From c9386abd5f8c344f585f9bf4b46e39c777fe74b5 Mon Sep 17 00:00:00 2001
From: "Lubomir I. Ivanov"
Date: Mon, 28 Mar 2022 20:47:49 +0300
Subject: [PATCH] kubeadm: add etcd flag for member data consistency

Include the flag "--experimental-initial-corrupt-check" in etcd static pod manifests to ensure etcd member data consistency. The etcd feature is planned for graduation in 3.6, at which point we should switch to using the flag without the "experimental" prefix.
---
 cmd/kubeadm/app/phases/etcd/local.go | 35 ++++++++++++-----------
 cmd/kubeadm/app/phases/etcd/local_test.go | 4 +++
 2 files changed, 23 insertions(+), 16 deletions(-)

diff --git a/cmd/kubeadm/app/phases/etcd/local.go b/cmd/kubeadm/app/phases/etcd/local.go
index 14ca6bd8298..4e077fe3534 100644
--- a/cmd/kubeadm/app/phases/etcd/local.go
+++ b/cmd/kubeadm/app/phases/etcd/local.go
@@ -220,22 +220,25 @@ func getEtcdCommand(cfg *kubeadmapi.ClusterConfiguration, endpoint *kubeadmapi.A
 etcdLocalhostAddress = "::1"
 }
 defaultArguments := map[string]string{
- "name": nodeName,
- "listen-client-urls": fmt.Sprintf("%s,%s", etcdutil.GetClientURLByIP(etcdLocalhostAddress), etcdutil.GetClientURL(endpoint)),
- "advertise-client-urls": etcdutil.GetClientURL(endpoint),
- "listen-peer-urls": etcdutil.GetPeerURL(endpoint),
- "initial-advertise-peer-urls": etcdutil.GetPeerURL(endpoint),
- "data-dir": cfg.Etcd.Local.DataDir,
- "cert-file": filepath.Join(cfg.CertificatesDir, kubeadmconstants.EtcdServerCertName),
- "key-file": filepath.Join(cfg.CertificatesDir, kubeadmconstants.EtcdServerKeyName),
- "trusted-ca-file": filepath.Join(cfg.CertificatesDir, kubeadmconstants.EtcdCACertName),
- "client-cert-auth": "true",
- "peer-cert-file": filepath.Join(cfg.CertificatesDir, kubeadmconstants.EtcdPeerCertName),
- "peer-key-file": filepath.Join(cfg.CertificatesDir, kubeadmconstants.EtcdPeerKeyName),
- "peer-trusted-ca-file": filepath.Join(cfg.CertificatesDir, kubeadmconstants.EtcdCACertName),
- "peer-client-cert-auth": "true",
- "snapshot-count": "10000",
- "listen-metrics-urls": fmt.Sprintf("http://%s", net.JoinHostPort(etcdLocalhostAddress, strconv.Itoa(kubeadmconstants.EtcdMetricsPort))),
+ "name": nodeName,
+ // TODO: start using --initial-corrupt-check once the graduated flag is available:
+ // https://github.com/kubernetes/kubeadm/issues/2676
+ "experimental-initial-corrupt-check": "true",
+ "listen-client-urls": fmt.Sprintf("%s,%s", etcdutil.GetClientURLByIP(etcdLocalhostAddress), etcdutil.GetClientURL(endpoint)),
+ "advertise-client-urls": etcdutil.GetClientURL(endpoint),
+ "listen-peer-urls": etcdutil.GetPeerURL(endpoint),
+ "initial-advertise-peer-urls": etcdutil.GetPeerURL(endpoint),
+ "data-dir": cfg.Etcd.Local.DataDir,
+ "cert-file": filepath.Join(cfg.CertificatesDir, kubeadmconstants.EtcdServerCertName),
+ "key-file": filepath.Join(cfg.CertificatesDir, kubeadmconstants.EtcdServerKeyName),
+ "trusted-ca-file": filepath.Join(cfg.CertificatesDir, kubeadmconstants.EtcdCACertName),
+ "client-cert-auth": "true",
+ "peer-cert-file": filepath.Join(cfg.CertificatesDir, kubeadmconstants.EtcdPeerCertName),
+ "peer-key-file": filepath.Join(cfg.CertificatesDir, kubeadmconstants.EtcdPeerKeyName),
+ "peer-trusted-ca-file": filepath.Join(cfg.CertificatesDir, kubeadmconstants.EtcdCACertName),
+ "peer-client-cert-auth": "true",
+ "snapshot-count": "10000",
+ "listen-metrics-urls": fmt.Sprintf("http://%s", net.JoinHostPort(etcdLocalhostAddress, strconv.Itoa(kubeadmconstants.EtcdMetricsPort))),
 }
 
 if len(initialCluster) == 0 {
diff --git a/cmd/kubeadm/app/phases/etcd/local_test.go b/cmd/kubeadm/app/phases/etcd/local_test.go
index edb3962e120..8f834b6dbab 100644
--- a/cmd/kubeadm/app/phases/etcd/local_test.go
+++ b/cmd/kubeadm/app/phases/etcd/local_test.go
@@ -176,6 +176,7 @@ func TestGetEtcdCommand(t *testing.T) {
 expected: []string{
 "etcd",
 "--name=foo",
+ "--experimental-initial-corrupt-check=true",
 fmt.Sprintf("--listen-client-urls=https://127.0.0.1:%d,https://1.2.3.4:%d", kubeadmconstants.EtcdListenClientPort, kubeadmconstants.EtcdListenClientPort),
 fmt.Sprintf("--listen-metrics-urls=http://127.0.0.1:%d", kubeadmconstants.EtcdMetricsPort),
 fmt.Sprintf("--advertise-client-urls=https://1.2.3.4:%d", kubeadmconstants.EtcdListenClientPort),
@@ -205,6 +206,7 @@ func TestGetEtcdCommand(t *testing.T) {
 expected: []string{
 "etcd",
 "--name=foo",
+ "--experimental-initial-corrupt-check=true",
 fmt.Sprintf("--listen-client-urls=https://127.0.0.1:%d,https://1.2.3.4:%d", kubeadmconstants.EtcdListenClientPort, kubeadmconstants.EtcdListenClientPort),
 fmt.Sprintf("--listen-metrics-urls=http://127.0.0.1:%d", kubeadmconstants.EtcdMetricsPort),
 fmt.Sprintf("--advertise-client-urls=https://1.2.3.4:%d", kubeadmconstants.EtcdListenClientPort),
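Review bot: In the `defaultArguments` map of getEtcdCommand (cmd/kubeadm/app/phases/etcd/local.go), `experimental-initial-corrupt-check` is now set for every local etcd member without any check on the etcd version being deployed, and the TODO above it records only the planned rename. An etcd binary that does not accept the `experimental-` spelling would presumably reject the flag at startup, so the entry should either be gated on the etcd version or the comment should tell operators who run a different etcd image that they need to override it; whether a user-supplied extra argument can replace this default is decided outside the hunk. The comment should also say what the flag does, for example `// Check member data for corruption before serving any client/peer traffic.`, since a member that fails this check will look like a crashing static pod rather than a detected integrity problem. The function body starts and ends outside the hunk.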
@@ -235,6 +237,7 @@ func TestGetEtcdCommand(t *testing.T) {
 expected: []string{
 "etcd",
 "--name=bar",
+ "--experimental-initial-corrupt-check=true",
 "--listen-client-urls=https://10.0.1.10:2379",
 fmt.Sprintf("--listen-metrics-urls=http://127.0.0.1:%d", kubeadmconstants.EtcdMetricsPort),
 "--advertise-client-urls=https://10.0.1.10:2379",
@@ -260,6 +263,7 @@ func TestGetEtcdCommand(t *testing.T) {
 expected: []string{
 "etcd",
 "--name=foo",
+ "--experimental-initial-corrupt-check=true",
 fmt.Sprintf("--listen-client-urls=https://[::1]:%d,https://[2001:db8::3]:%d", kubeadmconstants.EtcdListenClientPort, kubeadmconstants.EtcdListenClientPort),
 fmt.Sprintf("--listen-metrics-urls=http://[::1]:%d", kubeadmconstants.EtcdMetricsPort),
 fmt.Sprintf("--advertise-client-urls=https://[2001:db8::3]:%d", kubeadmconstants.EtcdListenClientPort),