Skip to content

*: add missing etcd-client-ca secret #1719

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
hexfusion wants to merge 1 commit into from
Closed

*: add missing etcd-client-ca secret #1719

hexfusion wants to merge 1 commit into from

Conversation

@hexfusion
Copy link
Contributor

@hexfusion hexfusion commented May 7, 2019

For disaster recovery, we need to persist the etcd-client-ca.{crt,key} which allows us to regenerate etcd certificates. While the cert is persisted to disk we do not have the key. For now, this adds the secret to openshift-config along with the other etcd related TLS assets.

installer/data/data/bootstrap/files/usr/local/bin/bootkube.sh.template

Lines 230 to 232 in 9d17730

serve \
--cacrt=/opt/openshift/tls/etcd-client-ca.crt \
--cakey=/opt/openshift/tls/etcd-client-ca.key \

installer/pkg/asset/manifests/operators.go

Lines 176 to 177 in ad87acc

EtcdClientCaCert: base64.StdEncoding.EncodeToString(etcdCA.Cert()),
EtcdClientCaKey: base64.StdEncoding.EncodeToString(etcdCA.Key()),

@openshift-ci-robot openshift-ci-robot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label May 7, 2019
vrutkovs
vrutkovs approved these changes May 7, 2019
View reviewed changes
Copy link
Contributor

@vrutkovs vrutkovs left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label May 7, 2019
@abhinavdahiya
Copy link
Contributor

abhinavdahiya commented May 7, 2019

/approve

@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented May 7, 2019

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: abhinavdahiya, hexfusion, vrutkovs

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci-robot openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 7, 2019
@wking
Copy link
Member

wking commented May 7, 2019

We already have the keys in the template because they used to be used by the similar, but differently namespaced, secret removed here. That secret was born deprecated here. Do we still believe it's deprecated?

/hold

@openshift-ci-robot openshift-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label May 7, 2019
@abhinavdahiya
Copy link
Contributor

abhinavdahiya commented May 7, 2019

We already have the keys in the template because they used to be used by the similar, but differently namespaced, secret removed here. That secret was born deprecated here. Do we still believe it's deprecated?

/hold

@hexfusion is going to file a follow up to clean up the deprecated CA consolidating to one.
This unblocks DR for etcd
/hold cancel

@abhinavdahiya
Copy link
Contributor

abhinavdahiya commented May 7, 2019

#1719 (comment)

Please @openshift-bot

/hold cancel

@openshift-ci-robot openshift-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label May 7, 2019
@hexfusion
Copy link
Contributor Author

hexfusion commented May 7, 2019

/hold

@openshift-ci-robot openshift-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label May 7, 2019
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented May 7, 2019

@hexfusion: The following tests failed, say /retest to rerun them all:

Test name Commit Details Rerun command
ci/prow/e2e-aws-upgrade efcfe8a link /test e2e-aws-upgrade
ci/prow/e2e-aws efcfe8a link /test e2e-aws

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@hexfusion
Copy link
Contributor Author

hexfusion commented May 7, 2019

If I keep trying I will get it right eventually work carried forward via #1720

/joke

@hexfusion hexfusion closed this May 7, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@patrickdillon patrickdillon Awaiting requested review from patrickdillon

1 more reviewer

@vrutkovs vrutkovs vrutkovs approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@vrutkovs vrutkovs

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. lgtm Indicates that a PR is ready to be merged. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@hexfusion @abhinavdahiya @openshift-ci-robot @wking @vrutkovs