Skip to content

OCPBUGS-74970: Fix kubelet certificate wait loop in criometricsproxy.yaml#6125

Open
aksjadha wants to merge 1 commit into
openshift:mainfrom
aksjadha:fix-OCPBUGS-74970
Open

OCPBUGS-74970: Fix kubelet certificate wait loop in criometricsproxy.yaml#6125
aksjadha wants to merge 1 commit into
openshift:mainfrom
aksjadha:fix-OCPBUGS-74970

Conversation

@aksjadha
Copy link
Copy Markdown

@aksjadha aksjadha commented Jun 3, 2026
edited by coderabbitai Bot
Loading

  • Related bug: Fix kubelet certificate wait loop and mount path in criometricsproxy.yaml

  • The previous condition [ -n "$(test -e ...)" ] always evaluated to false because test -e produces no stdout output — it communicates via exit code only. So -n always evaluated to false, causing the loop to exit immediately instead of waiting for the kubelet certificate to appear.

  • The init container mounts the host's /var/lib/kubelet at /var. So inside the init container, the host's /var/lib/kubelet/pki/kubelet-server-current.pem appears at /var/pki/kubelet-server-current.pem — but the script checks /var/lib/kubelet/pki/kubelet-server-current.pem, which doesn't exist at that path inside the init container.

- What I did

  • Replaced with the correct condition [ ! -e /var/lib/kubelet/pki/kubelet-server-current.pem ], which properly loops until the kubelet certificate file exists
  • Updated init container mount path to /var/lib/kubelet from /var to match main container so the script's path /var/lib/kubelet/pki/kubelet-server-current.pem resolves correctly.

- How to verify it

  • Check kube-rbac-proxy-crio-ip pod logs in namespace openshift-machine-config-operator to verify the CRI-O metrics proxy init container correctly waits for the kubelet certificate before proceeding

- Description for the changelog

  • Fixes the kubelet certificate wait loop condition in criometricsproxy.yaml across all node roles (arbiter, master, worker)
  • The old condition [ -n "$(test -e /var/lib/kubelet/pki/kubelet-server-current.pem)" ] was incorrect. Replaced with the correct condition [ ! -e /var/lib/kubelet/pki/kubelet-server-current.pem ], which properly loops until the kubelet certificate file exists

Summary by CodeRabbit

  • Bug Fixes
    • Ensures arbiter, master, and worker nodes now reliably wait for the kubelet server certificate/key to appear before starting dependent pods, improving startup stability and preventing race conditions during node initialization.

@openshift-merge-bot
Copy link
Copy Markdown
Contributor

openshift-merge-bot Bot commented Jun 3, 2026

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

@openshift-ci-robot openshift-ci-robot added jira/severity-moderate Referenced Jira bug's severity is moderate for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Jun 3, 2026
@openshift-ci-robot
Copy link
Copy Markdown
Contributor

openshift-ci-robot commented Jun 3, 2026

@aksjadha: This pull request references Jira Issue OCPBUGS-74970, which is invalid:

  • expected the bug to target the "5.0.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

  • Related bug: Fix kubelet certificate wait loop in criometricsproxy.yaml

  • The previous condition [ -n "$(test -e ...)" ] always evaluated to false because test -e produces no stdout output — it communicates via exit code only. So -n always evaluated to false, causing the loop to exit immediately instead of waiting for the kubelet certificate to appear.

- What I did

  • Replaced with the correct condition [ ! -e /var/lib/kubelet/pki/kubelet-server-current.pem ], which properly loops until the kubelet certificate file exists

- How to verify it

  • Check kube-rbac-proxy-crio-ip pod logs in namespace openshift-machine-config-operator to verify the CRI-O metrics proxy init container correctly waits for the kubelet certificate before proceeding

- Description for the changelog

  • Fixes the kubelet certificate wait loop condition in criometricsproxy.yaml across all node roles (arbiter, master, worker)
  • The old condition [ -n "$(test -e /var/lib/kubelet/pki/kubelet-server-current.pem)" ] was incorrect. Replaced with the correct condition [ ! -e /var/lib/kubelet/pki/kubelet-server-current.pem ], which properly loops until the kubelet certificate file exists

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented Jun 3, 2026
edited
Loading

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: b3267d52-2aff-4a1a-9dcb-095132542a6a

📥 Commits

Reviewing files that changed from the base of the PR and between ee0dcdd and 78749ce.

📒 Files selected for processing (3)
  • templates/arbiter/01-arbiter-kubelet/_base/files/criometricsproxy.yaml
  • templates/master/01-master-kubelet/_base/files/criometricsproxy.yaml
  • templates/worker/01-worker-kubelet/_base/files/criometricsproxy.yaml
🚧 Files skipped from review as they are similar to previous changes (3)
  • templates/master/01-master-kubelet/_base/files/criometricsproxy.yaml
  • templates/arbiter/01-arbiter-kubelet/_base/files/criometricsproxy.yaml
  • templates/worker/01-worker-kubelet/_base/files/criometricsproxy.yaml

Walkthrough

The PR inverts the kubelet server certificate wait condition across three node configuration templates and updates an arbiter volumeMount path. InitContainers now wait until /var/lib/kubelet/pki/kubelet-server-current.pem exists before proceeding.

Changes

Kubelet Certificate Readiness Wait

Layer / File(s) Summary
Kubelet certificate readiness condition across node types
templates/arbiter/01-arbiter-kubelet/_base/files/criometricsproxy.yaml, templates/master/01-master-kubelet/_base/files/criometricsproxy.yaml, templates/worker/01-worker-kubelet/_base/files/criometricsproxy.yaml		 The initContainer wait loop condition is inverted from while [ -e /var/lib/kubelet/pki/kubelet-server-current.pem ] to while [ ! -e /var/lib/kubelet/pki/kubelet-server-current.pem ], causing the initContainer to wait until the kubelet server certificate file appears. The arbiter template also changes the var-lib-kubelet volumeMount target path to /var/lib/kubelet.

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels: verified

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately describes the main change: fixing a kubelet certificate wait loop condition in criometricsproxy.yaml files across three node templates (arbiter, master, worker).
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed PR modifies only YAML configuration files (criometricsproxy.yaml), not Ginkgo test files. No test names are present in the changes, so the check is not applicable.
Test Structure And Quality ✅ Passed PR modifies Kubernetes Pod manifests (YAML files) for kubelet certificate wait logic, not Ginkgo test code. Custom check for test quality is not applicable.
Microshift Test Compatibility ✅ Passed This PR does not add any Ginkgo e2e tests. It only modifies YAML configuration templates for kubelet and criometricsproxy manifests. The custom check does not apply.
Single Node Openshift (Sno) Test Compatibility ✅ Passed This PR fixes kubelet certificate wait loop in criometricsproxy.yaml (configuration change), not adding new Ginkgo e2e tests. The check applies only to new Ginkgo tests.
Topology-Aware Scheduling Compatibility ✅ Passed The PR modifies static Pod manifests with no scheduling constraints (no affinity, topology spread, nodeSelectors, etc.). Changes fix kubelet certificate wait logic needed on all supported topologies.
Ote Binary Stdout Contract ✅ Passed PR modifies only YAML Kubernetes manifest templates, not any OTE binary code or process-level Go code. The custom check does not apply to declarative configuration files.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed PR modifies only YAML configuration files (criometricsproxy.yaml manifests) for arbiter/master/worker kubelet templates, not Ginkgo e2e tests. Check is not applicable.
No-Weak-Crypto ✅ Passed PR modifies only shell script logic for certificate file checks and volume mount paths. No weak cryptographic algorithms, custom crypto implementations, or secret comparisons detected.
Container-Privileges ✅ Passed PR does not introduce privilege escalation. All privileged: true and hostNetwork settings existed before the PR; only fixes shell condition bug and adds readOnly: true.
No-Sensitive-Data-In-Logs ✅ Passed Logging in modified files only outputs static messages and progress indicators; no secrets, credentials, PII, tokens, or sensitive data are exposed.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@openshift-ci
Copy link
Copy Markdown
Contributor

openshift-ci Bot commented Jun 3, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: aksjadha
Once this PR has been reviewed and has the lgtm label, please assign mrunalp for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@aksjadha
Copy link
Copy Markdown
Author

aksjadha commented Jun 3, 2026

/jira refresh

@openshift-ci-robot
Copy link
Copy Markdown
Contributor

openshift-ci-robot commented Jun 3, 2026

@aksjadha: This pull request references Jira Issue OCPBUGS-74970, which is invalid:

  • expected the bug to target either version "5.0." or "openshift-5.0.", but it targets "4.23" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@aksjadha aksjadha marked this pull request as draft June 3, 2026 08:31
@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 3, 2026
@aksjadha
Copy link
Copy Markdown
Author

aksjadha commented Jun 3, 2026

/jira refresh

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Jun 3, 2026
@openshift-ci-robot
Copy link
Copy Markdown
Contributor

openshift-ci-robot commented Jun 3, 2026

@aksjadha: This pull request references Jira Issue OCPBUGS-74970, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @sergiordlr

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci Bot requested a review from sergiordlr June 3, 2026 08:33
@aksjadha aksjadha force-pushed the fix-OCPBUGS-74970 branch from af45f24 to ee0dcdd Compare June 3, 2026 14:39
@openshift-ci-robot
Copy link
Copy Markdown
Contributor

openshift-ci-robot commented Jun 3, 2026

@aksjadha: This pull request references Jira Issue OCPBUGS-74970, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @sergiordlr

Details

In response to this:

  • Related bug: Fix kubelet certificate wait loop in criometricsproxy.yaml

  • The previous condition [ -n "$(test -e ...)" ] always evaluated to false because test -e produces no stdout output — it communicates via exit code only. So -n always evaluated to false, causing the loop to exit immediately instead of waiting for the kubelet certificate to appear.

- What I did

  • Replaced with the correct condition [ ! -e /var/lib/kubelet/pki/kubelet-server-current.pem ], which properly loops until the kubelet certificate file exists

- How to verify it

  • Check kube-rbac-proxy-crio-ip pod logs in namespace openshift-machine-config-operator to verify the CRI-O metrics proxy init container correctly waits for the kubelet certificate before proceeding

- Description for the changelog

  • Fixes the kubelet certificate wait loop condition in criometricsproxy.yaml across all node roles (arbiter, master, worker)
  • The old condition [ -n "$(test -e /var/lib/kubelet/pki/kubelet-server-current.pem)" ] was incorrect. Replaced with the correct condition [ ! -e /var/lib/kubelet/pki/kubelet-server-current.pem ], which properly loops until the kubelet certificate file exists

Summary by CodeRabbit

  • Bug Fixes
  • Fixed kubelet initialization so nodes now wait for the kubelet server certificate to become available before starting dependent pods, ensuring reliable startup across arbiter, master, and worker nodes.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@aksjadha
Copy link
Copy Markdown
Author

aksjadha commented Jun 4, 2026
edited
Loading

Fix is working as expected.

Before fix, there were multiple restarts of pods as init container was not waiting for file to exist.

$ oc describe pod kube-rbac-proxy-crio-ip -n openshift-machine-config-operator
  containerStatuses:
    lastState:
      terminated:
        message: "W0601 01:32:19.053758       1 deprecated.go:66] \n==== Removed Flag
          Warning ======================\n\nlogtostderr is removed in the k8s upstream
          and has no effect any more.\n\n===============================================\n\t\t\nI0601
          01:32:19.053832       1 kube-rbac-proxy.go:532] Reading config file: /etc/kubernetes/crio-metrics-proxy.cfg\nE0601
          01:32:19.055157       1 run.go:72] \"command failed\" err=\"failed to load
          kubeconfig: unable to build rest config based on provided path to kubeconfig
          file: invalid configuration: [unable to read client-cert /var/lib/kubelet/pki/kubelet-client-current.pem
          for default-auth due to open /var/lib/kubelet/pki/kubelet-client-current.pem:
          no such file or directory, unable to read client-key /var/lib/kubelet/pki/kubelet-client-current.pem
          for default-auth due to open /var/lib/kubelet/pki/kubelet-client-current.pem:
          no such file or directory]\"\n"
        reason: Error
    name: kube-rbac-proxy-crio

$ oc logs kube-rbac-proxy-crio-ip -n openshift-machine-config-operator
I0603 08:59:37.507013       1 kube-rbac-proxy.go:532] Reading config file: /etc/kubernetes/crio-metrics-proxy.cfg
I0603 08:59:37.508125       1 kube-rbac-proxy.go:235] Valid token audiences: 
I0603 08:59:37.508369       1 dynamic_cafile_content.go:161] "Starting controller" name="client-ca::/etc/kubernetes/kubelet-ca.crt"
I0603 08:59:37.510016       1 kube-rbac-proxy.go:349] Reading certificate files
E0603 08:59:37.510065       1 run.go:72] "command failed" err="failed to initialize certificate reloader: error loading certificates: error loading certificate: open /var/lib/kubelet/pki/kubelet-server-current.pem: no such file or directory"

With fix, init container checking if file exists and checking correct mount path i,e /var/lib/kubelet/, there are no multiple restart.

NAME                                                             READY   STATUS    RESTARTS   AGE
kube-rbac-proxy-crio-ip-11.us-west-2.compute.internal   1/1     Running   0          67m
kube-rbac-proxy-crio-ip-12.us-west-2.compute.internal    1/1     Running   0          130m
kube-rbac-proxy-crio-ip-13.us-west-2.compute.internal   1/1     Running   0          130m
kube-rbac-proxy-crio-ip-14.us-west-2.compute.internal     1/1     Running   0          130m

@aksjadha aksjadha marked this pull request as ready for review June 4, 2026 06:33
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 4, 2026
ngopalak-redhat
ngopalak-redhat suggested changes Jun 4, 2026
View reviewed changes
Comment thread templates/arbiter/01-arbiter-kubelet/_base/files/criometricsproxy.yaml
ngopalak-redhat
ngopalak-redhat suggested changes Jun 4, 2026
View reviewed changes
Comment thread templates/arbiter/01-arbiter-kubelet/_base/files/criometricsproxy.yaml
@aksjadha
Fix kubelet certificate wait loop in criometricsproxy.yaml and update…
78749ce 
… init container's volumeMount to /var/lib/kubelet
@aksjadha aksjadha force-pushed the fix-OCPBUGS-74970 branch from ee0dcdd to 78749ce Compare June 4, 2026 10:29
@openshift-ci
Copy link
Copy Markdown
Contributor

openshift-ci Bot commented Jun 4, 2026

@aksjadha: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cheesesashimi cheesesashimi Awaiting requested review from cheesesashimi

@pablintino pablintino Awaiting requested review from pablintino

@sergiordlr sergiordlr Awaiting requested review from sergiordlr

@isabella-janssen isabella-janssen Awaiting requested review from isabella-janssen

@yuqi-zhang yuqi-zhang Awaiting requested review from yuqi-zhang

1 more reviewer

@ngopalak-redhat ngopalak-redhat ngopalak-redhat requested changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

jira/severity-moderate Referenced Jira bug's severity is moderate for the branch this PR is targeting. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@aksjadha @openshift-ci-robot @ngopalak-redhat