Skip to content

append kube-ca to root-ca for mco config #420

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
openshift-merge-robot merged 1 commit into from
Feb 15, 2019
Merged

append kube-ca to root-ca for mco config #420

openshift-merge-robot merged 1 commit into from
Feb 15, 2019

Conversation

@mrogers950
Copy link

@mrogers950 mrogers950 commented Feb 13, 2019

For openshift/installer#1179 it's necessary to include the now self-signed kube-ca in the /etc/kubernetes/ca.crt file for kubelets, since the PR makes root-ca no longer a valid trust anchor for the API server certs. I think this is the correct spot to modify to change /etc/kubernetes/ca.crt, and I'm opting to append it rather than replace the root CA for now to make sure nothing else breaks. (There might be a different configmap that it would be better to grab kube-ca from.)
/cc @abhinavdahiya @deads2k @openshift/sig-auth

@openshift-ci-robot openshift-ci-robot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Feb 13, 2019
abhinavdahiya
abhinavdahiya reviewed Feb 13, 2019
View reviewed changes
Copy link
Contributor

@abhinavdahiya abhinavdahiya left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You need to make sure that the operator/bootstrap.go does the same thing

@openshift-ci-robot openshift-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Feb 13, 2019
@mrogers950
Copy link
Author

mrogers950 commented Feb 13, 2019

@abhinavdahiya thanks, updated.

@mrogers950
Copy link
Author

mrogers950 commented Feb 13, 2019

Got level=fatal msg="failed to initialize the cluster: Cluster operator machine-config is reporting a failure: Failed when progressing towards 3.11.0-623-gddfed948-dirty because: error syncing: timed out waiting for the condition during syncRequiredMachineConfigPools: error pool master is not ready. status: (total: 3, updated: 0, unavailable: 1)"
/retest

@cgwalters
Copy link
Member

cgwalters commented Feb 13, 2019

Got level=fatal msg="failed to initialize the cluster: Cluster operator machine-config is reporting a failure: Failed when progressing towards 3.11.0-623-gddfed948-dirty because: error syncing: timed out waiting for the condition during syncRequiredMachineConfigPools: error pool master is not ready. status: (total: 3, updated: 0, unavailable: 1)"

To debug that you usually want to look at the MCO logs from the pods. In this case looking at the MCC:

I0213 17:56:21.316874       1 render_controller.go:456] Generated machineconfig worker-f294327daacaedeea90cc9974bfc4f49 from 1 configs: [{MachineConfig  00-worker  machineconfiguration.openshift.io/v1  }]
I0213 17:56:21.317364       1 node_controller.go:345] Error syncing machineconfigpool worker: Empty Current MachineConfig
I0213 17:56:22.016392       1 node_controller.go:345] Error syncing machineconfigpool master: Empty Current MachineConfig
I0213 17:56:22.016553       1 render_controller.go:456] Generated machineconfig master-5243f3f3e45c6b04c0aa66b1c7f8ef32 from 2 configs: [{MachineConfig  00-master  machineconfiguration.openshift.io/v1  } {MachineConfig  00-master-ssh  machineconfiguration.openshift.io/v1  }]
I0213 17:56:26.517010       1 render_controller.go:456] Generated machineconfig worker-03ca778b37ae53fefac69033297cf86e from 3 configs: [{MachineConfig  00-worker  machineconfiguration.openshift.io/v1  } {MachineConfig  00-worker-ssh  machineconfiguration.openshift.io/v1  } {MachineConfig  01-worker-kubelet  machineconfiguration.openshift.io/v1  }]
I0213 17:56:27.016572       1 render_controller.go:456] Generated machineconfig master-52aab5b37d42ba01e94273a35d68c09b from 3 configs: [{MachineConfig  00-master  machineconfiguration.openshift.io/v1  } {MachineConfig  00-master-ssh  machineconfiguration.openshift.io/v1  } {MachineConfig  01-master-kubelet  machineconfiguration.openshift.io/v1  }]

Looks like this hit #338

@ashcrow
Copy link
Member

ashcrow commented Feb 13, 2019

/retest

@runcom
Copy link
Member

runcom commented Feb 14, 2019

needs a rebase

@openshift-ci-robot openshift-ci-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Feb 14, 2019
@mrogers950
Copy link
Author

mrogers950 commented Feb 14, 2019

/retest

@cgwalters
Copy link
Member

cgwalters commented Feb 14, 2019

TESTING: set kube-ca default to current kube-ca path

Yes, that's what you need to do for now. Squash that into the previous commit, then land this - then you can update the installer to pass it as an argument, and then finally remove the default here.

We've done this multiple times now for MCO/installer interlocking issues.

@mrogers950
Copy link
Author

mrogers950 commented Feb 14, 2019

@cgwalters I've squashed the commits, and testing looks good. PTAL.

@cgwalters
Copy link
Member

cgwalters commented Feb 14, 2019

/lgtm

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Feb 14, 2019
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Feb 14, 2019

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cgwalters, mrogers950

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci-robot openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 14, 2019
@runcom
Copy link
Member

runcom commented Feb 15, 2019

/retest

@openshift-bot
Copy link
Contributor

openshift-bot commented Feb 15, 2019

/retest

Please review the full test history for this PR and help us cut down flakes.

1 similar comment
@openshift-bot
Copy link
Contributor

openshift-bot commented Feb 15, 2019

/retest

Please review the full test history for this PR and help us cut down flakes.

@openshift-merge-robot openshift-merge-robot merged commit d937342 into openshift:master Feb 15, 2019
mrogers950 pushed a commit to mrogers950/installer that referenced this pull request Feb 18, 2019
bootkube: pass --kube-ca to MCO
2d62d2b 
Wire in the --kube-ca option after
openshift/machine-config-operator#420.
This was referenced Feb 18, 2019
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@deads2k deads2k Awaiting requested review from deads2k

1 more reviewer

@abhinavdahiya abhinavdahiya abhinavdahiya left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@cgwalters cgwalters

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

9 participants

@mrogers950 @cgwalters @ashcrow @runcom @openshift-ci-robot @openshift-bot @abhinavdahiya @deads2k @openshift-merge-robot