Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Etcd certs: use symlink in kubeadm config #12044

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Etcd certs: use symlink in kubeadm config #12044

wants to merge 1 commit into from

Conversation

ant31
Copy link
Contributor

@ant31 ant31 commented Mar 17, 2025
edited
Loading

What type of PR is this?

/kind bug

What this PR does / why we need it:

kubeadm is fetching the configuration from the cluster instead of reading the file locally.
The configuration must be valid on every nodes, this PR creates symbolic link to the etcd certs and use the symbolic link inside the kubeadm-config.

Introduce a new variable etcd_cert_paths that keep track of the absolute path to certs.

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

External ETCD: create symbolic link to certificates with the same path on every control planes

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/bug Categorizes issue or PR as related to a bug. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Mar 17, 2025
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ant31

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added approved Indicates a PR has been approved by an approver from all required OWNERS files. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Mar 17, 2025
@ant31
Copy link
Contributor Author

ant31 commented Mar 17, 2025

/label ci-extended

@k8s-ci-robot k8s-ci-robot added the ci-extended Run additional tests label Mar 17, 2025
@ant31 ant31 requested a review from VannTen March 17, 2025 10:27
@ant31 ant31 removed the ci-extended Run additional tests label Mar 17, 2025
@ant31
Copy link
Contributor Author

ant31 commented Mar 17, 2025

/ok-to-test

@k8s-ci-robot k8s-ci-robot added the ok-to-test Indicates a non-member PR verified by an org member that is safe to test. label Mar 17, 2025
@ant31 ant31 force-pushed the symlinketcd branch 5 times, most recently from 5988197 to 5ef28e0 Compare March 18, 2025 11:35
VannTen
VannTen reviewed Mar 24, 2025
View reviewed changes
Copy link
Contributor

@VannTen VannTen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry for the delay, I was a bit busy.

And additional thought: When is the kubeadm-config map uploaded exactly ? On first control plane upgrade when using kubeadm upgrade ?

VannTen
VannTen requested changes Mar 26, 2025
View reviewed changes
Copy link
Contributor

@VannTen VannTen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/cherrypick release-2.27
/cherrypick release-2.26

@VannTen VannTen mentioned this pull request Mar 26, 2025
Open
@VannTen
Copy link
Contributor

VannTen commented Mar 26, 2025

/cherrypick release-2.27
/cherrypick release-2.26

Review comments are not taken into account by the cherrypicker apparently...

@k8s-infra-cherrypick-robot
Copy link

@VannTen: once the present PR merges, I will cherry-pick it on top of release-2.26, release-2.27 in new PRs and assign them to you.

In response to this:

/cherrypick release-2.27
/cherrypick release-2.26

Review comments are not taken into account by the cherrypicker apparently...

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@ant31 ant31 force-pushed the symlinketcd branch 2 times, most recently from d608ac8 to dd1b894 Compare March 26, 2025 10:41
@ant31 ant31 requested a review from VannTen March 26, 2025 10:52
@VannTen
Copy link
Contributor

VannTen commented Mar 26, 2025

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 26, 2025
VannTen
VannTen reviewed Mar 26, 2025
View reviewed changes
roles/kubespray-defaults/vars/main.yml
Comment on lines +31 to +34
# Symlinks to etcd certs
kube_etcd_cacert_file: "kube-client-ca.pem"
kube_etcd_cert_file: "kube-client-cert.pem"
kube_etcd_key_file: "kube-client-key.pem"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems to conflict with cilium / calico (with etcd datatstore presumably), given the test results.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes, I'll have to dig a bit more here. maybe need to run the symlink tasks from the calico/cilium roles

Copy link
Member

@chadswen chadswen Mar 28, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes, I'll have to dig a bit more here. maybe need to run the symlink tasks from the calico/cilium roles

Was going to suggest this. Currently calico and cilium both use state: hard instead of state: link, not sure if they need to be hard links, but I'd prefer to convert them to symbolic links (state: link) if possible as symbolic has fewer limitations, such as the ability to create the link under mount paths with destinations backed by different devices.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@chadswen chadswen chadswen left review comments

@VannTen VannTen VannTen requested changes

@mzaian mzaian Awaiting requested review from mzaian

@tico88612 tico88612 Awaiting requested review from tico88612

Assignees

@VannTen VannTen

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@ant31 @k8s-ci-robot @VannTen @k8s-infra-cherrypick-robot @chadswen