OKD
New user trying to install OKD 4.20 on Mini PC's #2291
Replies: 2 comments 2 replies
-
|
Hi there! Welcome to the OKD community, and great initiative getting hands-on experience before your company's potential OpenShift deployment! Looking at your logs, I can see two distinct issues happening: Main Problem: The kube-controller-manager installer pod is failing because it can't find a required ConfigMap:
This is causing the installer pod to error out. The client-ca ConfigMap should contain the client certificate authority bundle and is essential for the kube-controller-manager to start properly. Secondary Issue: Metal3 Pod Running Despite Disabled Provisioning
suggests the Metal3 pod is trying to configure itself but has certificate Subject Alternative Name (SAN) mismatches. |
Beta Was this translation helpful? Give feedback.
-
|
Hi, Where should it be created and with which content? And why is it not created initially during the setup as expected... When creating it manually (for testing) in the affected namespaces like openshift-kube-controller-manager and openshift-controller-manager, it will be removed by some automatism/operator. |
Beta Was this translation helpful? Give feedback.
-
|
If I had to guess, something is not initializing that should be creating that configmap. That should all be transparent I believe and this is indicative of something getting stuck in bootstrap. Do you happen to have a log bundle from a failed installation we could look at? |
Beta Was this translation helpful? Give feedback.
-
|
providing the logs is not that easy because of customer data. But as soon as the first master is starting to bootstrap, you can see the problem when the "openshift-controller-manager*" pods try to start. I0122 10:48:40.665006 1 cmd.go:629] Writing config file "/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-4/configmaps/recycler-config/recycler-pod.yaml" ... which mechanism should provide and create this client-ca configmap and with what content? Is it already a problem with the bootstrap node? Related to these "static pods" searching for the client-ca bundle?? In the bootstrap logs I see for some time (when the openshift-config NS is not yet created): So it is created in NS openshift-config (assuming this is the correct content that should then be used for client-ca CM) |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
Hi All,
I am a new OKD user. I am trying to setup a OKD cluster at home as we might be looking to use openshift in the coming months at work so i wanted to get a head start ;) . I have been able to bootstrap my nodes and get the cluster up and running. I used the baremetal platrom config to allow me to have keepalived configure the required VIP's on the cluster (save any external HA proxy) - this is how we plan to push in our company as we will have small clusters initially.
install-config.yaml has:
baremetal:
apiVIP: 192.168.2.250
ingressVIP: 192.168.2.251
provisioningNetworkCIDR: disabled
the cluster of 3 bootstraps and comes up with keepalived correctly configuring the VIP's but i end up with pods crashlooping / erroring.
openshift-kube-controller-manager installer pod status: error - logs below
openshift-machine-api metal3 pod status: crashloop - logs below
Unsure if this is a know issue or not. I have re-installed 3x trying different things but i still end up in the same position. Any help/advise on how to fix or any workarounds would be greatly appreciated!
metal3 - should this be running. I disabled the provisioning didnt i? as i have no BMC's:
++ export IRONIC_IP= ++ IRONIC_IP= ++ PROVISIONING_INTERFACE= ++ PROVISIONING_IP=192.168.2.12 ++ PROVISIONING_MACS=84:47:09:66:d0:a1,84:47:09:66:de:9e,84:47:09:66:df:0d ++ IPXE_CUSTOM_FIRMWARE_DIR=/shared/custom_ipxe_firmware ++ CUSTOM_CONFIG_DIR=/conf ++ CUSTOM_DATA_DIR=/data ++ export DNSMASQ_CONF_DIR=/conf/dnsmasq ++ DNSMASQ_CONF_DIR=/conf/dnsmasq ++ export DNSMASQ_DATA_DIR=/data/dnsmasq ++ DNSMASQ_DATA_DIR=/data/dnsmasq ++ export DNSMASQ_TEMP_DIR=/conf/dnsmasq ++ DNSMASQ_TEMP_DIR=/conf/dnsmasq ++ export HTTPD_DIR=/conf/httpd ++ HTTPD_DIR=/conf/httpd ++ export HTTPD_CONF_DIR=/conf/httpd/conf ++ HTTPD_CONF_DIR=/conf/httpd/conf ++ export HTTPD_CONF_DIR_D=/conf/httpd/conf.d ++ HTTPD_CONF_DIR_D=/conf/httpd/conf.d ++ export IRONIC_CONF_DIR=/conf/ironic ++ IRONIC_CONF_DIR=/conf/ironic ++ export IRONIC_DB_DIR=/data/db ++ IRONIC_DB_DIR=/data/db ++ export IRONIC_GEN_CERT_DIR=/data/auto_gen_certs ++ IRONIC_GEN_CERT_DIR=/data/auto_gen_certs ++ export IRONIC_TMP_DATA_DIR=/data/tmp ++ IRONIC_TMP_DATA_DIR=/data/tmp ++ export PROBE_CONF_DIR=/conf/probes ++ PROBE_CONF_DIR=/conf/probes ++ export HTTP_PORT=6180 ++ HTTP_PORT=6180 ++ export IRONIC_JSON_RPC_PORT=6189 ++ IRONIC_JSON_RPC_PORT=6189 <snip> [Thu Nov 27 23:39:29.409210 2025] [ssl:debug] [pid 1:tid 1] ssl_engine_init.c(536): AH01893: Configuring TLS extension handling [Thu Nov 27 23:39:29.409462 2025] [ssl:debug] [pid 1:tid 1] ssl_util_ssl.c(451): AH02412: [192-168-2-12.machine-config-daemon.openshift-machine-config-operator.svc.cluster.local:6388] Cert does not match for name '192-168-2-12.machine-config-daemon.openshift-machine-config-operator.svc.cluster.local' [subject: CN=localhost / issuer: CN=metal3-ironic / serial: 3FAE37F57048CB21 / notbefore: Nov 27 23:25:46 2025 GMT / notafter: Nov 27 23:25:47 2027 GMT] [Thu Nov 27 23:39:29.409470 2025] [ssl:warn] [pid 1:tid 1] AH01909: 192-168-2-12.machine-config-daemon.openshift-machine-config-operator.svc.cluster.local:6388:0 server certificate does NOT include an ID which matches the server name [Thu Nov 27 23:39:29.409474 2025] [ssl:info] [pid 1:tid 1] AH02568: Certificate and private key 192-168-2-12.machine-config-daemon.openshift-machine-config-operator.svc.cluster.local:6388:0 configured from /certs/ironic/tls.crt and /certs/ironic/tls.key [Thu Nov 27 23:39:29.412040 2025] [mpm_event:notice] [pid 1:tid 1] AH00489: Apache/2.4.62 (CentOS Stream) OpenSSL/3.5.1 configured -- resuming normal operations [Thu Nov 27 23:39:29.412077 2025] [core:notice] [pid 1:tid 1] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND -f /conf/httpd/conf/httpd.conf' [Thu Nov 27 23:39:29.414605 2025] [proxy:debug] [pid 43:tid 43] proxy_util.c(2252): AH00925: initializing worker unix:/shared/ironic.sock|http://127.0.0.1/ shared [Thu Nov 27 23:39:29.414632 2025] [proxy:debug] [pid 44:tid 44] proxy_util.c(2252): AH00925: initializing worker unix:/shared/ironic.sock|http://127.0.0.1/ shared [Thu Nov 27 23:39:29.414639 2025] [proxy:debug] [pid 43:tid 43] proxy_util.c(2323): AH00927: initializing worker unix:/shared/ironic.sock|http://127.0.0.1/ localopenshift-kube-controller-manager:
I1127 23:23:22.838331 1 cmd.go:95] &{<nil> true {false} installer true map[cert-configmaps:0xc0007a12c0 cert-dir:0xc0007a14a0 cert-secrets:0xc0007a1220 configmaps:0xc0007a0dc0 namespace:0xc0007a0be0 optional-cert-configmaps:0xc0007a1400 optional-configmaps:0xc0007a0f00 optional-secrets:0xc0007a0e60 pod:0xc0007a0c80 pod-manifest-dir:0xc0007a1040 resource-dir:0xc0007a0fa0 revision:0xc0007a0b40 secrets:0xc0007a0d20 v:0xc0007a1ea0] [0xc0007a1ea0 0xc0007a0b40 0xc0007a0be0 0xc0007a0c80 0xc0007a0fa0 0xc0007a1040 0xc0007a0dc0 0xc0007a0f00 0xc0007a0d20 0xc0007a0e60 0xc0007a14a0 0xc0007a12c0 0xc0007a1400 0xc0007a1220] [] map[cert-configmaps:0xc0007a12c0 cert-dir:0xc0007a14a0 cert-secrets:0xc0007a1220 configmaps:0xc0007a0dc0 help:0xc0005e70e0 kubeconfig:0xc0007a0aa0 log-flush-frequency:0xc0007a1e00 namespace:0xc0007a0be0 optional-cert-configmaps:0xc0007a1400 optional-cert-secrets:0xc0007a1360 optional-configmaps:0xc0007a0f00 optional-secrets:0xc0007a0e60 pod:0xc0007a0c80 pod-manifest-dir:0xc0007a1040 pod-manifests-lock-file:0xc0007a1180 resource-dir:0xc0007a0fa0 revision:0xc0007a0b40 secrets:0xc0007a0d20 timeout-duration:0xc0007a10e0 v:0xc0007a1ea0 vmodule:0xc0005e6c80] [0xc0007a0aa0 0xc0007a0b40 0xc0007a0be0 0xc0007a0c80 0xc0007a0d20 0xc0007a0dc0 0xc0007a0e60 0xc0007a0f00 0xc0007a0fa0 0xc0007a1040 0xc0007a10e0 0xc0007a1180 0xc0007a1220 0xc0007a12c0 0xc0007a1360 0xc0007a1400 0xc0007a14a0 0xc0007a1e00 0xc0007a1ea0 0xc0005e6c80 0xc0005e70e0] [0xc0007a12c0 0xc0007a14a0 0xc0007a1220 0xc0007a0dc0 0xc0005e70e0 0xc0007a0aa0 0xc0007a1e00 0xc0007a0be0 0xc0007a1400 0xc0007a1360 0xc0007a0f00 0xc0007a0e60 0xc0007a0c80 0xc0007a1040 0xc0007a1180 0xc0007a0fa0 0xc0007a0b40 0xc0007a0d20 0xc0007a10e0 0xc0007a1ea0 0xc0005e6c80] map[104:0xc0005e70e0 118:0xc0007a1ea0] [] -1 0 0xc00016d3b0 true 0x77e700 []} I1127 23:23:22.838434 1 cmd.go:96] (*installerpod.InstallOptions)(0xc0003de340)({ KubeConfig: (string) "", KubeClient: (kubernetes.Interface) <nil>, Revision: (string) (len=1) "5", NodeName: (string) "", Namespace: (string) (len=33) "openshift-kube-controller-manager", Clock: (clock.RealClock) { }, PodConfigMapNamePrefix: (string) (len=27) "kube-controller-manager-pod", SecretNamePrefixes: ([]string) (len=2 cap=2) { (string) (len=27) "service-account-private-key", (string) (len=31) "localhost-recovery-client-token" }, OptionalSecretNamePrefixes: ([]string) (len=1 cap=1) { (string) (len=12) "serving-cert" }, ConfigMapNamePrefixes: ([]string) (len=8 cap=8) { (string) (len=27) "kube-controller-manager-pod", (string) (len=6) "config", (string) (len=32) "cluster-policy-controller-config", (string) (len=29) "controller-manager-kubeconfig", (string) (len=38) "kube-controller-cert-syncer-kubeconfig", (string) (len=17) "serviceaccount-ca", (string) (len=10) "service-ca", (string) (len=15) "recycler-config" }, OptionalConfigMapNamePrefixes: ([]string) (len=1 cap=1) { (string) (len=12) "cloud-config" }, CertSecretNames: ([]string) (len=2 cap=2) { (string) (len=39) "kube-controller-manager-client-cert-key", (string) (len=10) "csr-signer" }, OptionalCertSecretNamePrefixes: ([]string) <nil>, CertConfigMapNamePrefixes: ([]string) (len=2 cap=2) { (string) (len=20) "aggregator-client-ca", (string) (len=9) "client-ca" }, OptionalCertConfigMapNamePrefixes: ([]string) (len=1 cap=1) { (string) (len=17) "trusted-ca-bundle" }, CertDir: (string) (len=66) "/etc/kubernetes/static-pod-resources/kube-controller-manager-certs", ResourceDir: (string) (len=36) "/etc/kubernetes/static-pod-resources", PodManifestDir: (string) (len=25) "/etc/kubernetes/manifests", Timeout: (time.Duration) 2m0s, StaticPodManifestsLockFile: (string) "", PodMutationFns: ([]installerpod.PodMutationFunc) <nil>, KubeletVersion: (string) "" }) I1127 23:23:22.838627 1 envvar.go:172] "Feature gate default state" feature="WatchListClient" enabled=false I1127 23:23:22.838635 1 envvar.go:172] "Feature gate default state" feature="ClientsAllowCBOR" enabled=false I1127 23:23:22.838639 1 envvar.go:172] "Feature gate default state" feature="ClientsPreferCBOR" enabled=false I1127 23:23:22.838642 1 envvar.go:172] "Feature gate default state" feature="InformerResourceVersion" enabled=false I1127 23:23:22.838645 1 envvar.go:172] "Feature gate default state" feature="InOrderInformers" enabled=true I1127 23:23:22.838905 1 cmd.go:413] Getting controller reference for node m2 I1127 23:23:22.844166 1 cmd.go:426] Waiting for installer revisions to settle for node m2 I1127 23:23:22.845584 1 cmd.go:506] Pod container: installer state for node m2 is not terminated, waiting I1127 23:23:32.849245 1 cmd.go:506] Pod container: installer state for node m2 is not terminated, waiting I1127 23:23:42.847941 1 cmd.go:518] Waiting additional period after revisions have settled for node m2 I1127 23:24:12.848337 1 cmd.go:524] Getting installer pods for node m2 I1127 23:24:12.851130 1 cmd.go:542] Latest installer revision for node m2 is: 5 I1127 23:24:12.851138 1 cmd.go:431] Querying kubelet version for node m2 I1127 23:24:12.852260 1 cmd.go:444] Got kubelet version 1.33.5 on target node m2 I1127 23:24:12.852286 1 cmd.go:293] Creating target resource directory "/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-5" ... I1127 23:24:12.852467 1 cmd.go:221] Creating target resource directory "/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-5" ... I1127 23:24:12.852480 1 cmd.go:229] Getting secrets ... I1127 23:24:12.853403 1 copy.go:32] Got secret openshift-kube-controller-manager/localhost-recovery-client-token-5 I1127 23:24:12.854976 1 copy.go:32] Got secret openshift-kube-controller-manager/service-account-private-key-5 I1127 23:24:12.856041 1 copy.go:32] Got secret openshift-kube-controller-manager/serving-cert-5 I1127 23:24:12.856078 1 cmd.go:242] Getting config maps ... I1127 23:24:12.857042 1 copy.go:60] Got configMap openshift-kube-controller-manager/cluster-policy-controller-config-5 I1127 23:24:12.857839 1 copy.go:60] Got configMap openshift-kube-controller-manager/config-5 I1127 23:24:12.858548 1 copy.go:60] Got configMap openshift-kube-controller-manager/controller-manager-kubeconfig-5 I1127 23:24:12.859823 1 copy.go:60] Got configMap openshift-kube-controller-manager/kube-controller-cert-syncer-kubeconfig-5 I1127 23:24:12.860884 1 copy.go:60] Got configMap openshift-kube-controller-manager/kube-controller-manager-pod-5 I1127 23:24:13.050601 1 copy.go:60] Got configMap openshift-kube-controller-manager/recycler-config-5 I1127 23:24:13.250604 1 copy.go:60] Got configMap openshift-kube-controller-manager/service-ca-5 I1127 23:24:13.450452 1 copy.go:60] Got configMap openshift-kube-controller-manager/serviceaccount-ca-5 I1127 23:24:13.650207 1 copy.go:52] Failed to get config map openshift-kube-controller-manager/cloud-config-5: configmaps "cloud-config-5" not found I1127 23:24:13.650224 1 cmd.go:261] Creating directory "/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-5/secrets/localhost-recovery-client-token" ... I1127 23:24:13.650327 1 cmd.go:639] Writing secret manifest "/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-5/secrets/localhost-recovery-client-token/token" ... I1127 23:24:13.650451 1 cmd.go:639] Writing secret manifest "/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-5/secrets/localhost-recovery-client-token/ca.crt" ... I1127 23:24:13.650514 1 cmd.go:639] Writing secret manifest "/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-5/secrets/localhost-recovery-client-token/namespace" ... I1127 23:24:13.650577 1 cmd.go:261] Creating directory "/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-5/secrets/service-account-private-key" ... I1127 23:24:13.650614 1 cmd.go:639] Writing secret manifest "/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-5/secrets/service-account-private-key/service-account.key" ... I1127 23:24:13.650674 1 cmd.go:261] Creating directory "/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-5/secrets/serving-cert" ... I1127 23:24:13.650717 1 cmd.go:639] Writing secret manifest "/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-5/secrets/serving-cert/tls.crt" ... I1127 23:24:13.650774 1 cmd.go:639] Writing secret manifest "/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-5/secrets/serving-cert/tls.key" ... I1127 23:24:13.650833 1 cmd.go:277] Creating directory "/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-5/configmaps/cluster-policy-controller-config" ... I1127 23:24:13.650893 1 cmd.go:629] Writing config file "/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-5/configmaps/cluster-policy-controller-config/config.yaml" ... I1127 23:24:13.650950 1 cmd.go:277] Creating directory "/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-5/configmaps/config" ... I1127 23:24:13.650984 1 cmd.go:629] Writing config file "/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-5/configmaps/config/config.yaml" ... I1127 23:24:13.651045 1 cmd.go:277] Creating directory "/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-5/configmaps/controller-manager-kubeconfig" ... I1127 23:24:13.651080 1 cmd.go:629] Writing config file "/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-5/configmaps/controller-manager-kubeconfig/kubeconfig" ... I1127 23:24:13.651144 1 cmd.go:277] Creating directory "/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-5/configmaps/kube-controller-cert-syncer-kubeconfig" ... I1127 23:24:13.651180 1 cmd.go:629] Writing config file "/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-5/configmaps/kube-controller-cert-syncer-kubeconfig/kubeconfig" ... I1127 23:24:13.651239 1 cmd.go:277] Creating directory "/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-5/configmaps/kube-controller-manager-pod" ... I1127 23:24:13.651271 1 cmd.go:629] Writing config file "/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-5/configmaps/kube-controller-manager-pod/forceRedeploymentReason" ... I1127 23:24:13.651321 1 cmd.go:629] Writing config file "/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-5/configmaps/kube-controller-manager-pod/pod.yaml" ... I1127 23:24:13.651385 1 cmd.go:629] Writing config file "/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-5/configmaps/kube-controller-manager-pod/version" ... I1127 23:24:13.651443 1 cmd.go:277] Creating directory "/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-5/configmaps/recycler-config" ... I1127 23:24:13.651519 1 cmd.go:629] Writing config file "/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-5/configmaps/recycler-config/recycler-pod.yaml" ... I1127 23:24:13.651578 1 cmd.go:277] Creating directory "/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-5/configmaps/service-ca" ... I1127 23:24:13.651616 1 cmd.go:629] Writing config file "/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-5/configmaps/service-ca/ca-bundle.crt" ... I1127 23:24:13.651674 1 cmd.go:277] Creating directory "/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-5/configmaps/serviceaccount-ca" ... I1127 23:24:13.651708 1 cmd.go:629] Writing config file "/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-5/configmaps/serviceaccount-ca/ca-bundle.crt" ... I1127 23:24:13.651760 1 cmd.go:221] Creating target resource directory "/etc/kubernetes/static-pod-resources/kube-controller-manager-certs" ... I1127 23:24:13.651795 1 cmd.go:229] Getting secrets ... I1127 23:24:13.850727 1 copy.go:32] Got secret openshift-kube-controller-manager/csr-signer I1127 23:24:14.050451 1 copy.go:32] Got secret openshift-kube-controller-manager/kube-controller-manager-client-cert-key I1127 23:24:14.050473 1 cmd.go:242] Getting config maps ... I1127 23:24:14.250390 1 copy.go:60] Got configMap openshift-kube-controller-manager/aggregator-client-ca I1127 23:24:14.450427 1 copy.go:52] Failed to get config map openshift-kube-controller-manager/client-ca: configmaps "client-ca" not found F1127 23:24:14.651050 1 cmd.go:109] failed to copy: configmaps "client-ca" not foundBeta Was this translation helpful? Give feedback.
All reactions