Simultaneously started K3s servers may race to create CA certificates when using external SQL #7185

Closed
brandond opened this issue Mar 30, 2023 · 2 comments

@brandond
Contributor

Opening this to fix the issues described at:

We could probably handle this better on the K3s side by having the nodes do some sort of "check/lock/check" step by pre-creating the bootstrap key prior to creating all the CA certs on disk. This would ensure that they don't both create the CA certs, and then blow up when trying to write them into the datastore when the second node finds out that the first node created the bootstrap key while it was preparing to do so.

@brandond brandond added this to the v1.26.4+k3s1 milestone Mar 30, 2023
@brandond brandond changed the title from "Simultaneously started K3s servers may race to create CA certificates" to "Simultaneously started K3s servers may race to create CA certificates when using external SQL" Mar 30, 2023
@brandond brandond self-assigned this Apr 4, 2023
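The race and the "check/lock/check" fix described in the issue, as an added Go example that is not K3s code and does not use K3s's real datastore layout: a `sync.Map` with `LoadOrStore` stands in for the external SQL datastore's atomic create-if-absent, the key names `/bootstrap/lock` and `/bootstrap/server-ca` are constructed for the example, and the "CA" is reduced to freshly generated ECDSA key material. `RaceNaive` replays the reported interleaving (both servers generate before either publishes, so one publish fails and that server keeps a CA the rest of the cluster never trusts); `RunClaimFirst` starts several servers at once with the claim-first sequence, so exactly one CA is generated and every server ends up holding it.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"sync"
	"sync/atomic"
	"time"
)

// Constructed key names for this example; not K3s's real datastore layout.
const lockKey, caKey = "/bootstrap/lock", "/bootstrap/server-ca"

// sync.Map.LoadOrStore stands in for the datastore's atomic create-if-absent (an INSERT
// that fails on a duplicate primary key): exactly one caller can win a given key.
func createIfAbsent(ds *sync.Map, key string, val []byte) bool {
	_, loaded := ds.LoadOrStore(key, val)
	return !loaded
}

// newCAKeyPEM mints fresh ECDSA CA key material, as each server would do on its own disk.
func newCAKeyPEM() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	der, _ := x509.MarshalECPrivateKey(key) // cannot fail for a key GenerateKey just produced
	return pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: der}), nil
}

// RaceNaive replays the reported interleaving: both servers generate a CA before either
// publishes, so the second publish fails and that server keeps a CA nobody else trusts.
func RaceNaive() (generated, publishFailures int, err error) {
	var ds sync.Map
	var cas [][]byte
	for i := 0; i < 2; i++ { // both servers finish generating ...
		ca, e := newCAKeyPEM()
		if e != nil {
			return 0, 0, e
		}
		cas = append(cas, ca)
		generated++
	}
	for _, ca := range cas { // ... before either one publishes
		if !createIfAbsent(&ds, caKey, ca) {
			publishFailures++
		}
	}
	return generated, publishFailures, nil
}

// bootstrapClaimFirst is the check/lock/check sequence: claim the lock key first, and only
// the winner generates and publishes a CA; losers wait for it and adopt it unchanged.
func bootstrapClaimFirst(ds *sync.Map, node string, generated *int32) ([]byte, error) {
	if createIfAbsent(ds, lockKey, []byte(node)) {
		ca, err := newCAKeyPEM()
		if err != nil {
			return nil, err
		}
		atomic.AddInt32(generated, 1)
		createIfAbsent(ds, caKey, ca) // the lock winner is the only writer of this key
		return ca, nil
	}
	for deadline := time.Now().Add(5 * time.Second); time.Now().Before(deadline); {
		if v, ok := ds.Load(caKey); ok {
			return v.([]byte), nil
		}
		time.Sleep(2 * time.Millisecond)
	}
	return nil, errors.New(node + ": timed out waiting for the bootstrap CA")
}

// RunClaimFirst starts n servers at once against one datastore and reports how many CAs
// were generated and whether every server ended up holding the identical one.
func RunClaimFirst(n int) (generated int32, allSame bool, err error) {
	var ds sync.Map
	results, errs := make([][]byte, n), make([]error, n)
	var wg sync.WaitGroup
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func(i int) {
			defer wg.Done()
			results[i], errs[i] = bootstrapClaimFirst(&ds, fmt.Sprintf("server-%d", i), &generated)
		}(i)
	}
	wg.Wait()
	allSame = true
	for i := range results {
		if errs[i] != nil {
			return generated, false, errs[i]
		}
		allSame = allSame && bytes.Equal(results[i], results[0])
	}
	return generated, allSame, nil
}
```

The essential property is that the lock claim happens before any CA material exists on disk: a server that loses the claim has nothing local to discard, so the "certificate signed by unknown authority" condition from the report cannot arise. Against a real SQL datastore the same shape holds, with the create-if-absent implemented as an insert that the database rejects on a duplicate key.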
@ShylajaDevadiga
Contributor

## Environment Details
VERSION=v1.26.3+k3s1
COMMIT=

Infrastructure

  • Cloud
  • Hosted

Node(s) CPU architecture, OS, and version:

Linux 5.4.0-1009-aws x86_64 GNU/Linux
PRETTY_NAME="Ubuntu 20.04 LTS"

Cluster Configuration:
Multi node cluster

Config.yaml:

```yaml
write-kubeconfig-mode: "0644"
tls-san:
  - <public ip>
token: <TOKEN>
datastore-endpoint: <mydb>
```

```
NAME               STATUS   ROLES                  AGE     VERSION
ip-<REDACTED>58     Ready    control-plane,master   4m41s   v1.26.3+k3s1
ip-<REDACTED>56    Ready    <none>                 6m39s   v1.26.3+k3s1
ip-<REDACTED>74    Ready    control-plane,master   6m40s   v1.26.3+k3s1
ip-<REDACTED>1     Ready    control-plane,master   6m38s   v1.26.3+k3s1
ip-<REDACTED>115   Ready    control-plane,master   6m32s   v1.26.3+k3s1
ip-<REDACTED>9    Ready    control-plane,master   5m53s   v1.26.3+k3s1
```

Results from reproducing the issue

```
$ journalctl -u k3s|grep ECDSA  |grep -i Unable
Apr 11 23:30:01 ip-<REDACTED> k3s[15490]: time="2023-04-11T23:30:01Z" level=warning msg="unable to verify existing certificate: x509: certificate signed by unknown authority (possibly because of \"x509: ECDSA verification failure\" while trying to verify candidate authority certificate \"k3s-server-ca@1681255795\") - signing operation may change certificate issuer"
ubuntu@ip-172-31-3-28:~$
```

@ShylajaDevadiga ShylajaDevadiga self-assigned this Apr 12, 2023
@ShylajaDevadiga
Contributor

Validated on k3s v1.26.4-rc1+k3s1 with the above config, using MySQL as the external DB on a multi-node cluster.

```
$ kubectl get nodes
NAME               STATUS   ROLES                  AGE    VERSION
ip-<REDACTED>-21    Ready    <none>                 9m6s   v1.26.4-rc1+k3s1
ip-<REDACTED>-214    Ready    control-plane,master   12m    v1.26.4-rc1+k3s1
ip-<REDACTED>-30    Ready    control-plane,master   11m    v1.26.4-rc1+k3s1
ip-<REDACTED>-94     Ready    control-plane,master   11m    v1.26.4-rc1+k3s1
ip-<REDACTED>-27     Ready    control-plane,master   11m    v1.26.4-rc1+k3s1
ip-<REDACTED>-55    Ready    control-plane,master   11m    v1.26.4-rc1+k3s1
ip-<REDACTED>-239    Ready    control-plane,master   11m    v1.26.4-rc1+k3s1
$ journalctl -u k3s|grep ECDSA  |grep -i Unable
$
```
