This repository has been archived by the owner on Feb 5, 2020. It is now read-only.
Fix external etcd with TLS #2969
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Can one of the admins verify this patch? |
1 similar comment
|
Can one of the admins verify this patch? |
|
Hey @lblackstone. We need to resync the track-1 branch to the 1.8.7 branch. This will happen once we ship the release (any day now). So you may need to do some rebasing once that happens. Sorry for the inconvenience. We'll keep you posted. |
lblackstone
force-pushed
the
external-etcd-tls
branch
from
c73988d
to
d2d17f4
Compare
|
Rebased on track-1 with 1.8.7 changes merged in |
added 6 commits
March 12, 2018 09:16
Recent versions of sshd already set `UsePrivilegeSeparation sandbox` by default, and this option is deprecated.
The dropin file for the etcd-member service was inadvertently overwriting the existing RKT_RUN_ARGS set in the service unit file. This prevented the uuid-file-save from being set, which then prevented the service from being restarted correctly on reboot, etc.
The conditional check for self-hosted etcd was not handling the disabled case correctly (using external etcd).
The required TLS assets were not being copied to the location expected by the control plane manifests, so external etcd was not working if tectonic_etcd_tls_enabled was true.
The coreos-metadata service was failing to restart correctly on reboot, preventing the etcd-member service from restarting. It doesn't look like the etcd-member service was actually using metadata, and disabling the service appears to fix the problem.
TLS certs for etcd are generated based on this variable. Previously, this was using the bare IP addresses rather than DNS names, which is less robust, and was causing TLS failures for external etcd.
lblackstone
force-pushed
the
external-etcd-tls
branch
from
d2d17f4
to
45b7c61
Compare
|
@squat Can these be reviewed now? Looks like the 1.8.7 sync may be done now? |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #2841
This series of changes fixes external etcd with TLS enabled for the OpenStack platform (and possibly other platforms). I tested both self-hosted and external etcd + TLS successfully on OpenStack.
Note that external etcd with TLS is also broken on the master branch, so the relevant fixes should probably be cherry-picked after this merges.
/cc @squat