cert-rotation: CSR approval fixes
* print when CSR approval is completed. This helps correlate between
  kubelet logs and csr approval start/end period
* extend time we want for new certs. With leader election
  it takes ~7 minutes for new certs to be generated and distributed,
  so that kubelet could create CSRs after we finish approval.

  This extends timeout we wait for bootstrap certs to be approved from
  30*10/60 = 5 minutes to 40*15/60 = 10 minutes
vrutkovs committed May 10, 2024
1 parent 3b7369f commit 156f3db
Showing 1 changed file with 4 additions and 3 deletions.
Expand Up @@ -57,7 +57,7 @@ cat << 'EOZ' > /tmp/approve-csrs-with-timeout.sh
(( required_csrs=${#control_nodes[@]} + ${#compute_nodes[@]} ))
approved_csrs=0
attempts=0
max_attempts=30
max_attempts=40
while (( required_csrs >= approved_csrs )); do
echo -n '.'
mapfile -d ' ' -t csrs < <(oc get csr --field-selector=spec.signerName=${field} --no-headers | grep Pending | cut -f1 -d" ")
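Review bot: the loop condition `while (( required_csrs >= approved_csrs ))` in the context of this hunk is still true when approved_csrs equals required_csrs, so raising max_attempts to 40 may lengthen the wait even on a run where every expected CSR was already approved. Please confirm that `>=` is intended and add a comment saying why, or change it to `>`. The total wait is now the product of this constant and the `sleep` value changed in the next hunk; defining both as named variables next to each other, with a comment giving the resulting minutes, would keep them from drifting apart in later edits. Separately, `${field}` in the `oc get csr --field-selector=spec.signerName=${field}` line is unquoted and would be safer as `"--field-selector=spec.signerName=${field}"`.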
Expand All @@ -70,10 +70,11 @@ cat << 'EOZ' > /tmp/approve-csrs-with-timeout.sh
if (( attempts > max_attempts )); then
break
fi
sleep 10s
sleep 15s
done
echo ""
done
echo "Done"
echo "Finished CSR approval at $(date)"
EOZ
chmod a+x /tmp/approve-csrs-with-timeout.sh
timeout ${COMMAND_TIMEOUT} ${SCP} /tmp/approve-csrs-with-timeout.sh "core@${control_nodes[0]}:/tmp/approve-csrs-with-timeout.sh"
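Review bot: the new `echo "Finished CSR approval at $(date)"` runs on every path, including the one where `if (( attempts > max_attempts ))` hits `break`, so the log line cannot distinguish "all CSRs approved" from "gave up after the timeout". Since the stated purpose is correlating with kubelet logs, consider printing a distinct message (and the approved_csrs/required_csrs counts) when the attempt limit is reached, and returning a non-zero exit status in that case so the caller can fail early. A matching start line with a timestamp, and `date -u` or an ISO 8601 format on both, would make the start/end period easier to line up with kubelet timestamps.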