controller-manager/scheduler: switch to secure ports

[s-urbaniak]

Recently, the control plane switched to secure ports in [1] and [2].
This aligns them in the installer.

[1]
openshift/cluster-kube-scheduler-operator#88
[2]
openshift/cluster-kube-controller-manager-operator#207

/cc @brancz @sttts

[s-urbaniak]

/test e2e-aws

[brancz]

/lgtm

[abhinavdahiya]

/lgtm

[wking]

Can we just cut over? I'd have expected keeping both ports open during the transition. I guess we'll see how e2e-aws goes...

[brancz]

The insecure port has already been disabled on the components, so I'd be surprised if e2e-aws only turned red now. We (as in monitoring) would have appreciated a transition though instead of a hard break, as this is currently blocking all our PRs as our CI is failing because of these not being available. Now we've almost completed all of the transition though so more for next time 🙂 .

[wking]

e2e-aws:

Flaky tests:

[sig-cli] Kubectl client [k8s.io] Simple pod should contain last line of the log [Suite:openshift/conformance/parallel] [Suite:k8s]

Failing tests:

[Feature:Prometheus][Conformance] Prometheus when installed on the cluster should start and expose a secured proxy and unsecured metrics [Suite:openshift/conformance/parallel/minimal]

/retest

[wking]

We (as in monitoring) would have appreciated a transition though instead of a hard break, as this is currently blocking all our PRs as our CI is failing because of these not being available.

Sounds like you need to add a stronger monitoring check to the e2e-aws suite, so future changes are gated on not breaking you?

[brancz]

Sounds like you need to add a stronger monitoring check to the e2e-aws suite, so future changes are gated on not breaking you?

We had these, but they were disabled for migration purposes 🙃 (without us being informed).

[brancz]

The OpenShift API never became available in the test failure, seems unrelated.

/retest

[brancz]

That seems like another failure in bringing up the cluster, I'm seeing:

                    {
                        "lastTransitionTime": "2019-04-10T15:19:36Z",
                        "message": "StaticPodsFailing: pods \"kube-apiserver-ip-10-0-130-161.ec2.internal\" not found\nStaticPodsFailing: pods \"kube-apiserver-ip-10-0-168-57.ec2.internal\" not found\nStaticPodsFailing: pods \"kube-apiserver-ip-10-0-148-58.ec2.internal\" not found",
                        "reason": "StaticPodsFailingError",
                        "status": "True",
                        "type": "Failing"
                    },

And

                    {
                        "lastTransitionTime": "2019-04-10T15:19:37Z",
                        "message": "StaticPodsFailing: pods \"kube-controller-manager-ip-10-0-130-161.ec2.internal\" not found\nStaticPodsFailing: pods \"kube-controller-manager-ip-10-0-168-57.ec2.internal\" not found\nStaticPodsFailing: pods \"kube-controller-manager-ip-10-0-148-58.ec2.internal\" not found",
                        "reason": "StaticPodsFailingError",
                        "status": "True",
                        "type": "Failing"
                    },

Among other components. I'm not entirely convinced this is due to this change though as apiserver and openshift-apiserver are failing as well.

Could installer folks have a deeper look? For now restarting, we might just have been unlucky.

/retest

[brancz]

Looked into the failure, this time "only" compute nodes and apiserver seem to have failed, but I can't find further logs to find out more.

/retest

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[brancz]

failed to create listener: failed to listen on 0.0.0.0:10257: listen tcp 0.0.0.0:10257: bind: address already in use

Seems like a flake as this PRs isn't the one switching this behavior.

/retest

[s-urbaniak]

/retest

[s-urbaniak]

/retest

[s-urbaniak]

At last verified locally this branch successfully and confirmed the control plane is reachable on 10257/10259.

The flakes are addressed in openshift/origin#22543.

[s-urbaniak]

/retest

flake PR merge, let's see how this goes

[s-urbaniak]

/test e2e-aws

[s-urbaniak]

/test e2e-aws

[paulfantom]

/retest

[s-urbaniak]

/test e2e-aws

[s-urbaniak]

@abhinavdahiya this is a chicken/egg problem, as prometheus still tries to scrape insecure ports, this is resolved in openshift/cluster-monitoring-operator#316, but the latter cannot land without this. We temporarily disabled this very e2e test and will reenable once this and the referenced PR land.

[s-urbaniak]

side note: openshift/origin#22574 got merged just 6 hours ago due to flakes, so let's observe the current builds.

[abhinavdahiya]

e2e-aws is still failing:

[Feature:Prometheus][Conformance] Prometheus when installed on the cluster should start and expose a secured proxy and unsecured metrics [Suite:openshift/conformance/parallel/minimal]

[abhinavdahiya]

/test e2e-metal

[s-urbaniak]

hmm .. it's still e2e'ing the scheduler metrics 🤔

Apr 16 21:35:17.877: INFO: missing some targets: [no match for map[job:scheduler] with health up and scrape URL ^(http|https)://.*/metrics$]

@paulfantom do you mind to have a look why this is the case?

[s-urbaniak]

/retest

[s-urbaniak]

/retest

[s-urbaniak]

@abhinavdahiya PTAL, aws is green again, I have not enough context about the baremetal failure but it seems unrelated.

[abhinavdahiya]

/retest

[abhinavdahiya]

/test e2e-aws

[brancz]

/retest

[s-urbaniak]

fwiw openshift/cluster-monitoring-operator#316 just got merged, so once this lands, we can reenable the metrics e2e tests for the control plane.

[brancz]

/retest

[brancz]

/retest

[brancz]

/retest

[abhinavdahiya]

/lgtm

e2e-metal is optional

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: abhinavdahiya, brancz, s-urbaniak

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [abhinavdahiya]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[brancz]

/retest

[brancz]

/retest

[trown]

/test e2e-openstack

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-ci-robot]

@s-urbaniak: The following test failed, say /retest to rerun them all:

Test name	Commit	Details	Rerun command
ci/prow/e2e-metal	36bb700	link	/test e2e-metal

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.