This might be rather unimportant, especially if single-node deployments are not meant to be durable at all, but I think fixing it is easy, and it'd help with developing things for/on a local node. (Especially with a containerized hyperkube, which is very easy to "turn up".)
If my assessment is correct, the problem is that killing all docker containers and then restarting the kubelet container basically results in a re-run of master.json, which means starting docker containers for k8s-master. And generating new certs. Which is a race condition. Usually the apiserver picks up the old cert, but then pods that should be running are started and they get the new cert.
Or if there are pods in /var/lib/kubelet, kubelet starts them too (though my understanding of these parts of k8s is rather fuzzy), and they get their already existing ca.crt, but then new pods get a new one.
It seems simple enough to check if there are already files (token CSV and certs) in /data, and skip generating them if they are there.
Thanks for considering!
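One way to implement the check the reporter proposes, as an added example that is not the project's setup script: a POSIX shell bootstrap that reuses a complete credential set in the data directory, generates one only from a clean slate, and refuses to start on a partial set (the state that produces the cert mismatch described above). The file names, the CA and server CNs, the validity period and the admin token line are assumptions.

```shell
#!/bin/sh
# Hypothetical idempotent credential bootstrap for a single-node master.
# Assumed layout: the data dir holds ca.crt, ca.key, server.cert, server.key
# and known_tokens.csv. openssl is only needed on the generation path.
set -e

CRED_FILES="ca.crt ca.key server.cert server.key known_tokens.csv"

# Classify the data dir: 0 = complete set, 1 = nothing there, 2 = partial.
cred_state() {
    cs_present=0; cs_total=0
    for cs_f in $CRED_FILES; do
        cs_total=$((cs_total + 1))
        [ -s "$1/$cs_f" ] && cs_present=$((cs_present + 1))
    done
    [ "$cs_present" -eq "$cs_total" ] && return 0
    [ "$cs_present" -eq 0 ] && return 1
    return 2
}

# Generate a self-signed CA, a server cert signed by it, and one admin token.
generate_creds() {
    gc_dir="$1"; gc_cn="$2"
    (
        umask 077   # private keys and the token file must not be world-readable
        openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=kube-ca" \
            -keyout "$gc_dir/ca.key" -out "$gc_dir/ca.crt" 2>/dev/null
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$gc_cn" \
            -keyout "$gc_dir/server.key" -out "$gc_dir/server.csr" 2>/dev/null
        openssl x509 -req -days 365 -in "$gc_dir/server.csr" -CA "$gc_dir/ca.crt" \
            -CAkey "$gc_dir/ca.key" -CAcreateserial -out "$gc_dir/server.cert" 2>/dev/null
        rm -f "$gc_dir/server.csr" "$gc_dir/ca.srl"
        gc_token=$(head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n')
        printf '%s,admin,admin\n' "$gc_token" > "$gc_dir/known_tokens.csv"
    )
}

# Reuse a complete set, create one only from a clean slate, never mix the two.
ensure_creds() {
    ec_dir="$1"; ec_cn="${2:-localhost}"
    mkdir -p "$ec_dir"
    ec_state=0; cred_state "$ec_dir" || ec_state=$?
    case "$ec_state" in
        0) echo "reusing existing credentials in $ec_dir" ;;
        1) generate_creds "$ec_dir" "$ec_cn"; echo "generated credentials in $ec_dir" ;;
        *) echo "refusing to start: $ec_dir holds a partial credential set" >&2; return 2 ;;
    esac
}
if [ "$#" -gt 0 ]; then ensure_creds "$@"; fi
```

Run it as `ensure_creds.sh /data [server-cn]` from the container entrypoint before the master manifest is applied; a restart then sees the complete set and leaves it untouched.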
Came across this now, and we've discussed it in other issues.
This is fixed with #23550, and is in the latest v1.2 release.
Thanks for reporting though.