Open loictro opened 7 months ago
The Kubernetes project currently lacks enough contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
lifecycle/stale is applied
lifecycle/stale was applied, lifecycle/rotten is applied
lifecycle/rotten was applied, the issue is closed
You can:
/remove-lifecycle stale
/close
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
/lifecycle rotten
/remove-lifecycle rotten
@loictro can you try:
until kubectl --kubeconfig=/etc/kubernetes/admin.conf -n kube-system get cm kubeadm-config &>/dev/null; do sleep 1; done
/lifecycle stale
What happened?
The control plane certificate auto renewal is enabled by setting the following variables in k8s_cluster.yml file
The certificate is not renewed because the script k8s-certs-renew.sh in charge of this renewal never ends on Flatcar:
The command on line 20 does not end because Bash available on Flatcar is not compiled with the --enable-net-redirections flag.
Thus the command printf "" >>/dev/tcp/127.0.0.1/6443 failed and output:
bash: /dev/tcp/127.0.0.1/6443: No such file or directory
As the renewal is triggered by systemd timer, the next renewal triggering never occurs because the script is still running.
What did you expect to happen?
The control plane certificates are auto renewed on Flatcar Container Linux OS.
How can we reproduce it (as minimally and precisely as possible)?
On Flatcar OS, on a control plane node run the script /opt/bin/k8s-certs-renew.sh, the script does not end.
OS
Linux 5.15.148-flatcar x86_64
NAME="Flatcar Container Linux by Kinvolk"
ID=flatcar
ID_LIKE=coreos
VERSION=3510.3.2
VERSION_ID=3510.3.2
BUILD_ID=2024-02-12-1836
SYSEXT_LEVEL=1.0
PRETTY_NAME="Flatcar Container Linux by Kinvolk 3510.3.2 (LTS 2023)"
ANSI_COLOR="38;5;75"
HOME_URL="https://flatcar.org/"
BUG_REPORT_URL="https://issues.flatcar.org"
FLATCAR_BOARD="amd64-usr"
CPE_NAME="cpe:2.3:o:flatcar-linux:flatcar_linux:3510.3.2:::::::*"
Version of Ansible
ansible-playbook [core 2.14.2]
  config file = ansible.cfg
  ansible python module location = /venv_ansible/lib/python3.11/site-packages/ansible
  ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
  executable location = /venv_ansible/bin/ansible-playbook
  python version = 3.11.1 (main, Jan 23 2023, 22:01:48) [GCC 12.2.1 20220924] (/venv_ansible/bin/python3)
  jinja version = 3.1.2
  libyaml = False
Version of Python
Python 3.11.1
Version of Kubespray (commit)
07e19e546
Network plugin used
calico
Full inventory with variables
N/A
Command used to invoke ansible
N/A
Output of ansible run
N/A
Anything else we need to know
A suggestion to fix the script on Flatcar can be to use the netcat command instead of bash net redirection to test the API port, the tool is available on Flatcar Container Linux.
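The netcat-based port check suggested above, with a deadline so a failing probe cannot keep the systemd timer blocked; this is an added example, not code from the issue or from Kubespray's k8s-certs-renew.sh. The function names probe_port and wait_for_port are hypothetical, and it assumes an nc build that accepts -z and -w.

```shell
#!/bin/sh
# Added example, not Kubespray's script: bounded wait for a TCP port.
# probe_port and wait_for_port are hypothetical helper names.

# One connection attempt. Prefers netcat, as suggested in the issue, and
# uses the /dev/tcp redirection only when nc is not installed.
probe_port() {
    host=$1 port=$2
    if command -v nc >/dev/null 2>&1; then
        # Assumption: this nc supports -z (connect only) and -w (timeout).
        nc -z -w 1 "$host" "$port" >/dev/null 2>&1
    else
        # Run in a subshell: on a shell built without net redirections the
        # redirect fails with "No such file or directory", which must count
        # as one failed attempt and not abort the caller.
        ( : >"/dev/tcp/$host/$port" ) 2>/dev/null
    fi
}

# wait_for_port HOST PORT [TRIES]
# Returns 0 once the port accepts a connection, 1 when all tries are used
# up (about one second apart), 2 on non-numeric PORT or TRIES.
wait_for_port() {
    host=$1 port=$2 tries=${3:-60}
    for n in "$port" "$tries"; do
        case "$n" in
            ''|*[!0-9]*) return 2 ;;
        esac
    done
    while [ "$tries" -gt 0 ]; do
        probe_port "$host" "$port" && return 0
        tries=$((tries - 1))
        [ "$tries" -gt 0 ] && sleep 1
    done
    return 1
}

# Usage inside a renewal script (exit non-zero so the next timer run retries):
#   wait_for_port 127.0.0.1 6443 120 || exit 1
```

Because the loop is bounded, a probe that can never succeed ends the script with a non-zero status and the next timer activation still fires.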