Set etcd pod cipher suites per OpenShift 3.10 documentation #9869
…e specified according to the value of openshift_master_cipher_suites (https://bugzilla.redhat.com/show_bug.cgi?id=1623646)
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: bbeaudoin If they are not already assigned, you can assign the PR to them by writing The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
@bbeaudoin: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.
Wouldn't it be much easier to set environment variables in /etc/etcd/etcd.conf?
nit: you could squash the 2 commits into one @bbeaudoin
Agree with @sdodson - mixing conf file and cli params is unmaintainable
Weird, it worked fine here, see #9883, works with Did you use the image from quay.io or registry.access.redhat.com?
I'll do a quick test in my OCP 3.10 cluster. |
@vrutkovs @sdodson I've retested against the solution at Last week the pod was consistently exiting without explanation in the Docker logs and system logs reporting
This week I am unable to reproduce the issue. Checked against #9883, that solution is working. Closing this PR and suggesting we move forward with the solution proposed by @vrutkovs.
As long as the value of the environment variable is quoted it works, here I connect with DES-CBC3-SHA, add the envvar, restart, and show that it fails to handshake afterwards.
It definitely caused the pod to crashloop if the value was unquoted.
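A check a practitioner could run against /etc/etcd/etcd.conf to verify the environment-variable approach discussed above, added here as example code (not part of this PR or of openshift-ansible). It assumes etcd's flag-to-environment mapping, under which `--cipher-suites` is read from `ETCD_CIPHER_SUITES` (the variable name is not stated on this page), requires the value to be quoted as the comments observe, and flags suite names outside a constructed subset of Go's crypto/tls list or containing 3DES, RC4 or NULL.

```python
import re

# Go crypto/tls suite identifiers as used by etcd's --cipher-suites
# (a constructed subset for this example, not the complete Go list).
GO_TLS_SUITES = {
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",  # DES-CBC3-SHA in OpenSSL naming
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
}
WEAK_MARKERS = ("3DES", "RC4", "NULL")
# Assumed variable name (etcd's ETCD_<FLAG> convention); not stated on the page.
LINE_RE = re.compile(r'^\s*ETCD_CIPHER_SUITES\s*=\s*(.*?)\s*$')


def render_etcd_conf_line(suites):
    """Emit the etcd.conf line with the value double-quoted, per the comments above."""
    return 'ETCD_CIPHER_SUITES="%s"' % ",".join(suites)


def check_etcd_conf(conf_text):
    """Return (status, findings) for ETCD_CIPHER_SUITES in an etcd.conf body.

    status is one of: missing, unquoted, unknown, weak, ok.
    """
    findings, raw = [], None
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            raw = m.group(1)  # last assignment wins, as with an EnvironmentFile
    if raw is None:
        return "missing", ["no ETCD_CIPHER_SUITES: Go's default suite list applies"]
    quoted = len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "\"'"
    value = raw[1:-1] if quoted else raw
    suites = [s.strip() for s in value.split(",") if s.strip()]
    status = "ok"
    for s in suites:
        if s not in GO_TLS_SUITES:
            findings.append("unknown suite name: " + s)
            status = "unknown"
        elif any(w in s for w in WEAK_MARKERS):
            findings.append("weak suite whitelisted: " + s)
            status = "weak" if status == "ok" else status
    if not quoted:  # unquoted values crashlooped the pod in the comments above
        findings.append("value is not quoted")
        status = "unquoted"
    return status, findings
```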
Setting the etcd cipher suites does not work as documented (the etcd.yaml does not specify the `--cipher-suites` option and does not read values from `/etc/origin/master/master-config.yaml`). https://docs.openshift.com/container-platform/3.10/install_config/master_node_configuration.html#master-config-tls-cipher
This change converts `files/etcd.yaml` to a template in `templates/etcd.yaml.j2` and appends the correct option to the command entrypoint.
Without this change, the issue described in etcd-io/etcd#8320 still exists as the cipher suite list remains autopopulated by Go without a whitelist. This addresses the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=1623646.