bitnami / charts

Bitnami Helm Charts
https://bitnami.com

[bitnami/etcd] enable tls, livenessProbe is Unhealthy: remote error: tls: certificate required #29096

Open kevinadmin opened 2 weeks ago

kevinadmin commented 2 weeks ago

Name and Version

bitnami/etcd 10.2.13

What architecture are you using?

None

What steps will reproduce the bug?

  1. kubernetes 1.26+
  2. config with extraEnvVars:
    - name: "ETCDCTL_INSECURE_SKIP_TLS_VERIFY"
      value: "true"
  3. run with
    helm install bk-etcd bitnami/etcd \
    --namespace bk-test \
    --set replicaCount=3 \
    --set auth.rbac.create=false \
    --set auth.client.secureTransport=true \
    --set auth.client.enableAuthentication=false \
    --set auth.client.existingSecret=bk-etcd-certs \
    --set auth.client.certFilename=tls.crt  \
    --set auth.client.certKeyFilename=tls.key \
    --set auth.client.caFilename=ca.crt \
    --set persistence.enabled=true \
    --set persistence.size=12Gi \
    --set auth.peer.secureTransport=true \
    --set auth.peer.useAutoTLS=true \
    -f values.yaml 
  4. error with kubernetes describe:
    Warning Unhealthy 18m (x161 over 3h52m) kubelet Liveness probe failed: Get "https://9.165.224.119:2379/livez": remote error: tls: certificate required
    Warning Unhealthy 3m37s (x27 over 3h7m) kubelet (combined from similar events): Liveness probe failed: Get "https://9.165.224.119:2379/livez": write tcp 9.165.224.97:53675->9.165.224.119:2379: write: connection reset by peer

with log:

    {"level":"warn","ts":"2024-08-29T03:02:35.750697Z","caller":"embed/config_logging.go:170","msg":"rejected connection on client endpoint","remote-addr":"9.165.224.97:57780","server-name":"","error":"tls: client didn't provide a certificate"}

Are you using any custom parameters or values?

No response

What is the expected behavior?

No response

What do you see instead?

pod status is CrashLoopBackOff and running, always restarts

Additional information

No response

kevinadmin commented 2 weeks ago

I want to use httpHeaders with livenessProbe, but bitnami/etcd/templates/statefulset.yaml does not contain httpHeaders

      {{- if .Values.customLivenessProbe }}
      livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customLivenessProbe "context" $) | nindent 12 }}
      {{- else if .Values.livenessProbe.enabled }}
      livenessProbe:
        httpGet:
          port: {{ .Values.containerPorts.client }} 
          path: /livez
          scheme: {{ ternary "HTTPS" "HTTP" .Values.auth.client.secureTransport | quote }}
        initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
        periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
        timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
        successThreshold: {{ .Values.livenessProbe.successThreshold }}
        failureThreshold: {{ .Values.livenessProbe.failureThreshold }}
      {{- end }}

javsalgar commented 2 weeks ago

Hi!

Thank you so much for reporting. I will forward it to the team but as it is not a critical feature we cannot guarantee an ETA. If you want to speed up the process, would you like to submit a PR adding a livenessProbe.httpHeaders value?

Kai-Zhang commented 1 week ago

I encountered the same issue. I tried the solution mentioned in https://github.com/bitnami/charts/issues/27872#issuecomment-2225063036, and it worked well for me. It needs more settings but is still straightforward.