rancher/rke
1
0
Fork 0
mirror of https://github.com/rancher/rke.git synced 2025-09-05 17:00:20 +00:00
Code Issues Releases Wiki Activity

Handle missing backup kube-etcd gracefully

Browse Source
This commit is contained in:
moelsayed
2018-04-25 07:11:57 +02:00
committed by Darren Shepherd
parent 0715323263
commit a2d985ef46
3 changed files with 48 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
cluster/certificates.go
View File

@@ -4,6 +4,7 @@ import (
"context" "context"
"crypto/rsa" "crypto/rsa"
"fmt" "fmt"
"strings"
"time" "time"
"github.com/rancher/rke/hosts" "github.com/rancher/rke/hosts"
@@ -38,7 +39,22 @@ func SetUpAuthentication(ctx context.Context, kubeCluster, currentCluster *Clust
return err return err
} }
if kubeCluster.Certificates != nil { if kubeCluster.Certificates != nil {
log.Infof(ctx, "[certificates] Certificate backup found on[%s] hosts", backupPlane) log.Infof(ctx, "[certificates] Certificate backup found on [%s] hosts", backupPlane)
// make sure I have all the etcd certs, We need handle dialer failure for etcd nodes https://github.com/rancher/rancher/issues/12898
for _, host := range kubeCluster.EtcdHosts {
certName := pki.GetEtcdCrtName(host.InternalAddress)
if kubeCluster.Certificates[certName].Certificate == nil {
if kubeCluster.Certificates, err = pki.RegenerateEtcdCertificate(ctx,
kubeCluster.Certificates,
host,
kubeCluster.EtcdHosts,
kubeCluster.ClusterDomain,
kubeCluster.KubernetesServiceIP); err != nil {
return err
}
}
}
// this is the case of adding controlplane node on empty cluster with only etcd nodes // this is the case of adding controlplane node on empty cluster with only etcd nodes
if kubeCluster.Certificates[pki.KubeAdminCertName].Config == "" && len(kubeCluster.ControlPlaneHosts) > 0 { if kubeCluster.Certificates[pki.KubeAdminCertName].Config == "" && len(kubeCluster.ControlPlaneHosts) > 0 {
if err := rebuildLocalAdminConfig(ctx, kubeCluster); err != nil { if err := rebuildLocalAdminConfig(ctx, kubeCluster); err != nil {
@@ -102,9 +118,15 @@ func getClusterCerts(ctx context.Context, kubeClient *kubernetes.Clientset, etcd
certMap := make(map[string]pki.CertificatePKI) certMap := make(map[string]pki.CertificatePKI)
for _, certName := range certificatesNames { for _, certName := range certificatesNames {
secret, err := k8s.GetSecret(kubeClient, certName) secret, err := k8s.GetSecret(kubeClient, certName)
if err != nil { if err != nil && !strings.HasPrefix(certName, "kube-etcd") {
return nil, err return nil, err
} }
// If I can't find an etcd cert, I will not fail and will create it later.
if secret == nil && strings.HasPrefix(certName, "kube-etcd") {
certMap[certName] = pki.CertificatePKI{}
continue
}
secretCert, _ := cert.ParseCertsPEM(secret.Data["Certificate"]) secretCert, _ := cert.ParseCertsPEM(secret.Data["Certificate"])
secretKey, _ := cert.ParsePrivateKeyPEM(secret.Data["Key"]) secretKey, _ := cert.ParsePrivateKeyPEM(secret.Data["Key"])
secretConfig := string(secret.Data["Config"]) secretConfig := string(secret.Data["Config"])

16
cluster/state.go
View File

@@ -8,6 +8,7 @@ import (
"github.com/rancher/rke/k8s" "github.com/rancher/rke/k8s"
"github.com/rancher/rke/log" "github.com/rancher/rke/log"
"github.com/rancher/rke/pki"
"github.com/rancher/types/apis/management.cattle.io/v3" "github.com/rancher/types/apis/management.cattle.io/v3"
"github.com/sirupsen/logrus" "github.com/sirupsen/logrus"
"gopkg.in/yaml.v2" "gopkg.in/yaml.v2"
@@ -73,6 +74,21 @@ func (c *Cluster) GetClusterState(ctx context.Context) (*Cluster, error) {
if err != nil { if err != nil {
return nil, fmt.Errorf("Failed to Get Kubernetes certificates: %v", err) return nil, fmt.Errorf("Failed to Get Kubernetes certificates: %v", err)
} }
// make sure I have all the etcd certs, We need handle dialer failure for etcd nodes https://github.com/rancher/rancher/issues/12898
for _, host := range activeEtcdHosts {
certName := pki.GetEtcdCrtName(host.InternalAddress)
if (currentCluster.Certificates[certName] == pki.CertificatePKI{}) {
if currentCluster.Certificates, err = pki.RegenerateEtcdCertificate(ctx,
currentCluster.Certificates,
host,
activeEtcdHosts,
currentCluster.ClusterDomain,
currentCluster.KubernetesServiceIP); err != nil {
return nil, err
}
}
}
// setting cluster defaults for the fetched cluster as well // setting cluster defaults for the fetched cluster as well
currentCluster.setClusterDefaults(ctx) currentCluster.setClusterDefaults(ctx)

9
pki/deploy.go
View File

@@ -135,12 +135,19 @@ func FetchCertificatesFromHost(ctx context.Context, extraHosts []*hosts.Host, ho
for certName, config := range crtList { for certName, config := range crtList {
certificate := CertificatePKI{} certificate := CertificatePKI{}
crt, err := fetchFileFromHost(ctx, GetCertTempPath(certName), image, host, prsMap) crt, err := fetchFileFromHost(ctx, GetCertTempPath(certName), image, host, prsMap)
if err != nil { // I will only exit with an error if it's not a not-found-error and this is not an etcd certificate
if err != nil && !strings.HasPrefix(certName, "kube-etcd") {
if strings.Contains(err.Error(), "no such file or directory") || if strings.Contains(err.Error(), "no such file or directory") ||
strings.Contains(err.Error(), "Could not find the file") { strings.Contains(err.Error(), "Could not find the file") {
return nil, nil return nil, nil
} }
return nil, err return nil, err
}
// If I can't find an etcd cert, I will not fail and will create it later.
if crt == "" && strings.HasPrefix(certName, "kube-etcd") {
tmpCerts[certName] = CertificatePKI{}
continue
} }
key, err := fetchFileFromHost(ctx, GetKeyTempPath(certName), image, host, prsMap) key, err := fetchFileFromHost(ctx, GetKeyTempPath(certName), image, host, prsMap)