From 852577d68f2d281b796ec4aa79434c19269b2645 Mon Sep 17 00:00:00 2001
From: Levi Blackstone
Date: Mon, 29 Jan 2018 12:00:41 -0700
Subject: [PATCH 1/6] modules/openstack/nodes/ignition: Remove deprecated sshd option

Recent versions of sshd already set `UsePrivilegeSeparation sandbox` by default, and this option is deprecated.
---
 modules/openstack/nodes/ignition.tf | 1 -
 1 file changed, 1 deletion(-)

diff --git a/modules/openstack/nodes/ignition.tf b/modules/openstack/nodes/ignition.tf
index 7abb4fb131..cab87d9eb9 100644
--- a/modules/openstack/nodes/ignition.tf
+++ b/modules/openstack/nodes/ignition.tf
@@ -80,7 +80,6 @@ data "ignition_file" "sshd" {
 content {
 content = <
Date: Fri, 16 Feb 2018 10:00:32 -0700
Subject: [PATCH 2/6] modules/ignition/resources/dropins/40-etcd-cluster.conf: Fix run args

The dropin file for the etcd-member service was inadvertently overwriting the existing RKT_RUN_ARGS set in the service unit file. This prevented the uuid-file-save from being set, which then prevented the service from being restarted correctly on reboot, etc.
---
 modules/ignition/resources/dropins/40-etcd-cluster.conf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/modules/ignition/resources/dropins/40-etcd-cluster.conf b/modules/ignition/resources/dropins/40-etcd-cluster.conf
index 078b7612ff..e64899d10e 100644
--- a/modules/ignition/resources/dropins/40-etcd-cluster.conf
+++ b/modules/ignition/resources/dropins/40-etcd-cluster.conf
@@ -5,7 +5,8 @@ ${metadata_deps}
 Environment="ETCD_IMAGE=${container_image}"
 ${metadata_env}
 Environment="RKT_RUN_ARGS=--volume etcd-ssl,kind=host,source=/etc/ssl/etcd \
- --mount volume=etcd-ssl,target=/etc/ssl/etcd"
+ --mount volume=etcd-ssl,target=/etc/ssl/etcd \
+ --uuid-file-save=/var/lib/coreos/etcd-member-wrapper.uuid"
 ExecStart=
 ExecStart=/usr/lib/coreos/etcd-wrapper \
 --name=${name} \
From 0b6f991bfe8d717f2757d5182ec4cc2d3656f9be Mon Sep 17 00:00:00 2001
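Review bot: The added `--uuid-file-save` line restores one argument from the base unit, but the `Environment="RKT_RUN_ARGS=…"` assignment in this dropin still replaces the unit's whole value, so any other argument the shipped etcd-member.service sets (now or after a Container Linux update) is dropped again silently; the base unit is not visible here. A comment in the dropin would make that coupling explicit: `# NOTE: this Environment= replaces RKT_RUN_ARGS from etcd-member.service entirely; keep --uuid-file-save (and any other upstream args) in sync with that unit.` The uuid path is hardcoded and presumably mirrors the base unit, which is worth confirming. The ExecStart continuation runs past the end of the hunk.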
From: Levi Blackstone
Date: Fri, 16 Feb 2018 10:06:00 -0700
Subject: [PATCH 3/6] modules/bootkube/resources/bootkube.sh: Fix SHE check

The conditional check for self-hosted etcd was not handling the disabled case correctly (using external etcd).
---
 modules/bootkube/resources/bootkube.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/bootkube/resources/bootkube.sh b/modules/bootkube/resources/bootkube.sh
index 96d0aef2e9..abbf878f25 100644
--- a/modules/bootkube/resources/bootkube.sh
+++ b/modules/bootkube/resources/bootkube.sh
@@ -12,7 +12,7 @@ rm -rf /etc/kubernetes/manifests
 mkdir -p /etc/kubernetes/manifests/

 # Move optional self hosted etcd manifests into bootkube friendly locations
-if [ -d /opt/tectonic/etcd ]; then
+if [ -d /opt/tectonic/etcd/bootstrap-manifests ]; then
 mv /opt/tectonic/etcd/manifests/* /opt/tectonic/manifests/
 rm -r /opt/tectonic/etcd/manifests
 mv /opt/tectonic/etcd/bootstrap-manifests/* /opt/tectonic/bootstrap-manifests/
From d72aeae04cf6670a522045af38a7393a76d5dd3a Mon Sep 17 00:00:00 2001
From: Levi Blackstone
Date: Fri, 16 Feb 2018 10:06:56 -0700
Subject: [PATCH 4/6] modules/bootkube/resources/bootkube.sh: Fix etcd TLS

The required TLS assets were not being copied to the location expected by the control plane manifests, so external etcd was not working if tectonic_etcd_tls_enabled was true.
---
 modules/bootkube/resources/bootkube.sh | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/modules/bootkube/resources/bootkube.sh b/modules/bootkube/resources/bootkube.sh
index abbf878f25..e389cc0875 100644
--- a/modules/bootkube/resources/bootkube.sh
+++ b/modules/bootkube/resources/bootkube.sh
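Review bot: The guard on the changed line now tests only `/opt/tectonic/etcd/bootstrap-manifests`, yet the first two statements inside the block still move and then delete `/opt/tectonic/etcd/manifests`; if the asset generator ever writes one directory without the other, the first `mv` fails on an unexpanded glob. If both directories are always produced together this is harmless, but testing both is cheap and documents the assumption: `if [ -d /opt/tectonic/etcd/manifests ] && [ -d /opt/tectonic/etcd/bootstrap-manifests ]; then`. The block's closing `fi` lies outside the hunk.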
@@ -25,6 +25,11 @@ if [ -d /opt/tectonic/net-manifests ]; then
 rm -r /opt/tectonic/net-manifests
 fi

+mkdir -p /etc/kubernetes/bootstrap-secrets
+cp /opt/tectonic/tls/etcd-* /etc/kubernetes/bootstrap-secrets
+mkdir -p /etc/kubernetes/secrets
+cp /opt/tectonic/tls/etcd-* /etc/kubernetes/secrets
+
 # shellcheck disable=SC2154
 /usr/bin/docker run \
 --volume "$(pwd)":/assets \
From d6a0b23ffdc598456195eb7ae62942c9d712d9d9 Mon Sep 17 00:00:00 2001
From: Levi Blackstone
Date: Fri, 16 Feb 2018 10:11:25 -0700
Subject: [PATCH 5/6] platforms/openstack/neutron/main.tf: Disable metadata provider

The coreos-metadata service was failing to restart correctly on reboot, preventing the etcd-member service from restarting. It doesn't look like the etcd-member service was actually using metadata, and disabling the service appears to fix the problem.
---
 platforms/openstack/neutron/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/platforms/openstack/neutron/main.tf b/platforms/openstack/neutron/main.tf
index bcb795d7dc..3d968bc78a 100644
--- a/platforms/openstack/neutron/main.tf
+++ b/platforms/openstack/neutron/main.tf
@@ -198,12 +198,12 @@ module "ignition_masters" {
 kubelet_debug_config = "${var.tectonic_kubelet_debug_config}"
 kubelet_node_label = "node-role.kubernetes.io/master"
 kubelet_node_taints = "node-role.kubernetes.io/master=:NoSchedule"
- metadata_provider = "openstack-metadata"
 nfs_config_file = "${local._tectonic_nfs_config_file}"
 no_proxy = "${var.tectonic_no_proxy}"
 ntp_servers = "${var.tectonic_ntp_servers}"
 proxy_exclusive_units = "${var.tectonic_proxy_exclusive_units}"
 tectonic_vanilla_k8s = "${var.tectonic_vanilla_k8s}"
+ use_metadata = "false"
 }

 module "master_nodes" {
From 45b7c611818f2de0f7ad368153f662ce810fbd1f Mon Sep 17 00:00:00 2001
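Review bot: The two added `cp /opt/tectonic/tls/etcd-*` lines run unconditionally, but the commit message says these assets exist only when tectonic_etcd_tls_enabled is true; with TLS disabled the glob stays unexpanded and `cp` fails, aborting the script if it runs under `set -e` (the shebang and options are outside the hunk). The copies also place etcd private key material into a second host directory without setting a mode, so the files get whatever permissions the generator left under /opt/tectonic/tls, loosened by the umask on the new directories. Guarding on the glob and installing the files root-only avoids both; confirm the components that read `/etc/kubernetes/secrets` and `/etc/kubernetes/bootstrap-secrets` run as root before tightening the mode.
```shell
# … unchanged: net-manifests block …
# etcd TLS assets exist only when tectonic_etcd_tls_enabled is true; copy
# them root-only so private keys are not exposed more widely than the source.
if ls /opt/tectonic/tls/etcd-* > /dev/null 2>&1; then
  for dir in /etc/kubernetes/bootstrap-secrets /etc/kubernetes/secrets; do
    mkdir -p "$dir"
    install -m 0600 /opt/tectonic/tls/etcd-* "$dir"
  done
fi
# … unchanged: docker run …
```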
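Review bot: `use_metadata = "false"` switches off the whole coreos-metadata integration for the masters, not just the service whose restart was failing, so anything else the ignition module derives from OpenStack metadata should be checked before merging; the module is not visible here, but hostname and SSH-key provisioning are the usual consumers, and the commit message itself only says etcd-member "doesn't look like" it uses metadata. The rationale should sit next to the setting so it is not reverted as a cleanup, e.g. `use_metadata = "false" # coreos-metadata does not restart cleanly on reboot and blocks etcd-member`. If a worker ignition module elsewhere in this file still passes `metadata_provider`, the two blocks now diverge and that should be deliberate.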
From: Levi Blackstone
Date: Fri, 16 Feb 2018 10:14:29 -0700
Subject: [PATCH 6/6] platforms/openstack/neutron/main.tf: Use DNS names for etcd endpoints

TLS certs for etcd are generated based on this variable. Previously, this was using the bare IP addresses rather than DNS names, which is less robust, and was causing TLS failures for external etcd.
---
 platforms/openstack/neutron/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/platforms/openstack/neutron/main.tf b/platforms/openstack/neutron/main.tf
index 3d968bc78a..404c7b9f08 100644
--- a/platforms/openstack/neutron/main.tf
+++ b/platforms/openstack/neutron/main.tf
@@ -89,7 +89,7 @@ module "bootkube" {
 etcd_backup_size = "${var.tectonic_etcd_backup_size}"
 etcd_backup_storage_class = "${var.tectonic_etcd_backup_storage_class}"

- etcd_endpoints = "${module.dns.etcd_a_nodes}"
+ etcd_endpoints = "${data.template_file.etcd_hostname_list.*.rendered}"
 self_hosted_etcd = "${var.tectonic_self_hosted_etcd}"

 master_count = "${var.tectonic_master_count}"
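Review bot: The new value references `data.template_file.etcd_hostname_list`, which is not defined in this hunk; if that data source does not already exist in the file the plan fails, and since the commit message says the etcd TLS certificates take their SANs from this list, the rendered names must match the A records `module.dns` creates exactly or the TLS failures return in another form. A comment on the line would pin that contract: `# etcd TLS certs use these names as SANs; keep in sync with the records created by module.dns`. The `module "bootkube"` block continues outside the hunk, and `module.dns.etcd_a_nodes` may now be unused.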