Restart openshift-apiserver only if aggregator-client-ca is expired

This cert is eventually renewed at startup. If it is renewed, we need to wait for it and restart openshift-apiserver. Since this cert is located both in a configmap and on the disk, we prefer to read it from the disk: it is faster to access and more reliable. If the cert is not expired, openshift-apiserver will correctly start. `crc start` will take less time when the bundle is fresh (< 30 days).
crc-org · Nov 27, 2020 · 331c303 · 331c303
1 parent 35ba24d
commit 331c303
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 5 deletions.
diff --git a/pkg/crc/cluster/cluster.go b/pkg/crc/cluster/cluster.go
@@ -37,6 +37,8 @@ const (
 	kubeletClientCert = "/var/lib/kubelet/pki/kubelet-client-current.pem"
 
 	kubeletClientSignerName = "kubernetes.io/kube-apiserver-client-kubelet"
+
+	aggregatorClientCert = "/etc/kubernetes/static-pod-resources/kube-apiserver-certs/configmaps/aggregator-client-ca/ca-bundle.crt"
 )
 
 func CheckCertsValidity(sshRunner *ssh.Runner) (bool, bool, error) {
@@ -67,6 +69,10 @@ func checkCertValidity(sshRunner *ssh.Runner, cert string) (bool, error) {
 	return false, nil
 }
 
+func CheckAggregatorClientCAValidity(sshRunner *ssh.Runner) (bool, error) {
+	return checkCertValidity(sshRunner, aggregatorClientCert)
+}
+
 // Return size of disk, used space in bytes and the mountpoint
 func GetRootPartitionUsage(sshRunner *ssh.Runner) (int64, int64, error) {
 	cmd := "df -B1 --output=size,used,target /sysroot | tail -1"

diff --git a/pkg/crc/machine/machine.go b/pkg/crc/machine/machine.go
@@ -408,13 +408,19 @@ func (client *client) Start(startConfig StartConfig) (*StartResult, error) {
 	// A restart of the openshift-apiserver pod is enough to clear that error and get a working cluster.
 	// This is a work-around while the root cause is being identified.
 	// More info: https://bugzilla.redhat.com/show_bug.cgi?id=1795163
-	logging.Debug("Waiting for update of client-ca request header ...")
-	if err := cluster.WaitforRequestHeaderClientCaFile(ocConfig); err != nil {
-		return nil, errors.Wrap(err, "Failed to wait for the client-ca request header update")
+	expired, err := cluster.CheckAggregatorClientCAValidity(sshRunner)
+	if err != nil {
+		return nil, errors.Wrap(err, "Cannot check expiry date of the aggregator client ca")
 	}
+	if expired {
+		logging.Debug("Waiting for the renewal of the request header client ca...")
+		if err := cluster.WaitforRequestHeaderClientCaFile(ocConfig); err != nil {
+			return nil, errors.Wrap(err, "Failed to wait for aggregator client ca renewal")
+		}
 
-	if err := cluster.DeleteOpenshiftAPIServerPods(ocConfig); err != nil {
-		return nil, errors.Wrap(err, "Cannot delete OpenShift API Server pods")
+		if err := cluster.DeleteOpenshiftAPIServerPods(ocConfig); err != nil {
+			return nil, errors.Wrap(err, "Cannot delete OpenShift API Server pods")
+		}
 	}
 
 	logging.Info("Starting OpenShift cluster ... [waiting 3m]")