OpenShift Bugs: OCPBUGS-23732

csr-signer rotates every month causes kubelet-serving CSR in pending state


Details

    • Important
    • No
    • False

    Description

      Description of problem:

          The kubelet-serving CSR is not approved automatically by the machine-approver, because the node's current kubelet-serving certificate was signed by the old, now-expired csr-signer CA. With the default configuration the csr-signer rotates every month, which leaves the kubelet-serving CSR unapproved.

      Version-Release number of selected component (if applicable):

          4.12

       

      $ oc get secret csr-signer -o yaml | grep "tls.crt" | awk '{print $2}' | base64 -d | openssl x509 -noout -dates
      
      notBefore=Nov 20 00:11:34 2023 GMT
      notAfter=Dec 20 00:11:35 2023 GMT

      Actual results:

      The kubelet-serving CSR is not auto-approved; as a result, once the current kubelet-serving certificate expires, commands such as `oc logs`, `oc rsh`, `oc exec`, `oc debug node` etc. no longer work.

      Expected results:

          kubelet-serving CSR should get auto-approved by machine-approver

      Additional info:

       As per the code [1], the machine-approver approves the kubelet-serving CSR only when the node's current certificate is signed by the current CA and has not expired.
      
      The csr-signer CA change causes that check to fail [2].
      
      [1] https://github.com/openshift/cluster-machine-approver/blob/f540a2547afb262c8d08c5af7533043a37c59564/pkg/controller/csr_check.go#L290-L306
      
      [2] https://github.com/openshift/cluster-machine-approver/blob/f540a2547afb262c8d08c5af7533043a37c59564/pkg/controller/csr_check.go#L440-L444
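To make the approval rule quoted in [1] concrete, here is an added example (not code from the cluster-machine-approver project or from this report) that replays the failure with Go's crypto/x509: it constructs a throwaway signer CA, issues a kubelet-serving style certificate under it, rotates the signer, and runs the "signed by the current CA and not expired" check at each point in time. The CA names, the node name, the 30-day lifetime, the function names and the choice to cap the leaf's lifetime at the signer's are all assumptions made for the example, not values from the page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const signerLifetime = 30 * 24 * time.Hour // roughly the monthly csr-signer rotation (constructed value)

// newCA builds a self-signed signer CA (constructed test material, not a real csr-signer).
func newCA(name string, notBefore time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: notBefore, NotAfter: notBefore.Add(signerLifetime),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	ca, err := x509.ParseCertificate(der)
	return ca, key, err
}

// issueServing issues a kubelet-serving style leaf for a node, signed by the given CA.
// The leaf's lifetime is capped at the signer's (an assumption made for this example).
func issueServing(ca *x509.Certificate, caKey *ecdsa.PrivateKey, node string, notBefore time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), NotBefore: notBefore, NotAfter: ca.NotAfter,
		Subject:      pkix.Name{CommonName: "system:node:" + node, Organization: []string{"system:nodes"}},
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CurrentCertAcceptable applies the rule the report quotes from machine-approver [1]: the node's
// current serving cert must chain to the current signer CA and must not be expired at check time.
func CurrentCertAcceptable(current, currentCA *x509.Certificate, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(currentCA)
	_, err := current.Verify(x509.VerifyOptions{
		Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err // nil means the renewal CSR could be approved
}

type Scenario struct{ Fresh, AfterRotation, AfterExpiry error } // check result at three points in time

// RunScenario replays the failure mode: a cert issued under signer A, the signer rotates
// to B while that cert is still unexpired, and finally the cert itself expires.
func RunScenario(t0 time.Time) (Scenario, error) {
	var s Scenario
	caA, keyA, err := newCA("csr-signer-A", t0)
	if err != nil {
		return s, err
	}
	serving, err := issueServing(caA, keyA, "worker-0.example.internal", t0)
	if err != nil {
		return s, err
	}
	rotatedAt := t0.Add(20 * 24 * time.Hour) // rotation lands before the serving cert expires
	caB, _, err := newCA("csr-signer-B", rotatedAt)
	if err != nil {
		return s, err
	}
	s.Fresh = CurrentCertAcceptable(serving, caA, t0.Add(24*time.Hour))
	s.AfterRotation = CurrentCertAcceptable(serving, caB, rotatedAt.Add(24*time.Hour))
	s.AfterExpiry = CurrentCertAcceptable(serving, caA, t0.Add(signerLifetime+24*time.Hour))
	return s, nil
}

func main() {
	s, err := RunScenario(time.Date(2023, 11, 20, 0, 11, 34, 0, time.UTC))
	if err != nil {
		panic(err)
	}
	fmt.Printf("fresh: %v\nafter rotation: %v\nafter expiry: %v\n", s.Fresh, s.AfterRotation, s.AfterExpiry)
}
```

The two failures are distinguishable: after rotation the still-valid certificate fails with an x509.UnknownAuthorityError (wrong issuer), while after expiry it fails with a CertificateInvalidError. That difference is what to look for when deciding whether a stuck kubelet-serving CSR is the rotation case described in this report or plain expiry.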
      
      

          People

            jchaloup@redhat.com Jan Chaloupka
            rhn-support-dpateriy Divyam Pateriya
            ying zhou ying zhou
            Votes: 0
            Watchers: 6
