data/bootstrap/files/usr/local/bin/bootkube.sh.template: Localhost keys for etcd-signer

Since the pivots to prefer loopback Kube-API access:

* bf59ebf (azure: generate loopback kubeconfig to access API
  locally, 2019-07-17, openshift#2085).
* 82d81d9 (data/data/bootstrap: use loopback kubeconfig for API
  access, 2019-07-24, openshift#2086).
* openshift/cluster-bootstrap@61d1428bea (pkg/start: use loopback
  kubeconfig to talk to API, 2019-07-23,
  openshift/cluster-bootstrap#28).
* possibly more

logs on the bootstrap machine have contained distracting errors like
these reported in [1]:

  $ grep 'not localhost\|etcd-signer' journal-bootstrap.log
  ...
  Aug 20 10:33:56 cnv-qe-08.cnvqe.lab.eng.rdu2.redhat.com podman[8366]: 2019-08-20 10:33:56.090073216 +0000 UTC m=+2.644782091 container start d0dcc42a1335c1224df35a48a279f63f1cb7a03c94de5ebb29e2633e6ee6c429 (image=quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:f20394d571ff9a28aed9366434521d221d8d743a6efe2a3d6c6ad242198a522e, name=etcd-signer)
  Aug 20 10:33:58 cnv-qe-08.cnvqe.lab.eng.rdu2.redhat.com openshift.sh[2867]: error: unable to recognize "./99_kubeadmin-password-secret.yaml": Get https://localhost:6443/api?timeout=32s: x509: certificate is valid for api.bm1.oc4, not localhost
  Aug 20 10:34:01 cnv-qe-08.cnvqe.lab.eng.rdu2.redhat.com approve-csr.sh[2870]: Unable to connect to the server: x509: certificate is valid for api.bm1.oc4, not localhost
  ...
  Aug 20 10:43:55 cnv-qe-08.cnvqe.lab.eng.rdu2.redhat.com openshift.sh[2867]: error: unable to recognize "./99_kubeadmin-password-secret.yaml": Get https://localhost:6443/api?timeout=32s: x509: certificate is valid for api.bm1.oc4, not localhost
  Aug 20 10:43:59 cnv-qe-08.cnvqe.lab.eng.rdu2.redhat.com podman[15272]: 2019-08-20 10:43:59.68789639 +0000 UTC m=+0.188325679 container died d0dcc42a1335c1224df35a48a279f63f1cb7a03c94de5ebb29e2633e6ee6c429 (image=quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:f20394d571ff9a28aed9366434521d221d8d743a6efe2a3d6c6ad242198a522e, name=etcd-signer)
  ...

With this commit, we pass the localhost cert to etcd-signer so we can
form the TLS connection to gracefully say "sorry, I'm not really a
Kube API server".  Fixes [2].

[1]: https://bugzilla.redhat.com/show_bug.cgi?id=1743661
[2]: https://bugzilla.redhat.com/show_bug.cgi?id=1743840
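The failure quoted above is Go's subjectAltName hostname check: the serving certs handed to etcd-signer covered the load-balancer name but not `localhost`, so clients dialing https://localhost:6443 were rejected before any HTTP response. The following is an added example, not code from the installer or from cluster-bootstrap; it generates constructed self-signed fixture certs in memory (the hostname `api.bm1.oc4` is taken from the log, the fixture and the `MissingHosts` helper are assumptions) and reports which of the names a client will dial are not covered by a given cert set, before and after the localhost cert is included.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// selfSignedServingCert builds a constructed self-signed fixture whose SAN lists exactly dnsNames.
func selfSignedServingCert(dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// MissingHosts lists the names in wanted that no cert in certs can serve. VerifyHostname
// is the SAN check behind "x509: certificate is valid for api.bm1.oc4, not localhost".
func MissingHosts(certs []*x509.Certificate, wanted []string) []string {
	var missing []string
next:
	for _, h := range wanted {
		for _, c := range certs {
			if c.VerifyHostname(h) == nil {
				continue next
			}
		}
		missing = append(missing, h)
	}
	return missing
}

func main() {
	lb, _ := selfSignedServingCert([]string{"api.bm1.oc4"})
	fmt.Println(MissingHosts([]*x509.Certificate{lb}, []string{"api.bm1.oc4", "localhost"}))
}
```

Run against the real `--servcrt` files (parsed with `x509.ParseCertificate` from their PEM blocks) the same helper tells you, before the bootstrap scripts ever dial, which of `localhost` and the API names a serving set leaves uncovered.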
wking authored and jhixson74 committed Dec 6, 2019
1 parent afe750f commit 8893c15
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions data/data/bootstrap/files/usr/local/bin/bootkube.sh.template
Expand Up @@ -257,6 +257,8 @@ bootkube_podman_run \
--servkey=/opt/openshift/tls/kube-apiserver-lb-server.key \
--servcrt=/opt/openshift/tls/kube-apiserver-internal-lb-server.crt \
--servkey=/opt/openshift/tls/kube-apiserver-internal-lb-server.key \
--servcrt=/opt/openshift/tls/kube-apiserver-localhost-server.crt \
--servkey=/opt/openshift/tls/kube-apiserver-localhost-server.key \
--address=0.0.0.0:6443 \
--insecure-health-check-address=0.0.0.0:6080 \
--csrdir=/tmp \
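Review bot: the two added lines (kube-apiserver-localhost-server.crt and .key) sit directly after the internal-lb pair, which keeps each --servkey adjacent to the --servcrt it belongs to; assuming etcd-signer pairs the repeated --servcrt/--servkey flags by position, that adjacency is what makes the pairing unambiguous, so any further serving names should be added the same way. Two documentation nits: the commit subject names data/bootstrap/files/usr/local/bin/bootkube.sh.template while the file actually changed is data/data/bootstrap/files/usr/local/bin/bootkube.sh.template, and since the listener stays on --address=0.0.0.0:6443 it would help to state in the message that the localhost cert is only there to complete the handshake for loopback clients and does not change who can reach the signer.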
