Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Major
Fix Version/s: None
Affects Version/s: 4.14.z, 4.15.0, 4.16.0
Component/s: Networking / ovn-kubernetes
Labels:
None

Regression:
No
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Target Version:

4.18.0
Target Backport Versions:

4.17.z, 4.16.z

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Description of problem:

ovnkube-controller can't create CSR when node is suspended for 30 days in AWS provider

This is similar to https://issues.redhat.com/browse/OCPBUGS-28735, but only applies to the cloud setups (AWS) - UPI deployment on baremetal was not affected

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:

    1. Setup an AWS cluster on machine
    2. Setup a bastion host
    3. Disable chronyd on all nodes
    4. Suspend nodes
    5. Change time on host 30 days forward
    6. Resume nodes
    7. Wait for API server to come up
    8. Wait for all operators to become ready

Actual results:

ovnkube-controller can't create CSRs:

igning request: Unauthorized\nI1015 00:56:11.127945   19420 certificate_manager.go:356] kubernetes.io/kube-apiserver-client: Rotating certificates\nE1015 00:56:11.135570   19420 certificate_manager.go:562] kubernetes.io/kube-apiserver-client: Failed while requesting a signed certificate from the control plane: cannot create certificate signing request: Unauthorized\nI1015 00:56:28.301468   19420 certificate_manager.go:356] kubernetes.io/kube-apiserver-client: Rotating certificates\nE1015 00:56:28.307212   19420 certificate_manager.go:562] kubernetes.io/kube-apiserver-client: Failed while requesting a signed certificate from the control plane: cannot create certificate signing request: Unauthorized\nE1015 00:56:28.307234   19420 certificate_manager.go:440] kubernetes.io/kube-apiserver-client: Reached backoff limit, still unable to rotate certs: timed out waiting for the condition\nI1015 00:57:00.309234   19420 certificate_manager.go:356] kubernetes.io/kube-apiserver-client: Rotating certificates\nE1015 00:57:00.315334   19420 certificate_manager.go:562] kubernetes.io/kube-apiserver-client: Failed while requesting a signed certificate from the control plane: cannot create certificate signing request: Unauthorized\nI1015 00:57:32.308867   19420 certificate_manager.go:356] kubernetes.io/kube-apiserver-client: Rotating certificates\nI1015 00:57:32.314494

Expected results:

CSRs are created and new certs are being issued.

Workaround:
* oc --request-timeout=5s -n openshift-multus delete pod -l app=multus --force --grace-period=0

Additional info:

CI job: https://prow.ci.openshift.org/view/gs/test-platform-results/logs/periodic-ci-openshift-release-master-nightly-4.18-e2e-aws-ovn-ha-cert-rotation-suspend-30d/1835106989529632768

clones

OCPBUGS-28735 Multus doesn't refresh certificates after node was suspended for 30 days

Closed

depends on

OCPBUGS-27429 Handle kubeconfig changes like CA rotation

Closed

is duplicated by

OCPBUGS-30237 Handle kubeconfig changes like CA rotation

Closed

relates to

OCPBUGS-27429 Handle kubeconfig changes like CA rotation

Closed

Assignee:: Patryk Diak

Reporter:: Vadim Rutkovsky

QA Contact:: Ke Wang

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Created:: 2024/09/16 1:08 PM

Updated:: 2024/09/23 10:44 AM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates