cert_renewal: Watch kubelet-serving signer along with kube-apiserver-…

…client-kubelet

Since 4.15, user provisioned infra (UPI) is used for creating the
bundle, kubelet-serving signer csr request also need to be approved
manually as per docs. This PR watch kubelet-serving signer and check if
it pending then approve it.

- https://docs.openshift.com/container-platform/4.15/backup_and_restore/control_plane_backup_and_restore/disaster_recovery/scenario-3-expired-certs.html

pkg/crc/cluster/cert_renewal.go

@@ -45,7 +45,8 @@ func approvePendingCSRs(ctx context.Context, ocConfig oc.Config, expectedSignerN
 
 func ApproveCSRAndWaitForCertsRenewal(ctx context.Context, sshRunner *ssh.Runner, ocConfig oc.Config, client, server bool) error {
 	const (
-		kubeletClientSignerName = "kubernetes.io/kube-apiserver-client-kubelet"
+		kubeletClientSignerName  = "kubernetes.io/kube-apiserver-client-kubelet"
+		kubeletServingSignerName = "kubernetes.io/kubelet-serving"
 	)
 
 	// First, kubelet starts and tries to connect to API server. If its certificate is expired, it asks for a new one
@@ -58,6 +59,11 @@ func ApproveCSRAndWaitForCertsRenewal(ctx context.Context, sshRunner *ssh.Runner
 			return err
 		}
 
+		if err := approvePendingCSRs(ctx, ocConfig, kubeletServingSignerName); err != nil {
+			logging.Debugf("Error approving pending kubelet-serving CSRs: %v", err)
+			return err
+		}
+
 		if err := crcerrors.Retry(ctx, 5*time.Minute, waitForCertRenewal(sshRunner, KubeletClientCert), time.Second*5); err != nil {
 			logging.Debugf("Error approving pending kube-apiserver-client-kubelet CSR: %v", err)
 			return err