NodeCSRApprover doesn't approve requests on GCP

[xmudrii]

The NodeCSRApprover controller is not approving CSRs for GCP worker nodes due to lack of private IP address and DNS name in the .status.Addresses field in the Machine object.

The CSR includes both private IP address and DNS name and as those are not in the Machine object, the validation fails, therefore the CSR is not signed.

As a workaround, until the issue is not fixed, the operator can manually approve the CSR, by following the instructions from the CSR docs.

As a fix, the following function should be extended to include the other type of addresses.

[toschneck]

Unfortunately the bug is still present, used the latest machine controller version v1.14.3 and it seams the machine controller is still not approving the CSRs:

k get csr
NAME        AGE     REQUESTOR                                   CONDITION
csr-2grjt   3m20s   system:node:k1-pool-az-a-75cf6c85cf-h6bpn   Pending
csr-flqd4   6m32s   system:bootstrap:oszbfi                     Approved,Issued
csr-tz7tx   7m7s    system:bootstrap:oszbfi                     Approved,Issued
csr-wbq8n   9m45s   system:node:k1-control-plane-1              Approved,Issued
csr-z5sqm   3m35s   system:bootstrap:fqdtlp                     Approved,Issued

Attached you will find logs and current object states to determine the error. My guess is the following error:

I0628 17:31:35.991471       1 node_csr_approver.go:109] Skipping reconciling CSR 'csr-z5sqm' because CSR object is not valid: username must have the 'system:node:' prefix

machinecontroller.pod.log
machinecontroller.describe.log

csr.output.yaml.log

[xmudrii]

The root of the issue is that the hostname (InternalDNSName) on the Machine object is empty for some reason. I had no time to investigate why this happens, but I'll try to find out once I have some more time.

[toschneck]

can confirm seams to work now