[BUG] Task 'Join to Kubernetes cluster' may fail when Ansible vault already exists #1175

Closed
8 of 10 tasks
to-bar opened this issue Apr 21, 2020 · 3 comments

Comments

@to-bar
Contributor

to-bar commented Apr 21, 2020

Describe the bug
Task 'Join to Kubernetes cluster' may fail when Ansible vault already exists.

How to reproduce
Repro steps:

  1. Create cluster (build directory: offline-rhel-1)
  2. Run kubeadm reset on master or restore VM with master
  3. Run kubernetes_master playbook: ansible-playbook -i /workspaces/epiphany/core/src/epicli/clusters/build/offline-rhel-1/inventory --vault-password-file /home/vscode/.epicli/vault.cfg /workspaces/epiphany/core/src/epicli/clusters/build/offline-rhel-1/ansible/kubernetes_master.yml
  4. Run kubernetes_node playbook

Analysis:

[root@vm2 ~]# cat /etc/kubeadm/kubeadm-join-node.yml
apiVersion: kubeadm.k8s.io/v1beta2
kind: JoinConfiguration
discovery:
  bootstrapToken:
    apiServerEndpoint: 192.168.10.11:6443
    token: ev00qa.ow2vxl8aroii1vb6
    caCertHashes:
    - sha256:503e9331e74bbdf9f270f986c3ca97e46dc493380ec13d5630d6688daf4d0918
nodeRegistration:
  kubeletExtraArgs:
    enable-controller-attach-detach: "false"
    node-labels: node-type=epiphany

[root@vm2 ~]# kubeadm join --token=ev00qa.ow2vxl8aroii1vb6 --discovery-token-ca-cert-hash sha256:503e9331e74bbdf9f270f986c3ca97e46dc493380ec13d5630d6688daf4d0918 --v=9 192.168.10.11:6443

[...]

I0417 20:04:40.095847   12359 token.go:191] [discovery] Failed to connect to API Server "192.168.10.11:6443": cluster CA found in cluster-info configmap is invalid: none of the public keys "sha256:f461f70f03163054e12db5b991c7bc25a97ac0060ce304c9211b85b274a0d689" are pinned

Hash of /etc/kubernetes/pki/ca.crt after kubeadm init:
f461f70f03163054e12db5b991c7bc25a97ac0060ce304c9211b85b274a0d689

Hash of /etc/kubernetes/pki/ca.crt after running tasks from copy-kubernetes-pki.yml:
503e9331e74bbdf9f270f986c3ca97e46dc493380ec13d5630d6688daf4d0918

vscode@580e9522a24d:/workspaces/epiphany/core/src/epicli$ date
Tue Apr 21 09:31:09 UTC 2020
vscode@580e9522a24d:/workspaces/epiphany/core/src/epicli$ date -r /workspaces/epiphany/core/src/epicli/clusters/build/offline-rhel-1/vault/kubernetes-pki.yml
Tue Apr  7 17:15:09 UTC 2020

Expected behavior
Task 'Join to Kubernetes cluster' should join cluster without any problems when Ansible vault already exists.

Environment
All

Additional context
#2669


DoD checklist

  • Changelog updated (if affected version was released)
  • COMPONENTS.md updated / doesn't need to be updated
  • Automated tests passed (QA pipelines)
    • apply
    • upgrade
  • Case covered by automated test (if possible)
  • Idempotency tested
  • Documentation updated / doesn't need to be updated
  • All conversations in PR resolved
  • Backport tasks created / doesn't need to be backported
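The analysis above shows a join configuration whose caCertHashes entry no longer matches the CA that the master regenerated after kubeadm reset. The script below is added here and is not part of the issue or of Epiphany: it computes the value kubeadm pins (SHA-256 over the DER-encoded SubjectPublicKeyInfo of the CA certificate) with only the Python standard library, and checks it against a list of pinned hashes, so a stale pin can be detected on a node before kubeadm join is attempted. The certificate built by build_sample_cert is constructed test data, not a real CA, and all function names are my own.

```python
"""Added example (not from the issue or Epiphany): recompute the CA hash that
kubeadm pins (caCertHashes / --discovery-token-ca-cert-hash) and compare it
with the pins in a join config.  Standard library only: a minimal DER walker
extracts the SubjectPublicKeyInfo from an X.509 certificate."""
import base64
import hashlib
import re


def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (tag, length, value); used to build the sample cert."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:  # long form: 0x80 | number of length bytes, then the length itself
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) of the TLV that starts at buf[pos]."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    return tag, start, start + length


def _children(buf: bytes, start: int, end: int):
    """Yield (tag, raw_tlv_bytes) for each element inside a constructed TLV."""
    pos = start
    while pos < end:
        tag, _, vend = _read_tlv(buf, pos)
        yield tag, buf[pos:vend]
        pos = vend


def spki_from_cert_der(cert_der: bytes) -> bytes:
    """Extract the DER SubjectPublicKeyInfo from an X.509 certificate.

    Certificate    ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, start, end = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tbs_tag, tbs = next(_children(cert_der, start, end))
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate missing")
    _, tstart, tend = _read_tlv(tbs, 0)
    fields = list(_children(tbs, tstart, tend))
    if fields and fields[0][0] == 0xA0:  # skip the optional explicit [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    if len(fields) < 6 or fields[5][0] != 0x30:
        raise ValueError("subjectPublicKeyInfo not found")
    return fields[5][1]


def kubeadm_ca_hash(cert_pem: str) -> str:
    """Return 'sha256:<hex>' as written in caCertHashes: SHA-256 over the DER SPKI."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", cert_pem, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    der = base64.b64decode("".join(m.group(1).split()))
    return "sha256:" + hashlib.sha256(spki_from_cert_der(der)).hexdigest()


def pin_matches(cert_pem: str, pinned_hashes) -> bool:
    """True if the CA's current hash is among the hashes pinned in the join config."""
    return kubeadm_ca_hash(cert_pem) in set(pinned_hashes)


def build_sample_cert(public_key: bytes = bytes(range(256))) -> "tuple[str, str]":
    """Constructed test data (not a real CA): a structurally valid X.509 DER
    certificate around the given key bytes.  Returns (PEM, expected hash)."""
    rsa_oid = der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")      # rsaEncryption
    sha256_rsa_oid = der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")  # sha256WithRSA
    spki = der_tlv(0x30, der_tlv(0x30, rsa_oid + der_tlv(0x05, b""))
                   + der_tlv(0x03, b"\x00" + public_key))                 # BIT STRING, 0 unused bits
    tbs = der_tlv(0x30,
                  der_tlv(0xA0, der_tlv(0x02, b"\x02"))                    # version v3
                  + der_tlv(0x02, b"\x01")                                 # serialNumber
                  + der_tlv(0x30, sha256_rsa_oid)                          # signature algorithm
                  + der_tlv(0x30, b"")                                     # issuer (empty)
                  + der_tlv(0x30, der_tlv(0x17, b"200101000000Z")
                            + der_tlv(0x17, b"300101000000Z"))             # validity
                  + der_tlv(0x30, b"")                                     # subject (empty)
                  + spki)
    cert = der_tlv(0x30, tbs + der_tlv(0x30, sha256_rsa_oid) + der_tlv(0x03, b"\x00\xaa"))
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    pem = f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
    return pem, "sha256:" + hashlib.sha256(spki).hexdigest()


if __name__ == "__main__":
    pem, current = build_sample_cert()
    # The stale pin is the caCertHashes value from the join config in this issue.
    stale_pin = "sha256:503e9331e74bbdf9f270f986c3ca97e46dc493380ec13d5630d6688daf4d0918"
    print("computed:", kubeadm_ca_hash(pem))
    print("matches stale pin:", pin_matches(pem, [stale_pin]))
    print("matches current CA:", pin_matches(pem, [current]))
```

On a master with OpenSSL installed, the same value is produced by the command from the kubeadm documentation, `openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'`; running the script on the real ca.crt and comparing with the caCertHashes entry in /etc/kubeadm/kubeadm-join-node.yml before joining turns the late "none of the public keys ... are pinned" failure into an early, explicit check.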
@to-bar to-bar changed the title Task 'Join to Kubernetes cluster' fails on-prem when Ansible vault already exists Task 'Join to Kubernetes cluster' may fail when Ansible vault already exists Apr 21, 2020
@mkyc
Contributor

mkyc commented Dec 3, 2021

@przemyslavic please also check it as well.

@przemyslavic
Collaborator

przemyslavic commented Dec 8, 2021

Seems to be related to #2669.
New PKI from the master node is probably not copied to Epiphany's vault due to this condition:

when: not stat_kubernetes_pki.stat.exists

Certificates should be copied if the checksum does not match.
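The two guards side by side, as an added example that is not Epiphany's own copy-kubernetes-pki.yml: the existence check quoted above, which skips the export forever once the vault file exists, and a checksum-based check that exports again whenever the master's ca.crt differs from the one recorded at the last export. The variable vault_dir, the sidecar file kubernetes-pki.sha256 and the use of include_tasks are assumptions; only the path /etc/kubernetes/pki/ca.crt, the vault file name and the when condition come from the thread.

```yaml
# Added example, not Epiphany's playbook. Paths, vault_dir and the sidecar
# checksum file are assumptions; the 'when' on the first export is the one
# quoted in the thread.

# Existence-based guard: after the first run the vault file exists, so a CA
# regenerated by 'kubeadm reset' + 'kubeadm init' is never exported again.
- name: Check whether PKI was already exported to the vault
  ansible.builtin.stat:
    path: "{{ vault_dir }}/kubernetes-pki.yml"
  register: stat_kubernetes_pki
  delegate_to: localhost

- name: Export PKI from master to vault (only on the first run)
  ansible.builtin.include_tasks: copy-kubernetes-pki.yml   # assumed include
  when: not stat_kubernetes_pki.stat.exists

# Checksum-based guard: compare the master's current CA with the checksum
# recorded when the vault was last written, and export on any mismatch.
- name: Get SHA-256 of the master's current CA certificate
  ansible.builtin.stat:
    path: /etc/kubernetes/pki/ca.crt
    checksum_algorithm: sha256
  register: stat_ca_crt

- name: Read checksum recorded at the last export (assumed sidecar file)
  ansible.builtin.slurp:
    src: "{{ vault_dir }}/kubernetes-pki.sha256"
  register: recorded_ca_checksum
  delegate_to: localhost
  failed_when: false   # no sidecar yet means 'never exported'

- name: Decide whether the vault content is missing or stale
  ansible.builtin.set_fact:
    pki_export_needed: >-
      {{ recorded_ca_checksum.content is not defined
         or (recorded_ca_checksum.content | b64decode | trim) != stat_ca_crt.stat.checksum }}

- name: Export PKI from master to vault when missing or stale
  ansible.builtin.include_tasks: copy-kubernetes-pki.yml   # assumed include
  when: pki_export_needed | bool

- name: Record checksum of the CA that was just exported
  ansible.builtin.copy:
    content: "{{ stat_ca_crt.stat.checksum }}\n"
    dest: "{{ vault_dir }}/kubernetes-pki.sha256"
  delegate_to: localhost
  when: pki_export_needed | bool
```

With the second guard the run stays idempotent (nothing is rewritten while ca.crt is unchanged) but a master whose PKI was regenerated refreshes the vault, so the node's kubeadm-join-node.yml is rendered with the current caCertHashes instead of the hash of the old CA.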

@przemyslavic przemyslavic removed their assignment Dec 8, 2021
@erzetpe erzetpe changed the title Task 'Join to Kubernetes cluster' may fail when Ansible vault already exists [BUG] Task 'Join to Kubernetes cluster' may fail when Ansible vault already exists Dec 9, 2021
@cicharka cicharka assigned cicharka and unassigned cicharka Dec 10, 2021
@atsikham atsikham self-assigned this Dec 20, 2021
@przemyslavic przemyslavic self-assigned this Dec 29, 2021
@przemyslavic
Collaborator

Commented on a PR #2805.

@seriva seriva closed this as completed Jan 3, 2022