
Re: Failure when adding node - Approve node certificates when bootstrapping



If there are no pending CSRs, then either the kubelet did not start on
the node, or the node does not have network access to the master to
request a CSR.

When the kubelet first starts, it requests a CSR for its client cert.
That cert needs to be approved before the node can join the cluster.
After the node joins the cluster, it will issue a CSR for its
server-side cert.  This cert is necessary for connecting to the node
for reading logs from pods.  This second CSR may report as failed if
the master is not able to successfully verify it can read the node's
server port.

On Wed, Jun 26, 2019 at 9:51 AM Robert Dahlem <robert dahlem gmx net> wrote:
>
> Dan,
>
> On 26.06.2019 14:51, Dan Pungă wrote:
>
> > I've recently run the scaleup procedure on a 3.11 OKD cluster with the
> > same result (failure) from the ansible run.
>
> Thank you for jumping in.
>
> > However, when checking for node status and extra info I've found that
> > the node was successfully added to the cluster and in "Ready" state.
>
> > oc get nodes -o wide -> gives the status of the nodes, their role,
> > internal IP etc;
>
> # oc get nodes
> shows only the nodes I had before the scaleup.
>
> > I had a similar CSR problem when initially installing the cluster and
> > posted a question in here some weeks ago. My problem was DNS related,
> > but, while searching for a solution, I found that subsequent runs of the
> > node playbook would generate OKD csr-s that would not be approved, but
> > in pending state.
> > You can see if there are any and what state they're in with:
>
> > oc get csr
>
> Unfortunately I see:
> # oc get csr
> No resources found.
>
> This might very well be the root of my problem.
>
> > What I did was to enable automatic certificate issue from the master
> > with using the variable
> >
> > openshift_master_bootstrap_auto_approve=true
>
> I tried that, but ran into the same error.
>
> Kind regards,
> Robert
>



-- 
Michael Gugino
Senior Software Engineer - OpenShift
mgugino redhat com
540-846-0304
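
The two CSR stages described in the reply above, as an added example (not part of the original message or of openshift-ansible): a shell helper that sorts pending CSRs into client (bootstrap) and server requests by requestor, so approval can be limited to nodes you expect. The function names, the sample `oc get csr` output and the node name are constructed; the requestor names (`...:node-bootstrapper` for the client cert, `system:node:<name>` for the server cert) are assumed to match a 3.11 cluster.

```shell
#!/bin/sh
# Constructed sample of `oc get csr` output; CSR names, ages and node name are made up.
sample_csrs() {
cat <<'EOF'
NAME        AGE   REQUESTOR                                                 CONDITION
csr-aaaaa   12m   system:serviceaccount:openshift-infra:node-bootstrapper   Approved,Issued
csr-bbbbb   3m    system:serviceaccount:openshift-infra:node-bootstrapper   Pending
csr-ccccc   2m    system:node:node4.example.com                             Pending
csr-ddddd   1m    system:admin                                              Pending
EOF
}

# Read `oc get csr` text on stdin; print "<kind> <csr-name> <requestor>" per Pending CSR.
# client     = first CSR, requested through the bootstrap service account (assumed name)
# server     = second CSR, requested by the node itself after it has joined
# unexpected = any other requestor; review by hand, never approve in bulk
classify_csrs() {
  awk 'NR > 1 && $4 == "Pending" {
    if ($3 ~ /:node-bootstrapper$/) kind = "client"
    else if ($3 ~ /^system:node:/) kind = "server"
    else kind = "unexpected"
    print kind, $1, $3
  }'
}

# Names of pending server CSRs whose requestor is exactly the expected node.
pending_server_for_node() {
  node="$1"
  classify_csrs | awk -v want="system:node:$node" '$1 == "server" && $3 == want { print $2 }'
}

# Print the classification, or the two causes named in the reply when nothing is pending.
triage() {
  out=$(classify_csrs)
  if [ -z "$out" ]; then
    echo "no pending CSRs: check that the kubelet started on the node and that the node can reach the master"
    return 1
  fi
  echo "$out"
}

# Demo on the constructed sample.
sample_csrs | triage
```

On a live master, pipe `oc get csr` into `triage` instead of the sample, and approve an entry you have reviewed with `oc adm certificate approve <name>`.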

