- Bug
- Resolution: Done-Errata
- Normal
- None
- 4.16
- Moderate
- None
- MCO Sprint 256, MCO Sprint 257
- 2
- False
- N/A
- Release Note Not Required
- Done
Description of problem:
When a new user-ca certificate is added, MCO creates a MC with the new /etc/pki/ca-trust/source/anchors/openshift-config-user-ca-bundle.crt file content. If we use techpreview, when this configuration is applied to the nodes, the nodes are rebooted. (No need to restart crio because the reboot will do it, and no need to execute update-ca-trust because coreos will launch the update-ca-trust service.) The certificate is properly added, but the behaviour is not the same as when techpreview is disabled.
Version-Release number of selected component (if applicable):
IPI on GCP Version: registry.ci.openshift.org/ocp/release:4.16.0-0.nightly-2024-06-11-104727
How reproducible:
Always
Steps to Reproduce:
1. Create a MC to deploy a new user-ca certificate (we are using a random certificate here)

    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    metadata:
      labels:
        machineconfiguration.openshift.io/role: worker
      name: mco-tc-71991-nb6hudw5
    spec:
      config:
        ignition:
          version: 3.4.0
        storage:
          files:
          - contents:
              source: data:text/plain;charset=utf-8;base64,LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZMekNDQXhlZ0F3SUJBZ0lVRElDQ09FTnRtNnd6c1hFdGdFenNTN2RFZmIwd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0p6RVBNQTBHQTFVRUN3d0dUVU5QSUZGRk1SUXdFZ1lEVlFRRERBdGxlR0Z0Y0d4bExtTnZiVEFlRncweQpOREEyTVRFeE1EVTFOVEphRncwek5EQTBNakF4TURVMU5USmFNQ2N4RHpBTkJnTlZCQXNNQmsxRFR5QlJSVEVVCk1CSUdBMVVFQXd3TFpYaGhiWEJzWlM1amIyMHdnZ0lpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElDRHdBd2dnSUsKQW9JQ0FRRHJzU1h4MkdzTVROcDBQYSszMkV6cHlQOUhxWlhpWUFpeGpjc29UeFJ6QWdSNjduQXAyZG8wNkhnMQpsdXlGS1ZGdmVNUVQ4RzE1a05sRS9QcWtxRTU2bFl3bjYwb3FlQk9lVXZTOUI3U2VndGVqN1J2UjMwUW8vdnMxCnQ5cTVCNldxVEpNcS81c1NvbXNoVXpPaE8ydzYxYzU3YUhsS2xEVlFTQVVsUUdQa2RsNElxU1Exd3pSTVliZnQKTVZDU1FNY1JkdmdjTG40QXV2emdiclgwcFpZSExoTFprN2Q2TWN5RW9GU0xHOGY0eFVDd3RocnFwUzd6TVYvZgpjWHdFMW83LzN0R0Q5QnBOY0hMOEtOQXpiSnhFbDRHTElQdkkxZFpqYXJoWXZveTIrb3dUcXBEOFRDZE9UQndqCkJvdDgyNDlRNFhnck5ZZ09XTUh2Mm9NbjFQanp5aFAzSUZ2SEFvNnlYRDh4NjhaRWFMM1JVZzkyT29yWU13SUgKenhmRlVzczVDY0MyQVRkU2U5dEJ1cEtRT2FDSXIyOEUrVENTOThqUUMyUGtDcVpCNjZSaFhtZXNkM3V6dXRTRQpqa3FxMUNCVEVZMjFKOVhnOUx2TlcyT2VSc1RtY09hUW1UbHNDVDBGSmV0eEZXaXd2MkxFK1hvbDZyM2JWcFJ5CklvME0wLzNPc20vWDZRY3NNYTQyOGRsWXZUWU9ucXlXZ25HNEQ0YndqRlQwWE8yWTJkaHkvVlFlTEJPaHg4Tk0KWUNoc050T3RocDZFVnNCQ2ZQUlNWQkcwNEJvQ2ducmRTdTBmcHA2K2g4SExxb2pxalUwK2pLTmxPdU8ydWhBQgpXM2pwM3NpZVcvYUVEYVdkc1pMTXBQZkN1b242Rk1ENkNzYkZRcmpQUnY3OHZuRG9Fd0lEQVFBQm8xTXdVVEFkCkJnTlZIUTRFRmdRVVpyWEtYdmwxQnQrSit4TG82My9hdXhqdXlCNHdId1lEVlIwakJCZ3dGb0FVWnJYS1h2bDEKQnQrSit4TG82My9hdXhqdXlCNHdEd1lEVlIwVEFRSC9CQVV3QXdFQi96QU5CZ2txaGtpRzl3MEJBUXNGQUFPQwpBZ0VBeEozS0w3SGJqcDBQUlpVN2dVT2lvckhadFZaemplMVpBZSs3TVZWd1IyRUp5S3dnKzFCb1dqWFFyemQ4Ckc4TkRIUG5BSUQ3UDZsdC9WREtuVUZhaUEvUTFnMWpUQzIzdG82RnhDMVFDYnp5enFVUEpZTnZKQUh4ODVpTU4Kc0daamtjMFpLSkxKZXJBaEFIR2YyWHVmbzliZFZ5ZjB5SWNFVU1vaXBJclgxODlZRDQ5eFpJK0JhaFRVMWtrTQpiM2RrOFlQNkhCZnlqTkM1MFhVaW9aTmVnbVlDRVFZdTQyS3dzWG83TXJXMzY1YUxkWjFqRTRPeFN5Q2VCZWI4ClAvUUhWY2tqYnpCOVZFVE9uME5UMWdoZ1lRQVRjNWVsRUlFZ0JYWHQ0TmlCZ3FIRmowZFhuK0VVVGo0V0lSS28KOWNwdW9lNVJlT2k3WXY2Q3ZNVytrajRKdWljdFZPcFhaRmRrc1FtWWU0RXJyaHhvcit4YmVRQlNXeGhlVC8yNwpFZmM4aWhqWnRnVDRjQllZZ0RrcHhUT1Z5ZlVZYWdsamhIQ1dwc3hnUmc5ZkxEbWJHODZpOUNpanp3OFJCMDhuCitRYU1YejJONlFkZ0JYSG1nRXkrd1JoWlo2NUdZNnR3cGc1VW56bTFUZ3FjOGJIZHlJSmwwQWF4Zjh6NmpVNE0KSlhnUXlEM3k5SDZRbDhHVCtLTEdNek1GWnp2bmFXSHZ4enNYOCs2TlZhNENlUU9QYmZZOVRMQ0hzbHcyZ2FBTQpLZkVWc2JDZ0JWM09PKy9EalBvNGdkSlBJZWZLSDhKMHFORytzZzMrU0luQ0dUcVo3d2ZYczVLaEpvZTBXUzMyCnp6RU1zV1hQSmQzYnlQMVRQc1ROcFQ1cXFoT05KdkJxbHhNL2VJUjVTQ3ZrVW9ZPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
            mode: 420
            path: /etc/pki/ca-trust/source/anchors/openshift-config-user-ca-bundle.crt
Actual results:
The nodes are rebooted
Expected results:
The behaviour should be the same as what we see when techpreview is not enabled.
Additional info:
We can get the same behaviour that we get when techpreview is not enabled by adding this machineconfiguration:

    apiVersion: operator.openshift.io/v1
    kind: MachineConfiguration
    metadata:
      creationTimestamp: "2024-06-11T09:03:41Z"
      generation: 5
      name: cluster
      resourceVersion: "192544"
      uid: 78fd4b8c-7787-4485-891d-ac9034467d35
    spec:
      logLevel: Normal
      managementState: Managed
      nodeDisruptionPolicy:
        files:
        - actions:
          - restart:
              serviceName: coreos-update-ca-trust.service
            type: Restart
          - restart:
              serviceName: crio.service
            type: Restart
          path: /etc/pki/ca-trust/source/anchors/openshift-config-user-ca-bundle.crt
      operatorLogLevel: Normal
Links to: RHEA-2024:3718 OpenShift Container Platform 4.17.z bug fix update
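The effect of the nodeDisruptionPolicy in "Additional info", as an added example that is not part of the original report or of the MCO code: a simplified Python model that maps each file a MachineConfig writes to the node actions the policy assigns. The function names, the exact-path matching and the reboot fallback for unmatched files are assumptions; the fallback mirrors the reboot this report observed.

```python
CA_BUNDLE = "/etc/pki/ca-trust/source/anchors/openshift-config-user-ca-bundle.crt"

# Constructed sample: the MachineConfig from the report, file contents omitted.
MACHINE_CONFIG = {"spec": {"config": {"storage": {"files": [
    {"path": CA_BUNDLE, "mode": 420}]}}}}

# Constructed sample: the nodeDisruptionPolicy from "Additional info".
POLICY = {"spec": {"nodeDisruptionPolicy": {"files": [{
    "path": CA_BUNDLE,
    "actions": [
        {"type": "Restart", "restart": {"serviceName": "coreos-update-ca-trust.service"}},
        {"type": "Restart", "restart": {"serviceName": "crio.service"}},
    ],
}]}}}


def changed_paths(machine_config):
    """Paths of every file the MachineConfig writes."""
    storage = machine_config.get("spec", {}).get("config", {}).get("storage", {})
    return [f["path"] for f in storage.get("files", [])]


def describe(action):
    """Render one policy action, naming the service for Restart actions."""
    svc = action.get("restart", {}).get("serviceName")
    return f'{action["type"]}:{svc}' if svc else action["type"]


def planned_actions(machine_config, machine_configuration):
    """Map each changed file to its node actions (simplified model)."""
    # Assumptions: exact path match only; a file with no matching policy
    # entry falls back to a reboot, the behaviour this report observed.
    policy = machine_configuration.get("spec", {}).get("nodeDisruptionPolicy", {})
    by_path = {e["path"]: e.get("actions", []) for e in policy.get("files", [])}
    plan = {}
    for path in changed_paths(machine_config):
        actions = by_path.get(path)
        plan[path] = [describe(a) for a in actions] if actions else ["Reboot"]
    return plan


def causes_reboot(plan):
    """True if any changed file would reboot the node."""
    return any("Reboot" in actions for actions in plan.values())


if __name__ == "__main__":
    for cfg in ({}, POLICY):
        plan = planned_actions(MACHINE_CONFIG, cfg)
        print(plan, "-> reboot" if causes_reboot(plan) else "-> no reboot")
```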