- Bug
- Resolution: Unresolved
- Normal
- 4.20
- Quality / Stability / Reliability
- AUTOSCALE - Sprint 276
- Release Note Not Required
Related to https://issues.redhat.com//browse/AUTOSCALE-293
Token rotations no longer drift nodes, UNLESS the EC2NodeClass controller calls Reconcile, which only happens if the guest cluster CRDs get modified, since the controller does not watch secrets in the management cluster and cannot react to the token being rotated.
We actually probably want the ec2nodeclass controller to watch secrets (or at least get triggered when it rotates), because if not and the token gets rotated anyways, then whenever a new Karpenter wants to create a new node, it cannot because the token is outdated when sending the ignition payload to the ignition-server pod. This is currently what happens if 5.5 hours pass and the token for the hypershift nodepool that's tied to karpenter gets rotated --> new nodeclaims will fail to bring up new nodes after this.
- is related to: AUTOSCALE-293 Token rotation causes drift and rollout (In Progress)
- relates to: AUTOSCALE-322 We might be leaking token secrets when upgrade generate a new one (Closed)