[reproducer] Enable CSR auto-approval when waiting for OCP stability #4027
Open
abays wants to merge 1 commit into
When reusing an existing OpenShift cluster (e.g. after `reproducer-clean.yml` without `--tags deepscrub`), the reproducer calls `openshift_adm` with `op: stable` to wait for the cluster to come back. The `wait_for_cluster.yml` task file already contains a block that auto-approves pending certificate signing requests via the `cifmw.general.approve_csr` module, but that block is gated by `_openshift_adm_check_cert_approve`, which defaults to `false`.

The `devscripts` role sets this flag during its own golden-image verification flow, but the reproducer role calls `openshift_adm` directly — bypassing that path entirely. As a result, CSRs that appear after a cluster restart (kubelet client/server certs) are never approved, causing the MachineConfigPool wait to hang indefinitely.

Pass `_openshift_adm_check_cert_approve: true` from both reproducer entry points (`main.yml` and `reuse_main.yaml`) so that pending CSRs are automatically approved during the cluster stability wait.

Co-authored-by: Cursor <cursoragent@cursor.com>
Signed-off-by: Andrew Bays <abays@redhat.com>
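An added example, not code from this PR or from the `cifmw.general.approve_csr` module: because enabling the flag approves pending CSRs without a human in the loop, this shows one way to triage pending requests by signer and requester before approving them. The input mirrors the shape of `oc get csr -o json`; the requester identities, the helper names and the sample CSRs are assumptions constructed for illustration.

```python
# Built-in Kubernetes signers for kubelet client and serving certificates.
KUBELET_CLIENT = "kubernetes.io/kube-apiserver-client-kubelet"
KUBELET_SERVING = "kubernetes.io/kubelet-serving"
# Assumption: the OpenShift service account that requests first-time kubelet client certs.
BOOTSTRAPPER = "system:serviceaccount:openshift-machine-config-operator:node-bootstrapper"


def is_pending(csr):
    """A CSR is pending when it carries neither an Approved nor a Denied condition."""
    conditions = csr.get("status", {}).get("conditions") or []
    return not any(c.get("type") in ("Approved", "Denied") for c in conditions)


def requester_ok(csr):
    """Node identities may request either kubelet cert; the bootstrapper only client certs."""
    spec = csr.get("spec", {})
    user = spec.get("username", "")
    if user.startswith("system:node:"):
        return True
    return spec.get("signerName") == KUBELET_CLIENT and user == BOOTSTRAPPER


def triage(csr_list):
    """Split pending CSRs into (approve, review) lists of names."""
    approve, review = [], []
    for csr in csr_list.get("items", []):
        if not is_pending(csr):
            continue  # already approved or denied
        name = csr["metadata"]["name"]
        signer = csr.get("spec", {}).get("signerName")
        if signer in (KUBELET_CLIENT, KUBELET_SERVING) and requester_ok(csr):
            approve.append(name)
        else:
            review.append(name)  # unexpected signer or requester: leave for a human
    return approve, review


def make_csr(name, signer, user, conditions=None):
    """Build a minimal CSR object (constructed sample data, not real cluster output)."""
    return {"metadata": {"name": name},
            "spec": {"signerName": signer, "username": user},
            "status": {"conditions": conditions} if conditions else {}}


SAMPLE = {"items": [
    make_csr("csr-a", KUBELET_CLIENT, BOOTSTRAPPER),
    make_csr("csr-b", KUBELET_SERVING, "system:node:master-0"),
    make_csr("csr-c", KUBELET_SERVING, "system:node:master-1", [{"type": "Approved"}]),
    make_csr("csr-d", "kubernetes.io/kube-apiserver-client", "system:admin"),
    make_csr("csr-e", KUBELET_SERVING, BOOTSTRAPPER),
]}
```

Names in the first list are candidates for `oc adm certificate approve`; anything in the second list is pending but does not match the kubelet pattern and is worth inspecting rather than approving in bulk.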
[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing