-
Notifications
You must be signed in to change notification settings - Fork 38.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
kubeadm: cleanup upgrade from no-TLS etcd to TLS etcd #71740
Merged
k8s-ci-robot
merged 1 commit into
kubernetes:master
from
yuexiao-wang:cleanup-upgrad-etcd
Dec 6, 2018
Merged
Changes from all commits
Commits
File filter
Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -165,28 +165,27 @@ func (spm *KubeStaticPodPathManager) CleanupDirs() error { | |
return nil | ||
} | ||
|
||
func upgradeComponent(component string, waiter apiclient.Waiter, pathMgr StaticPodPathManager, cfg *kubeadmapi.InitConfiguration, beforePodHash string, recoverManifests map[string]string, isTLSUpgrade bool) error { | ||
func upgradeComponent(component string, waiter apiclient.Waiter, pathMgr StaticPodPathManager, cfg *kubeadmapi.InitConfiguration, beforePodHash string, recoverManifests map[string]string) error { | ||
// Special treatment is required for etcd case, when rollbackOldManifests should roll back etcd | ||
// manifests only for the case when component is Etcd | ||
recoverEtcd := false | ||
waitForComponentRestart := true | ||
if component == constants.Etcd { | ||
recoverEtcd = true | ||
} | ||
if isTLSUpgrade { | ||
// We currently depend on getting the Etcd mirror Pod hash from the KubeAPIServer; | ||
// Upgrading the Etcd protocol takes down the apiserver, so we can't verify component restarts if we restart Etcd independently. | ||
// Skip waiting for Etcd to restart and immediately move on to updating the apiserver. | ||
if component == constants.Etcd { | ||
waitForComponentRestart = false | ||
} | ||
// Normally, if an Etcd upgrade is successful, but the apiserver upgrade fails, Etcd is not rolled back. | ||
// In the case of a TLS upgrade, the old KubeAPIServer config is incompatible with the new Etcd confg, so we rollback Etcd | ||
// if the APIServer upgrade fails. | ||
if component == constants.KubeAPIServer { | ||
recoverEtcd = true | ||
fmt.Printf("[upgrade/staticpods] The %s manifest will be restored if component %q fails to upgrade\n", constants.Etcd, component) | ||
} | ||
|
||
// We currently depend on getting the Etcd mirror Pod hash from the KubeAPIServer; | ||
// Upgrading the Etcd protocol takes down the apiserver, so we can't verify component restarts if we restart Etcd independently. | ||
// Skip waiting for Etcd to restart and immediately move on to updating the apiserver. | ||
if component == constants.Etcd { | ||
waitForComponentRestart = false | ||
} | ||
// Normally, if an Etcd upgrade is successful, but the apiserver upgrade fails, Etcd is not rolled back. | ||
// In the case of a TLS upgrade, the old KubeAPIServer config is incompatible with the new Etcd confg, so we rollback Etcd | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Same here for the if and for the |
||
// if the APIServer upgrade fails. | ||
if component == constants.KubeAPIServer { | ||
recoverEtcd = true | ||
fmt.Printf("[upgrade/staticpods] The %s manifest will be restored if component %q fails to upgrade\n", constants.Etcd, component) | ||
} | ||
|
||
if err := renewCerts(cfg, component); err != nil { | ||
|
@@ -252,7 +251,7 @@ func upgradeComponent(component string, waiter apiclient.Waiter, pathMgr StaticP | |
} | ||
|
||
// performEtcdStaticPodUpgrade performs upgrade of etcd, it returns bool which indicates fatal error or not and the actual error. | ||
func performEtcdStaticPodUpgrade(client clientset.Interface, waiter apiclient.Waiter, pathMgr StaticPodPathManager, cfg *kubeadmapi.InitConfiguration, recoverManifests map[string]string, isTLSUpgrade bool, oldEtcdClient, newEtcdClient etcdutil.ClusterInterrogator) (bool, error) { | ||
func performEtcdStaticPodUpgrade(client clientset.Interface, waiter apiclient.Waiter, pathMgr StaticPodPathManager, cfg *kubeadmapi.InitConfiguration, recoverManifests map[string]string, oldEtcdClient, newEtcdClient etcdutil.ClusterInterrogator) (bool, error) { | ||
// Add etcd static pod spec only if external etcd is not configured | ||
if cfg.Etcd.External != nil { | ||
return false, errors.New("external etcd detected, won't try to change any etcd state") | ||
|
@@ -313,20 +312,18 @@ func performEtcdStaticPodUpgrade(client clientset.Interface, waiter apiclient.Wa | |
} | ||
|
||
// Waiter configurations for checking etcd status | ||
// If we are upgrading TLS we need to wait for old static pod to be removed. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The case if we are upgrading TLS doesn't exist anymore so pod restart delay IMO should go away |
||
// This is needed because we are not able to currently verify that the static pod | ||
// has been updated through the apiserver across an etcd TLS upgrade. | ||
// This value is arbitrary but seems to be long enough in manual testing. | ||
noDelay := 0 * time.Second | ||
podRestartDelay := noDelay | ||
if isTLSUpgrade { | ||
// If we are upgrading TLS we need to wait for old static pod to be removed. | ||
// This is needed because we are not able to currently verify that the static pod | ||
// has been updated through the apiserver across an etcd TLS upgrade. | ||
// This value is arbitrary but seems to be long enough in manual testing. | ||
podRestartDelay = 30 * time.Second | ||
} | ||
podRestartDelay := 30 * time.Second | ||
|
||
retries := 10 | ||
retryInterval := 15 * time.Second | ||
|
||
// Perform etcd upgrade using common to all control plane components function | ||
if err := upgradeComponent(constants.Etcd, waiter, pathMgr, cfg, beforeEtcdPodHash, recoverManifests, isTLSUpgrade); err != nil { | ||
if err := upgradeComponent(constants.Etcd, waiter, pathMgr, cfg, beforeEtcdPodHash, recoverManifests); err != nil { | ||
fmt.Printf("[upgrade/etcd] Failed to upgrade etcd: %v\n", err) | ||
// Since upgrade component failed, the old etcd manifest has either been restored or was never touched | ||
// Now we need to check the health of etcd cluster if it is up with old manifest | ||
|
@@ -404,7 +401,6 @@ func performEtcdStaticPodUpgrade(client clientset.Interface, waiter apiclient.Wa | |
// StaticPodControlPlane upgrades a static pod-hosted control plane | ||
func StaticPodControlPlane(client clientset.Interface, waiter apiclient.Waiter, pathMgr StaticPodPathManager, cfg *kubeadmapi.InitConfiguration, etcdUpgrade bool, oldEtcdClient, newEtcdClient etcdutil.ClusterInterrogator) error { | ||
recoverManifests := map[string]string{} | ||
var isTLSUpgrade bool | ||
var isExternalEtcd bool | ||
|
||
beforePodHashMap, err := waiter.WaitForStaticPodControlPlaneHashes(cfg.NodeRegistration.Name) | ||
|
@@ -442,16 +438,11 @@ func StaticPodControlPlane(client clientset.Interface, waiter apiclient.Waiter, | |
|
||
// etcd upgrade is done prior to other control plane components | ||
if !isExternalEtcd && etcdUpgrade { | ||
previousEtcdHasTLS := oldEtcdClient.HasTLS() | ||
|
||
// set the TLS upgrade flag for all components | ||
isTLSUpgrade = !previousEtcdHasTLS | ||
if isTLSUpgrade { | ||
fmt.Printf("[upgrade/etcd] Upgrading to TLS for %s\n", constants.Etcd) | ||
} | ||
fmt.Printf("[upgrade/etcd] Upgrading to TLS for %s\n", constants.Etcd) | ||
|
||
// Perform etcd upgrade using common to all control plane components function | ||
fatal, err := performEtcdStaticPodUpgrade(client, waiter, pathMgr, cfg, recoverManifests, isTLSUpgrade, oldEtcdClient, newEtcdClient) | ||
fatal, err := performEtcdStaticPodUpgrade(client, waiter, pathMgr, cfg, recoverManifests, oldEtcdClient, newEtcdClient) | ||
if err != nil { | ||
if fatal { | ||
return err | ||
|
@@ -468,7 +459,7 @@ func StaticPodControlPlane(client clientset.Interface, waiter apiclient.Waiter, | |
} | ||
|
||
for _, component := range constants.MasterComponents { | ||
if err = upgradeComponent(component, waiter, pathMgr, cfg, beforePodHashMap[component], recoverManifests, isTLSUpgrade); err != nil { | ||
if err = upgradeComponent(component, waiter, pathMgr, cfg, beforePodHashMap[component], recoverManifests); err != nil { | ||
return err | ||
} | ||
} | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
All the code under to old``if isTLSUpgrade` should go away.
The case "upgrading the etcd protocol" doesn't exist anymore, so probably also the
waitForComponentUpgrade
should go away (this last point should be double checked)