kubeadm: etcd certs missing in self-hosted deploy #61322
Comments
/area etcd
This bug was first introduced with #57415
For the record, discussed on slack in #sig-cluster-lifecycle and @liggitt summarizes as "It is very late in 1.10 cycle to be adding things into the milestone… I wouldn't expect anything on an alpha feature to make the cut unless it was breaking CI in a way that lost signal on other non-alpha features." So, not expecting this in 1.10, but should fix in subsequent point release.
/assign @stealthybox @detiber
@stealthybox @detiber close?
@timothysc this is still a valid bug -- we haven't put more cycles toward it.
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
still valid:
Closing here. (WRT) StoreCertsInSecrets: I have ideas on how to better approach this, to encrypt the secret on init and only give the shared secret on output of init. Also, self-hosting is going to remain as an unsupported feature due to the security implications around checkpointing certain data.
Is this a BUG REPORT or FEATURE REQUEST?:
/kind bug
What happened:
In #60385, certs for etcd get created but are not projected into the apiserver pod when StoreCertsInSecrets is set to true.
What you expected to happen:
The certs should be created as secrets when StoreCertsInSecrets is set to true, and then they should be projected in the apiserver.
How to reproduce it (as minimally and precisely as possible):
kubeadm init --feature-gates=SelfHosting=true,StoreCertsInSecrets=true
Anything else we need to know?:
Environment:
kubectl version:
uname -a:
/cc @stealthybox