This repository has been archived by the owner on Jun 29, 2022. It is now read-only.

etcd systemd unit should wait for certificate files to become available #1066

Closed
invidian opened this issue Oct 12, 2020 · 7 comments · Fixed by #1518
Labels
area/ci Items related to CI area/stability Stability bug Something isn't working

Comments

@invidian
Member

Otherwise etcd starts right after booting and fails several times before we copy certificates over SSH, then it converges.

This produces logs like:

Oct 12 13:14:07 tink-controller-0 96c53009bb40[846]: 2020-10-12 13:14:07.754655 I | etcdmain: etcd Version: 3.4.13
Oct 12 13:14:07 tink-controller-0 96c53009bb40[846]: 2020-10-12 13:14:07.754682 I | etcdmain: Git SHA: ae9734ed2
Oct 12 13:14:07 tink-controller-0 96c53009bb40[846]: 2020-10-12 13:14:07.754692 I | etcdmain: Go Version: go1.12.17
Oct 12 13:14:07 tink-controller-0 96c53009bb40[846]: 2020-10-12 13:14:07.754967 I | etcdmain: Go OS/Arch: linux/amd64
Oct 12 13:14:07 tink-controller-0 96c53009bb40[846]: 2020-10-12 13:14:07.755005 I | etcdmain: setting maximum number of CPUs to 4, total number of available CPUs is 4
Oct 12 13:14:07 tink-controller-0 96c53009bb40[846]: [WARNING] Deprecated '--logger=capnslog' flag is set; use '--logger=zap' flag instead
Oct 12 13:14:07 tink-controller-0 96c53009bb40[846]: 2020-10-12 13:14:07.755325 I | embed: peerTLS: cert = /etc/ssl/etcd/etcd/peer.crt, key = /etc/ssl/etcd/etcd/peer.key, trusted-ca = /etc/ssl/etcd/etcd/peer-ca.crt, client-cert-auth = true>
Oct 12 13:14:07 tink-controller-0 96c53009bb40[846]: 2020-10-12 13:14:07.755756 C | etcdmain: open /etc/ssl/etcd/etcd/peer.crt: no such file or directory

And adds unnecessary noise to the system.

@invidian invidian added area/ci Items related to CI area/stability Stability bug Something isn't working labels Dec 2, 2020
@pothos
Member

pothos commented Jun 22, 2021

assets/terraform-modules/controller/templates/etcd.yaml.tmpl has this already added a day after this issue got created:

        ConditionPathExists=/etc/ssl/etcd/etcd/server-ca.crt
        ConditionPathExists=/etc/ssl/etcd/etcd/server.crt
        ConditionPathExists=/etc/ssl/etcd/etcd/server.key
        ConditionPathExists=/etc/ssl/etcd/etcd/peer-ca.crt
        ConditionPathExists=/etc/ssl/etcd/etcd/peer.crt
        ConditionPathExists=/etc/ssl/etcd/etcd/peer.key

It's just a matter of aligning the remaining platforms to use the common controller/worker modules.

@invidian
Member Author

It's just a matter of aligning the remaining platforms to use the common controller/worker modules.

I wouldn't say "just", but yeah 😄

@pothos
Member

pothos commented Jun 22, 2021

Ported the conditions over in #1511

@invidian
Member Author

invidian commented Jun 29, 2021

Hmm, it seems #1511 (f66d9f3) does not work as expected. See https://yard.lokomotive-k8s.net/builds/4690979 😞

@iaguis
Contributor

iaguis commented Jun 29, 2021

Those conditions weren't doing anything because they have to be specified in the [Unit] section.

@pothos
Member

pothos commented Jun 29, 2021

Good find^^ In assets/terraform-modules/controller/templates/etcd.yaml.tmpl they are also under [Service].

@iaguis
Contributor

iaguis commented Jun 29, 2021

I'll file a PR fixing them everywhere. I hope this doesn't break things 😅
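
The misplacement found in this thread (`ConditionPathExists=` under `[Service]` instead of `[Unit]`) can be caught before deployment with a small check. The following is an added example, not code from the Lokomotive repository; the function name and both sample units are constructed for illustration.

```python
import re

# Condition*/Assert* settings are only honoured in the [Unit] section.
UNIT_ONLY = re.compile(r"^(Condition|Assert)[A-Za-z]+$")
SECTION = re.compile(r"^\[([^\]]+)\]$")

def misplaced_conditions(unit_text):
    """Return (line_no, section, directive) for every Condition*/Assert*
    setting that appears outside [Unit], where it has no effect."""
    findings = []
    section = None
    for line_no, raw in enumerate(unit_text.splitlines(), start=1):
        line = raw.strip()  # tolerates units indented inside a YAML template
        if not line or line[0] in "#;":
            continue
        m = SECTION.match(line)
        if m:
            section = m.group(1)
            continue
        key, sep, _ = line.partition("=")
        if sep and UNIT_ONLY.match(key.strip()) and section != "Unit":
            findings.append((line_no, section, key.strip()))
    return findings

# Constructed sample units (not the project's actual template).
BROKEN = """\
[Unit]
Description=etcd (constructed sample)

[Service]
ConditionPathExists=/etc/ssl/etcd/etcd/peer.crt
ConditionPathExists=/etc/ssl/etcd/etcd/peer.key
ExecStart=/usr/bin/true
"""

FIXED = """\
[Unit]
Description=etcd (constructed sample)
ConditionPathExists=/etc/ssl/etcd/etcd/peer.crt
ConditionPathExists=/etc/ssl/etcd/etcd/peer.key

[Service]
ExecStart=/usr/bin/true
"""

if __name__ == "__main__":
    for line_no, section, key in misplaced_conditions(BROKEN):
        print(f"line {line_no}: {key}= in [{section}] has no effect")
```

Once the conditions are in `[Unit]`, a missing file causes systemd to skip that start attempt rather than wait for the file, so the unit still has to be started after the certificates have been copied.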
