From 7b058c4357bf8e04dbf2753b276ba2fb162cdbcc Mon Sep 17 00:00:00 2001
From: Ed Bartosh
Date: Wed, 2 Jan 2019 13:26:36 +0200
Subject: [PATCH] kubeadm: add required etcd certs to selfhosting api-server

Selfhosting pivoting fails when using --store-certs-in-secrets as api-server fails to start because of missing etcd/ca and apiserver-etcd-client certificates:

F1227 16:01:52.237352 1 storage_decorator.go:57] Unable to create storage backend: config (&{ /registry [https://127.0.0.1:2379] /etc/kubernetes/pki/apiserver-etcd-client.key /etc/kubernetes/pki/apiserver-etcd-client.crt /etc/kubernetes/pki/etcd/ca.crt true 0xc000884120 5m0s 1m0s}), err (open /etc/kubernetes/pki/apiserver-etcd-client.crt: no such file or directory)

Added required certificates to fix this.

Secret name for etc/ca certifcate has been converted to conform RFC-1123 subdomain naming conventions to prevent this TLS secret creation failure:

unable to create secret: Secret "etcd/ca" is invalid: metadata.name: Invalid value: "etcd/ca": a DNS-1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')

Related issue: kubernetes/kubeadm#1281
---
 .../phases/selfhosting/selfhosting_volumes.go | 47 ++++++++++++++++++-
 1 file changed, 46 insertions(+), 1 deletion(-)

diff --git a/cmd/kubeadm/app/phases/selfhosting/selfhosting_volumes.go b/cmd/kubeadm/app/phases/selfhosting/selfhosting_volumes.go
index 627fb01f043..d685b39fc8c 100644
--- a/cmd/kubeadm/app/phases/selfhosting/selfhosting_volumes.go
+++ b/cmd/kubeadm/app/phases/selfhosting/selfhosting_volumes.go
@@ -20,6 +20,7 @@ import (
 "fmt"
 "io/ioutil"
 "path/filepath"
+ "strings"
 
 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -128,6 +129,40 @@ func apiServerCertificatesVolumeSource() v1.VolumeSource {
 },
 },
 },
+ {
+ Secret: &v1.SecretProjection{
+ LocalObjectReference: v1.LocalObjectReference{
+ Name: strings.Replace(kubeadmconstants.EtcdCACertAndKeyBaseName, "/", "-", -1),
+ },
+ Items: []v1.KeyToPath{
+ {
+ Key: v1.TLSCertKey,
+ Path: kubeadmconstants.EtcdCACertName,
+ },
+ {
+ Key: v1.TLSPrivateKeyKey,
+ Path: kubeadmconstants.EtcdCAKeyName,
+ },
+ },
+ },
+ },
+ {
+ Secret: &v1.SecretProjection{
+ LocalObjectReference: v1.LocalObjectReference{
+ Name: kubeadmconstants.APIServerEtcdClientCertAndKeyBaseName,
+ },
+ Items: []v1.KeyToPath{
+ {
+ Key: v1.TLSCertKey,
+ Path: kubeadmconstants.APIServerEtcdClientCertName,
+ },
+ {
+ Key: v1.TLSPrivateKeyKey,
+ Path: kubeadmconstants.APIServerEtcdClientKeyName,
+ },
+ },
+ },
+ },
 },
 },
 }
@@ -175,7 +210,7 @@ func controllerManagerCertificatesVolumeSource() v1.VolumeSource {
 func kubeConfigVolumeSource(kubeconfigSecretName string) v1.VolumeSource {
 return v1.VolumeSource{
 Secret: &v1.SecretVolumeSource{
- SecretName: kubeconfigSecretName,
+ SecretName: strings.Replace(kubeconfigSecretName, "/", "-", -1),
 },
 }
 }
@@ -294,5 +329,15 @@ func getTLSKeyPairs() []*tlsKeyPair {
 cert: kubeadmconstants.FrontProxyClientCertName,
 key: kubeadmconstants.FrontProxyClientKeyName,
 },
+ {
+ name: strings.Replace(kubeadmconstants.EtcdCACertAndKeyBaseName, "/", "-", -1),
+ cert: kubeadmconstants.EtcdCACertName,
+ key: kubeadmconstants.EtcdCAKeyName,
+ },
+ {
+ name: kubeadmconstants.APIServerEtcdClientCertAndKeyBaseName,
+ cert: kubeadmconstants.APIServerEtcdClientCertName,
+ key: kubeadmconstants.APIServerEtcdClientKeyName,
+ },
 }
 }
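Review bot: The etcd CA projection added in apiServerCertificatesVolumeSource mounts the CA private key into the API server pod (`Key: v1.TLSPrivateKeyKey, Path: kubeadmconstants.EtcdCAKeyName`), yet the storage-backend error quoted in the commit message shows the API server opening only `etcd/ca.crt` plus the apiserver-etcd-client cert and key. A signing key that the container never reads is pure exposure: anyone who gets a shell or a file read in the API server container can mint arbitrary etcd client certificates trusted by every etcd member. I would drop the `v1.TLSPrivateKeyKey` item from that projection so only the CA certificate lands on disk, which changes nothing about the secret itself. If the projections above this hunk mount the cluster CA key the same way, the same trimming applies there, but that code starts outside the hunk.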
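Review bot: The `/` to `-` rewrite in kubeConfigVolumeSource is the third copy of the same `strings.Replace(..., "/", "-", -1)` sanitization this patch introduces, and nothing ties it to the code that actually creates the kubeconfig secret, which is outside this hunk; if that creation path does not apply the identical transformation the pod references a secret that does not exist and fails at mount time instead of at pivot. A single helper used by both the creation and the volume-reference sites keeps the two in lockstep: `func secretName(base string) string { return strings.Replace(base, "/", "-", -1) }`. It also gives one place to extend should a base name ever carry other characters DNS-1123 forbids (upper case, `_`), which replacing `/` alone does not address. For the kubeconfig names I would expect this to be a no-op today, which is worth a one-line comment so the next reader does not hunt for a `/` that is not there.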
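Review bot: The new etcd CA entry in getTLSKeyPairs lists `key: kubeadmconstants.EtcdCAKeyName` next to the cert, so the etcd CA's private signing key gets read from disk and uploaded into a cluster Secret although no self-hosted component needs it to reach etcd. If the loader that consumes `tlsKeyPair` (not visible here) reads both files unconditionally, this entry will also break control planes where only `etcd/ca.crt` is present, which is presumably the layout when an external etcd is configured with just a CA file. Consider making the key optional for this pair or turning it into a CA-only entry carrying just `cert: kubeadmconstants.EtcdCACertName`; the secret-name line `name: strings.Replace(kubeadmconstants.EtcdCACertAndKeyBaseName, "/", "-", -1)` stays as is. The enclosing function begins before the hunk and the `tlsKeyPair` type is not shown, so whether the struct tolerates an empty `key` needs confirming.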