After the SSH reboot step, OKDAddNodeScore now polls the cluster every
5s (up to 15min) until the new Node reports Ready, approving any
pending kubelet CSRs that come up in the meantime. This closes the
last manual step for Day-2 control-plane adds — previously the score's
success footer told the operator to go run `oc adm certificate
approve` themselves.

Two CSR primitives on K8sClient (new harmony-k8s/src/csr.rs):

- list_pending_kubelet_csrs(): CSRs whose signer is kubelet-serving
  or kube-apiserver-client-kubelet AND whose status carries no
  Approved/Denied condition yet.
- approve_csr(name, reason, message): PATCH /approval with an
  Approved=True condition via kube-rs' Api::patch_approval.

The score's approval loop checks Ready *first* each iteration so a
stray CSR appearing after the node is healthy is not approved. CSR
matching:

- kubelet-serving: spec.username == "system:node:<hostname>" (the
  kubelet signs this field itself; trust it).
- kube-apiserver-client-kubelet: every pending one is approved.
  The node identity lives in the embedded CSR PEM's subject CN and
  parsing it would pull a new x509 dep for little gain; a Day-2 add
  is an operator-triggered, single-window operation and this matches
  what `oc adm certificate approve` of the pending set does.

CP success footer now only flags API serving-cert rotation as the
remaining manual step; etcd membership is explicitly noted as
auto-reconciled by cluster-etcd-operator.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
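The pending-CSR filter, the per-signer matching rule and the Ready-first loop iteration described in the commit, as an added example that is not code from the commit or from harmony-k8s. It models the policy over plain structs so it runs offline without kube-rs or a cluster; the struct and field names (Csr, Condition, signer_name, username, conditions) are assumptions chosen to mirror the certificates.k8s.io/v1 CertificateSigningRequest fields, the sample CSRs are constructed, and the full signer-name strings are the standard Kubernetes ones behind the short forms used in the message.

```rust
// Added example, not from the harmony-k8s commit: the CSR selection and
// approval policy from the message, modelled over plain structs so it runs
// offline without kube-rs. Struct/field names are assumed here, chosen to
// mirror certificates.k8s.io/v1 CertificateSigningRequest.

/// Full Kubernetes signer names behind the short forms in the commit text.
pub const KUBELET_SERVING: &str = "kubernetes.io/kubelet-serving";
pub const KUBELET_CLIENT: &str = "kubernetes.io/kube-apiserver-client-kubelet";

#[derive(Debug, Clone, PartialEq)]
pub struct Condition {
    pub kind: String, // "Approved", "Denied", ...
}

#[derive(Debug, Clone)]
pub struct Csr {
    pub name: String,
    pub signer_name: String,
    pub username: String,
    pub conditions: Vec<Condition>,
}

/// Mirrors list_pending_kubelet_csrs(): a kubelet signer, and no Approved or
/// Denied condition recorded yet (a Denied CSR must never be re-approved).
pub fn is_pending_kubelet_csr(csr: &Csr) -> bool {
    let kubelet_signer =
        csr.signer_name == KUBELET_SERVING || csr.signer_name == KUBELET_CLIENT;
    let decided = csr
        .conditions
        .iter()
        .any(|c| c.kind == "Approved" || c.kind == "Denied");
    kubelet_signer && !decided
}

/// The matching rule from the commit: a serving CSR is approved only when its
/// username is system:node:<hostname> for the node being added; every
/// pending client CSR is approved.
pub fn should_approve(csr: &Csr, hostname: &str) -> bool {
    if !is_pending_kubelet_csr(csr) {
        return false;
    }
    match csr.signer_name.as_str() {
        KUBELET_SERVING => csr.username == format!("system:node:{hostname}"),
        KUBELET_CLIENT => true,
        _ => false,
    }
}

/// One iteration of the score's poll loop. Ready is checked first, so once
/// the node is healthy the iteration reports done without approving
/// anything; otherwise it returns the names that would be PATCHed.
pub fn poll_once(node_ready: bool, pending: &[Csr], hostname: &str) -> (bool, Vec<String>) {
    if node_ready {
        return (true, Vec::new());
    }
    let approved = pending
        .iter()
        .filter(|c| should_approve(c, hostname))
        .map(|c| c.name.clone())
        .collect();
    (false, approved)
}

fn csr(name: &str, signer: &str, user: &str, conds: &[&str]) -> Csr {
    Csr {
        name: name.to_string(),
        signer_name: signer.to_string(),
        username: user.to_string(),
        conditions: conds.iter().map(|k| Condition { kind: k.to_string() }).collect(),
    }
}

/// Constructed sample: what a pending listing might hold while adding
/// control-plane node "cp-3".
pub fn sample_csrs() -> Vec<Csr> {
    vec![
        csr("csr-serving-cp3", KUBELET_SERVING, "system:node:cp-3", &[]),
        csr("csr-serving-other", KUBELET_SERVING, "system:node:worker-9", &[]),
        csr(
            "csr-client-bootstrap",
            KUBELET_CLIENT,
            "system:serviceaccount:openshift-machine-config-operator:node-bootstrapper",
            &[],
        ),
        csr("csr-already-approved", KUBELET_SERVING, "system:node:cp-3", &["Approved"]),
        csr("csr-denied", KUBELET_SERVING, "system:node:cp-3", &["Denied"]),
        csr("csr-unrelated-signer", "kubernetes.io/kube-apiserver-client", "alice", &[]),
    ]
}

fn main() {
    let pending = sample_csrs();
    let (done, names) = poll_once(false, &pending, "cp-3");
    println!("node not Ready: done={done}, would approve {names:?}");
    let (done, names) = poll_once(true, &pending, "cp-3");
    println!("node Ready: done={done}, would approve {names:?}");
}
```

With the node not yet Ready, only csr-serving-cp3 (username matches the node being added) and csr-client-bootstrap (client signer, approved wholesale) are selected; the serving CSR for a different node, the already-approved and denied ones, and the non-kubelet signer are all left alone. Once Ready is observed the same iteration returns done with an empty approval list.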