[multiple] Accept CA certificate if expired when CRC is used by danpawlik · Pull Request #3720 · openstack-k8s-operators/ci-framework

danpawlik · 2026-02-26T18:07:50Z

It can happen that the image used by the CRC has expired certificate,
so it require to approve new generated certificate before making test.
The CRC log shows a log message:

level=info msg="Kubelet serving certificate has expired, waiting for automatic renewal... [will take up to 5 minutes]"
Failed to renew TLS certificates: please check if a newer CRC release is available:
Temporary error: certificate /var/lib/kubelet/pki/kubelet-server-current.pem still expired (x59)

Wait for the cluster to be stable when CA cert is expired.
Also move all crc command to single playbook, for easier
maintenance.

openshift-ci · 2026-02-26T18:07:56Z

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign brjackma for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

danpawlik · 2026-02-26T19:57:37Z

It seems all images are outdated. Waiting for infra team to replace images.

softwarefactory-project-zuul · 2026-02-26T23:00:08Z

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/549ca1031aa64fd88a1ffbc83a6e03df

danpawlik · 2026-02-27T11:12:47Z

recheck

holser

/LGTM

evallesp · 2026-02-27T14:16:57Z

+  ignore_errors: true  # noqa: ignore-errors
+
+- name: Login to the OpenShift when certificate is expired
+  when: "'Kubelet serving certificate has expired' in _crc_output.stderr"


(non-blocking) suggestion: I'd go by creating an above task that checks the previous _crc_output to fail with message:

msg: >- CRC start failed with an unexpected error: {{ _crc_output.stderr }}

if: _crc_output.rc != 0 AND "'Kubelet serving certificate has expired' not in _crc_output.stderr"
So if there's an error unrelated to certificates, this would fail with a clear message.
If the error is related to certificates the fail task wouldn't execute and then we go to the certificate recovery path.

Its printing already

If the crc start fails for some reason other than the cert issue we're expecting here, we still ignore whatever error that was because of ignore_errors in the above task, right? Is it safe to assume we can continue on to other tasks without manually failing like Enrique is suggesting? Or are we certain that this task (Login to the OpenShift when certificate is expired) will fail? If so, it could still save some time to manually fail early and avoid all of the retries, right?

is this printing if the error is not related with expired certificate?

openshift-ci · 2026-02-27T16:17:14Z

New changes are detected. LGTM label has been removed.

It can happen that the image used by the CRC has expired certificate, so it require to approve new generated certificate before making test. The CRC log shows a log message: level=info msg="Kubelet serving certificate has expired, waiting for automatic renewal... [will take up to 5 minutes]" Failed to renew TLS certificates: please check if a newer CRC release is available: Temporary error: certificate /var/lib/kubelet/pki/kubelet-server-current.pem still expired (x59) Wait for the cluster to be stable when CA cert is expired. Also move all crc command to single playbook, for easier maintenance. Signed-off-by: Daniel Pawlik <dpawlik@redhat.com>

softwarefactory-project-zuul · 2026-02-27T17:13:15Z

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/551e59eab468480fa8193bba79402152

❌ openstack-k8s-operators-content-provider FAILURE in 4m 56s
⚠️ podified-multinode-edpm-deployment-crc SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider
⚠️ cifmw-crc-podified-edpm-baremetal SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider
⚠️ cifmw-crc-podified-edpm-baremetal-minor-update SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider
✔️ cifmw-pod-zuul-files SUCCESS in 5m 37s
⚠️ adoption-standalone-to-crc-ceph-provider SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider
✔️ noop SUCCESS in 0s
✔️ cifmw-pod-ansible-test SUCCESS in 10m 11s
✔️ cifmw-pod-pre-commit SUCCESS in 9m 13s
❌ cifmw-molecule-cert_manager FAILURE in 14m 06s
✔️ cifmw-molecule-ci_local_storage SUCCESS in 12m 48s
✔️ cifmw-molecule-cifmw_helpers SUCCESS in 4m 40s
✔️ cifmw-molecule-env_op_images SUCCESS in 23m 41s
✔️ cifmw-molecule-install_openstack_ca SUCCESS in 25m 58s
✔️ cifmw-molecule-manage_secrets SUCCESS in 21m 04s
✔️ cifmw-molecule-openshift_login SUCCESS in 24m 39s
✔️ cifmw-molecule-openshift_obs SUCCESS in 12m 42s
✔️ cifmw-molecule-openshift_setup SUCCESS in 13m 28s
✔️ cifmw-molecule-operator_deploy SUCCESS in 14m 35s
✔️ cifmw-molecule-os_must_gather SUCCESS in 25m 35s
✔️ cifmw-molecule-reproducer SUCCESS in 15m 10s
✔️ cifmw-molecule-set_openstack_containers SUCCESS in 23m 34s
✔️ cifmw-molecule-shiftstack SUCCESS in 16m 21s
✔️ cifmw-molecule-sushy_emulator SUCCESS in 17m 15s
✔️ cifmw-molecule-tofu SUCCESS in 11m 56s

danpawlik · 2026-02-27T17:15:07Z

recheck

danpawlik · 2026-02-27T18:24:46Z

recheck

softwarefactory-project-zuul · 2026-02-27T20:55:59Z

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/d63b44ff8fe84106950a1d386732790d

danpawlik · 2026-03-02T07:22:29Z

recheck

softwarefactory-project-zuul · 2026-03-02T10:35:22Z

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/d70505b1aebe43d8a9bf9e4a0b1d0247

michburk · 2026-03-02T18:12:54Z

recheck

danpawlik mentioned this pull request Feb 26, 2026

[sushy_emulator] Fix list handling for VM instances #3678

Merged

danpawlik force-pushed the fix-molecule-reproducer branch from 6e845ff to 0ed017c Compare February 26, 2026 19:11

danpawlik changed the title ~~[reproducer] Accept CA certificate if expired when CRC is used~~ [multiple] Accept CA certificate if expired when CRC is used Feb 26, 2026

danpawlik force-pushed the fix-molecule-reproducer branch from 0ed017c to b68f767 Compare February 26, 2026 19:45

danpawlik marked this pull request as draft February 26, 2026 19:57

openshift-ci Bot added the do-not-merge/work-in-progress label Feb 26, 2026

danpawlik requested a review from a team February 27, 2026 11:12

danpawlik force-pushed the fix-molecule-reproducer branch 2 times, most recently from 8631fae to d0c55c1 Compare February 27, 2026 11:43

danpawlik marked this pull request as ready for review February 27, 2026 11:57

openshift-ci Bot removed the do-not-merge/work-in-progress label Feb 27, 2026

danpawlik requested a review from holser February 27, 2026 11:58

holser reviewed Feb 27, 2026

View reviewed changes

Comment thread roles/cifmw_helpers/tasks/crc_start.yml Outdated

Comment thread roles/cifmw_helpers/tasks/crc_start.yml

danpawlik force-pushed the fix-molecule-reproducer branch 2 times, most recently from 466ec7e to 289154a Compare February 27, 2026 13:51

holser self-requested a review February 27, 2026 13:56

holser previously approved these changes Feb 27, 2026

View reviewed changes

openshift-ci Bot assigned holser Feb 27, 2026

openshift-ci Bot added the lgtm label Feb 27, 2026

michburk reviewed Feb 27, 2026

View reviewed changes

Comment thread roles/cifmw_helpers/tasks/crc_start.yml Outdated

evallesp reviewed Feb 27, 2026

View reviewed changes

danpawlik dismissed holser’s stale review via 4a595fb February 27, 2026 16:17

danpawlik force-pushed the fix-molecule-reproducer branch from 289154a to 4a595fb Compare February 27, 2026 16:17

openshift-ci Bot removed the lgtm label Feb 27, 2026

danpawlik requested a review from holser February 27, 2026 16:18

danpawlik requested review from a team, evallesp and michburk February 27, 2026 16:18

michburk reviewed Feb 27, 2026

View reviewed changes

Comment thread roles/cifmw_helpers/tasks/crc_start.yml Outdated

danpawlik force-pushed the fix-molecule-reproducer branch from 4a595fb to 252e5f5 Compare February 27, 2026 16:45

holser approved these changes Mar 2, 2026

View reviewed changes

github-actions Bot added the Ready For Review label Mar 2, 2026

danpawlik merged commit d93ea23 into openstack-k8s-operators:main Mar 3, 2026
7 of 8 checks passed

danpawlik deleted the fix-molecule-reproducer branch March 3, 2026 09:57

Conversation

danpawlik commented Feb 26, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

openshift-ci Bot commented Feb 26, 2026

Uh oh!

danpawlik commented Feb 26, 2026

Uh oh!

softwarefactory-project-zuul Bot commented Feb 26, 2026

Uh oh!

danpawlik commented Feb 27, 2026

Uh oh!

Uh oh!

Uh oh!

holser left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

evallesp Feb 27, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

danpawlik Feb 27, 2026

Choose a reason for hiding this comment

Uh oh!

michburk Feb 27, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

evallesp Mar 2, 2026

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

openshift-ci Bot commented Feb 27, 2026

Uh oh!

Uh oh!

softwarefactory-project-zuul Bot commented Feb 27, 2026

Uh oh!

danpawlik commented Feb 27, 2026

Uh oh!

danpawlik commented Feb 27, 2026

Uh oh!

softwarefactory-project-zuul Bot commented Feb 27, 2026

Uh oh!

danpawlik commented Mar 2, 2026

Uh oh!

softwarefactory-project-zuul Bot commented Mar 2, 2026

Uh oh!

michburk commented Mar 2, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

danpawlik commented Feb 26, 2026 •

edited

Loading

evallesp Feb 27, 2026 •

edited

Loading

michburk Feb 27, 2026 •

edited

Loading