Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Critical
Fix Version/s: None
Affects Version/s: 4.19, 4.20
Component/s: Cloud Compute / KubeVirt Provider
Labels:

Activity Type:
None
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Story Points:
None
Severity:
None
Regression:
None

Target Backport Versions:
None
Target Version:

4.20
Release Blocker:
None
Sprint:
None

Customer Impact:

Customer Escalated
RH Private Keywords:

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

PX Impact Score:

Release Note Status:
None
Release Note Type:
None
Release Note Text:
None

Escape Reason:
None
Escape Impact:
None
Corrective Measures:
None
SDLC stage when should've been found:
None

Description of problem:

Machine objects in a HCP cluster with kubevirt and dual-stack deployment only shows the IPv4 as they are limited to share only one IP from the kubevirtmachine object:

https://github.com/openshift/cluster-api-provider-kubevirt/blob/6bc63fc9424fa6509063519042882828a9e141dc/pkg/kubevirt/machine.go#L229

Also it seems like te kubevirtmachine can only handle one internal IP addresses:
https://github.com/openshift/cluster-api-provider-kubevirt/blob/6bc63fc9424fa6509063519042882828a9e141dc/controllers/kubevirtmachine_controller.go#L326

This is probably the cause preventing csr auto approval on HCP cluster.

Version-Release number of selected component (if applicable):

Openshift 4.20.10

How reproducible:

Always

Steps to Reproduce:

    1. Create a HCP cluster dual-stack 
    2.
    3.

Actual results:

"machine-approver" container is showing these errors when new machines appears:

I0115 15:11:57.723924       1 controller.go:165] Reconciling CSR: csr-j9jmt
E0115 15:11:57.742178       1 controller.go:307] failed to get kubelet CA: ConfigMap "csr-controller-ca" not found
E0115 15:11:57.742205       1 controller.go:281] failed to get kubelet CA
I0115 15:11:57.742211       1 csr_check.go:173] csr-j9jmt: CSR does not appear to be client csr
I0115 15:11:57.742216       1 csr_check.go:218] Falling back to machine-api authorization for temp--standard-fk69z
E0115 15:11:57.742224       1 csr_check.go:438] csr-j9jmt: IP address '2001:x:x:x:x:x:x:x' not in machine addresses: 10.x.x.x 10.x.x.x
I0115 15:11:57.742229       1 csr_check.go:221] Could not use Machine for serving cert authorization: IP address '2001:x:x:x:x:x:x:x' not in machine addresses: 10.x.x.x 10.x.x.x
I0115 15:11:57.743321       1 controller.go:286] csr-j9jmt: CSR not authorized
E0115 15:11:57.743352       1 controller.go:353] "Reconciler error" err="could not reconcile CSR: could not authorize CSR: exhausted all authorization methods: IP address '2001:x:x:x:x:x:x:x' not in machine addresses: 10.x.x.x 10.x.x.x" controller="certificatesigningrequest" controllerGroup="certificates.k8s.io" controllerKind="CertificateSigningRequest" CertificateSigningRequest="csr-j9jmt" namespace="" name="csr-j9jmt" reconcileID="xxxx"

Expected results:

machine correctly represents in the status the two ip addresses and as a consequence automatically approve the new CSR

Additional info:

is related to

OCPBUGS-74100 [OCP 419] HCP node CSR not approved in dual stack configuration

links to

Fix

Assignee:: Felix Enrique Llorente Pastora

Reporter:: Mario Abajo Duran

Need Info From:: None

Contributors:: None

QA Contact:: Yu Li

Doc Contact:: None

Votes:: 1 Vote for this issue

Watchers:: 7 Start watching this issue

Created:: 2026/01/22 8:22 PM

Updated:: 2026/01/24 12:35 AM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates