Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-59978

ARO clusters cannot scale on upgrade to 4.19

XMLWordPrintable

    • Quality / Stability / Reliability
    • False
    • Hide

      None

      Show
      None
    • 1
    • None
    • None
    • None
    • None
    • MCO Sprint 274
    • 1
    • Done
    • Bug Fix
    • Hide
      *Cause*: The ARO platform uses a hostname that is not available in Infrastructure object.
      *Consequence*: On upgrading to 4.19, the MCO rotates a TLS cert without the required hostname in the SAN IP list. This renders nodes unable to join the cluster while scaling up.
      *Fix*: The MCO vendors a custom ARO resource to determine the required SAN IP and injects it into the TLS cert that is being rotated.
      *Result*: Nodes are able to successfully join the cluster while scaling up.
      Show
      *Cause*: The ARO platform uses a hostname that is not available in Infrastructure object. *Consequence*: On upgrading to 4.19, the MCO rotates a TLS cert without the required hostname in the SAN IP list. This renders nodes unable to join the cluster while scaling up. *Fix*: The MCO vendors a custom ARO resource to determine the required SAN IP and injects it into the TLS cert that is being rotated. *Result*: Nodes are able to successfully join the cluster while scaling up.
    • None
    • None
    • None
    • None

      This is a clone of issue OCPBUGS-59780. The following is the description of the original issue:

      Currently, the MCO uses the infrastructure status to infer the hostnames during cert management. In ARO, those fields don't exist, so when the MCO's cert reconcile loop runs on upgrade to 4.19, it refreshes the cert without the required SAN IPs.

      The certcontroller in the MCO is vendored from library-go, which uses annotations on the secret to determine if the certs are due for rotation. Clusters in <4.18 do not have these annotations; and hence will have an immediate rotation when upgraded. 4.19 installer creates the secret with these annotations; so we will not see an immediate rotation when the MCO comes up during 4.19 installation and 

      See https://issues.redhat.com/browse/ARO-20086 for some more context. 

              djoshy David Joshy
              djoshy David Joshy
              None
              None
              Sergio Regidor de la Rosa Sergio Regidor de la Rosa
              None
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

                Created:
                Updated:
                Resolved: