stormshift / support

This repo should serve as a central source for reporting issues with stormshift
GNU General Public License v3.0

OCP3 cert issues after downtime #72

Closed DanielFroehlich closed 2 years ago

DanielFroehlich commented 2 years ago

OCP3 was (partially) down for a couple of days due to HW issues. After a clean reboot, nodes compute-1, control-1 and control-2 are not ready:

[root@ocp3support ~]# oc get nodes
NAME                                           STATUS     ROLES           AGE     VERSION
compute-0.ocp3.stormshift.coe.muc.redhat.com   Ready      worker          429d    v1.21.6+c180a7c
compute-1.ocp3.stormshift.coe.muc.redhat.com   NotReady   worker          429d    v1.21.6+c180a7c
compute-2.ocp3.stormshift.coe.muc.redhat.com   Ready      worker          429d    v1.21.6+c180a7c
control-0.ocp3.stormshift.coe.muc.redhat.com   Ready      master,worker   2y53d   v1.21.6+c180a7c
control-1.ocp3.stormshift.coe.muc.redhat.com   NotReady   master,worker   2y53d   v1.21.6+c180a7c
control-2.ocp3.stormshift.coe.muc.redhat.com   NotReady   master,worker   2y53d   v1.21.6+c180a7c

Seems the certs did expire; I can see new CSRs:

[root@ocp3support ~]# oc get csr
NAME        AGE     SIGNERNAME                                    REQUESTOR                                                                   CONDITION
csr-6tqlj   2m41s   kubernetes.io/kubelet-serving                 system:node:control-0.ocp3.stormshift.coe.muc.redhat.com                    Pending
csr-mn4n7   17m     kubernetes.io/kubelet-serving                 system:node:control-0.ocp3.stormshift.coe.muc.redhat.com                    Pending
csr-nvtxq   109s    kubernetes.io/kube-apiserver-client-kubelet   system:serviceaccount:openshift-machine-config-operator:node-bootstrapper   Pending
csr-p7v55   17m     kubernetes.io/kube-apiserver-client-kubelet   system:serviceaccount:openshift-machine-config-operator:node-bootstrapper   Pending
csr-rbckv   17m     kubernetes.io/kube-apiserver-client-kubelet   system:serviceaccount:openshift-machine-config-operator:node-bootstrapper   Pending
csr-x8zz5   2m12s   kubernetes.io/kube-apiserver-client-kubelet   system:serviceaccount:openshift-machine-config-operator:node-bootstrapper   Pending

But approving the CSRs fails:

[root@ocp3support ~]# oc adm certificate approve csr-x8zz5
No resources found
error: no kind "CertificateSigningRequest" is registered for version "certificates.k8s.io/v1" in scheme "k8s.io/kubernetes/pkg/kubectl/scheme/scheme.go:28"

That's the end of my troubleshooting skills. I can only speculate that, as two of three control nodes are not ready, the cluster has no quorum. I think there are some docs on how to recover from this, but I can't find them at the moment.

github-actions[bot] commented 2 years ago

Heads up @cluster/ocp3-admin - the "cluster/ocp3" label was applied to this issue.

rbo commented 2 years ago
$ ssh root@stormshiftdeploy.coe.muc.redhat.com
ssh: connect to host stormshiftdeploy.coe.muc.redhat.com port 22: No route to host

:-(

rbo commented 2 years ago

oc client version is too old, updated oc client to latest stable 4.8 version:

[root@ocp3support ~]# oc version
Client Version: openshift-clients-4.2.2-201910250432-4-g4ac90784
Server Version: 4.8.24
Kubernetes Version: v1.21.6+c180a7c
[root@ocp3support ~]# type oc
oc is hashed (/root/bin/oc)
[root@ocp3support ~]# cd bin/
[root@ocp3support bin]# ls
kubectl  oc  openshift-install
[root@ocp3support bin]# curl -L -O https://mirror.openshift.com/pub/openshift-v4/clients/ocp/stable-4.8/openshift-client-linux.tar.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 47.4M  100 47.4M    0     0  50.9M      0 --:--:-- --:--:-- --:--:-- 50.9M
[root@ocp3support bin]# tar xzvf openshift-client-linux.tar.gz oc kubectl
oc
kubectl
[root@ocp3support bin]# oc version
Client Version: 4.8.33
Server Version: 4.8.24
Kubernetes Version: v1.21.6+c180a7c
rbo commented 2 years ago

Approve all pending certificates: oc get csr | awk '/Pending/ {print $1}' | xargs oc adm certificate approve

Details:

[root@ocp3support bin]# oc get csr | awk '/Pending/ {print $1}' | xargs oc adm certificate approve
certificatesigningrequest.certificates.k8s.io/csr-2rc4c approved
certificatesigningrequest.certificates.k8s.io/csr-2wgfq approved
certificatesigningrequest.certificates.k8s.io/csr-42l4q approved
certificatesigningrequest.certificates.k8s.io/csr-42p4m approved
certificatesigningrequest.certificates.k8s.io/csr-42x96 approved
certificatesigningrequest.certificates.k8s.io/csr-4gt4r approved
certificatesigningrequest.certificates.k8s.io/csr-4lrsx approved
certificatesigningrequest.certificates.k8s.io/csr-5nfrz approved
certificatesigningrequest.certificates.k8s.io/csr-5p2sx approved
certificatesigningrequest.certificates.k8s.io/csr-5zpns approved
certificatesigningrequest.certificates.k8s.io/csr-65zkj approved
certificatesigningrequest.certificates.k8s.io/csr-6g2q7 approved
certificatesigningrequest.certificates.k8s.io/csr-6kls6 approved
certificatesigningrequest.certificates.k8s.io/csr-6tqlj approved
certificatesigningrequest.certificates.k8s.io/csr-7rq5n approved
certificatesigningrequest.certificates.k8s.io/csr-7vdfw approved
certificatesigningrequest.certificates.k8s.io/csr-8bmjp approved
certificatesigningrequest.certificates.k8s.io/csr-8h6w5 approved
certificatesigningrequest.certificates.k8s.io/csr-8rgl9 approved
certificatesigningrequest.certificates.k8s.io/csr-9677w approved
certificatesigningrequest.certificates.k8s.io/csr-97cb2 approved
certificatesigningrequest.certificates.k8s.io/csr-9chpb approved
certificatesigningrequest.certificates.k8s.io/csr-9k9d9 approved
certificatesigningrequest.certificates.k8s.io/csr-c2wp6 approved
certificatesigningrequest.certificates.k8s.io/csr-c8zgw approved
certificatesigningrequest.certificates.k8s.io/csr-cf852 approved
certificatesigningrequest.certificates.k8s.io/csr-cq6dv approved
certificatesigningrequest.certificates.k8s.io/csr-cqfck approved
certificatesigningrequest.certificates.k8s.io/csr-ddrfl approved
certificatesigningrequest.certificates.k8s.io/csr-dlzw9 approved
certificatesigningrequest.certificates.k8s.io/csr-dr756 approved
certificatesigningrequest.certificates.k8s.io/csr-dzjbm approved
certificatesigningrequest.certificates.k8s.io/csr-f6vxf approved
certificatesigningrequest.certificates.k8s.io/csr-f89vd approved
certificatesigningrequest.certificates.k8s.io/csr-fbj4f approved
certificatesigningrequest.certificates.k8s.io/csr-fnwd5 approved
certificatesigningrequest.certificates.k8s.io/csr-g45xv approved
certificatesigningrequest.certificates.k8s.io/csr-g8cj6 approved
certificatesigningrequest.certificates.k8s.io/csr-gcrcb approved
certificatesigningrequest.certificates.k8s.io/csr-glvfh approved
certificatesigningrequest.certificates.k8s.io/csr-gnd6h approved
certificatesigningrequest.certificates.k8s.io/csr-gs92w approved
certificatesigningrequest.certificates.k8s.io/csr-gtcn5 approved
certificatesigningrequest.certificates.k8s.io/csr-hbhxn approved
certificatesigningrequest.certificates.k8s.io/csr-hjkt4 approved
certificatesigningrequest.certificates.k8s.io/csr-hkkrv approved
certificatesigningrequest.certificates.k8s.io/csr-hzhjb approved
certificatesigningrequest.certificates.k8s.io/csr-j7f5c approved
certificatesigningrequest.certificates.k8s.io/csr-k8sq4 approved
certificatesigningrequest.certificates.k8s.io/csr-klrgr approved
certificatesigningrequest.certificates.k8s.io/csr-kqll6 approved
certificatesigningrequest.certificates.k8s.io/csr-krxpx approved
certificatesigningrequest.certificates.k8s.io/csr-kv9gz approved
certificatesigningrequest.certificates.k8s.io/csr-mn4n7 approved
certificatesigningrequest.certificates.k8s.io/csr-ms7gl approved
certificatesigningrequest.certificates.k8s.io/csr-nvtxq approved
certificatesigningrequest.certificates.k8s.io/csr-p7v55 approved
certificatesigningrequest.certificates.k8s.io/csr-p8vjf approved
certificatesigningrequest.certificates.k8s.io/csr-pkccb approved
certificatesigningrequest.certificates.k8s.io/csr-pttx2 approved
certificatesigningrequest.certificates.k8s.io/csr-q76nm approved
certificatesigningrequest.certificates.k8s.io/csr-q78hr approved
certificatesigningrequest.certificates.k8s.io/csr-qd6dr approved
certificatesigningrequest.certificates.k8s.io/csr-qfvvg approved
certificatesigningrequest.certificates.k8s.io/csr-qjr5x approved
certificatesigningrequest.certificates.k8s.io/csr-qm67d approved
certificatesigningrequest.certificates.k8s.io/csr-qnxs9 approved
certificatesigningrequest.certificates.k8s.io/csr-rbckv approved
certificatesigningrequest.certificates.k8s.io/csr-rzmkc approved
certificatesigningrequest.certificates.k8s.io/csr-s6z9t approved
certificatesigningrequest.certificates.k8s.io/csr-smjf6 approved
certificatesigningrequest.certificates.k8s.io/csr-tg7pl approved
certificatesigningrequest.certificates.k8s.io/csr-v5vpj approved
certificatesigningrequest.certificates.k8s.io/csr-vbjtb approved
certificatesigningrequest.certificates.k8s.io/csr-vkm5z approved
certificatesigningrequest.certificates.k8s.io/csr-vlqmw approved
certificatesigningrequest.certificates.k8s.io/csr-w6k22 approved
certificatesigningrequest.certificates.k8s.io/csr-wc6gj approved
certificatesigningrequest.certificates.k8s.io/csr-x2xhm approved
certificatesigningrequest.certificates.k8s.io/csr-x585w approved
certificatesigningrequest.certificates.k8s.io/csr-x8zz5 approved
certificatesigningrequest.certificates.k8s.io/csr-x9rsh approved
certificatesigningrequest.certificates.k8s.io/csr-x9w54 approved
certificatesigningrequest.certificates.k8s.io/csr-xh2sl approved
certificatesigningrequest.certificates.k8s.io/csr-xkh52 approved
certificatesigningrequest.certificates.k8s.io/csr-xktcw approved
certificatesigningrequest.certificates.k8s.io/csr-zb4m9 approved
certificatesigningrequest.certificates.k8s.io/csr-zjdt8 approved
certificatesigningrequest.certificates.k8s.io/csr-zvtv6 approved
certificatesigningrequest.certificates.k8s.io/csr-zx7pd approved
[root@ocp3support bin]#
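
Approving every Pending CSR works here because the cluster was in a known state, but `oc adm certificate approve` issues a certificate to whatever requested it, so the same one-liner on a cluster in an unknown state can hand an API client identity to an unexpected requestor. The following is an added example, not code from the thread or from the stormshift project: a POSIX sh filter over `oc get csr` output that only passes through the two CSR shapes a node re-bootstrap legitimately produces (a kube-apiserver-client-kubelet CSR from the machine-config-operator node-bootstrapper service account, and a kubelet-serving CSR from a system:node: identity) and lists everything else for manual review. The sample table is constructed: the first six rows are the ones shown in the first comment, and the rows csr-done1 (already issued) and csr-odd01 (a client-certificate request from an ordinary service account) are made up for the demonstration. Function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the issue): approve only the CSRs that a kubelet
# recovery is expected to create; surface the rest instead of approving them.
#
# Input format is the `oc get csr` table as printed by a 4.8 client:
#   NAME  AGE  SIGNERNAME  REQUESTOR  CONDITION
# CONDITION is a single field even when it is "Approved,Issued".

# $1 = "expected" prints the names of Pending CSRs matching the two kubelet
# patterns; any other value prints the Pending CSRs that do NOT match.
_filter_csrs() {
    awk -v mode="$1" '
        NR > 1 && $5 == "Pending" {
            ok = ($3 == "kubernetes.io/kube-apiserver-client-kubelet" &&
                  $4 == "system:serviceaccount:openshift-machine-config-operator:node-bootstrapper") ||
                 ($3 == "kubernetes.io/kubelet-serving" && index($4, "system:node:") == 1)
            if (mode == "expected" ? ok : !ok) print $1
        }'
}

expected_pending_csrs()   { _filter_csrs expected; }
unexpected_pending_csrs() { _filter_csrs other; }

# Collapse one-name-per-line output into a single space-separated line.
names_line() { tr '\n' ' ' | sed 's/ $//'; }

# Constructed sample: six rows from the thread plus two invented rows
# (csr-done1: already issued; csr-odd01: client cert requested by an
# ordinary service account, which must not be approved blindly).
SAMPLE_CSR_TABLE='NAME        AGE     SIGNERNAME                                    REQUESTOR                                                                   CONDITION
csr-6tqlj   2m41s   kubernetes.io/kubelet-serving                 system:node:control-0.ocp3.stormshift.coe.muc.redhat.com                    Pending
csr-mn4n7   17m     kubernetes.io/kubelet-serving                 system:node:control-0.ocp3.stormshift.coe.muc.redhat.com                    Pending
csr-nvtxq   109s    kubernetes.io/kube-apiserver-client-kubelet   system:serviceaccount:openshift-machine-config-operator:node-bootstrapper   Pending
csr-p7v55   17m     kubernetes.io/kube-apiserver-client-kubelet   system:serviceaccount:openshift-machine-config-operator:node-bootstrapper   Pending
csr-rbckv   17m     kubernetes.io/kube-apiserver-client-kubelet   system:serviceaccount:openshift-machine-config-operator:node-bootstrapper   Pending
csr-x8zz5   2m12s   kubernetes.io/kube-apiserver-client-kubelet   system:serviceaccount:openshift-machine-config-operator:node-bootstrapper   Pending
csr-done1   25m     kubernetes.io/kubelet-serving                 system:node:compute-0.ocp3.stormshift.coe.muc.redhat.com                    Approved,Issued
csr-odd01   3m      kubernetes.io/kube-apiserver-client           system:serviceaccount:default:builder                                       Pending'

# Live use on the cluster (not executed here):
#   oc get csr | unexpected_pending_csrs            # review these by hand first
#   oc get csr | expected_pending_csrs | xargs -r oc adm certificate approve
printf '%s\n' "$SAMPLE_CSR_TABLE" | expected_pending_csrs | names_line
printf '%s\n' "$SAMPLE_CSR_TABLE" | unexpected_pending_csrs | names_line
```

Requestor and signer are the cheap checks; for a kubelet-serving CSR the subject CN and SANs inside spec.request should additionally name the node that requested it, which needs `oc get csr NAME -o jsonpath='{.spec.request}' | base64 -d | openssl req -noout -subject -text` and is left out of the offline example.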
rbo commented 2 years ago

Looks much better:

[root@ocp3support bin]# oc get nodes
NAME                                           STATUS     ROLES           AGE     VERSION
compute-0.ocp3.stormshift.coe.muc.redhat.com   Ready      worker          430d    v1.21.6+c180a7c
compute-1.ocp3.stormshift.coe.muc.redhat.com   Ready      worker          430d    v1.21.6+c180a7c
compute-2.ocp3.stormshift.coe.muc.redhat.com   Ready      worker          430d    v1.21.6+c180a7c
control-0.ocp3.stormshift.coe.muc.redhat.com   Ready      master,worker   2y54d   v1.21.6+c180a7c
control-1.ocp3.stormshift.coe.muc.redhat.com   NotReady   master,worker   2y54d   v1.21.6+c180a7c
control-2.ocp3.stormshift.coe.muc.redhat.com   Ready      master,worker   2y54d   v1.21.6+c180a7c
[root@ocp3support bin]#
rbo commented 2 years ago

Shut down control-1.ocp3.stormshift.coe.muc.redhat.com and enable the RHEV console

rbo commented 2 years ago

Console looks good: [image]

Node is still NotReady.

I don't have ssh access because stormshiftdeploy is still not available.

DanielFroehlich commented 2 years ago

For ssh access:

dfroehli@dfroehli-mac21 ~ % ssh ocp3bastion.stormshift.coe.muc.redhat.com
Last login: Mon Mar 14 17:47:47 2022 from 10.39.194.46

[root@ocp3bastion ~]# ssh core@172.16.10.11
Red Hat Enterprise Linux CoreOS 48.84.202112022303-0
[core@control-1 ~]$ 

For kubeconfig access:

% ssh ocp3bastion.stormshift.coe.muc.redhat.com
Last login: Mon Mar 14 17:49:50 2022 from 10.39.194.46
[root@ocp3bastion ~]# ssh root@ocp3support.stormshift.coe.muc.redhat.com
Last login: Mon Mar 14 17:13:44 2022 from 172.16.10.1
[root@ocp3support ~]# export KUBECONFIG=/root/ocp4install/auth/kubeconfig

The stormshift deploy VM has moved from COE RHV to stormshift RHV; it was also affected by the HW issue last week and thus down. It's now online again after I started the VM:

% ssh root@stormshiftdeploy.coe.muc.redhat.com 
Last login: Mon Mar  7 15:46:21 2022 from 10.39.194.156
[root@stormshiftdeploy ~]#
rbo commented 2 years ago

Let's recover kubelet:

On control-0
# Created temp admin kubeconfig
export KUBECONFIG=/tmp/kubeconfig
kubectl config set-cluster localhost --insecure-skip-tls-verify=true --server=https://localhost:6443
cd /etc/kubernetes/static-pod-resources/kube-apiserver-pod-*/secrets/localhost-recovery-client-token
kubectl config set-credentials localhost --token=$(cat token )
kubectl config set-context localhost --cluster=localhost --user=localhost
kubectl config use-context localhost

# Create recovery kubeconfig for control-2
recover-kubeconfig.sh > /tmp/recovery-kubeconfig
oc get configmap kube-apiserver-to-kubelet-client-ca -n openshift-kube-apiserver-operator --template='{{ index .data "ca-bundle.crt" }}' > /tmp/rec-etc-kubernetes-ca.crt

Transfer /tmp/recovery-kubeconfig and /tmp/rec-etc-kubernetes-ca.crt to control-2

On control-1
systemctl stop kubelet
cp /tmp/recovery-kubeconfig /etc/kubernetes/kubeconfig
cp /tmp/rec-etc-kubernetes-ca.crt /etc/kubernetes/ca.crt
touch /run/machine-config-daemon-force
rm -rf /var/lib/kubelet/pki /var/lib/kubelet/kubeconfig
systemctl start kubelet

Basically followed: https://github.com/stormshift/support/issues/46#issuecomment-951242834

Approved CSRs of control-2

[root@ocp3support ~]# oc get nodes
NAME                                           STATUS   ROLES           AGE     VERSION
compute-0.ocp3.stormshift.coe.muc.redhat.com   Ready    worker          430d    v1.21.6+c180a7c
compute-1.ocp3.stormshift.coe.muc.redhat.com   Ready    worker          430d    v1.21.6+c180a7c
compute-2.ocp3.stormshift.coe.muc.redhat.com   Ready    worker          430d    v1.21.6+c180a7c
control-0.ocp3.stormshift.coe.muc.redhat.com   Ready    master,worker   2y54d   v1.21.6+c180a7c
control-1.ocp3.stormshift.coe.muc.redhat.com   Ready    master,worker   2y54d   v1.21.6+c180a7c
control-2.ocp3.stormshift.coe.muc.redhat.com   Ready    master,worker   2y54d   v1.21.6+c180a7c
[root@ocp3support ~]#
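
The "On control-1" block in the comment above removes /var/lib/kubelet/pki and the kubelet kubeconfig before the replacement files have been looked at, and the expired credentials are gone once the node is back. The following is an added example, not code from the thread or from the stormshift project: the same file-level steps wrapped in a POSIX sh function that refuses to run unless the recovery kubeconfig names an https server and the CA file actually holds a certificate, and that moves the old material into a backup directory instead of deleting it. The systemctl stop/start calls stay outside the function so it can be rehearsed on a scratch directory; the paths default to the ones used in the thread and can be overridden through KUBE_DIR, KUBELET_DIR and RUN_DIR. The chmod 600 on the kubeconfig assumes, as on RHCOS, that the kubelet runs as root. Function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the issue): file-level kubelet re-bootstrap with
# input checks and a backup of the credentials being replaced.

# $1 = PEM file; true if it contains at least one certificate block.
pem_has_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# $1 = kubeconfig; true if it points at an https API endpoint.
kubeconfig_has_server() {
    grep -q '^ *server: *https://' "$1"
}

# $1 = recovery kubeconfig, $2 = CA bundle (PEM), $3 = backup directory.
# Returns 1 without touching anything if the inputs look wrong.
# Run with the kubelet stopped; start it again afterwards.
recover_kubelet_files() {
    kube_dir=${KUBE_DIR:-/etc/kubernetes}
    kubelet_dir=${KUBELET_DIR:-/var/lib/kubelet}
    run_dir=${RUN_DIR:-/run}

    [ -s "$1" ] && kubeconfig_has_server "$1" || {
        echo "refusing: $1 is not a usable kubeconfig" >&2; return 1; }
    [ -s "$2" ] && pem_has_cert "$2" || {
        echo "refusing: $2 contains no certificate" >&2; return 1; }

    mkdir -p "$3" "$kube_dir" "$kubelet_dir" "$run_dir"

    # Preserve the expired material instead of rm -rf: it is evidence of what
    # the node trusted and authenticated with before the recovery.
    if [ -e "$kube_dir/kubeconfig" ]; then
        cp -p "$kube_dir/kubeconfig" "$3/kubeconfig.old"
    fi
    if [ -e "$kubelet_dir/kubeconfig" ]; then
        mv "$kubelet_dir/kubeconfig" "$3/kubelet-kubeconfig.old"
    fi
    if [ -d "$kubelet_dir/pki" ]; then
        mv "$kubelet_dir/pki" "$3/pki.old"
    fi

    # Same end state as the thread's cp / touch / rm sequence.
    cp "$1" "$kube_dir/kubeconfig"
    cp "$2" "$kube_dir/ca.crt"
    chmod 600 "$kube_dir/kubeconfig"   # assumption: kubelet runs as root
    touch "$run_dir/machine-config-daemon-force"
    echo "staged recovery files; previous material kept in $3"
}

# On the node (not executed here):
#   systemctl stop kubelet && \
#   recover_kubelet_files /tmp/recovery-kubeconfig /tmp/rec-etc-kubernetes-ca.crt \
#                         "/root/kubelet-backup.$(date +%Y%m%d%H%M%S)" && \
#   systemctl start kubelet
```

After the kubelet restarts it re-bootstraps with the recovery kubeconfig and submits new CSRs, which are the ones to approve on the support host; the backup directory can be removed once the node is Ready and the new certificates have been checked.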
DanielFroehlich commented 2 years ago

LGTM THX