Bug
Resolution: Done
Critical
4.13
Description of problem:
With "secureBoot" enabled, after deleting a control-plane machine, the new machine is created with "enableSecureBoot" being False unexpectedly.
Version-Release number of selected component (if applicable):
$ ./openshift-install version
./openshift-install 4.13.0-0.nightly-2023-02-07-064924
built from commit 34104392aaeaf2fab8bff49baeaf71e61025ad29
release image registry.ci.openshift.org/ocp/release@sha256:b99727eca2876d821ac8524ca8d6a33dd33d2af226f3cd22e0846eb558d18d4e
release architecture amd64
How reproducible:
Always
Steps to Reproduce:
1. "create install-config" and then edit "install-config.yaml" to set "secureBoot: Enabled" for both controlPlane and compute
2. "create cluster" and make sure it succeeds
3. delete a control-plane machine, and then check if the new control-plane machine is created with "enableSecureBoot" being True
Actual results:
The new control-plane machine is created with "enableSecureBoot" being False.
Expected results:
The new control-plane machine should be created with "enableSecureBoot" being True.
Additional info:
$ ./openshift-install version
./openshift-install 4.13.0-0.nightly-2023-02-07-064924
built from commit 34104392aaeaf2fab8bff49baeaf71e61025ad29
release image registry.ci.openshift.org/ocp/release@sha256:b99727eca2876d821ac8524ca8d6a33dd33d2af226f3cd22e0846eb558d18d4e
release architecture amd64
$ yq-3.3.0 r test1/install-config.yaml compute
- architecture: amd64
  hyperthreading: Enabled
  name: worker
  platform:
    gcp:
      secureBoot: Enabled
      tags:
      - jiwei-0208a-compute
  replicas: 2
$ yq-3.3.0 r test1/install-config.yaml controlPlane
architecture: amd64
hyperthreading: Enabled
name: master
platform:
  gcp:
    secureBoot: Enabled
    tags:
    - jiwei-0208a-control-plane
replicas: 3
$ yq-3.3.0 r test1/install-config.yaml platform
gcp:
  projectID: openshift-qe
  region: us-central1
$
$ ./openshift-install create cluster --dir test1
INFO Credentials loaded from file "/home/fedora/.gcp/osServiceAccount.json"
INFO Consuming Install Config from target directory
INFO Creating infrastructure resources...
INFO Waiting up to 20m0s (until 11:10AM) for the Kubernetes API at https://api.jiwei-0208a.qe.gcp.devcluster.openshift.com:6443...
INFO API v1.26.0+9eb81c2 up
INFO Waiting up to 30m0s (until 11:21AM) for bootstrapping to complete...
INFO Destroying the bootstrap resources...
INFO Waiting up to 40m0s (until 11:45AM) for the cluster at https://api.jiwei-0208a.qe.gcp.devcluster.openshift.com:6443 to initialize...
INFO Checking to see if there is a route at openshift-console/console...
INFO Install complete!
INFO To access the cluster as the system:admin user when using 'oc', run 'export KUBECONFIG=/home/fedora/ocp413/test1/auth/kubeconfig'
INFO Access the OpenShift web-console here: https://console-openshift-console.apps.jiwei-0208a.qe.gcp.devcluster.openshift.com
INFO Login to the console with user: "kubeadmin", and password: "bXeCA-Eo8RF-VA9tW-VQCTE"
INFO Time elapsed: 28m57s
$ export KUBECONFIG=/home/fedora/ocp413/test1/auth/kubeconfig
$ ./oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.13.0-0.nightly-2023-02-07-064924   True        False         12m     Cluster version is 4.13.0-0.nightly-2023-02-07-064924
$ ./oc get nodes
NAME                                                       STATUS   ROLES                  AGE   VERSION
jiwei-0208a-cfgzb-master-0.c.openshift-qe.internal         Ready    control-plane,master   32m   v1.26.0+9eb81c2
jiwei-0208a-cfgzb-master-1.c.openshift-qe.internal         Ready    control-plane,master   32m   v1.26.0+9eb81c2
jiwei-0208a-cfgzb-master-2.c.openshift-qe.internal         Ready    control-plane,master   32m   v1.26.0+9eb81c2
jiwei-0208a-cfgzb-worker-a-nr2vt.c.openshift-qe.internal   Ready    worker                 22m   v1.26.0+9eb81c2
jiwei-0208a-cfgzb-worker-b-rr7cs.c.openshift-qe.internal   Ready    worker                 22m   v1.26.0+9eb81c2
$ gcloud compute instances list --format="table(name,zone,machineType,status,shieldedInstanceConfig)" --filter="name~jiwei"
NAME                              ZONE           MACHINE_TYPE   STATUS   SHIELDED_INSTANCE_CONFIG
jiwei-0208a-cfgzb-master-0        us-central1-a  n2-standard-4  RUNNING  {'enableSecureBoot': True, 'enableVtpm': True, 'enableIntegrityMonitoring': True}
jiwei-0208a-cfgzb-worker-a-nr2vt  us-central1-a  n2-standard-4  RUNNING  {'enableSecureBoot': True, 'enableVtpm': True, 'enableIntegrityMonitoring': True}
jiwei-0208a-cfgzb-master-1        us-central1-b  n2-standard-4  RUNNING  {'enableSecureBoot': True, 'enableVtpm': True, 'enableIntegrityMonitoring': True}
jiwei-0208a-cfgzb-worker-b-rr7cs  us-central1-b  n2-standard-4  RUNNING  {'enableSecureBoot': True, 'enableVtpm': True, 'enableIntegrityMonitoring': True}
jiwei-0208a-cfgzb-master-2        us-central1-c  n2-standard-4  RUNNING  {'enableSecureBoot': True, 'enableVtpm': True, 'enableIntegrityMonitoring': True}
$ ./oc get machines -n openshift-machine-api
NAME                               PHASE     TYPE            REGION        ZONE            AGE
jiwei-0208a-cfgzb-master-0         Running   n2-standard-4   us-central1   us-central1-a   41m
jiwei-0208a-cfgzb-master-1         Running   n2-standard-4   us-central1   us-central1-b   41m
jiwei-0208a-cfgzb-master-2         Running   n2-standard-4   us-central1   us-central1-c   41m
jiwei-0208a-cfgzb-worker-a-nr2vt   Running   n2-standard-4   us-central1   us-central1-a   34m
jiwei-0208a-cfgzb-worker-b-rr7cs   Running   n2-standard-4   us-central1   us-central1-b   34m
$ ./oc get controlplanemachinesets -n openshift-machine-api
NAME      DESIRED   CURRENT   READY   UPDATED   UNAVAILABLE   STATE    AGE
cluster   3         3         3       3                       Active   41m
$ ./oc delete machines jiwei-0208a-cfgzb-master-0 -n openshift-machine-api
machine.machine.openshift.io "jiwei-0208a-cfgzb-master-0" deleted
$ ./oc get machines -n openshift-machine-api
NAME                               PHASE     TYPE            REGION        ZONE            AGE
jiwei-0208a-cfgzb-master-1         Running   n2-standard-4   us-central1   us-central1-b   50m
jiwei-0208a-cfgzb-master-2         Running   n2-standard-4   us-central1   us-central1-c   50m
jiwei-0208a-cfgzb-master-qggjg-0   Running   n2-standard-4   us-central1   us-central1-a   8m12s
jiwei-0208a-cfgzb-worker-a-nr2vt   Running   n2-standard-4   us-central1   us-central1-a   43m
jiwei-0208a-cfgzb-worker-b-rr7cs   Running   n2-standard-4   us-central1   us-central1-b   43m
$ gcloud compute instances list --format="table(name,zone,machineType,status,shieldedInstanceConfig)" --filter="name~jiwei"
NAME                              ZONE           MACHINE_TYPE   STATUS   SHIELDED_INSTANCE_CONFIG
jiwei-0208a-cfgzb-master-qggjg-0  us-central1-a  n2-standard-4  RUNNING  {'enableSecureBoot': False, 'enableVtpm': True, 'enableIntegrityMonitoring': True}
jiwei-0208a-cfgzb-worker-a-nr2vt  us-central1-a  n2-standard-4  RUNNING  {'enableSecureBoot': True, 'enableVtpm': True, 'enableIntegrityMonitoring': True}
jiwei-0208a-cfgzb-master-1        us-central1-b  n2-standard-4  RUNNING  {'enableSecureBoot': True, 'enableVtpm': True, 'enableIntegrityMonitoring': True}
jiwei-0208a-cfgzb-worker-b-rr7cs  us-central1-b  n2-standard-4  RUNNING  {'enableSecureBoot': True, 'enableVtpm': True, 'enableIntegrityMonitoring': True}
jiwei-0208a-cfgzb-master-2        us-central1-c  n2-standard-4  RUNNING  {'enableSecureBoot': True, 'enableVtpm': True, 'enableIntegrityMonitoring': True}
$

FYI
1. After worker machineset scaleup or deleting a worker machine, the new worker machine is created with "enableSecureBoot" being True.
2. As for controlplanemachinesets, see https://issues.redhat.com/browse/CORS-1988.
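A check for the drift shown in the output above, as an added example that is not part of the original report or of any OpenShift code: it reads the JSON form of the same `gcloud compute instances list` query and reports every instance whose Shielded VM settings are not all enabled. The function name, the sample data and the instance `example-no-shielded-block` are constructed for illustration.

```python
import json
import sys

# Shielded VM settings that the report's table shows as True on a correctly built node.
REQUIRED = ("enableSecureBoot", "enableVtpm", "enableIntegrityMonitoring")

# Constructed sample in the shape of `gcloud compute instances list --format=json`,
# reduced to the fields used here. The first two names mirror the report's output;
# the third is a made-up instance with no shieldedInstanceConfig block at all.
SAMPLE = json.dumps([
    {"name": "jiwei-0208a-cfgzb-master-qggjg-0",
     "zone": "projects/openshift-qe/zones/us-central1-a",
     "shieldedInstanceConfig": {"enableSecureBoot": False, "enableVtpm": True,
                                "enableIntegrityMonitoring": True}},
    {"name": "jiwei-0208a-cfgzb-master-1",
     "zone": "projects/openshift-qe/zones/us-central1-b",
     "shieldedInstanceConfig": {"enableSecureBoot": True, "enableVtpm": True,
                                "enableIntegrityMonitoring": True}},
    {"name": "example-no-shielded-block",
     "zone": "projects/openshift-qe/zones/us-central1-c"},
])


def audit_shielded_config(gcloud_json, required=REQUIRED):
    """Map instance name -> zone and the required settings that are not enabled."""
    findings = {}
    for inst in json.loads(gcloud_json):
        cfg = inst.get("shieldedInstanceConfig") or {}
        # Fail closed: a missing key or a missing block counts as disabled.
        disabled = [key for key in required if cfg.get(key) is not True]
        if disabled:
            zone = inst.get("zone", "").rsplit("/", 1)[-1]
            findings[inst["name"]] = {"zone": zone, "disabled": disabled}
    return findings


if __name__ == "__main__":
    # Pass a file holding the gcloud JSON output, or run with no argument for the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            raw = fh.read()
    else:
        raw = SAMPLE
    for name, info in sorted(audit_shielded_config(raw).items()):
        print(f"{name} ({info['zone']}): disabled -> {', '.join(info['disabled'])}")
```

Running it after every control-plane machine replacement, against output filtered to the cluster's instance name prefix, catches a replacement node that came up without secure boot.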
- is related to
  - CORS-2504 Post-merge Testing - Closed
  - WRKLDS-661 Post-merge Testing - Closed