enable kubelet server cert bootstrapping

[sjenning]

@smarterclayton @ericavonb @mrogers950 @rphillips

wait for openshift/cluster-machine-approver#3 to merge and ensure that machine-approver is running

[sjenning]

/hold

[smarterclayton]

Also add RotateKubeletClientCertificate, and let's make sure rotate certificates is set here too.

3.10 on always rotated both, but at a slower interval. We want 4.0 to rotate both, more quickly (days).

[sjenning]

Yes, this is set for workers, but not masters. I didn't want to make that change as part of this until I understood why this was done.

[sjenning]

Test cluster is working with the approver starting and approving new machines as expected, but I think I need to move the approver to runlevel 0. At runlevel 1 is starts late and kubelets will not accept incoming connections until the server cert is installed. openshift/cluster-machine-approver#4

[sjenning]

/retest

[smarterclayton]

I think you'll need to ensure the signer is running early in bootstrap.

…

On Tue, Nov 20, 2018 at 11:36 PM OpenShift CI Robot < ***@***.***> wrote: @sjenning <https://github.com/sjenning>: The following test *failed*, say /retest to rerun them all: Test name Commit Details Rerun command ci/prow/e2e-aws c78e5cd <c78e5cd> link <https://openshift-gce-devel.appspot.com/build/origin-ci-test/pr-logs/pull/openshift_machine-config-operator/187/pull-ci-openshift-machine-config-operator-master-e2e-aws/333> /test e2e-aws Full PR test history <https://openshift-gce-devel.appspot.com/pr/openshift_machine-config-operator/187>. Your PR dashboard <https://openshift-gce-devel.appspot.com/pr/sjenning>. Please help us cut down on flakes by linking to <https://github.com/kubernetes/community/blob/master/contributors/devel/flaky-tests.md#filing-issues-for-flaky-tests> an open issue <https://github.com/openshift/machine-config-operator/issues?q=is:issue+is:open> when you hit one in your PR. Instructions for interacting with me using PR comments are available here <https://git.k8s.io/community/contributors/guide/pull-requests.md>. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra <https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:> repository. I understand the commands that are listed here <https://go.k8s.io/bot-commands>. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#187 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABG_pz87-jrQzR18BkP78-0U5swV5b_lks5uxNhQgaJpZM4YsD7O> .

[sjenning]

i think openshift/cluster-machine-approver#4 may have not gone in before the previous retest
/retest

[rphillips]

EOL got stripped on this file

[sjenning]

# crictl logs f2fd6df8c27e0
2018/11/26 18:16:29 socat[4847] E connect(5, AF=1 "/var/run/openshift-sdn/cni-server.sock", 40): No such file or directory
User "sa" set.
Context "kubelet" modified.
I1126 18:16:29.545148    4826 start_network.go:200] Reading node configuration from /tmp/sdn-config.yaml
Invalid NodeConfig /tmp/sdn-config.yaml
  servingInfo.certFile: Invalid value: "/etc/kubernetes/pki/kubelet.crt": could not read file: stat /etc/kubernetes/pki/kubelet.crt: no such file or directory
  servingInfo.keyFile: Invalid value: "/etc/kubernetes/pki/kubelet.key": could not read file: stat /etc/kubernetes/pki/kubelet.key: no such file or directory

# crictl inspect f2fd6df8c27e0
...
      {
        "containerPath": "/etc/kubernetes/pki",
        "hostPath": "/var/lib/kubelet/pki",
        "propagation": "PROPAGATION_PRIVATE",
        "readonly": true,
        "selinuxRelabel": false
      },
...

The sdn pod is not starting and is blocking the cluster control plane from starting. It is not clear why the sdn pod needs the kubelet server key/cert. Seem to be a remnant of using the NodeConfig code in the sdn process. Discussing with @squeed and @dcbw.

[sjenning]

needs openshift/origin#21551 plus a PR to the cluster-network-operator to not set the kubelet serving info in the generated NodeConfig.

[sjenning]

next in line openshift/cluster-network-operator#43

[sjenning]

/retest

[sjenning]

/retest

[sjenning]

/retest

[smarterclayton]

Please rebase - this is critical for getting metrics from nodes.

[openshift-bot]

@sjenning: PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[sjenning]

/hold cancel

[sjenning]

/retest

[sjenning]

/retest

[smarterclayton]

/lgtm

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: sjenning, smarterclayton

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [smarterclayton]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment