Task "Approve node certificates when bootstrapping " fails when scaling new node to OCP 3.11
Issue
- In the past, this node was removed from the cluster for maintenance activities. Now we need to rejoin the node to the cluster.
Ansible log
p=95883 u=root n=ansible | fatal: [master05.example.com]: FAILED! => {"all_subjects_found": ["subject=/O=system:nodes/CN=system:node:node02.example.comr\n", "subject=/O=system:nodes
CN=system:node:node02.example.com\n"], "attempts": 30, "changed": false, "client_approve_results": [], "client_csrs": {}, "msg": "Could not find csr for nodes: node02.example.com", "oc_get_nodes": {"apiVersion": "v1", "items": [{"apiVersion": "v1", "kind": "Node", "metadata": {"annotations": {"node.openshift.io/md5sum": "6b224a506b0936bedecb69c6a1e55ced", "volumes.kubernetes.io/controller-managed-attach-detach": "true"}, "creationTimestamp": "2020-05-27T22:09:59Z", "labels":
- Logs from
atomic-openshift-node
service
/etc/origin/node/certificates/kubelet-client-current.pem: no such file or directory, unable to read client-key /etc/origin/node/certificates/kubelet-client-current.pem for default-auth due to open /etc/origin/node/certificates/kubelet-client-current.pem: no such file or directory]
I0413 10:07:42.795132 42189 bootstrap.go:56] Using bootstrap kubeconfig to generate TLS client cert, key and kubeconfig file
I0413 10:07:42.799115 42189 bootstrap.go:86] No valid private key and/or certificate found, reusing existing private key or creating a new one
F0413 10:07:42.916137 42189 server.go:261] failed to run Kubelet: cannot create certificate signing request: Unauthorized
Environment
- Red Hat OpenShift Container Platform
- 3.11
Subscriber exclusive content
A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.