New experimental-upload-certs flag handling of external etcd certs #1472

Closed
krisdock opened this issue Mar 28, 2019 · 4 comments
Labels
area/HA kind/bug Categorizes issue or PR as related to a bug. lifecycle/active Indicates that an issue or PR is actively being worked on by a contributor. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release.

@krisdock

What keywords did you search in kubeadm issues before filing this one?

experimental
external etcd

Is this a BUG REPORT or FEATURE REQUEST?

Choose one: BUG REPORT

Versions

kubeadm version (use kubeadm version): 1.14

Environment:

  • Kubernetes version (use kubectl version): 1.14
  • Cloud provider or hardware configuration: GCE nodes
  • OS (e.g. from /etc/os-release): CentOS Linux release 7.6.1810 (Core)
  • Kernel (e.g. uname -a): 3.10.0-957.5.1.el7.x86_64
  • Others:

What happened?

I have a cluster utilizing an external etcd cluster. I attempted to add a second control plane node with the --certificate-key flag. The join fails with:

[preflight] Running pre-flight checks before initializing the new control plane instance
	[WARNING ExternalEtcdClientCertificates]: /etc/kubernetes/pki/etcd/ca.crt doesn't exist
	[WARNING ExternalEtcdClientCertificates]: /etc/kubernetes/pki/apiserver-etcd-client.crt doesn't exist
	[WARNING ExternalEtcdClientCertificates]: /etc/kubernetes/pki/apiserver-etcd-client.key doesn't exist
error execution phase preflight: [preflight] Some fatal errors occurred:
	[ERROR ExternalEtcdVersion]: couldn't load external etcd's server certificate /etc/kubernetes/pki/etcd/ca.crt: open /etc/kubernetes/pki/etcd/ca.crt: no such file or directory

If I skip the ExternalEtcdClientCertificates and ExternalEtcdVersion preflight checks, the join works and the external etcd certs/keys are properly copied over.

What you expected to happen?

I shouldn't have to skip those checks if using the new experimental-upload-certs and cert-key flags/features.

How to reproduce it (as minimally and precisely as possible)?

Init a cluster with the --experimental-upload-certs flag that is using an external etcd cluster, then use the control plane join command from the output to try to join another control plane node.

Anything else we need to know?
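
When the two preflight checks are skipped as described in the report, the copied files can be checked by hand once the join has finished. The function below is an added example, not kubeadm code and not part of the original issue; the default directory and the three file names are the paths from the preflight output above, while the function name and the output labels are made up for illustration.

```shell
#!/bin/sh
# Added example (not kubeadm code): post-join sanity check of the external
# etcd client credentials. File paths are the ones in the preflight output.
# Usage: check_external_etcd_certs [PKI_DIR]   -> returns 0 when all checks pass
check_external_etcd_certs() {
    pki="${1:-/etc/kubernetes/pki}"
    ca="$pki/etcd/ca.crt"
    crt="$pki/apiserver-etcd-client.crt"
    key="$pki/apiserver-etcd-client.key"
    rc=0

    # 1. Presence: the files the preflight warnings reported as missing.
    for f in "$ca" "$crt" "$key"; do
        if [ ! -s "$f" ]; then
            echo "MISSING $f"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] || return 1

    # 2. The private key must not be accessible to group or others.
    perms=$(ls -lL "$key" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "PERMS $key is accessible to group/others"
        rc=1
    fi

    # 3. The client certificate must chain to the etcd CA.
    if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "CHAIN $crt does not verify against $ca"
        rc=1
    fi

    # 4. Certificate and key must be a pair: compare their public keys.
    pub_crt=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    pub_key=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$pub_crt" ] || [ "$pub_crt" != "$pub_key" ]; then
        echo "PAIR $crt and $key do not match"
        rc=1
    fi

    return "$rc"
}
```

Run it on the newly joined control plane node as a user that can read the key; each failed check prints one labelled line and the function returns non-zero.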

@fabriziopandini
Member

/assign

@neolit123 neolit123 added kind/bug Categorizes issue or PR as related to a bug. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. area/HA labels Mar 28, 2019
@neolit123 neolit123 modified the milestones: v1.15, v1.14 Mar 28, 2019
@fabriziopandini
Member

/lifecycle active

@k8s-ci-robot k8s-ci-robot added the lifecycle/active Indicates that an issue or PR is actively being worked on by a contributor. label Mar 28, 2019
@fabriziopandini
Member

/close
fixed on master; cherry pick for v1.14 kubernetes/kubernetes#75851

@k8s-ci-robot
Contributor

@fabriziopandini: Closing this issue.
