-
Bug
-
Resolution: Done
-
Normal
-
None
-
cert-manager-1.15
-
None
-
3
-
False
-
-
False
-
-
-
OAPE Sprint 271, OAPE Sprint 272, OAPE Sprint 273
-
3
-
Important
In IstioCSR feature e2e tests, a timeout error is observed sporadically at: https://github.com/openshift/cert-manager-operator/blob/0431e1878087c139b41051e8add803e06ec72efe/test/e2e/istio_csr_test.go#L118
One major situation is that the IstioCSR object's "type: Ready" condition is missing, although the deployment was successfully created and became ready.
$ oc describe istiocsr/default -n istio-system Name: default Namespace: istio-system Labels: <none> Annotations: operator.openshift.io/istio-csr-processed: true API Version: operator.openshift.io/v1alpha1 Kind: IstioCSR Metadata: Creation Timestamp: 2025-03-18T08:59:59Z Finalizers: istiocsr.openshift.operator.io/cert-manager-istio-csr-controller Generation: 2 Resource Version: 166977 UID: 0a13c3bb-f3ca-4271-b8f9-a9a88e40dd39 Spec: Istio CSR Config: Cert Manager: Issuer Ref: Group: cert-manager.io Kind: Issuer Name: istio-ca Istio: Namespace: istio-system Revisions: default Istiod TLS Config: Certificate Duration: 1h0m0s Certificate Renew Before: 30m0s Max Certificate Duration: 1h0m0s Private Key Size: 2048 Signature Algorithm: RSA Trust Domain: cluster.local Log Format: text Log Level: 1 Resources: Status: Cluster Role: cert-manager-istio-csr-kfqj7 Cluster Role Binding: cert-manager-istio-csr-pg65j Conditions: Last Transition Time: 2025-03-18T09:00:00Z Message: Reason: Ready Status: False Type: Degraded Istio CSRGRPC Endpoint: cert-manager-istio-csr.istio-system.svc:443 Istio CSR Image: registry.redhat.io/cert-manager/cert-manager-istio-csr-rhel9@sha256:9573d74bd2b926ec94af76f813e6358f14c5b2f4e0eedab7c1ff1070b7279a5c Service Account: cert-manager-istio-csr Events: Type Reason Age From Message ---- ------ ---- ---- ------- Normal Reconciled 2m56s cert-manager-istio-csr-controller service resource istio-system/cert-manager-istio-csr created Normal Reconciled 2m56s cert-manager-istio-csr-controller serviceaccount resource istio-system/cert-manager-istio-csr created Warning ResourceAlreadyExists 2m56s cert-manager-istio-csr-controller /cert-manager-istio-csr-kfqj7 clusterrole resource already exists, maybe from previous installation Warning ResourceAlreadyExists 2m56s cert-manager-istio-csr-controller /cert-manager-istio-csr-pg65j clusterrolebinding resource already exists, maybe from previous installation Normal Reconciled 2m56s cert-manager-istio-csr-controller role resource istio-system/cert-manager-istio-csr created Normal Reconciled 2m56s cert-manager-istio-csr-controller rolebinding resource istio-system/cert-manager-istio-csr created Normal Reconciled 2m56s cert-manager-istio-csr-controller role resource istio-system/cert-manager-istio-csr-leases created Normal Reconciled 2m56s cert-manager-istio-csr-controller rolebinding resource istio-system/cert-manager-istio-csr-leases created Normal Reconciled 2m56s cert-manager-istio-csr-controller certificate resource istio-system/istiod created Normal Reconciled 2m56s cert-manager-istio-csr-controller configmap resource istio-system/cert-manager-istio-csr-issuer-ca-copy created Normal Reconciled 2m56s cert-manager-istio-csr-controller deployment resource istio-system/cert-manager-istio-csr created $ oc get deploy -n istio-system NAME READY UP-TO-DATE AVAILABLE AGE cert-manager-istio-csr 1/1 1 1 2m23s
Example test run: https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_cert[…]rator-master-e2e-operator-tech-preview/1902710448948514816
Operator log (level 6): https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/pr-logs/pull/openshi[…]ager-7d877f5bb8-l6qns_cert-manager-operator.log (When searching for "updated updated current istio-csr", the most recent batch corresponds to the failed attempt. ~15:08:07)
—
How to reproduce: https://github.com/openshift/cert-manager-operator/pull/241/commits/658505b2f268a49673aded568353620ee5c9a486
Slack discussion: https://redhat-internal.slack.com/archives/C045Y7FL3A6/p1742469512499459?thread_ts=1741748686.420949&cid=C045Y7FL3A6
- blocks
-
OCPSTRAT-1974 [GA] istio-csr integration for cert-manager
-
- In Progress
-
- is depended on by
-
CM-578 cert-manager-operator 1.17
-
- Closed
-
- links to