refactor csr approvals

[michaelgugino]

Currently, csr approval process for nodes is quite
fragile.

This commit creates a new custom module oc_csr_client
which facilitates handling the multiple steps involved
for approving pending node certificates.

The module attempts to approve all 'client' csrs
for any nodes provided via node_list, missing csrs
are ignored as long as the missing node is in a
'Ready' status as reported by oc get nodes.

Next, the module approves csrs for 'server' certificates.
Similar to the client process, missing node csrs
are acceptable as long as the node's api endpoint
is reachable without error, indicating a server
certificate is deployed.

In cases of long delay between issuing a csr and
csr approval, there may be several outstanding
'server' csrs. This module will approve any
outstanding csrs.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1571515

[vrutkovs]

An overengineered version would be:
oc get nodes -o jsonpath="{range .items[*]}{@.metadata.name}:{range @.status.conditions[*]}{@.type}={@.status};{end}{end}" to output smth like
ip-172-18-14-252.ec2.internal:OutOfDisk=False;MemoryPressure=False;DiskPressure=False;PIDPressure=False;Ready=True;
split it and filter out lines with Ready=True.

[michaelgugino]

That's incomprehensible and probably just as much splitting and filtering.

[sdodson]

Going back to past discussions where David had stated that oc output is not guaranteed stable I think we should either get yaml output or a template like Vadim is suggesting. Perhaps not as complicated, but it still needs to be a format that we're sure of so if they change column ordering we're not busted.

[michaelgugino]

I have run this in a few different iterations against a local cluster (removed certs of a node, restarted), though not on a fresh cluster. Hopefully CI passes :)

[michaelgugino]

2.6

[michaelgugino]

python2 vs python 3.4+

[michaelgugino]

Remove double quotes on this line.

[michaelgugino]

Remove this file.

[michaelgugino]

Remove this line and add some docstrings :)

[michaelgugino]

Rename module?

[sdodson]

Yeah, I'm not sure what we should name it though. All the other oc modules actually map pretty much 1:1 with oc foo bar cli interactions.

[michaelgugino]

This stuff gets passed around a lot. Probably should refactor into a class object, this will help will reporting during failures.

[sdodson]

looks like it's probably functionally correct, just some nits about module name and defaults.

[sdodson]

If we're naming this module oc_ I'd expect it to default this like all the other oc modules do.

[sdodson]

Unless we're sure this is 100% lets leave in debug log generation.

[michaelgugino]

This is no longer necessary. No module provides actually useful failure information.

[sdodson]

ok sounds good

[sdodson]

Yeah, I'm not sure what we should name it though. All the other oc modules actually map pretty much 1:1 with oc foo bar cli interactions.

[sdodson]

Going back to past discussions where David had stated that oc output is not guaranteed stable I think we should either get yaml output or a template like Vadim is suggesting. Perhaps not as complicated, but it still needs to be a format that we're sure of so if they change column ordering we're not busted.

[vrutkovs]

/lgtm

Worked perfectly here

[michaelgugino]

/test install

[openshift-ci-robot]

@michaelgugino: The following test failed, say /retest to rerun them all:

Test name	Commit	Details	Rerun command
ci/prow/gcp-crio	fef0430	link	/test gcp-crio

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[sdodson]

May require tweaking of the retries and time but we can figure that out later.
/lgtm

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: michaelgugino, sdodson, vrutkovs

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [michaelgugino,sdodson,vrutkovs]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[sdodson]

gcp-crio was an e2e flake.

[michaelgugino]

/cherrypick release-3.10

[openshift-cherrypick-robot]

@michaelgugino: #9711 failed to apply on top of branch "release-3.10":

error: Failed to merge in the changes.
Using index info to reconstruct a base tree...
M	roles/openshift_node/tasks/upgrade.yml
Falling back to patching base and 3-way merge...
Auto-merging roles/openshift_node/tasks/upgrade.yml
CONFLICT (content): Merge conflict in roles/openshift_node/tasks/upgrade.yml
Patch failed at 0001 Refactor csr approvals: oc_csr_approve

In response to this:

/cherrypick release-3.10

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.