Bug 1684206 - Make the etcd signer available in cluster
Summary: Make the etcd signer available in cluster
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 4.1.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.1.0
Assignee: Abhinav Dahiya
QA Contact: ge liu
Depends On:
TreeView+ depends on / blocked
Reported: 2019-02-28 17:35 UTC by Derek Carr
Modified: 2019-06-04 10:44 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-06-04 10:44:51 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:0758 0 None None None 2019-06-04 10:44:57 UTC

Description Derek Carr 2019-02-28 17:35:34 UTC
Description of problem:

The etcd signer is not available after the bootstrap node is destroyed.

Expected results:

Required for disaster recovery.

Comment 1 W. Trevor King 2019-03-05 18:30:43 UTC
I have no problem with getting the signer image into the release payload for 4.0.0, but I'm very sceptical about actually wiring it up to run.  Will that just happen via docs and admin intervention?  If etcd is broken, does it matter if the signer was part of the release payload or not?  You certainly don't want it running during regular operations, and allowing anyone who wants access into the etcd cluster (or maybe it is doing some client authentication, I dunno).

Comment 2 W. Trevor King 2019-03-05 18:36:07 UTC
Also in this space: https://github.com/coreos/kubecsr/pull/19

Comment 3 Brenton Leanhardt 2019-03-06 14:51:35 UTC
I think it's fair to say human intervention is required today in a DR scenario (I'm sure Derek will correct me if I'm wrong about this).  I imagining one benefit of getting it to the release image (aside from consistency) is that it's important for disconnected installs.

Comment 4 Alex Crawford 2019-03-07 17:52:10 UTC
Pull request is in-flight here: https://github.com/openshift/installer/pull/1363

This does not add the signer, but instead adds the CA.

Comment 5 W. Trevor King 2019-03-07 20:21:38 UTC
> This does not add the signer, but instead adds the CA.

Wouldn't we want both the signer and the CA?  I think we're going to need the signer referenced from the release image for disconnected installs anyway.

Comment 7 Scott Dodson 2019-04-02 20:42:52 UTC
kube-system namespace should contain configmaps named
etcd-signer-client, etcd-signer, etcd-ca-bundle, and etcd-client-ca-deprecated which can be used to sign certificates for additional etcd members during disaster recovery operations

Comment 8 Wei Sun 2019-04-10 03:18:17 UTC
Please check if it could be verified.

Comment 9 ge liu 2019-04-10 12:08:21 UTC
I Will Verify it after Bug 1698456 fixed.

Comment 10 ge liu 2019-04-19 02:39:17 UTC
Verified it, etcd signer is valid in disaster recovery(tested with etcd leader crashed)

Comment 12 errata-xmlrpc 2019-06-04 10:44:51 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.