kubeadm: When etcd is listening on all interfaces, set the etcd probe to use loopback

[stealthybox]

What this PR does / why we need it:
When constructing the etcd liveness probe, if the user passes an IPv4 or IPv6 address,
we set the etcdctl liveness probe to use the respective IPv4 or IPv6 loopback address for --endpoints.

The etcd probe is now always formatted with the https:// protocol and square brackets around the IP (required for IPv6 / compatible with IPv4).

::1 is now also included in the etcd serving cert SAN by default.

/kind bug
/area kubeadm
/area etcd
/priority important-soon

/sig cluster-lifecycle
/assign @fabriziopandini

Which issue(s) this PR fixes
Fixes kubernetes/kubeadm#882

Special notes for your reviewer:

root@vagrant:~# /vagrant/bin/882_kubeadm init --config /dev/stdin << EOF |& tail -n5
etcd:
  extraArgs:
    listen-client-urls: https://[::]:2379
EOF
I0603 19:52:15.666594   24743 tlsbootstrap.go:50] [bootstraptoken] configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials
I0603 19:52:15.671424   24743 tlsbootstrap.go:72] [bootstraptoken] configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token
I0603 19:52:15.674607   24743 tlsbootstrap.go:95] [bootstraptoken] configured RBAC rules to allow certificate rotation for all node client certificates in the cluster
I0603 19:52:15.677551   24743 clusterinfo.go:43] [bootstraptoken] creating the "cluster-info" ConfigMap in the "kube-public" namespace
[addons] Applied essential addon: CoreDNS
[addons] Applied essential addon: kube-proxy
root@vagrant:~# cat /etc/kubernetes/manifests/etcd.yaml |grep -C4 listen
spec:
  containers:
  - command:
    - etcd
    - --listen-client-urls=https://[::]:2379
    - --advertise-client-urls=https://127.0.0.1:2379
    - --cert-file=/etc/kubernetes/pki/etcd/server.crt
    - --client-cert-auth=true
    - --data-dir=/var/lib/etcd
root@vagrant:~# cat /etc/kubernetes/manifests/etcd.yaml |grep -C4 etcdctl
      exec:
        command:
        - /bin/sh
        - -ec
        - ETCDCTL_API=3 etcdctl --endpoints=https://[::1]:2379 --cacert=/etc/kubernetes/pki/etcd/ca.crt
          --cert=/etc/kubernetes/pki/etcd/healthcheck-client.crt --key=/etc/kubernetes/pki/etcd/healthcheck-client.key
          get foo
      failureThreshold: 8
      initialDelaySeconds: 15

Release note:

kubeadm now configures the etcd liveness probe correctly when etcd is listening on all interfaces

[dixudx]

/lgtm

[kad]

if we are in IPv6 configuration, better to use IPv6 loopback.

[stealthybox]

This is intentional.
IPv6 endpoints don't work /w etcdctl.
I couldn't find an upstream bug -- perhaps we should file one.

[stealthybox]

this is commented in the line below

[detiber]

So, I tested this locally and using ::1 appears to work for etcdctl v3.1.12.

When testing, I had originally just modified the etcd manifest for a kubectl-based install, but neglected to update the certificate to add the ipv6 loopback address and was seeing this error: Error: grpc: timed out when dialing. Once I updated the etcd server certificate to include ::1 I was able to use etcdctl with --endpoints https://[::1]:2379 without an issue.

[detiber]

@stealthybox We should probably update GetEtcdAltNames() in pki_helpers.go to add the ipv6 loopback address by default as well.

[stealthybox]

@detiber Ah, that's totally the issue
I really struggled to determine what was wrong since it seems they removed the --debug flag

I'll fix this

[detiber]

@stealthybox I ended up figuring it out by using etcdctl v3.2.x and using the --debug flag 🤣

[kad]

https://[::]:2379

[stealthybox]

This is also intentional.
It forces us to use net.ParseIP() because these are all equivalent:

0:0:0:0:0:0:0:0
::0:0:0:0:0
::0:0
::0
::

[kad]

I understand that those are equivalent, but what is the reason behind that particular notation ?

[stealthybox]

It prevents code that just does a string match on :: or ::0 instead of parsing the IP and doing real equivalence.

If you'd like I can expand the test cases, but I figured that if I just add one, I should pick an edge case.

[luxas]

Please fix @kad's comments

[timothysc]

/approve

Please fix comment and @detiber - please weigh in too for lgtm.

[stealthybox]

Thanks for the review @kad 👍 -- weighed in on the comments.
Please lmk if we need to clarify more in the code.

[detiber]

lgtm, but would like to see the use of the ipv6 loopback in the healthcheck when the ipv6 unspecified address is provided.

[dims]

/priority important-soon

Is this priority ok? please alter if you disagree (need one for the bot)

[jberkus]

Also needs a kind/ label

/kind bug

[cjwagner]

There are multiple priority labels on this PR. The milestone maintainer is expecting exactly 1.

[stealthybox]

@kad @detiber @dixudx

• added ::1 to the server SAN
• now returning ::1 in the ipv6 unspecified case
• formatted the probes to always use https://[%s]:%d for ipv6 compatibility
• added more tests to cover the v6 parsing cases

PTAL tyvm

[k8s-github-robot]

[MILESTONENOTIFIER] Milestone Pull Request Labels Incomplete

@dixudx @fabriziopandini @stealthybox

Action required: This pull request requires label changes.

priority: Must specify exactly one of priority/critical-urgent, priority/important-longterm or priority/important-soon.

Help

• Additional instructions
• Commands for setting labels

[dixudx]

/lgtm

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dixudx, stealthybox, timothysc

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• cmd/kubeadm/OWNERS [timothysc]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[dixudx]

/retest

[k8s-github-robot]

/test all [submit-queue is verifying that this PR is safe to merge]

[k8s-github-robot]

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here.