[reproducer] Enable CSR auto-approval when waiting for OCP stability #4027

Open
abays wants to merge 1 commit into openstack-k8s-operators:main from abays:fix/reproducer-approve-pending-csrs

abays commented Jul 2, 2026

When reusing an existing OpenShift cluster (e.g. after `reproducer-clean.yml` without `--tags deepscrub`), the reproducer calls `openshift_adm` with `op: stable` to wait for the cluster to come back. The `wait_for_cluster.yml` task file already contains a block that auto-approves pending certificate signing requests via the `cifmw.general.approve_csr` module, but that block is gated by `_openshift_adm_check_cert_approve`, which defaults to `false`.

The `devscripts` role sets this flag during its own golden-image verification flow, but the reproducer role calls `openshift_adm` directly — bypassing that path entirely. As a result, CSRs that appear after a cluster restart (kubelet client/server certs) are never approved, causing the MachineConfigPool wait to hang indefinitely.

Pass `_openshift_adm_check_cert_approve: true` from both reproducer entry points (`main.yml` and `reuse_main.yaml`) so that pending CSRs are automatically approved during the cluster stability wait.

Co-authored-by: Cursor <cursoragent@cursor.com>
Signed-off-by: Andrew Bays <abays@redhat.com>
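
An added example, not part of this PR or the project's code and not the logic of `cifmw.general.approve_csr`: one way to limit automatic approval to the kubelet client/server CSRs the description mentions and to set everything else aside for review. The requestor and usage policy, the helper names and the sample CSR list are assumptions constructed for illustration.

```python
# Kubernetes built-in signers for kubelet certificates, with the usage each one requires.
KUBELET_SIGNERS = {
    "kubernetes.io/kube-apiserver-client-kubelet": "client auth",
    "kubernetes.io/kubelet-serving": "server auth",
}
# Assumption: accepted requestors are node identities and the OpenShift
# node-bootstrapper service account; adjust to the cluster's own policy.
BOOTSTRAPPER = "system:serviceaccount:openshift-machine-config-operator:node-bootstrapper"


def is_pending(csr):
    """A CSR is pending when it carries no Approved or Denied condition."""
    conditions = csr.get("status", {}).get("conditions") or []
    return not any(c.get("type") in ("Approved", "Denied") for c in conditions)


def classify_pending(csr_list):
    """Return (approvable, needs_review) name lists for the pending CSRs."""
    approvable, needs_review = [], []
    for csr in csr_list.get("items", []):
        if not is_pending(csr):
            continue
        spec = csr.get("spec", {})
        user = spec.get("username", "")
        usages = set(spec.get("usages") or [])
        required = KUBELET_SIGNERS.get(spec.get("signerName", ""))
        allowed = {"digital signature", "key encipherment", required}
        # The bootstrapper may only request client certs; nodes may request both.
        requestor_ok = user.startswith("system:node:") or (
            user == BOOTSTRAPPER and required == "client auth")
        ok = (required is not None and required in usages
              and usages <= allowed and requestor_ok)
        (approvable if ok else needs_review).append(csr["metadata"]["name"])
    return approvable, needs_review


def _csr(name, signer, user, usages, conditions=None):
    """Build one constructed item in the shape of `oc get csr -o json` output."""
    return {"metadata": {"name": name}, "status": {"conditions": conditions or []},
            "spec": {"signerName": signer, "username": user, "usages": usages}}


SAMPLE = {"items": [  # constructed sample data, not taken from a real cluster
    _csr("csr-a", "kubernetes.io/kube-apiserver-client-kubelet", BOOTSTRAPPER, ["digital signature", "client auth"]),
    _csr("csr-b", "kubernetes.io/kubelet-serving", "system:node:master-0", ["digital signature", "server auth"]),
    _csr("csr-c", "kubernetes.io/kubelet-serving", "system:node:master-1", ["digital signature", "server auth"], [{"type": "Approved"}]),
    _csr("csr-d", "kubernetes.io/kube-apiserver-client", "constructed-user", ["digital signature", "client auth"]),
]}

if __name__ == "__main__":
    print(classify_pending(SAMPLE))
```
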


openshift-ci Bot commented Jul 2, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign valkyrie00 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment
