Approving CSR Certificate

During the bootstrap process, the bootstrap node handles the signing of certificate requests from the masters so that they can form a single cluster. After this stage, to add workers or any other node to the cluster, the Certificate Signing Requests (CSRs) from the new nodes must be approved manually.

Perform the following steps on the Bastion node to approve the CSRs:

Procedure
  1. Log in to the cluster as the default system user by exporting the cluster kubeconfig file using the following command:
    export KUBECONFIG=/var/nps/ISO/ign_config/auth/kubeconfig

    If the ignition files were generated in a different location, replace /var/nps/ISO/ign_config with that <installation-directory> path.

  2. List all pending CSRs after adding the worker node by running the following command:
    oc get csr
    A sample output is as follows:
    NAME        AGE     REQUESTOR                                                                   CONDITION
    csr-76qdv   34m     system:serviceaccount:openshift-machine-config-operator:node-bootstrapper   Pending
    csr-qf8kn   19m     system:serviceaccount:openshift-machine-config-operator:node-bootstrapper   Pending
    csr-qfltb   4m37s   system:serviceaccount:openshift-machine-config-operator:node-bootstrapper   Pending
    csr-vp6rl   32s     system:serviceaccount:openshift-machine-config-operator:node-bootstrapper   Pending
    
  3. Approve the CSRs one by one by running the following command:
    oc adm certificate approve <csr_name>

    Replace <csr_name> with the name displayed in step 2.

    Repeat the same command to approve each CSR.

  4. Alternatively, approve all pending CSRs at once by using the jq command:
    oc get csr -ojson | jq -r '.items[] | select(.status == {} ) | .metadata.name' | xargs oc adm certificate approve

    NOTE: The jq package must be installed for this command to work; otherwise, follow step 3 to approve the CSRs.
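
The bulk command in step 4 approves every pending CSR regardless of who submitted it. The following added example (not part of the original procedure) is a filter that passes on only pending CSRs whose REQUESTOR matches the node-bootstrapper service account shown in step 2 and reports the rest for manual review; the script name triage_csr.py, the allowlist, and the sample data are assumptions made for illustration.

```python
#!/usr/bin/env python3
"""Usage (assumed file name):
   oc get csr -o json | python3 triage_csr.py | xargs -r oc adm certificate approve
"""
import json
import sys

# Requestor shown in the sample output of step 2 for nodes joining the cluster.
BOOTSTRAPPER = ("system:serviceaccount:openshift-machine-config-operator:"
                "node-bootstrapper")


def triage(csr_list, trusted=(BOOTSTRAPPER,)):
    """Split pending CSRs into (approve, review) lists of (name, requestor)."""
    approve, review = [], []
    for item in csr_list.get("items", []):
        status = item.get("status") or {}
        if status.get("conditions"):  # already Approved or Denied: not pending
            continue
        name = item["metadata"]["name"]
        # spec.username is the value printed in the REQUESTOR column.
        requestor = item.get("spec", {}).get("username", "")
        (approve if requestor in trusted else review).append((name, requestor))
    return approve, review


# Constructed sample, used when no JSON is piped in. The first two names come
# from the sample output in step 2; the last two entries are made up.
SAMPLE = {"items": [
    {"metadata": {"name": "csr-76qdv"}, "spec": {"username": BOOTSTRAPPER},
     "status": {}},
    {"metadata": {"name": "csr-qf8kn"}, "spec": {"username": BOOTSTRAPPER}},
    {"metadata": {"name": "csr-example-unknown"},
     "spec": {"username": "system:serviceaccount:default:builder"},
     "status": {}},
    {"metadata": {"name": "csr-example-done"},
     "spec": {"username": BOOTSTRAPPER},
     "status": {"conditions": [{"type": "Approved"}]}},
]}

if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    approve, review = triage(data)
    for name, who in review:  # stderr, so these names never reach xargs
        print(f"SKIP {name}: unexpected requestor {who!r}", file=sys.stderr)
    for name, _ in approve:
        print(name)
```

CSRs reported as SKIP stay pending and can be inspected with oc describe csr <csr_name> before deciding whether to approve them as in step 3.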