[release-4.14] OCPBUGS-19357: install: Recreate and delayed default ServiceAccount deletion

[openshift-cherrypick-robot]

This is an automated cherry-pick of #3895

/assign yuqi-zhang

[openshift-ci-robot]

@openshift-cherrypick-robot: Jira Issue OCPBUGS-16905 has been cloned as Jira Issue OCPBUGS-19357. Will retitle bug to link to clone.
/retitle [release-4.14] OCPBUGS-19357: install: Recreate and delayed default ServiceAccount deletion

Details

In response to this:

This is an automated cherry-pick of #3895

/assign yuqi-zhang

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci-robot]

@openshift-cherrypick-robot: This pull request references Jira Issue OCPBUGS-19357, which is valid. The bug has been moved to the POST state.

6 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.14.0) matches configured target version for branch (4.14.0)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)
• dependent bug Jira Issue OCPBUGS-16905 is in the state MODIFIED, which is one of the valid states (MODIFIED, ON_QA, VERIFIED)
• dependent Jira Issue OCPBUGS-16905 targets the "4.15.0" version, which is one of the valid target versions: 4.15.0
• bug has dependents

Requesting review from QA contact:
/cc @sergiordlr

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

This is an automated cherry-pick of #3895

/assign yuqi-zhang

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[yuqi-zhang]

/lgtm
/label backport-risk-assessed

This should be a pretty safe change generally speaking, and can help some environments with upgrade time

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: openshift-cherrypick-robot, yuqi-zhang

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [yuqi-zhang]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@openshift-cherrypick-robot: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/okd-scos-e2e-gcp-op	496abc1	link	false	/test okd-scos-e2e-gcp-op
ci/prow/e2e-gcp-rt	496abc1	link	false	/test e2e-gcp-rt
ci/prow/e2e-aws-ovn-fips-op	496abc1	link	false	/test e2e-aws-ovn-fips-op
ci/prow/e2e-gcp-rt-op	496abc1	link	false	/test e2e-gcp-rt-op
ci/prow/e2e-vsphere-upi-zones	496abc1	link	false	/test e2e-vsphere-upi-zones

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[sergiordlr]

Verified using SNO IPI on GCP

We upgraded from 4.13 to 4.14+current fix:

$ oc get clusterversion -o yaml 
...
    history:
    - acceptedRisks: |-
        Target release version="" image="registry.build03.ci.openshift.org/ci-ln-k4c8qv2/release:latest" cannot be verified, but continuing anyway because the update was forced: release images that are not accessed via digest cannot be verified
        Forced through blocking failures: Multiple precondition checks failed:
        * Precondition "ClusterVersionUpgradeable" failed because of "AdminAckRequired": Kubernetes 1.27 and therefore OpenShift 4.14 remove several APIs which require admin consideration. Please see the knowledge article https://access.redhat.com/articles/6958395 for details and instructions.
        * Precondition "EtcdRecentBackup" failed because of "ControllerStarted": RecentBackup: The etcd backup controller is starting, and will decide if recent backups are available or if a backup is required
        * Precondition "ClusterVersionRecommendedUpdate" failed because of "UnknownUpdate": RetrievedUpdates=False (VersionNotFound), so the recommended status of updating from 4.13.0-0.nightly-2023-09-12-074803 to 4.14.0-0.ci.test-2023-09-19-074741-ci-ln-k4c8qv2-latest is unknown.
      completionTime: "2023-09-19T09:13:40Z"
      image: registry.build03.ci.openshift.org/ci-ln-k4c8qv2/release:latest
      startedTime: "2023-09-19T08:28:54Z"
      state: Completed
      verified: false
      version: 4.14.0-0.ci.test-2023-09-19-074741-ci-ln-k4c8qv2-latest
    - completionTime: "2023-09-19T08:19:27Z"
      image: registry.ci.openshift.org/ocp/release@sha256:e03f07af4872b73f425c6095cabba4600106b063005d5236991f7225fedd9704
      startedTime: "2023-09-19T07:50:26Z"
      state: Completed
      verified: false
      version: 4.13.0-0.nightly-2023-09-12-074803

Before the operator pod was upgraded, we had these messages in the machine-config-operator pod:

W0919 09:00:09.731668       1 warnings.go:70] unknown field "spec.infra.metadata.resourceVersion"
W0919 09:00:09.731670       1 warnings.go:70] unknown field "spec.infra.metadata.uid"
I0919 09:00:28.092785       1 helpers.go:93] Shutting down due to: terminated
I0919 09:00:28.099910       1 helpers.go:96] Context cancelled
I0919 09:00:28.115105       1 operator.go:286] Shutting down MachineConfigOperator
I0919 09:00:28.192052       1 start.go:115] Stopped leading. Terminating.

After the operator pod was updated, we can find these messages in the machine-config-operator pod:

2023-09-19T09:00:43.987657360+00:00 stderr F I0919 09:00:43.987594       1 start.go:49] Version: 4.14.0-0.ci.test-2023-09-19-074741-ci-ln-k4c8qv2-latest (Raw: machine-config-daemon-4.6.0-202006240615.p0-2312-g2bd89b29-dirty, Hash: 2bd89b29582b689694ee9f3dddb97962dc891230)
2023-09-19T09:00:43.988008877+00:00 stderr F I0919 09:00:43.987965       1 leaderelection.go:122] The leader election gives 4 retries and allows for 30s of clock skew. The kube-apiserver downtime tolerance is 78s. Worst non-graceful lease acquisition is 2m43s. Worst graceful lease acquisition is {26s}.
2023-09-19T09:00:43.989377943+00:00 stderr F I0919 09:00:43.988649       1 metrics.go:74] Registering Prometheus metrics
2023-09-19T09:00:43.989377943+00:00 stderr F I0919 09:00:43.988680       1 metrics.go:81] Starting metrics listener on 127.0.0.1:8797
2023-09-19T09:00:44.064489189+00:00 stderr F I0919 09:00:44.064427       1 leaderelection.go:245] attempting to acquire leader lease openshift-machine-config-operator/machine-config...
2023-09-19T09:00:44.248651741+00:00 stderr F I0919 09:00:44.247322       1 leaderelection.go:255] successfully acquired lease openshift-machine-config-operator/machine-config

It took 16 for the new operator pod to acquire the lease.

And after the node was rebooted, we can find these messages in the machine-config-operator pod:

Defaulted container "machine-config-operator" out of: machine-config-operator, kube-rbac-proxy
I0919 09:10:08.585284       1 start.go:49] Version: 4.14.0-0.ci.test-2023-09-19-074741-ci-ln-k4c8qv2-latest (Raw: machine-config-daemon-4.6.0-202006240615.p0-2312-g2bd89b29-dirty, Hash: 2bd89b29582b689694ee9f3dddb97962dc891230)
I0919 09:10:08.592032       1 metrics.go:74] Registering Prometheus metrics
I0919 09:10:08.596207       1 leaderelection.go:122] The leader election gives 4 retries and allows for 30s of clock skew. The kube-apiserver downtime tolerance is 78s. Worst non-graceful lease acquisition is 2m43s. Worst graceful lease acquisition is {26s}.
I0919 09:10:08.597132       1 metrics.go:81] Starting metrics listener on 127.0.0.1:8797
I0919 09:10:08.618197       1 leaderelection.go:245] attempting to acquire leader lease openshift-machine-config-operator/machine-config...
I0919 09:10:08.625006       1 leaderelection.go:255] successfully acquired lease openshift-machine-config-operator/machine-config

After the reboot it could get the lease quickly as well.

We can add the qe-approved label

/label qe-approved

[sinnykumari]

Thanks Sergio for verifying, backport PR would need cherry-pick-approved label.

[sergiordlr]

/label cherry-pick-approved

[openshift-ci-robot]

@openshift-cherrypick-robot: Jira Issue OCPBUGS-19357: All pull requests linked via external trackers have merged:

• openshift/machine-config-operator#3920

Jira Issue OCPBUGS-19357 has been moved to the MODIFIED state.

Details

In response to this:

This is an automated cherry-pick of #3895

/assign yuqi-zhang

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[yuqi-zhang]

/cherry-pick release-4.13

Since the original bug was reported against 4.13

[openshift-cherrypick-robot]

@yuqi-zhang: new pull request created: #3923

Details

In response to this:

/cherry-pick release-4.13

Since the original bug was reported against 4.13

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-merge-robot]

Fix included in accepted release 4.14.0-0.nightly-2023-09-19-201452