kube-aws: use rkt for decrypt-tls-assets #666
Conversation
colhom
force-pushed
the
rkt-decrypt-tls-assets
branch
from
d865fb3
to
33478d0
Compare
| @@ -137,8 +137,6 @@ coreos: | |||
| [Unit] | |||
| Description=decrypt kubelet tls assets using amazon kms | |||
| Before=kubelet.service | |||
There was a problem hiding this comment.
why leave this? isn't it a noop unless you also have requires?
There was a problem hiding this comment.
[Install]
RequiredBy=kubelet.serviceDependency injection.
There was a problem hiding this comment.
@robszumski also keep in mind that ordering constraints in systemd are entirely decoupled from dependency relationships.
Even in the absence of any explicit Required/RequiredBy (or equivalent) relationship between the two services, If both services were being brought up as dependencies of something else, the Before/After relationships between them would still be applied even though the two services do not depend on each other in any way.
|
\m/ lgtm besides addressing robs comment |
|
I see the confusion between dependencies and ordering dependencies pop up a lot in discussion of systemd units here. @pbx0 @robszumski I highly recommend reading this section on Before/After of the systemd docs carefully. The crux is:
|
|
Understood, SGTM |
|
We have a successful e2e run on this PR, so I'm going to merge it and fix #670 |
fixes #545
My investigation has found (at least on my reproductions) that
kubelet.servicefailing for dependency reasons is caused bydecrypt-tls-assets.serviceexplicitly listing docker a dependency and failing for that reason.I took this opportunity to switch us over to
rktfor decrypting the TLS assets as well.\cc @aaronlevy @robszumski @pbx0 @cgag