Fix api-cert-manager=true blocking cluster creation

In the current release, cert-api-manager runs on kubecluster.yaml [1],
but in the kubemaster.yaml [2] the script [3] expects the existence of
the ca.key file (if the cert_api_manager_enabled=true), otherwise it gets blocked.
This file (ca.key), in turn, is created only when enable-cert-api-manager.sh runs [4].

So, we have a deadlock...
So we need to move the call of enable-cert-api-manager.sh into the kubemaster.yaml

[1] https://github.com/openstack/magnum/blob/master/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml#L1158-L1161
[2] https://github.com/openstack/magnum/blob/master/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml#L760
[3] https://github.com/openstack/magnum/blob/master/magnum/drivers/common/templates/kubernetes/fragments/enable-services-master.sh#L12-L16
[4] https://github.com/openstack/magnum/blob/master/magnum/drivers/common/templates/kubernetes/fragments/enable-cert-api-manager.sh#L11

On another issue, the chown of this file (ca.key) is not working. Moving the
call of this file into kubemaster.yaml makes cluster creation fail because of
an error [7] in [5]. If we check a cluster created in stein [6] we notice that
the file is owned by root:root. Knowing this we can comment out [5] for now.

[5] https://github.com/openstack/magnum/blob/master/magnum/drivers/common/templates/kubernetes/fragments/enable-cert-api-manager.sh#L13
[6] http://paste.openstack.org/show/788534/
[7] http://paste.openstack.org/show/788537/

Change-Id: Ibee2df435c3f7c34bff74e9146fb28d8367124b1
Signed-off-by: Diogo Guerra <diogo.filipe.tomas.guerra@cern.ch>
changes/76/703076/3
Diogo Guerra 3 years ago committed by Diogo Guerra
parent
commit
1ecec95b8c
  1. 2
      magnum/drivers/common/templates/kubernetes/fragments/enable-cert-api-manager.sh
  2. 4
      magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml
  3. 4
      magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml
  4. 4
      magnum/drivers/k8s_fedora_coreos_v1/templates/kubecluster.yaml
  5. 4
      magnum/drivers/k8s_fedora_coreos_v1/templates/kubemaster.yaml
  6. 5
      releasenotes/notes/fix-cert-apimanager-527352622c5a9c3b.yaml

2
magnum/drivers/common/templates/kubernetes/fragments/enable-cert-api-manager.sh

@ -10,7 +10,7 @@ if [ "$(echo "${CERT_MANAGER_API}" | tr '[:upper:]' '[:lower:]')" = "true" ]; th
echo -e "${CA_KEY}" > ${cert_dir}/ca.key
chown kube.kube ${cert_dir}/ca.key
# chown kube:kube ${cert_dir}/ca.key
chmod 400 ${cert_dir}/ca.key
fi
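
Review bot: Commenting out the chown instead of deleting it leaves the intended owner of ca.key undocumented. With `chmod 400 ${cert_dir}/ca.key` still applied, the key is readable only by the user that runs this fragment (root:root according to the commit message), so a component running as kube cannot read it. Either remove the line and add a comment saying that root ownership is intended, or keep the chown and fix the error behind it. Separately, `echo -e "${CA_KEY}" > ${cert_dir}/ca.key` creates the file under the default umask before the chmod runs; setting a restrictive umask ahead of the write would close that window, and `${cert_dir}` should be quoted.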

4
magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml

@ -1155,10 +1155,6 @@ resources:
list_join:
- "\n"
-
- str_replace:
template: {get_file: ../../common/templates/kubernetes/fragments/enable-cert-api-manager.sh}
params:
"$CA_KEY": {get_param: ca_key}
- get_file: ../../common/templates/kubernetes/fragments/kube-apiserver-to-kubelet-role.sh
- get_file: ../../common/templates/kubernetes/fragments/core-dns-service.sh
- get_file: ../../common/templates/kubernetes/fragments/calico-service.sh
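
Review bot: The removed `"$CA_KEY": {get_param: ca_key}` was the only visible consumer of ca_key in this list, so please confirm that kubecluster.yaml still passes ca_key down to the kubemaster.yaml resource; the hunk does not show that wiring. It is also worth checking that none of the fragments that remain in this list (kube-apiserver-to-kubelet-role.sh, core-dns-service.sh, calico-service.sh and those after them) relied on enable-cert-api-manager.sh having run first in the same script.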

4
magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml

@ -750,6 +750,10 @@ resources:
"$NODEGROUP_NAME": {get_param: nodegroup_name}
"$USE_PODMAN": {get_param: use_podman}
- get_file: ../../common/templates/kubernetes/fragments/make-cert.sh
- str_replace:
template: {get_file: ../../common/templates/kubernetes/fragments/enable-cert-api-manager.sh}
params:
"$CA_KEY": {get_param: ca_key}
- get_file: ../../common/templates/kubernetes/fragments/configure-etcd.sh
- get_file: ../../common/templates/kubernetes/fragments/write-kube-os-config.sh
- get_file: ../../common/templates/kubernetes/fragments/configure-kubernetes-master.sh
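
Review bot: The position of the new str_replace entry, after make-cert.sh and before configure-etcd.sh, is load-bearing but not explained in the template. Since the fragment writes `${cert_dir}/ca.key`, please confirm the directory exists at this point in the sequence, and add a short YAML comment above the entry saying that ca.key has to be written on the master before enable-services-master.sh waits for it, so that a later reordering does not reintroduce the deadlock.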

4
magnum/drivers/k8s_fedora_coreos_v1/templates/kubecluster.yaml

@ -1159,10 +1159,6 @@ resources:
list_join:
- "\n"
-
- str_replace:
template: {get_file: ../../common/templates/kubernetes/fragments/enable-cert-api-manager.sh}
params:
"$CA_KEY": {get_param: ca_key}
- get_file: ../../common/templates/kubernetes/fragments/kube-apiserver-to-kubelet-role.sh
- get_file: ../../common/templates/kubernetes/fragments/core-dns-service.sh
- get_file: ../../common/templates/kubernetes/fragments/calico-service.sh

4
magnum/drivers/k8s_fedora_coreos_v1/templates/kubemaster.yaml

@ -763,6 +763,10 @@ resources:
"$USE_PODMAN": {get_param: use_podman}
"$KUBE_IMAGE_DIGEST": {get_param: kube_image_digest}
- get_file: ../../common/templates/kubernetes/fragments/make-cert.sh
- str_replace:
template: {get_file: ../../common/templates/kubernetes/fragments/enable-cert-api-manager.sh}
params:
"$CA_KEY": {get_param: ca_key}
- get_file: ../../common/templates/kubernetes/fragments/configure-etcd.sh
- get_file: ../../common/templates/kubernetes/fragments/write-kube-os-config.sh
- get_file: ../../common/templates/kubernetes/fragments/configure-kubernetes-master.sh
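
Review bot: The added `"$CA_KEY": {get_param: ca_key}` requires ca_key to be declared in the parameters section of this kubemaster.yaml, which the hunk does not show. Because str_replace substitutes the CA private key into the script text, please make sure the declaration carries `hidden: true` so that the value is not displayed when stack parameters are shown. The same check applies to the k8s_fedora_atomic_v1 kubemaster.yaml.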

5
releasenotes/notes/fix-cert-apimanager-527352622c5a9c3b.yaml

@ -0,0 +1,5 @@
---
fixes:
- |
Fixed the usage of cert_manager_api=true making cluster creation fail
due to a logic lock between kubemaster.yaml and kubecluster.yaml
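
Review bot: The release note covers only the deadlock and omits the second behaviour change in this commit, the disabled chown in enable-cert-api-manager.sh. Operators should be told that ca.key on the master is now left with the ownership of the user running the script and mode 400. The option is also spelled `cert_manager_api` here but `cert_api_manager_enabled` and `api-cert-manager` in the commit message; use the label name that users actually set.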