kubeadm: When etcd is listening on all interfaces, set the etcd probe to use loopback #64670
Conversation
/lgtm
@@ -254,6 +254,12 @@ func GetProbeAddress(cfg *kubeadmapi.MasterConfiguration, componentName string) | |||
} | |||
// Return the IP if the URL contains an address instead of a name. | |||
if ip := net.ParseIP(parsedURL.Hostname()); ip != nil { | |||
// etcdctl doesn't support auto-converting zero addresses into loopback addresses | |||
if ip.Equal(net.IPv4zero) || ip.Equal(net.IPv6zero) { | |||
return "127.0.0.1" |
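Review bot: the `return "127.0.0.1"` branch is taken for `net.IPv6zero` as well as `net.IPv4zero`, so an etcd that listens on the IPv6 unspecified address gets an IPv4 loopback probe, which cannot succeed on an IPv6-only node or against a serving certificate whose SANs carry no IPv4 loopback. The comment above says etcdctl does not convert zero addresses, but that does not require the probe to change address family: return `::1` when `ip.Equal(net.IPv6zero)`, have the caller wrap the result in square brackets, and add `::1` to the etcd serving cert SANs; if the IPv4 fallback is kept on purpose, the comment should name the etcdctl limitation and the version in which it was observed.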
if we are in IPv6 configuration, better to use IPv6 loopback.
This is intentional.
IPv6 endpoints don't work /w etcdctl.
I couldn't find an upstream bug -- perhaps we should file one.
this is commented in the line below
So, I tested this locally and using `::1` appears to work for etcdctl v3.1.12.
When testing, I had originally just modified the etcd manifest for a kubectl-based install, but neglected to update the certificate to add the IPv6 loopback address and was seeing this error: `Error: grpc: timed out when dialing`. Once I updated the etcd server certificate to include `::1` I was able to use etcdctl with `--endpoints https://[::1]:2379` without an issue.
@stealthybox We should probably update `GetEtcdAltNames()` in pki_helpers.go to add the IPv6 loopback address by default as well.
@detiber Ah, that's totally the issue.
I really struggled to determine what was wrong since it seems they removed the `--debug` flag.
I'll fix this.
@stealthybox I ended up figuring it out by using etcdctl v3.2.x and using the `--debug` flag 🤣
- --data-dir=/var/lib/etcd | ||
- --peer-key-file=/etc/kubernetes/pki/etcd/peer.key | ||
- --peer-trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt | ||
- --listen-client-urls=https://[::0:0]:2379 |
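Review bot: the `[::0:0]` spelling on the `--listen-client-urls` line is a valid but non-canonical form of the IPv6 unspecified address, and a reader of this fixture will be tempted to "fix" it to `[::]`. If it is deliberate, to make sure the probe-address code goes through `net.ParseIP` rather than a string match on `::`, say so in a comment next to the line, and add a second fixture with the canonical `https://[::]:2379` so the common case is covered as well as the edge case.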
https://[::]:2379
This is also intentional.
It forces us to use `net.ParseIP()` because these are all equivalent:
0:0:0:0:0:0:0:0
::0:0:0:0:0
::0:0
::0
::
I understand that those are equivalent, but what is the reason behind that particular notation?
It prevents code that just does a string match on `::` or `::0` instead of parsing the IP and doing real equivalence.
If you'd like I can expand the test cases, but I figured that if I just add one, I should pick an edge case.
Please fix @kad's comments
/approve
Please fix comment and @detiber - please weigh in too for lgtm.
Thanks for the review @kad 👍 -- weighed in on the comments.
lgtm, but would like to see the use of the IPv6 loopback in the healthcheck when the IPv6 unspecified address is provided.
/priority important-soon
Is this priority ok? Please alter if you disagree (need one for the bot).
Also needs a kind/ label.
/kind bug
There are multiple priority labels on this PR. The milestone maintainer is expecting exactly 1.
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: dixudx, stealthybox, timothysc.
/retest
/test all [submit-queue is verifying that this PR is safe to merge]
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here.
What this PR does / why we need it:
When constructing the etcd liveness probe, if the user passes an IPv4 or IPv6 address, we set the `etcdctl` liveness probe to use the respective IPv4 or IPv6 loopback address for `--endpoints`. The etcd probe is now always formatted with the https:// protocol and square brackets around the IP (required for IPv6 / compatible with IPv4). `::1` is now also included in the etcd serving cert SAN by default.

/kind bug
/area kubeadm
/area etcd
/priority important-soon
/sig cluster-lifecycle
/assign @fabriziopandini
Which issue(s) this PR fixes
Fixes kubernetes/kubeadm#882
Special notes for your reviewer:
Release note:
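The probe-address rule the PR description gives (unspecified listen address becomes the loopback of the same family, always https:// with brackets) and the point raised in the `[::0:0]` discussion (every spelling of the IPv6 unspecified address must be recognised by parsing, not by string match), as one added example. This is illustrative code written for this page, not kubeadm's `GetProbeAddress`; `probeEndpoint` is a hypothetical helper, and the sample URLs are constructed.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
)

// probeEndpoint derives the endpoint an etcd liveness probe should dial from
// the --listen-client-urls value. Hypothetical helper, not kubeadm's own code.
// An unspecified listen address (0.0.0.0 or ::) cannot be dialed, so the probe
// uses the loopback address of the same family; hostnames and concrete IPs
// pass through; the result is always https:// with brackets where needed.
func probeEndpoint(listenURL string) (string, error) {
	u, err := url.Parse(listenURL)
	if err != nil {
		return "", err
	}
	host := u.Hostname()
	port := u.Port()
	if port == "" {
		port = "2379" // etcd's default client port
	}
	if ip := net.ParseIP(host); ip != nil {
		// net.ParseIP canonicalises every spelling of the unspecified address
		// (::, ::0, ::0:0, 0:0:0:0:0:0:0:0), so no string comparison is needed.
		if ip.IsUnspecified() {
			if ip.To4() != nil {
				host = "127.0.0.1"
			} else {
				host = "::1"
			}
		} else {
			host = ip.String()
		}
	}
	// net.JoinHostPort adds the square brackets an IPv6 literal requires.
	return "https://" + net.JoinHostPort(host, port), nil
}

func main() {
	for _, in := range []string{
		"https://[::0:0]:2379", "https://0.0.0.0:2379",
		"https://[fd00::10]:2379", "https://etcd.example.internal:2379",
	} {
		out, err := probeEndpoint(in)
		fmt.Println(in, "->", out, err)
	}
}
```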