Clean up CSR approver (#49)

* Clean up CSR approver

* wait for all pods to be ready before clearing registry

* fix script

* add more retries

* update script

Author: loganmc10

edge/roles/edge_csr_approver/files/csr_approver.sh

@@ -4,19 +4,16 @@
 
 set -o pipefail
 
-export KUBECONFIG="/var/local/csr_approver/kubeconfig"
+CSR_KUBECONFIG=/var/local/csr_approver/kubeconfig
+NODE_KUBECONFIG=/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/localhost.kubeconfig
 
 # wait until API is online
-until oc --request-timeout=30s get csr; do
+until oc --request-timeout=30s --kubeconfig "${CSR_KUBECONFIG}" get csr; do
   sleep 10
 done
 
-count=30
 go_template='{{range .items}}{{if not .status}}{{if or (eq .spec.signerName "kubernetes.io/kubelet-serving") (eq .spec.signerName "kubernetes.io/kube-apiserver-client-kubelet")}}{{.metadata.name}}{{"\n"}}{{end}}{{end}}{{end}}'
-while [[ ${count} -gt 0 ]]; do
-  oc --request-timeout=30s get csr -o go-template="${go_template}" | xargs --no-run-if-empty oc --request-timeout=30s adm certificate approve
+until oc --request-timeout=30s --kubeconfig "${NODE_KUBECONFIG}" get node; do
+  oc --request-timeout=30s --kubeconfig "${CSR_KUBECONFIG}" get csr -o go-template="${go_template}" | xargs --no-run-if-empty oc --request-timeout=30s --kubeconfig "${CSR_KUBECONFIG}" adm certificate approve
   sleep 20
-  count=$((count - 1))
-  echo "${count} checks remaining"
 done
-echo "CSR Approver complete"

edge/roles/edge_csr_approver/tasks/main.yaml

@@ -4,7 +4,7 @@
       apiVersion: v1
       kind: ServiceAccount
       metadata:
-        name: ztpfw-csr-approver
+        name: csr-approver
         namespace: openshift-infra
     apply: true
     state: present
@@ -17,7 +17,7 @@
       apiVersion: rbac.authorization.k8s.io/v1
       kind: ClusterRole
       metadata:
-        name: ztpfw-csr-approver
+        name: csr-approver
       rules:
         - apiGroups:
             - certificates.k8s.io
@@ -50,14 +50,14 @@
       apiVersion: rbac.authorization.k8s.io/v1
       kind: ClusterRoleBinding
       metadata:
-        name: ztpfw-csr-approver
+        name: csr-approver
       subjects:
         - kind: ServiceAccount
-          name: ztpfw-csr-approver
+          name: csr-approver
           namespace: openshift-infra
       roleRef:
         kind: ClusterRole
-        name: ztpfw-csr-approver
+        name: csr-approver
         apiGroup: rbac.authorization.k8s.io
     apply: true
     state: present
@@ -70,10 +70,10 @@
       apiVersion: v1
       kind: Secret
       metadata:
-        name: ztpfw-csr-approver-secret
+        name: csr-approver-secret
         namespace: openshift-infra
         annotations:
-          kubernetes.io/service-account.name: ztpfw-csr-approver
+          kubernetes.io/service-account.name: csr-approver
       type: kubernetes.io/service-account-token
     apply: true
     state: present
@@ -84,7 +84,7 @@
   kubernetes.core.k8s_info:
     api_version: v1
     kind: Secret
-    name: ztpfw-csr-approver-secret
+    name: csr-approver-secret
     namespace: openshift-infra
   register: csr_secret
   until: csr_secret.resources[0].data.token is defined

edge/roles/edge_csr_approver/templates/CSRKubeconfig.yaml.j2

@@ -9,9 +9,9 @@ contexts:
   - name: default-context
     context:
       cluster: "{{ metadata.name }}"
-      user: ztpfw-csr-approver
+      user: csr-approver
 current-context: default-context
 users:
-  - name: ztpfw-csr-approver
+  - name: csr-approver
     user:
       token: "{{ csr_secret.resources[0].data.token | b64decode }}"

edge/roles/edge_post_install/tasks/clear_registry_config.yaml

@@ -1,3 +1,13 @@
+- name: Wait for all Pods to be ready
+  kubernetes.core.k8s_info:
+    kind: Pod
+    field_selectors:
+      - status.phase=Pending
+  register: pending_pod_list
+  until: pending_pod_list.resources | length | int == 0
+  retries: 60
+  delay: 10
+
 - name: Get ICSPs
   kubernetes.core.k8s_info:
     api_version: operator.openshift.io/v1alpha1