Last master's IP is not added to kubernetes SSL keys #4120
Description
Is this a BUG REPORT or FEATURE REQUEST? (choose one):
It's a bug report.
In short, I'm trying to install a new kubernetes v.1.12.5 cluster using kubespray v2.8.2. What I see is a timeout when it's trying to use kubeadm to initialize the last master in the kubeadm | Init other uninitialized masters stage.
The timeout seems to be caused by the last master's IP not being present in the SSL keys, since every control plane component is logging ... x509: certificate is valid for master-1-ip, master-2-ip, master-x-ip, but not master-last.
I tried taking out the last master node from hosts.ini and it started to fail on the new last master. It seems like the counter is broken somewhere and it's not adding the last host to SSL keys. Could be another reason, I'm not sure.
I've tried it on different sets of hosts and also tried both Ansible 2.7.1 and 2.7.6. It's failing with the same issue - last master's IP is not added to SSL certs. I've also tried restarting kubelet on that last master, it didn't help.
Environment:
- Cloud provider or hardware configuration:
Bare metal cluster.
- OS:
OracleLinux7.
- Version of Ansible (ansible --version):
2.7.6
Kubespray version (commit) (git rev-parse --short HEAD):
tag 2.8.2
Network plugin used:
Calico
Copy of your inventory file:
[all]
host1 ansible_host=host1.mydomain etcd_member_name=etcd1
host2 ansible_host=host2.mydomain etcd_member_name=etcd2
host3 ansible_host=host3.mydomain etcd_member_name=etcd3
mybastion ansible_host=bastion.mydomain
[kube-master]
host1
host2
host3
[etcd]
host1
host2
host3
[kube-node]
host1
host2
host3
[k8s-cluster:children]
kube-master
kube-node
[bastion]
mybastion
Command used to invoke ansible:
ansible-playbook -i inventory/mycluster/hosts.ini --become --become-user=root -vvvv cluster.yml
Output of ansible run:
- Ansible: https://gist.github.com/iroller/ffb30d317d7bf8d3a6894bc7b2c62371
- Kubelet:
t_node_status.go:92] Unable to register node "node3" with API server: Post https://10.10.1.22:6443/api/v1/nodes: x509: certificate is valid for 172.31.0.1, 10.10.1.20, 10.10.1.21, not 10.10.1.22
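The following is an added example, not part of the original report or of kubespray: a small triage script that extracts the SAN list from x509 mismatch lines like the kubelet one above and reports which expected master addresses the certificate lacks. The `EXPECTED_MASTERS` list is an assumption (only 10.10.1.22 is confirmed by the report), and the second sample log line is constructed.

```python
import re

# Wording Go's crypto/x509 uses when the dialed address is not among the
# certificate's SANs (the form seen in the kubelet line in the report).
SAN_ERR = re.compile(r"x509: certificate is valid for (?P<valid>.+?), not (?P<host>\S+)")


def parse_san_error(line):
    """Return (sans_listed_in_cert, rejected_address), or None if no SAN error."""
    m = SAN_ERR.search(line)
    if m is None:
        return None
    sans = [s.strip() for s in m.group("valid").split(",") if s.strip()]
    return sans, m.group("host").rstrip(".,;")


def audit(log_lines, expected_masters):
    """For each distinct SAN error, list the expected masters the cert lacks."""
    findings = []
    for line in log_lines:
        parsed = parse_san_error(line)
        if parsed is None:
            continue
        sans, rejected = parsed
        missing = [ip for ip in expected_masters if ip not in sans]
        if (rejected, missing) not in findings:
            findings.append((rejected, missing))
    return findings


# Assumption: the three masters are 10.10.1.20-22 (only .22 is confirmed by the report).
EXPECTED_MASTERS = ["10.10.1.20", "10.10.1.21", "10.10.1.22"]

SAMPLE_LOG = [
    # Kubelet line quoted in the report.
    't_node_status.go:92] Unable to register node "node3" with API server: '
    "Post https://10.10.1.22:6443/api/v1/nodes: x509: certificate is valid for "
    "172.31.0.1, 10.10.1.20, 10.10.1.21, not 10.10.1.22",
    # Constructed line without a certificate error, to show it is skipped.
    "kubelet.go:2236] node \"node3\" not found",
]

if __name__ == "__main__":
    for rejected, missing in audit(SAMPLE_LOG, EXPECTED_MASTERS):
        print(f"rejected={rejected} missing_from_cert={missing}")
```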