Bug 1684206

Summary: Make the etcd signer available in cluster
Product: OpenShift Container Platform Reporter: Derek Carr <decarr>
Component: InstallerAssignee: Abhinav Dahiya <adahiya>
Installer sub component: openshift-installer QA Contact: ge liu <geliu>
Status: CLOSED ERRATA Docs Contact:
Severity: urgent    
Priority: urgent CC: bleanhar, decarr, geliu, wking, wsun
Version: 4.1.0   
Target Milestone: ---   
Target Release: 4.1.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-04 10:44:51 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Derek Carr 2019-02-28 17:35:34 UTC 
Description of problem:

The etcd signer is not available after the bootstrap node is destroyed.

Expected results:

Required for disaster recovery.
Comment 1 W. Trevor King 2019-03-05 18:30:43 UTC 
I have no problem with getting the signer image into the release payload for 4.0.0, but I'm very sceptical about actually wiring it up to run.  Will that just happen via docs and admin intervention?  If etcd is broken, does it matter if the signer was part of the release payload or not?  You certainly don't want it running during regular operations, and allowing anyone who wants access into the etcd cluster (or maybe it is doing some client authentication, I dunno).
Comment 2 W. Trevor King 2019-03-05 18:36:07 UTC 
Also in this space: https://github.com/coreos/kubecsr/pull/19
Comment 3 Brenton Leanhardt 2019-03-06 14:51:35 UTC 
I think it's fair to say human intervention is required today in a DR scenario (I'm sure Derek will correct me if I'm wrong about this).  I imagining one benefit of getting it to the release image (aside from consistency) is that it's important for disconnected installs.
Comment 4 Alex Crawford 2019-03-07 17:52:10 UTC 
Pull request is in-flight here: https://github.com/openshift/installer/pull/1363

This does not add the signer, but instead adds the CA.
Comment 5 W. Trevor King 2019-03-07 20:21:38 UTC 
> This does not add the signer, but instead adds the CA.

Wouldn't we want both the signer and the CA?  I think we're going to need the signer referenced from the release image for disconnected installs anyway.
Comment 7 Scott Dodson 2019-04-02 20:42:52 UTC 
kube-system namespace should contain configmaps named
etcd-signer-client, etcd-signer, etcd-ca-bundle, and etcd-client-ca-deprecated which can be used to sign certificates for additional etcd members during disaster recovery operations
Comment 8 Wei Sun 2019-04-10 03:18:17 UTC 
Please check if it could be verified.
Comment 9 ge liu 2019-04-10 12:08:21 UTC 
I Will Verify it after Bug 1698456 fixed.
Comment 10 ge liu 2019-04-19 02:39:17 UTC 
Verified it, etcd signer is valid in disaster recovery(tested with etcd leader crashed)
Comment 12 errata-xmlrpc 2019-06-04 10:44:51 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0758