

@danpawlik danpawlik commented Dec 8, 2025

It happens that on a clean instance, when Kubelet is started, the host certificate changes and the bootstrap procedure would fail because of missing certificate acceptance.
Accept certificates in "Pending" state to avoid errors.

Summary by CodeRabbit

  • New Features
    • Automatic certificate approval added to the deployment flow: pending certificate requests are detected and approved during deployment, reducing manual steps and improving setup reliability and uptime.


coderabbitai bot commented Dec 8, 2025

Walkthrough

This pull request adds two Ansible tasks to retrieve and approve pending OpenShift certificate signing requests (CSRs) during CRC cloud deployment, with the workflow integrated into the main deployment task sequence between certificate replacement and cluster health verification steps.

Changes

Cohort / File(s) | Summary
CSR Certificate Management (ansible/roles/deploy-crc-cloud/tasks/accept_cert.yaml) | New file with two tasks: (1) capture pending CSR names via `oc get csr --no-headers
Deployment Workflow Integration (ansible/roles/deploy-crc-cloud/tasks/main.yaml) | Inserts an include_tasks: accept_cert.yaml call into the main task sequence between the certificate replacement step and the cluster health wait step.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Verify the awk expression reliably extracts CSR names in target environments.
  • Confirm the conditional (when: _pending_csr.stdout_lines | length > 0) prevents unnecessary task execution.
  • Ensure oc CLI commands run with required permissions and in the correct context/location.
  • Check placement in main.yaml does not race with other certificate or cluster readiness steps.

Poem

🐰 I nibble logs and watch the sky,
Pending CSRs I spot nearby.
With nimble paw and hopeful cheer,
I approve them all — the cluster's clear! ✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'Accept server certificate on start' directly and clearly summarizes the main change: adding certificate acceptance logic during startup to handle pending certificates.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a03c5be and d2f113f.

📒 Files selected for processing (2)
  • ansible/roles/deploy-crc-cloud/tasks/accept_cert.yaml (1 hunks)
  • ansible/roles/deploy-crc-cloud/tasks/main.yaml (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (2)
  • ansible/roles/deploy-crc-cloud/tasks/main.yaml
  • ansible/roles/deploy-crc-cloud/tasks/accept_cert.yaml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: build (macOS-latest, 1.20)
  • GitHub Check: build (ubuntu-latest, 1.20)
  • GitHub Check: build-and-push-image

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (2)
ansible/roles/deploy-crc-cloud/tasks/accept_cert.yaml (2)

3-4: Use community.kubernetes.k8s_info module instead of shell parsing.

Shell-based parsing of oc output is fragile; if the output format changes, the awk pattern may fail silently. Kubernetes-native Ansible modules are more robust and idiomatic.

Replace the shell command with a proper Kubernetes module:

  - name: Get csr in Pending state
-   ansible.builtin.shell: |
-     oc get csr --no-headers | awk '/Pending/ {print $1}'
+   community.kubernetes.k8s_info:
+     kind: CertificateSigningRequest
+     api_version: certificates.k8s.io/v1
+     kubeconfig: "{{ kubeconfig_path }}"
+     field_selectors:
+       - status.conditions[0].type=Pending
    register: _pending_csr
+   vars:
+     _pending_csr_names: "{{ _pending_csr.resources | map(attribute='metadata.name') | list }}"
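Review bot: the `field_selectors` entry `status.conditions[0].type=Pending` will not select anything. The API server only honours a fixed set of field selectors per resource (for CSRs the generic `metadata.*` fields plus `spec.signerName`), and a pending CSR carries no condition at all; "Pending" is simply what `oc get csr` prints when neither an Approved nor a Denied condition is present. List all CSRs and filter on `status.conditions` in Ansible instead. Second, a task-level `vars:` block is scoped to that one task, so `_pending_csr_names` is not visible to the approval task that follows; set it with `set_fact` after this task, or put the `map(attribute='metadata.name')` expression directly in the approval task's `loop`. Finally, `community.kubernetes` has been superseded by `kubernetes.core`, so the module should be `kubernetes.core.k8s_info` on current collections.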

Then adjust the approval task to use _pending_csr_names instead of _pending_csr.stdout_lines.


9-11: Add error handling for certificate approval.

If oc adm certificate approve fails (e.g., CSR already approved), the entire deployment stops. Consider adding error handling or idempotency checks.

  - name: Approve OpenShift certificate if in Pending state
    when: _pending_csr.stdout_lines | length > 0
    ansible.builtin.shell: |
      oc adm certificate approve {{ item }}
+   ignore_errors: true
    loop: "{{ _pending_csr.stdout_lines }}"
+   register: _approve_result
+   changed_when: "'approved' in _approve_result.stdout"
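Review bot: `ignore_errors: true` on the approval loop swallows every failure, including the ones that should stop the deployment (a missing `certificatesigningrequests/approval` permission, an unreachable API server). Because `_pending_csr` was filtered to Pending entries a moment earlier, the already-approved case is a narrow race; tolerate just that case with a targeted `failed_when` on the error text rather than a blanket ignore. The larger point is that the task approves every Pending CSR by name without looking at who requested it or which signer it targets, and approving a CSR issues a credential. Before the `oc adm certificate approve {{ item }}` call, limit the list to the kubelet signers (`kubernetes.io/kube-apiserver-client-kubelet`, `kubernetes.io/kubelet-serving`) and to requesters that are existing nodes or members of `system:bootstrappers`.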

Alternatively, use the community.kubernetes.k8s module with idempotent patch operations to avoid approval failures on re-runs.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 49d5584 and a03c5be.

📒 Files selected for processing (2)
  • ansible/roles/deploy-crc-cloud/tasks/accept_cert.yaml (1 hunks)
  • ansible/roles/deploy-crc-cloud/tasks/main.yaml (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: build (macOS-latest, 1.20)
  • GitHub Check: build (ubuntu-latest, 1.20)
  • GitHub Check: build-and-push-image
🔇 Additional comments (1)
ansible/roles/deploy-crc-cloud/tasks/main.yaml (1)

19-20: Correct placement in the deployment sequence.

The certificate acceptance task is appropriately positioned after kubelet and SSH key setup, and before cluster health validation. This aligns well with the PR objective of accepting pending certificates during early deployment stages.
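As an added example, not code from this PR or from the crc-org project, the following Python filter decides which CSRs to approve from the JSON form of `oc get csr` instead of approving every name that awk finds in the Pending column. The signer and requester names are real Kubernetes identities; the CSR list is a constructed sample.

```python
"""Decide which pending CSRs are safe to approve, using the JSON shape of
`oc get csr -o json` rather than awk over the table output."""
import json

# Real Kubernetes signer names handed to kubelets; anything else is not approved here.
ALLOWED_SIGNERS = {
    "kubernetes.io/kube-apiserver-client-kubelet",  # kubelet client cert (bootstrap)
    "kubernetes.io/kubelet-serving",                # kubelet serving cert
}
NODE_USER_PREFIX = "system:node:"
BOOTSTRAP_GROUP = "system:bootstrappers"

def is_pending(csr):
    """'Pending' in `oc get csr` means no Approved or Denied condition is set."""
    conds = csr.get("status", {}).get("conditions") or []
    return not any(c.get("type") in ("Approved", "Denied") for c in conds)

def is_trusted_requester(csr):
    """Accept only a bootstrap identity or an already-registered node."""
    spec = csr["spec"]
    return (spec.get("username", "").startswith(NODE_USER_PREFIX)
            or BOOTSTRAP_GROUP in spec.get("groups", []))

def csrs_to_approve(csr_list_json):
    """Names of CSRs that are pending, kubelet-signed and from a trusted requester."""
    return [c["metadata"]["name"] for c in json.loads(csr_list_json)["items"]
            if is_pending(c)
            and c["spec"].get("signerName") in ALLOWED_SIGNERS
            and is_trusted_requester(c)]

# Constructed sample (not real cluster data): one approvable CSR, one already
# approved, one pending request from an ordinary user with a non-kubelet signer.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "csr-node"}, "status": {},
     "spec": {"signerName": "kubernetes.io/kubelet-serving",
              "username": "system:node:crc", "groups": ["system:nodes"]}},
    {"metadata": {"name": "csr-done"},
     "status": {"conditions": [{"type": "Approved", "status": "True"}]},
     "spec": {"signerName": "kubernetes.io/kubelet-serving",
              "username": "system:node:crc", "groups": ["system:nodes"]}},
    {"metadata": {"name": "csr-user"}, "status": {},
     "spec": {"signerName": "kubernetes.io/kube-apiserver-client",
              "username": "alice", "groups": ["system:authenticated"]}},
]})

if __name__ == "__main__":
    for name in csrs_to_approve(SAMPLE):
        print(f"oc adm certificate approve {name}")
```

In the role this would replace the awk pipeline: feed `oc get csr -o json` to `csrs_to_approve` and loop only over what it returns.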

It happens that on a clean instance, when Kubelet is started, the
host certificate changes and the bootstrap procedure would fail
because of missing certificate acceptance.
Accept certificates in "Pending" state to avoid errors.

Signed-off-by: Daniel Pawlik <[email protected]>
@praveenkumar praveenkumar merged commit 1c98532 into crc-org:main Dec 8, 2025
4 checks passed