Description of problem:

ETCD_CA_FILE is deprecated and replaced by ETCD_TRUSTED_CA_FILE
ETCD_PEER_CA_FILE is deprecated and replaced by ETCD_PEER_TRUSTED_CA_FILE

```
#[cluster]
ETCD_QUOTA_BACKEND_BYTES=4294967296
#[security]
ETCD_TRUSTED_CA_FILE=/etc/etcd/ca.crt
ETCD_PEER_TRUSTED_CA_FILE=/etc/etcd/ca.crt
ETCD_CLIENT_CERT_AUTH="true"
ETCD_PEER_CERT_AUTH="true"
```

https://coreos.com/etcd/docs/latest/v2/configuration.html#security-flags

Version-Release number of the following components:
3.6 and 3.7 migrate playbooks.

Actual results:
/etc/etcd/etcd.conf is not updated

Expected results:
The following values added:

```
#[cluster]
ETCD_QUOTA_BACKEND_BYTES=4294967296
#[security]
ETCD_TRUSTED_CA_FILE=/etc/etcd/ca.crt
ETCD_PEER_TRUSTED_CA_FILE=/etc/etcd/ca.crt
ETCD_CLIENT_CERT_AUTH="true"
ETCD_PEER_CERT_AUTH="true"
```

The following removed:

```
ETCD_CA_FILE
ETCD_PEER_CA_FILE
```
Is there actually any consequence of not updating them in version 3.2 of etcd? ... as in everything works without error as it is currently, correct?
(In reply to Scott Dodson from comment #1)
> Is there actually any consequence of not updating them in version 3.2 of
> etcd? ... as in everything works without error as it is currently, correct?

Everything works now, but we need to make sure that these values get set. If we leave these unchanged, are you 100% sure that a future update of etcd will not result in issues due to these not getting set? When we do an update or migration we must make sure all installs are configured with the same needed variables. If not, a future update might cause a production outage due to missing this step.
Without setting the following to true

```
ETCD_CLIENT_CERT_AUTH="true"
ETCD_PEER_CLIENT_CERT_AUTH="true"
```

the code defaults to false. Not sure what the impact of this is.

https://github.com/coreos/etcd/blob/master/etcdmain/config.go#L180
https://github.com/coreos/etcd/blob/master/etcdmain/config.go#L187

Also a correction to the above: ETCD_PEER_CERT_AUTH in the comments above should be ETCD_PEER_CLIENT_CERT_AUTH. *The 3.6 and 3.7 installers set this correctly; it's just my typo.
I just tested this by running a plain "yum update" in a 3.5 cluster running etcd 3.1, and it crashed while throwing messages about certificate authority issues (caused by those deprecated variables).

Increasing the priority as we have seen this as well on a customer production environment where the etcd cluster was upgraded from 3.1 to 3.2; as a result the etcd cluster got broken. (As etcd is not included within the "atomic-excluder" package, I'm re-opening BZ 1493034 for this.)
If setting these two variables alleviates the problem then please set them as a workaround for now.

```
ETCD_CLIENT_CERT_AUTH="true"
ETCD_PEER_CLIENT_CERT_AUTH="true"
```
We need to add all of the uncommented variables from https://github.com/openshift/openshift-ansible/commit/7c96c92cc3a71a8d00494b2e177afc3e130a58d4 during upgrades via the lineinfile module, or potentially re-evaluate the template, but that may be risky as the inputs to openshift-ansible may have changed or we may not evaluate all facts.

We should also go ahead and audit 3.3 config file changes and get those in. We have no immediate plans to push customers to upgrade to 3.3, but I imagine we'll roll that out in an errata within the year.
Summarizing: During 3.6 and later upgrades we need to assert that the following configuration lines exist in /etc/etcd/etcd.conf

```
ETCD_CLIENT_CERT_AUTH="true"
ETCD_PEER_CLIENT_CERT_AUTH="true"
ETCD_TRUSTED_CA_FILE=/etc/etcd/ca.crt
ETCD_PEER_TRUSTED_CA_FILE=/etc/etcd/ca.crt
```

Also need to backport the commit in comment 6 to release-3.6 to ensure that new installs of 3.6 get the required configuration items.
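Added worked example (editor's addition, not part of this bug report and not openshift-ansible code): a POSIX shell equivalent of the lineinfile step summarized above, plus a checker an operator can run against /etc/etcd/etcd.conf before and after an upgrade. It renames the deprecated keys (keeping the operator's value), replaces or appends each required line with lineinfile's `regexp`/`line` semantics, and treats a missing key or a value other than true as a failure, because etcd's client-cert-auth and peer-client-cert-auth default to false (the config.go lines linked in comment 3), so a conf without them leaves etcd accepting TLS connections without requiring a client certificate. The required values are the 3.6/3.7 installer defaults quoted in this bug; function names, the demo file contents and the temp-file handling are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not openshift-ansible code. Migrates a legacy etcd.conf
# the way the upgrade playbook is expected to, then verifies the result.

# Required key=value lines from this bug (installer defaults; assumption:
# no line contains whitespace, so plain word splitting is safe).
REQUIRED_LINES='ETCD_QUOTA_BACKEND_BYTES=4294967296 ETCD_CLIENT_CERT_AUTH="true" ETCD_PEER_CLIENT_CERT_AUTH="true" ETCD_TRUSTED_CA_FILE=/etc/etcd/ca.crt ETCD_PEER_TRUSTED_CA_FILE=/etc/etcd/ca.crt'

# unquote VALUE: strip one pair of surrounding double quotes, so that
# ETCD_CLIENT_CERT_AUTH=true and ETCD_CLIENT_CERT_AUTH="true" compare equal.
unquote() {
    v=$1
    v=${v#\"}
    v=${v%\"}
    printf '%s' "$v"
}

# rename_key FILE OLD NEW: if NEW is already set, drop the OLD line;
# otherwise rename OLD to NEW and keep the operator's value.
rename_key() {
    conf=$1; old=$2; new=$3
    tmp="${conf}.tmp.$$"
    if grep -q "^${new}=" "$conf"; then
        grep -v "^${old}=" "$conf" > "$tmp" || true
    else
        sed "s/^${old}=/${new}=/" "$conf" > "$tmp"
    fi
    mv "$tmp" "$conf"
}

# set_key FILE LINE: lineinfile-style; replace an existing KEY=... line
# with LINE, or append LINE when KEY is absent.
set_key() {
    conf=$1; line=$2
    key=${line%%=*}
    tmp="${conf}.tmp.$$"
    if grep -q "^${key}=" "$conf"; then
        sed "s|^${key}=.*|${line}|" "$conf" > "$tmp"
        mv "$tmp" "$conf"
    else
        printf '%s\n' "$line" >> "$conf"
    fi
}

# migrate_etcd_conf FILE: rename deprecated CA keys, then enforce every
# required line.
migrate_etcd_conf() {
    conf=$1
    rename_key "$conf" ETCD_CA_FILE ETCD_TRUSTED_CA_FILE
    rename_key "$conf" ETCD_PEER_CA_FILE ETCD_PEER_TRUSTED_CA_FILE
    for line in $REQUIRED_LINES; do
        set_key "$conf" "$line"
    done
}

# check_etcd_conf FILE: return 0 when no deprecated key remains and every
# required key carries the expected value; otherwise print each problem
# and return 1.
check_etcd_conf() {
    conf=$1; rc=0
    for old in ETCD_CA_FILE ETCD_PEER_CA_FILE; do
        if grep -q "^${old}=" "$conf"; then
            echo "deprecated key still present: $old"; rc=1
        fi
    done
    for line in $REQUIRED_LINES; do
        key=${line%%=*}
        want=$(unquote "${line#*=}")
        have=$(sed -n "s/^${key}=//p" "$conf" | tail -n 1)
        if [ -z "$have" ]; then
            echo "missing: $key"; rc=1
        elif [ "$(unquote "$have")" != "$want" ]; then
            echo "unexpected value: $key=$have (want $want)"; rc=1
        fi
    done
    return $rc
}

# demo: constructed sample conf in the state described in the verification
# steps (deprecated CA keys present, cert-auth keys removed); not a real file.
demo() {
    f=$(mktemp)
    printf '%s\n' '#[member]' 'ETCD_NAME=default' '#[security]' \
        'ETCD_CA_FILE=/etc/etcd/ca.crt' 'ETCD_PEER_CA_FILE=/etc/etcd/ca.crt' > "$f"
    echo "before migration:"; check_etcd_conf "$f" || true
    migrate_etcd_conf "$f"
    echo "after migration:"; check_etcd_conf "$f" && echo "ok"
    rm -f "$f"
}

demo
```

Run it as root against the real file with `migrate_etcd_conf /etc/etcd/etcd.conf && check_etcd_conf /etc/etcd/etcd.conf`, then restart etcd; `check_etcd_conf` alone is a read-only pre-upgrade audit.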
Commit in comment 6 is already backported in [1] so new installs of 3.6 should set the correct values. [1] https://github.com/openshift/openshift-ansible/pull/5424
master: https://github.com/openshift/openshift-ansible/pull/7711
release-3.9: https://github.com/openshift/openshift-ansible/pull/7754
Commit is in build e1f1eda4e1e3938a55a5172d89664facd2ca4ca4
*** Bug 1559876 has been marked as a duplicate of this bug. ***
Verification blocked by bz1566435
Version: openshift-ansible-3.9.24-1.git.0.d0289ea.el7.noarch

Steps:
1. Install OCP v3.7 with etcd-3.1.9.
2. Since etcd.conf is the latest version of the config, edit etcd.conf to change some variables as in the description.

   update:
   ```
   ETCD_CA_FILE=/etc/etcd/ca.crt
   ETCD_PEER_CA_FILE=/etc/etcd/ca.crt
   ```

   remove:
   ```
   ETCD_QUOTA_BACKEND_BYTES=4294967296
   ETCD_CLIENT_CERT_AUTH=true
   ETCD_PEER_CLIENT_CERT_AUTH=true
   ```
3. Restart the etcd service to ensure etcd works well with the updated etcd.conf.
4. Do the upgrade against the above OCP.

Etcd was updated successfully with the etcd config updated:

```
ETCD_QUOTA_BACKEND_BYTES=4294967296
ETCD_CLIENT_CERT_AUTH=true
ETCD_PEER_CLIENT_CERT_AUTH=true
ETCD_TRUSTED_CA_FILE=/etc/etcd/ca.crt
ETCD_PEER_TRUSTED_CA_FILE=/etc/etcd/ca.crt
```