Migrate to Ignition config spec v3.1 and bump RHCOS by LorbusChris · Pull Request #3871 · openshift/installer

LorbusChris · 2020-07-09T21:19:56Z

The installer now generates spec v3.1 ignition config,
instead of v2.2 (and v2.4 for openstack) as before.

The v3.1 ignition config specification can be found at [1].
A detailed overview of the differences between specs v2 and v3 can be found at [2].

Notable differences are:

the Filesystem identifier on ignition file configs no longer exists
Overwrite now defaults to false (was true in spec v2), which is why
it is now set explicitly to keep the same behaviour.
duplicate file configs are now prohibited, i.e. all contents and
all appendices must be defined in a single config.
duplicate systemd unit configs are now prohibited, i.e. the content
and all dropins must be defined in a single config.

This commit:

Bumps ignition to v2.3.0 with support for config spec v3.1.
Bumps terraform-provider-ignition to v2.1.0.
Also adds downloading of the provider binary to images/installer/Dockerfile.upi.ci
which is necessary because the ignition v2/spec3 version from the
community-terraform-providers/terraform-ignition-provider fork is not
present in the provider registry that is maintained by Hashicorp and can
therefore not be pulled in automatically by terraform.
is not present in the
Bumps machine-config-operator to b3b074ee9156
(latest commit at the time of this writing).
Adds "github.com/clarketm/json" dependency for marshaling Ignition configs.
This is a dropin replacement for "encoding/json" that supports zero values of
structs with omittempty annotations when marshaling.
In effect, this will exclude empty pointer struct fields from the
marshaled data instead of inserting nil values into them, which do not
pass openAPI validation on fields that are supposed to contain e.g. strings.
The same library is used by machine-config-operator and ignition itself.
Updates the vendor dir to make commit idempotent.

[1] https://github.com/coreos/ignition/blob/master/doc/configuration-v3_1.md
[2] https://github.com/coreos/ignition/blob/master/doc/migrating-configs.md#from-version-230-to-300

Co-authored-by: Vadim Rutkovsky vrutkovs@redhat.com

LorbusChris · 2020-07-09T21:35:33Z

/retest

LorbusChris · 2020-07-09T21:40:54Z

/cc @travier @vrutkovs

LorbusChris · 2020-07-09T22:11:47Z

Note: All e2e tests except AWS are expected to fail at this point (and it requires e2e-aws to run in the us-east-1 region)

LorbusChris · 2020-07-09T22:39:59Z

@travier e2e ran in us-east-2 this time, so no wonder it didn't work. I'm not sure whether they always do that or how one could determine where they'd run. To be on the safe side, can you replicate the AMI to all regions? (or build anew with is_production: true, and repl)

travier · 2020-07-10T08:11:23Z

I restarted an RHCOS build that will upload to all the US regions.
Edit: Restarted again.

miabbott · 2020-07-10T11:00:49Z

@travier The pipeline should grant access to the CI account automatically - https://gitlab.cee.redhat.com/coreos/redhat-coreos/-/blob/master/scripts/upload-ami#L13

Looking at your most recent pipeline run, it looks like it should have been successfully granted to the CI account

+ ore --log-level INFO aws upload --region us-east-1 --bucket s3://rhcos-ci/testing-travier/amis --ami-name rhcos-46.82.202007100955-0 --name rhcos-46.82.202007100955-0 --ami-description "OpenShift 4 46.82.202007100955-0" --file builds/46.82.202007100955-0/x86_64/rhcos-46.82.202007100955-0-aws.x86_64.vmdk --disk-size-inspect --delete-object --grant-user 460538899914 --grant-user 269733383066

miabbott · 2020-07-10T11:01:26Z

/test e2e-aws

travier · 2020-07-10T12:33:25Z

rhcos.json needs to be updated with the following new AMIs:
us-east-1 ami-070cdabec74569572
us-east-2 ami-0b7dd156ccbd25423
us-west-1 ami-02fe039340ef18fa2
us-west-2 ami-0a42581bd5b7526cf

LorbusChris · 2020-07-10T15:38:36Z

/test e2e-aws
/test e2e-aws-fips

yuqi-zhang · 2020-07-10T20:47:27Z

edit: nvm I think when I overrode the payload it was using the wrong ami

LorbusChris · 2020-07-10T22:06:35Z

@yuqi-zhang there does seem to be a problem though, as bootstrap's API never comes up. Will investigate further next week.

LorbusChris · 2020-07-13T12:25:08Z

/retest

LorbusChris · 2020-07-13T12:44:13Z

/retest

LorbusChris · 2020-07-13T14:04:49Z

/test e2e-aws-upgrade
/test e2e-aws-fips

LorbusChris · 2020-07-13T15:34:12Z

e2e-aws passed 🎉

cgwalters · 2020-07-13T15:49:05Z

The MCS logs look right, I see the v3 user agent.

One thing to keep in mind here is...since we're overriding just the bootimage but not the machine-os-content, we do use Ignition spec 3 at boot time...but the installed cluster in this PR pivoted into an OS with an older Ignition, see e.g. in the MCD logs:
I0713 13:21:05.143260 1790 daemon.go:227] Installed Ignition binary version: 0.35.1

Which is totally fine - Ignition only runs in the initramfs on the first boot. I can't think of a reason this would break or fail. But, let's just keep it in mind in case we hit anything strange.

yuqi-zhang · 2020-07-13T20:58:44Z

Was able to get a full spec 3 cluster from this PR 🎉

cgwalters · 2020-07-29T15:28:18Z

I think we should get e2e-aws-upi to pass. I don't think retesting is going to do that, it doesn't seem like a flake. We already found out that the CloudFormation templates were broken by this, there is probably something else.

I filed #3974 to use as a reference point.

One interesting thing here is this ignition-exporter log - there's a whole lot of requests for / and exactly one request for bootstrap.ign. That seems suspicious. EDIT: Hmm, maybe not - maybe the requests for / are health checks.

I'm wondering if the default e2e-aws-upi is entangled with the proxy stuff in openshift/release#10534 - it doesn't look like it should be, but maybe it is.

runcom · 2020-07-29T15:53:05Z

It seems that the failure in aws-upi is directly related to the fact that workers don't go up - and thus operators like monitoring fails to rollout properly and we get the failure. As noticed in my previous comment, it seems this was already happening prior to this PR but sure it's worth understanding how this could impact that as well @cgwalters

cgwalters · 2020-07-29T15:55:03Z

As noticed in my previous comment, it seems this was already happening prior to this PR but sure it's worth understanding how this could impact that as well @cgwalters

I don't see e2e-aws-upi having run in https://prow.ci.openshift.org/pr-history/?org=openshift&repo=installer&pr=3821
You're right e2e-vsphere-upi did, and I'd believe you if you said they had the same symptoms. But at least e2e-aws-upi isn't entangled with vSphere reliability issues.

runcom · 2020-07-29T15:58:13Z

I don't see e2e-aws-upi having run in https://prow.ci.openshift.org/pr-history/?org=openshift&repo=installer&pr=3821

Right, I missed on that, but I found https://prow.ci.openshift.org/view/gs/origin-ci-test/pr-logs/pull/openshift_installer/3626/pull-ci-openshift-installer-master-e2e-aws-upi/1287951297437241344 (related to PR https://prow.ci.openshift.org/pr-history/?org=openshift&repo=installer&pr=3626)

...
worker: "all 0 nodes are at latest configuration rendered-worker-06a743b67e0a25c007e96fba9b3c79a2"

Which is another PR showing the very same symptom (also, I'm agreeing it needs investigation anyway :))

cgwalters · 2020-07-29T16:35:16Z

Which is another PR showing the very same symptom (also, I'm agreeing it needs investigation anyway :))

OK yeah, e2e-aws-upi fails in exactly the same way on the dummy test PR: https://prow.ci.openshift.org/view/gs/origin-ci-test/pr-logs/pull/openshift_installer/3974/pull-ci-openshift-installer-master-e2e-aws-upi/1288496223979835392

So I'm back in the "land and iterate on these jobs after" camp:
/lgtm

cgwalters · 2020-07-29T16:43:18Z

Filed https://bugzilla.redhat.com/show_bug.cgi?id=1861828 to track this.

LorbusChris · 2020-07-29T17:51:46Z

/test e2e-aws-fips
/test e2e-gcp-upi

abhinavdahiya · 2020-07-29T18:13:43Z

/test e2e-aws-upi

abhinavdahiya · 2020-07-29T18:28:05Z

https://prow.ci.openshift.org/view/gs/origin-ci-test/pr-logs/pull/openshift_installer/3871/pull-ci-openshift-installer-master-e2e-vsphere-upi/1288495552496930816

https://prow.ci.openshift.org/view/gs/origin-ci-test/pr-logs/pull/openshift_installer/3871/pull-ci-openshift-installer-master-e2e-vsphere-upi/1288495552496930816#1:build-log.txt%3A433

error: no kind "CertificateSigningRequest" is registered for version "certificates.k8s.io/v1" in scheme "k8s.io/kubernetes/pkg/kubectl/scheme/scheme.go:28"

$ for i in $(curl -s https://storage.googleapis.com/origin-ci-test/pr-logs/pull/openshift_installer/3871/pull-ci-openshift-installer-master-e2e-vsphere-upi/1288495552496930816/artifacts/e2e-vsphere-upi/gather-extra/csr.json | jq -r '.items[] | select(.status == {}) | .spec.request'); do echo "$i" | base64 -d | openssl req -noout -text; done
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: O = system:nodes, CN = system:node:compute-2
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:64:d3:40:ff:64:9e:de:dd:ff:01:37:00:f3:fb:
                    18:d9:3e:48:e7:f0:2e:cd:aa:86:e4:a6:53:23:fd:
                    ee:d3:a1:aa:32:a3:0f:79:4a:ab:a3:52:0d:c4:33:
                    ca:64:97:52:e7:1b:a6:a3:16:4d:0b:8d:c5:99:de:
                    fc:07:39:1f:37
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        Attributes:
            a0:00
    Signature Algorithm: ecdsa-with-SHA256
         30:46:02:21:00:fe:76:8d:f3:7d:2f:9a:21:65:da:b5:aa:2a:
         aa:f3:82:52:e8:15:d1:a4:6c:f6:b5:ac:ce:2b:25:75:6e:19:
         8b:02:21:00:f3:d0:cf:4f:04:7b:b0:59:29:37:e7:a4:f5:75:
         bc:92:03:c7:94:ce:ae:3b:2a:5d:bb:52:6c:09:6e:2e:a7:74
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: O = system:nodes, CN = system:node:compute-0
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:8a:c7:5a:3a:80:30:a7:b7:75:14:87:1e:78:18:
                    c3:83:1d:48:19:8d:5b:b5:10:cb:de:f9:46:9b:35:
                    a9:76:38:93:df:f1:42:87:06:18:04:d0:1f:e9:ed:
                    8d:ec:56:c9:47:f7:71:74:64:44:29:ae:db:dd:e4:
                    ae:f7:30:25:97
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        Attributes:
            a0:00
    Signature Algorithm: ecdsa-with-SHA256
         30:44:02:20:02:60:a1:4b:e4:fe:2d:02:f6:ea:9a:91:af:92:
         aa:a6:f7:4c:9b:a0:f1:a8:6c:bc:ee:90:ea:c0:de:25:98:e7:
         02:20:6f:dd:9c:e2:61:9d:b8:90:cc:25:77:45:9f:6b:f8:69:
         6f:6c:b9:9a:75:27:67:66:12:49:76:4a:8c:a7:03:55
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: O = system:nodes, CN = system:node:compute-2
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:4d:e1:91:6c:ba:ac:e8:35:d6:c4:be:d8:78:05:
                    cc:39:cf:24:1e:49:52:39:9e:49:6d:da:d3:d8:b0:
                    1f:93:ce:a9:1d:20:74:77:3f:30:71:d2:3b:4e:aa:
                    29:c0:58:98:a5:1d:cd:42:dc:ab:5e:e8:7c:ce:fd:
                    09:e6:30:d5:b1
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        Attributes:
            a0:00
    Signature Algorithm: ecdsa-with-SHA256
         30:44:02:20:12:db:78:a8:76:59:0e:c7:b7:c3:7b:e3:27:f2:
         68:09:34:c8:df:4e:7e:f6:fc:cc:9d:7a:66:b2:4d:27:34:73:
         02:20:76:77:b2:8a:83:82:7d:6e:30:a0:61:9a:ef:70:25:40:
         42:f6:71:e1:12:4b:30:0a:e8:36:21:ea:5a:39:1f:41
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: O = system:nodes, CN = system:node:compute-2
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:f1:15:34:b9:ad:eb:ad:53:14:ef:46:40:4b:04:
                    22:72:91:c0:aa:5e:0a:7a:91:35:a5:71:a2:32:bb:
                    6d:02:03:df:12:93:c6:4e:5e:27:9a:f3:3f:5c:aa:
                    b0:0e:88:bf:2b:a7:e5:24:cb:2b:fd:3f:81:59:27:
                    48:a0:bd:b6:89
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        Attributes:
            a0:00
    Signature Algorithm: ecdsa-with-SHA256
         30:44:02:20:7a:04:64:33:a8:04:33:f1:0e:b8:c2:64:17:a1:
         fa:a6:a0:de:c6:01:82:0a:f0:fd:e8:f0:08:71:7f:0b:79:31:
         02:20:35:2f:c1:d4:ba:4b:26:6c:e2:8f:89:61:e2:f5:d6:92:
         a0:c5:66:cd:a9:33:96:4e:cf:2a:11:5a:75:1b:c4:66
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: O = system:nodes, CN = system:node:compute-1
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:e9:ea:91:90:ff:bb:bd:26:86:67:a4:3b:db:d4:
                    12:3f:61:bf:66:89:ce:29:81:a0:3f:b0:1f:7b:58:
                    14:36:ef:13:db:d0:a4:1e:08:07:bf:3c:2e:41:6f:
                    f6:6d:11:4b:7e:18:b4:91:c5:43:ec:43:e2:25:56:
                    59:c6:09:ef:a3
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        Attributes:
            a0:00
    Signature Algorithm: ecdsa-with-SHA256
         30:46:02:21:00:f4:5f:2a:ca:a0:d5:f2:bf:c6:25:f9:13:0b:
         b9:3b:a8:01:3f:5d:70:3d:1d:68:1f:a2:4a:29:fa:f4:b5:7a:
         ac:02:21:00:a7:83:6b:95:65:29:b2:b6:5f:b6:85:9c:b4:8f:
         b3:ed:87:26:53:47:40:f4:4d:88:d5:3c:b5:ec:c5:9b:a7:2b
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: O = system:nodes, CN = system:node:compute-1
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:a8:30:c4:1e:b5:45:62:18:77:e1:61:4d:8b:75:
                    00:d2:cb:e8:62:9b:97:1a:27:ee:0f:95:b2:5a:b9:
                    75:2a:a5:7e:b0:5f:11:4f:42:3a:ac:a3:42:87:95:
                    9d:c9:b5:97:79:56:4e:65:fe:e7:8b:d0:d3:56:b5:
                    16:28:0b:9e:2e
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        Attributes:
            a0:00
    Signature Algorithm: ecdsa-with-SHA256
         30:45:02:20:4e:e1:3b:5f:81:09:b0:ae:26:fc:9e:fc:42:d1:
         a1:46:f6:1b:fe:8f:0d:84:88:b8:cc:43:3f:c7:46:4e:42:95:
         02:21:00:a2:9b:be:dc:c7:7e:c1:e1:a9:32:b4:be:a0:38:95:
         a6:4d:95:e8:10:b9:99:ae:47:b9:3c:70:40:51:3e:8f:ad
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: O = system:nodes, CN = system:node:compute-0
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:b7:c6:31:cb:6d:50:1e:43:d1:d9:32:22:d1:82:
                    0e:6b:6b:76:0d:8c:ae:db:1f:27:6c:c3:1d:03:00:
                    a4:7e:e1:e2:81:13:54:d7:b0:ec:f9:2b:f8:f9:8e:
                    69:38:82:fc:a7:08:b1:5b:4f:03:cf:f1:53:7a:40:
                    ac:50:ab:d7:7c
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        Attributes:
            a0:00
    Signature Algorithm: ecdsa-with-SHA256
         30:44:02:20:78:0c:ff:6e:99:4c:21:e2:b1:c8:e7:23:6f:7c:
         7b:21:df:ca:6f:6c:88:ee:6c:64:11:75:5e:eb:51:43:77:41:
         02:20:4c:c8:1d:3b:08:19:bc:cb:4f:d9:39:4f:dc:fe:73:10:
         79:9f:24:d6:86:7d:7f:7a:44:8b:ac:d9:1c:31:a4:81
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: O = system:nodes, CN = system:node:compute-1
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:7b:c6:06:15:7b:af:09:51:a3:11:75:92:c6:7b:
                    ec:ed:04:24:dd:d5:5d:29:d8:a7:7b:70:80:2c:13:
                    a0:26:8c:d1:7b:e4:29:ca:08:e8:4e:7a:5d:e4:29:
                    93:8d:c8:b1:89:c0:79:51:93:5e:ae:a8:37:a4:3c:
                    50:30:1c:14:c7
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        Attributes:
            a0:00
    Signature Algorithm: ecdsa-with-SHA256
         30:46:02:21:00:a9:00:69:33:07:60:78:78:87:16:c3:22:e1:
         b9:64:a5:0b:d6:fb:83:6b:d3:50:b5:58:ad:60:e8:43:65:6b:
         a5:02:21:00:ed:3f:7d:40:ef:a1:2c:0d:23:49:6a:17:67:46:
         dd:40:9c:e6:ce:a6:d5:19:b2:46:08:b2:10:81:4a:89:6b:cd
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: O = system:nodes, CN = system:node:compute-0
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:44:b1:c3:75:01:03:af:40:8a:29:30:e7:d6:3f:
                    55:cb:84:e3:77:b7:7f:4d:99:d1:8e:06:4c:eb:61:
                    42:86:70:af:94:d3:b6:f7:3b:80:e1:c3:52:0e:5d:
                    72:a7:97:c1:81:2d:fb:14:e0:f6:dc:ee:46:0b:88:
                    77:d8:09:df:0b
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        Attributes:
            a0:00
    Signature Algorithm: ecdsa-with-SHA256
         30:45:02:21:00:a8:89:b9:df:2f:ef:fb:5b:bf:a2:4b:82:f8:
         ce:b0:f8:a2:76:b4:ce:61:f6:02:6d:16:50:bb:99:bd:e6:43:
         16:02:20:46:4c:ef:ec:b2:52:49:70:fb:b5:35:d2:47:d1:de:
         ec:c5:6c:ee:07:90:0e:e7:57:ba:a3:0e:4a:87:ea:49:4b

shows that the compute is booting and sending CSR but those are not getting approved.

So I think we should be good wrt ignition change in vSphere UPI

cgwalters · 2020-07-29T19:06:03Z

So I think we should be good wrt ignition change in vSphere UPI

OK, just need someone to /approve here then right?

abhinavdahiya · 2020-07-29T20:08:14Z

https://prow.ci.openshift.org/view/gs/origin-ci-test/pr-logs/pull/openshift_installer/3871/pull-ci-openshift-installer-master-e2e-aws-upi/1288538277200007168#1:build-log.txt%3A759

no kind "CertificateSigningRequest" is registered for version "certificates.k8s.io/v1" in scheme "k8s.io/kubernetes/pkg/kubectl/scheme/scheme.go:28"

https://storage.googleapis.com/origin-ci-test/pr-logs/pull/openshift_installer/3871/pull-ci-openshift-installer-master-e2e-aws-upi/1288538277200007168/artifacts/e2e-aws-upi/csr.json

$ for i in $(curl -s https://storage.googleapis.com/origin-ci-test/pr-logs/pull/openshift_installer/3871/pull-ci-openshift-installer-master-e2e-aws-upi/1288538277200007168/artifacts/e2e-aws-upi/csr.json | jq -r '.items[] | select(.status == {}) | .spec.request'); do echo "$i" | base64 -d | openssl req -noout -text; done
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: O = system:nodes, CN = system:node:ip-10-0-67-141.ec2.internal
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:95:2c:92:d1:2a:2b:04:d4:55:5b:58:5b:a5:a0:
                    4b:49:9b:69:20:68:b7:a9:03:cc:ca:9f:8f:38:cb:
                    a7:ad:42:92:55:b3:3d:b7:c2:9e:7f:ad:70:3e:a6:
                    0a:46:3c:71:39:7c:be:b4:e6:f3:6e:30:dc:98:9d:
                    a7:17:87:9e:07
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        Attributes:
            a0:00
    Signature Algorithm: ecdsa-with-SHA256
         30:44:02:20:45:7c:c3:87:f5:68:5d:da:e9:2a:0f:19:60:de:
         a3:28:1c:8d:ad:d1:66:cc:b8:77:12:56:11:6c:70:8e:99:22:
         02:20:5a:75:c8:55:c9:35:73:72:87:9a:ea:8d:46:50:e8:7a:
         5e:1e:8f:73:35:5c:72:d7:23:7e:e5:21:00:bf:7a:9f
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: O = system:nodes, CN = system:node:ip-10-0-67-141.ec2.internal
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:6d:66:de:6e:5a:36:43:ed:04:83:66:44:29:65:
                    41:f6:49:35:a9:25:40:af:57:70:ef:0c:34:b4:cc:
                    7c:7b:e2:25:77:13:0a:a6:2f:84:e2:0a:12:b7:e3:
                    bd:ed:08:22:5e:ef:4e:46:90:11:29:63:aa:8c:28:
                    39:22:c8:3f:2b
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        Attributes:
            a0:00
    Signature Algorithm: ecdsa-with-SHA256
         30:44:02:20:40:93:0d:ec:b5:09:e4:3f:21:0f:fc:ff:03:33:
         0e:67:56:f2:98:9d:df:28:1a:c0:ce:f9:89:c4:49:d7:78:e1:
         02:20:6c:3e:78:43:33:2b:91:97:21:d8:74:50:5e:51:b0:65:
         10:69:82:6f:0a:b9:50:3d:6b:46:f2:11:20:78:38:30
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: O = system:nodes, CN = system:node:ip-10-0-86-165.ec2.internal
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:19:a6:54:03:10:80:fb:19:da:00:82:19:1d:92:
                    b9:8b:2e:8b:59:f0:7e:2d:82:f3:33:10:ad:b7:2d:
                    c6:2d:06:94:23:41:c0:92:7d:fc:aa:21:06:e3:99:
                    83:9c:60:03:e5:ad:b4:0e:20:fc:e7:43:85:9f:e0:
                    67:11:b6:53:f9
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        Attributes:
            a0:00
    Signature Algorithm: ecdsa-with-SHA256
         30:46:02:21:00:ab:ca:d8:50:61:99:e1:29:b2:dd:d8:bc:a7:
         51:38:cb:2f:bc:37:38:b9:cc:8c:73:ee:0e:1f:8d:cb:cc:32:
         94:02:21:00:d4:d6:6a:35:19:e4:31:35:69:6c:a5:4f:a8:cc:
         80:85:9a:10:3f:03:ee:fa:bb:af:5d:e4:17:75:ae:26:bf:1f
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: O = system:nodes, CN = system:node:ip-10-0-86-165.ec2.internal
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:25:56:5a:57:8d:4c:09:14:10:db:95:f4:4d:19:
                    6e:36:94:86:22:85:b8:be:84:6c:13:12:a8:a4:df:
                    eb:3c:85:04:85:cf:f6:48:7a:92:ad:98:27:e9:65:
                    18:bf:aa:ef:2c:e7:12:d1:17:40:1c:a1:6a:81:ce:
                    53:b8:08:48:87
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        Attributes:
            a0:00
    Signature Algorithm: ecdsa-with-SHA256
         30:44:02:20:19:f8:c3:36:f6:89:ea:c1:f9:30:40:a5:a4:b8:
         62:6b:c8:eb:46:2b:3e:d8:d0:ae:d5:65:2c:a7:ad:78:a1:e7:
         02:20:41:c5:30:7f:eb:3e:e4:09:bd:3c:50:24:f0:16:c9:e5:
         56:7d:2c:2e:35:31:a8:cd:e6:77:fc:51:2d:a7:78:f8
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: O = system:nodes, CN = system:node:ip-10-0-51-79.ec2.internal
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:4a:5e:ae:55:ec:c2:7f:7e:e5:c7:76:88:db:8a:
                    ce:3c:a3:d1:b3:10:5b:55:42:2d:31:5b:de:fe:6a:
                    8c:43:49:0a:e7:cd:3f:79:f5:6c:df:9b:6c:b4:7f:
                    94:c5:2b:e0:f4:2d:30:d7:6c:25:b8:7c:ab:8d:fb:
                    99:55:48:d7:3a
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        Attributes:
            a0:00
    Signature Algorithm: ecdsa-with-SHA256
         30:46:02:21:00:aa:5c:e3:bb:5b:76:43:38:f1:a5:96:0e:61:
         e2:07:ec:41:91:4f:05:ae:a1:5c:d7:1b:07:ed:9f:6e:61:7b:
         d5:02:21:00:80:de:cb:9c:3f:57:a0:2e:eb:ce:c7:a6:14:7b:
         f5:97:4f:22:ba:8f:3e:e0:ed:92:0c:20:47:e0:aa:44:7a:9a
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: O = system:nodes, CN = system:node:ip-10-0-51-79.ec2.internal
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:a2:2d:7f:7d:9f:1b:69:d0:88:aa:f1:9c:d0:29:
                    1a:cd:21:8f:f5:44:47:48:f1:e2:c5:bf:65:ea:2f:
                    c2:a8:93:22:91:1e:8c:a6:87:0a:5c:4a:5f:5b:84:
                    22:52:f2:72:95:52:d6:c3:2c:64:c6:b0:d0:63:d0:
                    ec:64:f4:2e:6f
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        Attributes:
            a0:00
    Signature Algorithm: ecdsa-with-SHA256
         30:45:02:21:00:ae:1f:14:eb:b4:ec:cf:a7:71:31:d9:3c:04:
         08:08:72:0e:bd:8d:2a:ad:08:53:97:1b:8d:79:a9:ea:3b:5c:
         d0:02:20:52:1a:ec:70:a4:32:2f:1d:50:7e:da:a5:74:17:29:
         e2:fd:fd:78:e9:71:69:43:5d:47:bf:d4:3f:b2:fb:90:bf

So it seems like aws upi is also facing the same issue described in #3871 (comment)

The nodes are booting but failing to join the cluster due to CSR not getting approved.

abhinavdahiya · 2020-07-29T20:10:15Z

#3871 (comment)
#3871 (comment)

Based on those, it seems like the ignition work should be fine. and i will update the BZ https://bugzilla.redhat.com/show_bug.cgi?id=1861828 to reflect our CSR being broken due to oc rebase.

/approve

openshift-ci-robot · 2020-07-29T20:10:38Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: abhinavdahiya, cgwalters

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [abhinavdahiya]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

LorbusChris · 2020-07-29T20:15:51Z

cgwalters · 2020-07-29T20:29:38Z

Adding overrides based on above
/override ci/prow/e2e-metal
/override ci/prow/e2e-aws-upi
/override ci/prow/e2e-gcp-upi
/override ci/prow/e2e-vsphere
/override ci/prow/e2e-vsphere-upi

openshift-ci-robot · 2020-07-29T20:29:57Z

@cgwalters: cgwalters unauthorized: /override is restricted to Repo administrators, approvers in top level OWNERS file.

Details

In response to this:

Adding overrides based on above
/override ci/prow/e2e-metal
/override ci/prow/e2e-aws-upi
/override ci/prow/e2e-gcp-upi
/override ci/prow/e2e-vsphere
/override ci/prow/e2e-vsphere-upi

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

openshift-bot · 2020-07-29T20:33:00Z

/retest