From a431245b1458f9cc34a4a229de3caa6c8f37adbd Mon Sep 17 00:00:00 2001
From: Andrew Bays
Date: Thu, 2 Jul 2026 11:42:49 +0000
Subject: [PATCH] [reproducer] Enable CSR auto-approval when waiting for OCP stability
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When reusing an existing OpenShift cluster (e.g. after `reproducer-clean.yml` without `--tags deepscrub`), the reproducer calls `openshift_adm` with `op: stable` to wait for the cluster to come back. The `wait_for_cluster.yml` task file already contains a block that auto-approves pending certificate signing requests via the `cifmw.general.approve_csr` module, but that block is gated by `_openshift_adm_check_cert_approve`, which defaults to `false`. The `devscripts` role sets this flag during its own golden-image verification flow, but the reproducer role calls `openshift_adm` directly — bypassing that path entirely. As a result, CSRs that appear after a cluster restart (kubelet client/server certs) are never approved, causing the MachineConfigPool wait to hang indefinitely. Pass `_openshift_adm_check_cert_approve: true` from both reproducer entry points (`main.yml` and `reuse_main.yaml`) so that pending CSRs are automatically approved during the cluster stability wait.
Co-authored-by: Cursor
Signed-off-by: Andrew Bays
---
 roles/reproducer/tasks/main.yml | 1 +
 roles/reproducer/tasks/reuse_main.yaml | 1 +
 2 files changed, 2 insertions(+)
diff --git a/roles/reproducer/tasks/main.yml b/roles/reproducer/tasks/main.yml
index f16a6abbf..30c181830 100644
--- a/roles/reproducer/tasks/main.yml
+++ b/roles/reproducer/tasks/main.yml
@@ -474,6 +474,7 @@
 cifmw_openshift_adm_op: "stable"
 cifmw_openshift_kubeconfig: >-
 {{ (_auth_path, 'kubeconfig') | ansible.builtin.path_join }}
+ _openshift_adm_check_cert_approve: true
 ansible.builtin.include_role:
 name: openshift_adm
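Review bot: The added `_openshift_adm_check_cert_approve: true` var turns on automatic approval of pending CSRs for the whole stability wait, and nothing at the call site records that or bounds it. Whether `cifmw.general.approve_csr` checks the requester or signer is not visible in this patch; if it does not, any CSR submitted to the cluster API during the wait gets signed, including kubelet client certificates that confer node identity. That is acceptable for a disposable reproducer but riskier on the reuse path, so I would add a comment above the line such as `# Approves every pending CSR during the wait; only for disposable lab clusters.` and consider letting the caller override the value instead of hard-coding `true`. The same point applies to the identical hunk in `roles/reproducer/tasks/reuse_main.yaml`; the task these vars belong to starts above the hunk.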
diff --git a/roles/reproducer/tasks/reuse_main.yaml b/roles/reproducer/tasks/reuse_main.yaml
index cd99f20a2..c780d2597 100644
--- a/roles/reproducer/tasks/reuse_main.yaml
+++ b/roles/reproducer/tasks/reuse_main.yaml
@@ -179,6 +179,7 @@
 cifmw_openshift_adm_op: "stable"
 cifmw_openshift_kubeconfig: >-
 {{ (_auth_path, 'kubeconfig') | ansible.builtin.path_join }}
+ _openshift_adm_check_cert_approve: true
 ansible.builtin.include_role:
 name: openshift_adm