bug: join command should not create csr repeatedly #214

Closed
ycyaoxdu opened this issue Apr 20, 2022 · 10 comments
@ycyaoxdu
Member

While using the clusteradm join ... command to sign a cluster to the hub, the command can be executed as many times as you want, causing many CSRs to be created in the hub.

╭─yuyao@redhats-MacBook-Pro ~/go/bin 
╰─$ kubectl get csr
NAME             AGE     SIGNERNAME                                    REQUESTOR                                                         CONDITION
cluster1-5hgz6   8m21s   kubernetes.io/kube-apiserver-client           system:serviceaccount:open-cluster-management:cluster-bootstrap   Pending
cluster1-9s9xg   11m     kubernetes.io/kube-apiserver-client           system:serviceaccount:open-cluster-management:cluster-bootstrap   Pending
cluster1-kmhtd   26m     kubernetes.io/kube-apiserver-client           system:serviceaccount:open-cluster-management:cluster-bootstrap   Approved,Issued
cluster1-p5bx8   13m     kubernetes.io/kube-apiserver-client           system:serviceaccount:open-cluster-management:cluster-bootstrap   Pending
cluster2-nvfk9   8m46s   kubernetes.io/kube-apiserver-client           system:serviceaccount:open-cluster-management:cluster-bootstrap   Pending
csr-5rg72        44m     kubernetes.io/kube-apiserver-client-kubelet   system:node:hub-control-plane                                     Approved,Issued

I think we should prevent creating a CSR every time we execute clusteradm join .... Instead, we just create a CSR the first time we call clusteradm join ... for the specified cluster.

@yue9944882
Member

/kind bug

@openshift-ci

openshift-ci bot commented Apr 20, 2022

@yue9944882: The label(s) kind/bug cannot be applied, because the repository doesn't have them.

In response to this:

/kind bug

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@ycyaoxdu
Member Author

ycyaoxdu commented Apr 25, 2022

I unjoined mcl1, deleted the mcl resource and CSR resource in the hub,
and re-joined mcl1; then I can create many CSRs:

╰─$ kubectl get csr -w
NAME             AGE     SIGNERNAME                                    REQUESTOR                                                         CONDITION
cluster1-dkvbv   41h     kubernetes.io/kube-apiserver-client           system:serviceaccount:open-cluster-management:cluster-bootstrap   Pending
cluster1-hnxk5   4m23s   kubernetes.io/kube-apiserver-client           system:serviceaccount:open-cluster-management:cluster-bootstrap   Pending
cluster1-x4dll   28h     kubernetes.io/kube-apiserver-client           system:serviceaccount:open-cluster-management:cluster-bootstrap   Pending
csr-hsmxt        42h     kubernetes.io/kube-apiserver-client-kubelet   system:node:hub-control-plane                                     Approved,Issued  

and when I accepted the mcl1:

╰─$ kubectl get mcl
NAME       HUB ACCEPTED   MANAGED CLUSTER URLS                  JOINED   AVAILABLE   AGE
cluster1   true           https://cluster1-control-plane:6443/            Unknown     41h

It will be unknown.

@ycyaoxdu
Member Author

I tried to unjoin mcl1, clean the hub, delete the CSR (the clean command will not delete the CSR for now),
then re-init the hub and re-join mcl1 several times; no duplicate CSR was created.

@yue9944882
Member

@ycyaoxdu I suppose the duplicated CSRs are created due to restarting of the registration-agent. The agent will generate and work upon a random identity e.g. - every time it restarts, which results in additional CSRs.

@xauthulei
Member

I am thinking about how to fix this:

  1. Check if there is the agent klusterlet in the joining cluster
  2. Add the clean CSRs action when clean and unjoin

Any suggestions? @ycyaoxdu and @yue9944882

@ycyaoxdu
Member Author

I am thinking about how to fix this:

  1. Check if there is the agent klusterlet in the joining cluster
  2. Add the clean CSRs action when clean and unjoin

Any suggestions? @ycyaoxdu and @yue9944882

Seems we cannot clean CSRs in unjoin; we do unjoin under the managed cluster context, not the hub context.

@ycyaoxdu
Member Author

Agree with @yue9944882

@ycyaoxdu I suppose the duplicated CSRs are created due to restarting of the registration-agent. The agent will generate and work upon a random identity e.g. - every time it restarts, which results in additional CSRs.

I think the problem is: after unjoin we just removed resources on the managed cluster; resources on the hub that are related to the managed cluster are not removed. The old CSR still exists until the next time we use the same managed cluster name to join; in the meanwhile, a new CSR is created by the new klusterlet.
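
The hub-side state discussed in this thread (an old CSR left behind, plus new ones from later joins) can be audited with a check like the one below. This is an added example, not part of the original thread and not clusteradm code; it parses `kubectl get csr` table output, runs on a constructed sample, and assumes the text before the last `-` of a CSR name is the managed cluster name.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample, in the `kubectl get csr` column layout shown in this issue.
const sampleCSRs = `NAME             AGE     SIGNERNAME                                    REQUESTOR                                                         CONDITION
cluster1-5hgz6   8m21s   kubernetes.io/kube-apiserver-client           system:serviceaccount:open-cluster-management:cluster-bootstrap   Pending
cluster1-kmhtd   26m     kubernetes.io/kube-apiserver-client           system:serviceaccount:open-cluster-management:cluster-bootstrap   Approved,Issued
cluster1-p5bx8   13m     kubernetes.io/kube-apiserver-client           system:serviceaccount:open-cluster-management:cluster-bootstrap   Pending
cluster2-nvfk9   8m46s   kubernetes.io/kube-apiserver-client           system:serviceaccount:open-cluster-management:cluster-bootstrap   Pending
csr-5rg72        44m     kubernetes.io/kube-apiserver-client-kubelet   system:node:hub-control-plane                                     Approved,Issued`

const bootstrapRequestor = "system:serviceaccount:open-cluster-management:cluster-bootstrap"
const clientSigner = "kubernetes.io/kube-apiserver-client"

// DuplicatePending maps each cluster to its Pending bootstrap CSRs when the cluster
// has more than one of them, or has one alongside an already issued CSR.
func DuplicatePending(table string) map[string][]string {
	pending, issued := map[string][]string{}, map[string]bool{}
	for _, line := range strings.Split(strings.TrimSpace(table), "\n")[1:] { // skip header row
		f := strings.Fields(line)
		if len(f) < 5 || f[2] != clientSigner || f[3] != bootstrapRequestor {
			continue // not a managed-cluster bootstrap request (e.g. a kubelet CSR)
		}
		c := f[0]
		if i := strings.LastIndex(c, "-"); i > 0 {
			c = c[:i] // assumption: "cluster1-5hgz6" belongs to cluster "cluster1"
		}
		if strings.Contains(f[4], "Issued") {
			issued[c] = true
		} else if f[4] == "Pending" {
			pending[c] = append(pending[c], f[0])
		}
	}
	for c, names := range pending {
		if len(names) < 2 && !issued[c] {
			delete(pending, c) // a single first-time request is expected
		}
	}
	return pending
}

func main() {
	fmt.Println(DuplicatePending(sampleCSRs))
}
```

Each name it reports is a pending request that someone with approval rights on the hub should compare against the cluster's current join before approving or deleting it.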

@ycyaoxdu
Member Author

#277 covered this issue, close this one.
/close

@openshift-ci openshift-ci bot closed this as completed Oct 24, 2022
@openshift-ci

openshift-ci bot commented Oct 24, 2022

@ycyaoxdu: Closing this issue.

In response to this:

#277 covered this issue, close this one.
/close

