cmd/openshift-install/create: Make waitForInstallComplete() more robust

[wking]

If the cluster failed to completely initialize, we may still have a router CA or console URL. With this commit, errors in finalization components are no longer immediately fatal; instead we hold any errors but continue to try the later components. We retain the first component component error, and log any later errors.

To avoid waiting on a console URL when the cluster failed to initialize, I've added a oneShot argument to waitForConsole. When waitForInitializedCluster failed, we set oneShot true and only make a single attempt to resolve the console URL. I've also shuffled around the Until function to flatten some of its previous if/else blocks so I only have to add single oneShot-cancel block.

Tangentially related, addRouterCAToClusterCA is idempotent, because AppendCertsFromPEM wraps AddCert and AddCert checks to avoid duplicate certificates.

CC @abhinavdahiya, I think this is as discussed on the group-G arch call just now.

[wking]

Heh, this is not quite what I was aiming for:

level=info msg="Waiting up to context.Background.WithDeadline(2019-03-21 18:52:12.039581075 +0000 UTC m=+2153.930641135 [9m59.999985838s]) for openshift-console routes to be created..."
level=info msg="Install complete!"
level=info msg="Run 'export KUBECONFIG=/tmp/artifacts/installer/auth/kubeconfig' to manage the cluster with 'oc', the OpenShift CLI."
level=info msg="The cluster is ready when 'oc login -u kubeadmin -p BdURA-FwDhx-B5Jix-JHHYK' succeeds (wait a few minutes)."
level=info msg="Login to the console with user: kubeadmin, password: BdURA-FwDhx-B5Jix-JHHYK"
level=fatal msg="failed to wait for openshift-console routes: timed out waiting for the condition"

[wking]

Ok, updated a few things with 2f625248e -> 8aba2fac1. Hopefully that covers it, although I guess CI will tell us ;).

[wking]

$ curl -s https://storage.googleapis.com/origin-ci-test/pr-logs/pull/openshift_installer/1413/pull-ci-openshift-installer-master-e2e-aws/4580/artifacts/e2e-aws/installer/.openshift_install.log | grep -B5 fatal
time="2019-03-22T09:23:19Z" level=debug msg="Cluster is initialized"
time="2019-03-22T09:23:19Z" level=info msg="Waiting up to 10m0s for openshift-console routes to be created..."
time="2019-03-22T09:33:19Z" level=info msg="Run 'export KUBECONFIG=/tmp/artifacts/installer/auth/kubeconfig' to manage the cluster with 'oc', the OpenShift CLI."
time="2019-03-22T09:33:19Z" level=info msg="Depending on the severity of the error, you may be able to log in with 'oc login -u kubeadmin -p Gqqf8-f5sSv-5KqZS-saiZF https://api.ci-op-9pdd09zr-1d3f3.origin-ci-int-aws.dev.rhcloud.com:6443' succeeds."
time="2019-03-22T09:33:19Z" level=info msg="Login to the console with user: kubeadmin, password: Gqqf8-f5sSv-5KqZS-saiZF"
time="2019-03-22T09:33:19Z" level=fatal msg="failed to wait for openshift-console routes: timed out waiting for the condition"
$ curl -s https://storage.googleapis.com/origin-ci-test/pr-logs/pull/openshift_installer/1413/pull-ci-openshift-installer-master-e2e-aws/4580/artifacts/e2e-aws/pods/openshift-cluster-version_cluster-version-operator-d6958f9b6-2gr9r_cluster-version-operator.log.gz | gunzip | grep route | grep downloads | head -n2
I0322 09:16:56.022824       1 sync_worker.go:462] Running sync for route "openshift-console/downloads" (270 of 310)
I0322 09:16:56.095793       1 sync_worker.go:475] Done syncing for route "openshift-console/downloads" (270 of 310)

I seem to have broken the route watcher. Robust finish is looking pretty good though.

[wking]

So my UntilWithSync reroll (requested here) was broken, and even if it wasn't, the watcher approach was not compatible with oneShot (at least as I had it implemented so far). I've pushed 8aba2fac1 -> 2995aef49, rebasing onto master and dropping the UntilWithSync commit. Can we land the finish commit, and I'll come back around and take another pass at UntilWithSync for routes in a follow-up PR?

[wking]

e2e-aws:

level=fatal msg="failed to initialize the cluster: timed out waiting for the condition"

/retest

[wking]

e2e-aws:

level=error msg="\t* aws_route_table_association.route_net.1: timeout while waiting for state to become 'success' (timeout: 5m0s)"

/retest

[wking]

e2e-aws:

level=error msg="\t* aws_instance.master.1: Error waiting for instance (i-010d8bf6e3b4e5f7e) to become ready: timeout while waiting for state to become 'running' (last state: 'pending', timeout: 10m0s)"

Amazon short of instances :/

/retest

[wking]

/retest

[wking]

All green. @abhinavdahiya, can you take another look at some point today?

[abhinavdahiya]

/s/consoleNamespace/consoleRouteName

[wking]

/s/consoleNamespace/consoleRouteName

My follow up is waiting for the downloads route too; this choice will be a better fit then. Even without follow-up work, I think "the main console-namespace route" isn't that bad vs. naming the route without the namespace. If we end up sticking with a single route, I'll probably write both the namespace and name.

[abhinavdahiya]

/s/consoleNamespace/consoleRouteName

[abhinavdahiya]

this is

err := <>
if err != nil {
..
}

while all other calls are

if err = <>; err != nil {
....
}

??

[wking]

... while all other calls are...

They're all using this err ;). But whatever, I wish gofmt would just make this sort of thing consistent with whatever a coin-flip says is the easiest to read :p.

[wking]

e2e-aws:

level=fatal msg="failed to initialize the cluster: Working towards 0.0.1-2019-03-27-010000: 98% complete: timed out waiting for the condition"

/retest

[wking]

Depending on the severity of the error, you may be able to log in with: oc login -u kubeadmin -p

I don't think we should be telling people maybe you will be able to log in. Please drop this

I thought that was helpful ;). You'd rather me not say anything about oc login when we have errors? Do I need to ever say anything about oc login? Folks using oc will likely be using auth/kubeconfig or setting up a real identity provider anyway.

[abhinavdahiya]

Depending on the severity of the error, you may be able to log in with: oc login -u kubeadmin -p

I don't think we should be telling people maybe you will be able to log in. Please drop this

I thought that was helpful ;). You'd rather me not say anything about oc login when we have errors? Do I need to ever say anything about oc login? Folks using oc will likely be using auth/kubeconfig or setting up a real identity provider anyway.

I'm not sure, if oc login needs to be called out at all. But it is now... So making sure we are not calling that out when we don't know if the authentication operator succeeded...

oc with auth/kubeconfig will work as we have successfully bootstrapped. We can keep that part on partial failure.

[wking]

I'm not sure, if oc login needs to be called out at all.

Rebased onto master with 2995aef49 -> c3723847d, and dropping the oc login reference as part of that (thanks to #1513).

[wking]

oc delete project ci-op-84i4xlit

/retest

[wking]

Rebased onto master with c3723847d -> 19866aa38.

[wking]

And I've pushed 19866aa38 -> cddd3f0ec to distingish between Failing and Progressing.

[wking]

All green. Here's the end of the e2e-aws run:

$ curl -s https://storage.googleapis.com/origin-ci-test/pr-logs/pull/openshift_installer/1413/pull-ci-openshift-installer-master-e2e-aws/5140/artifacts/e2e-aws/installer/.openshift_install.log | grep -A8 'Cluster is initialized'
time="2019-04-11T03:53:34Z" level=debug msg="Cluster is initialized"
time="2019-04-11T03:53:34Z" level=info msg="Waiting up to 10m0s for the openshift-console route to be created..."
time="2019-04-11T03:53:34Z" level=debug msg="Route found in openshift-console namespace: console"
time="2019-04-11T03:53:34Z" level=debug msg="Route found in openshift-console namespace: downloads"
time="2019-04-11T03:53:34Z" level=debug msg="OpenShift console route is created"
time="2019-04-11T03:53:34Z" level=info msg="Install complete!"
time="2019-04-11T03:53:34Z" level=info msg="To access the cluster as the system:admin user when using 'oc', run 'export KUBECONFIG=/tmp/artifacts/installer/auth/kubeconfig'"
time="2019-04-11T03:53:34Z" level=info msg="Access the OpenShift web-console here: https://console-openshift-console.apps.ci-op-b89kp5jd-1d3f3.origin-ci-int-aws.dev.rhcloud.com"
time="2019-04-11T03:53:34Z" level=info msg="Login to the console with user: kubeadmin, password: ShUna-zfIzJ-HPSYX-WhzpE"

[trown]

/test e2e-openstack

[trown]

/test e2e-openstack

[wking]

Rebased around #1718 with f79f53c0d -> 773a2b0.

[wking]

e2e-aws:

level=fatal msg="failed to initialize the cluster: Some cluster operators are still updating: authentication, console: timed out waiting for the condition"

/retest

[openshift-ci-robot]

@wking: The following test failed, say /retest to rerun them all:

Test name	Commit	Details	Rerun command
ci/prow/e2e-aws-scaleup-rhel7	773a2b0	link	/test e2e-aws-scaleup-rhel7

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[openshift-ci-robot]

@wking: PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[abhinavdahiya]

closing due to inactivity. Please reopen if needed.

/close

[openshift-ci-robot]

@abhinavdahiya: Closed this PR.

In response to this:

closing due to inactivity. Please reopen if needed.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.