kubernetes-retired / cluster-api-bootstrap-provider-kubeadm

LEGACY REPO. NEW CODE IS https://github.com/kubernetes-sigs/cluster-api/tree/master/bootstrap/kubeadm
Apache License 2.0

CA Secret causes cluster to stop provisioning #217

Closed chuckha closed 5 years ago

chuckha commented 5 years ago

/kind bug

Original author: @rbankston

What steps did you take and what happened: https://github.com/kubernetes-sigs/cluster-api-provider-vsphere/issues/557

Provisioned an external etcd cluster for use with a CAPV cluster and loaded the certificate authority key and certificate used for etcd in the namespace with the -ca secret with the same label. The controller fails to move on with the provisioning using the secret and instead outputs:

I0906 22:31:45.913692       1 kubeadmconfig_controller.go:557] reconciler "level"=0 "msg"="Creating secret for certificate"  "name"="external-ca"
E0906 22:31:45.918152       1 kubeadmconfig_controller.go:496] reconciler "msg"="unable to create cluster certificates" "error"="secrets \"external-ca\" already exists"
E0906 22:31:45.918244       1 kubeadmconfig_controller.go:218] reconciler "msg"="unable to lookup or create cluster certificates" "error"="secrets \"external-ca\" already exists" "kubeadmconfig"={"Namespace":"default","Name":"external-controlplane-0"} "machine-name"="external-controlplane-0"

What did you expect to happen: Expected the secret to be used to provision the cluster

Environment:

Cluster-api-provider-vsphere version: 0.5.0
Kubernetes version: (use kubectl version): 1.15.1
OS (e.g. from /etc/os-release): Ubuntu 18.04
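Added example, not code from this repository or from the controller in the log above: a self-contained Go sketch of the lookup-or-create step the reconciler fails in, showing a pre-provisioned `<cluster>-ca` secret being reused instead of tripping an "already exists" error. The Secret and SecretStore types, the `external` cluster name and the `tls.crt` data key are constructed stand-ins, not the controller's real client or API types.

```go
package main

import "errors"

// Stand-ins for the apiserver's NotFound / AlreadyExists status errors.
var ErrNotFound = errors.New("not found")
var ErrAlreadyExists = errors.New("already exists")

// Secret is a minimal constructed stand-in for a Kubernetes Secret, and
// SecretStore an in-memory stand-in for the controller's API client.
type Secret struct {
	Name string
	Data map[string][]byte
}
type SecretStore map[string]*Secret

func (s SecretStore) Get(name string) (*Secret, error) {
	if sec, ok := s[name]; ok {
		return sec, nil
	}
	return nil, ErrNotFound
}

func (s SecretStore) Create(sec *Secret) error {
	if _, ok := s[sec.Name]; ok {
		return ErrAlreadyExists
	}
	s[sec.Name] = sec
	return nil
}

// lookupOrCreateCA returns the "<cluster>-ca" secret: a user pre-provisioned one
// (the external etcd case in this issue) is reused, a new one is generated only
// when absent, and an AlreadyExists race is resolved by re-reading. Bool = generated.
func lookupOrCreateCA(store SecretStore, cluster string, generate func() map[string][]byte) (*Secret, bool, error) {
	name := cluster + "-ca"
	if sec, err := store.Get(name); err == nil {
		return sec, false, nil
	} else if !errors.Is(err, ErrNotFound) {
		return nil, false, err
	}
	sec := &Secret{Name: name, Data: generate()}
	if err := store.Create(sec); err != nil {
		if !errors.Is(err, ErrAlreadyExists) {
			return nil, false, err
		}
		existing, gerr := store.Get(name) // lost a create race: use the winner's object
		return existing, false, gerr
	}
	return sec, true, nil
}
```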

chuckha commented 5 years ago

/assign /lifecycle active

fabriziopandini commented 5 years ago

@chuckha @rbankston A question to better understand expectations for this use case. In the case of external etcd, kubeadm expects the user to provide a certificate for the API server to access the API server. Are we assuming:

1) the user should pass this certificate using another secret and then CABPK moves it to the cloud-init script
2) CABPK should take care of generating this certificate (if not provided by the user) and then CABPK moves it to the cloud-init script

or both?

rbankston commented 5 years ago

@fabriziopandini
1) I would expect CABPK to move the secret to the cloud-init script and bootstrap the node with that certificate.
2) If an external CA is in use but only the CA secret is set, use the provided CA to generate the rest of the certificates.