.go:42] controller/secret/SecretSyncController "msg"="reconciling worker user data secret" "name"="worker-user-data" "namespace"="openshift-machine-api" "reconciler group"="" "reconciler kind"="Secret" I0526 06:10:11.098613 1 secret_sync_controller.go:72] controller/secret/SecretSyncController "msg"="source and target secrets are equal, no sync needed" "name"="worker-user-data" "namespace"="openshift-machine-api" "reconciler group"="" "reconciler kind"="Secret"
*** Bug 2087149 has been marked as a duplicate of this bug. ***
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:5069