There is a slight change starting with OpenShift v3.10 clusters: node certificates are no longer redeployed entirely through the playbooks but through a different mechanism, explained briefly below.
Node certificates are valid for a period of one year. At around 85% of the certificate lifetime the node issues a certificate signing request (CSR) that must be approved before the renewed certificate is issued to the node.
The only certificates renewed through the CSR mechanism are the kubelet (node) certificates. All other certificates, e.g. router, master, API, etcd and docker-registry certificates, are still redeployed through the usual playbooks.
For more details, see the official Red Hat documentation here.
Check here for the renewal of the other SSL certificates.
Note:
If a triggered CSR is not approved, either manually or automatically, the node's current certificate expires at the end of its one-year lifetime. The node can then no longer authenticate to the master (the kubelet reports a pending CSR / certificate validation error) and goes into NotReady state. Since every node renews on the same schedule, this will bring down the entire cluster.
To check whether any CSRs are waiting for approval, use the command below.
$ oc get csr
To view the details of a CSR (in particular the REQUESTOR, which should be the node bootstrapper service account or an existing node identity):
$ oc describe csr csr_name
To approve a CSR manually:
$ oc adm certificate approve csr_name
To approve all pending CSRs at once, use one of the commands below. The first approves every CSR in the cluster, including ones that are not pending and ones from unexpected requestors, so review the output of oc get csr before running it; the second selects only CSRs that have no status yet, i.e. the pending ones.
$ oc get csr -o name | xargs oc adm certificate approve
or
$ oc get csr -o go-template='{{range .items}}{{if not .status}}{{.metadata.name}}{{"\n"}}{{end}}{{end}}' | xargs oc adm certificate approve
Once these CSRs are approved, the renewed certificates are issued and installed on the nodes.
Since this is a manual step, it cannot be the recommended way of running a production cluster; the process of CSR validation and approval should be automated. This can be achieved in one of two ways:
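The bulk approval commands above approve every pending CSR regardless of who requested it. As an added example (not part of the original post), the following script filters "oc get csr" output so that only pending CSRs from the node bootstrapper service account or from an existing node identity are approved. The requestor names (system:serviceaccount:openshift-infra:node-bootstrapper and system:node:<hostname>) and the sample CSR listing are assumptions constructed for this example; check the requestor names on your own cluster with oc describe csr before relying on the pattern.

```shell
#!/bin/sh
# Added example (not from the original post): approve only pending node CSRs
# whose requestor is the node bootstrapper or an existing node identity,
# instead of blindly approving every CSR in the cluster.

# Requestor identities we are willing to approve automatically.
# Assumption: the bootstrap service account is node-bootstrapper in the
# openshift-infra project and node renewals come from system:node:<hostname>.
ALLOWED_REQUESTOR_RE='^(system:serviceaccount:openshift-infra:node-bootstrapper|system:node:[A-Za-z0-9.-]+)$'

# Constructed sample of "oc get csr" output so the example runs offline.
SAMPLE_CSR_LIST='NAME        AGE   REQUESTOR                                                 CONDITION
csr-2m2xk   5m    system:serviceaccount:openshift-infra:node-bootstrapper   Pending
csr-7qfhd   12m   system:node:node1.example.com                             Pending
csr-9dw2p   1h    system:serviceaccount:openshift-infra:node-bootstrapper   Approved,Issued
csr-bad01   3m    system:serviceaccount:default:builder                     Pending'

# pending_csr_names: read "oc get csr" output on stdin and print the NAME of
# every row whose CONDITION is exactly Pending and whose REQUESTOR is allowed.
pending_csr_names() {
    awk -v re="$ALLOWED_REQUESTOR_RE" '
        NR > 1 && $4 == "Pending" && $3 ~ re { print $1 }
    '
}

# approve_pending: run the filter against the live cluster and approve the
# result. DRY_RUN=1 (the default here, so the script is safe to run as-is)
# only prints the approve commands it would execute.
approve_pending() {
    names=$(oc get csr | pending_csr_names)
    [ -n "$names" ] || { echo "no pending node CSRs"; return 0; }
    for n in $names; do
        if [ "${DRY_RUN:-1}" = "1" ]; then
            echo "would run: oc adm certificate approve $n"
        else
            oc adm certificate approve "$n"
        fi
    done
}

# Demonstration on the constructed sample: csr-9dw2p is already issued and
# csr-bad01 comes from an unexpected service account, so only two names print.
printf '%s\n' "$SAMPLE_CSR_LIST" | pending_csr_names
```

To use it against a real cluster, call approve_pending (with DRY_RUN=0 once you are satisfied with the output) from a cron job or a systemd timer on a host with a kubeconfig that has the approve permission; any CSR from a requestor outside the allow-list stays pending for a human to inspect with oc describe csr.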
At the time of installing the cluster
You can configure automatic approval of node CSRs by adding the following parameter to your Ansible inventory file when deploying the cluster.
openshift_master_bootstrap_auto_approve=true
Note: adding this parameter allows all CSRs generated with the bootstrap credential, or from a previously authenticated node with the same hostname, to be approved without any administrator intervention. Anyone holding the bootstrap credential can therefore obtain a node certificate automatically, so protect that credential as you would any other cluster secret.
After the cluster setup
Run the playbook below to enable the parameter "openshift_master_bootstrap_auto_approve=true" on an existing cluster:
$ ansible-playbook -vvv /usr/share/ansible/openshift-ansible/playbooks/openshift-master/enable_bootstrap.yml -e openshift_master_bootstrap_auto_approve=true
This creates the statefulset.apps/bootstrap-autoapprover pod in the openshift-infra project, which takes care of approving node CSRs automatically from then on.
You may also want to look at:
How to Renew SSL Certificate of Your OpenShift Cluster – 3.x