Add etcd-quorum-guard manifests and doc

[RobertKrawitz]

- What I did
Add etcd-quorum-guard manifests and documentation describing it.

- How to verify it
oc get pods -n kube-system | grep etcd-quorum-guard

- Description for the changelog
Add etcd-quorum-guard

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: RobertKrawitz
To fully approve this pull request, please assign additional approvers.
We suggest the following additional approver: cgwalters

If they are not already assigned, you can assign the PR to them by writing /assign @cgwalters in a comment when ready.

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[RobertKrawitz]

/cc @derekwaynecarr @sjenning

[rphillips]

I suspect the pkg/operator/sync.go needs an update to include the deployment.

perhaps @kikisdeliveryservice or @runcom can confirm.

[abhinavdahiya]

I think it should be possible to teach mco to scale up / decide the replica count based on number of master node.

[RobertKrawitz]

Agreed beyond 4.1; for 4.1, it has been decided to only support 3 masters.

[abhinavdahiya]

This must be plumbed through release image.

[runcom]

"{{.Images.etcdQuorumGuardImage}}"

[RobertKrawitz]

Done.

[abhinavdahiya]

/cc @hexfusion
please use the metrics client certs that were created to connect to etcd

[RobertKrawitz]

Where are those certs located?

[hexfusion]

You could get crt/key with something like

oc -n openshift-config get secrets etcd-metric-client -o yaml 

ca

oc get configmap -n openshift-config etcd-metric-serving-ca -o yaml

[hexfusion]

you can use etcd proxy for /health with these certs. port 9979 vs 2379

[RobertKrawitz]

I can do that inside the pod?

[RobertKrawitz]

I agree with the rationale; my question is how to get the appropriate cert.

[hexfusion]

working on this now

[hexfusion]

#623

[RobertKrawitz]

Note that the etcd-quorum-guard proper does not have any Go code in it; it's simply (right now) a static deployment and disruption budget, with the lone pod being a trivial script.

[hexfusion]

with #623 you should be able to mount the resources and then consume in your bash as local files. Something like.

        volumeMounts:
          - mountPath: "/etc/ssl/certs/etcd"
            name: etcd-metric-client
            readOnly: true
      volumes:
        - name: etcd-metric-client
          secret:
            secretName: etcd-metric-client

[runcom]

I suspect the pkg/operator/sync.go needs an update to include the deployment.

perhaps @kikisdeliveryservice or @runcom can confirm.

yeah, if we're now watching this manifest, we need to sync it up as well

[runcom]

we do have this initialization in e2e, you can reuse

[RobertKrawitz]

Yup.

[kikisdeliveryservice]

@RobertKrawitz added some comments, also could you ensure that your final commits have a brief i sentence "why" summary in the body.

Thank you for adding the doc!!

[RobertKrawitz]

@RobertKrawitz added some comments, also could you ensure that your final commits have a brief i sentence "why" summary in the body.

Thank you for adding the doc!!

Yup.

[kikisdeliveryservice]

talking to @hexfusion , #623 needs to merge before this one, so adding a hold label to make sure they go in correctly.

/hold

[RobertKrawitz]

xref openshift/installer#1597

[runcom]

should this sync also wait for the deployment to correctly roll out? (see waitForDeploymentRollout)

[RobertKrawitz]

Yes. Done.

[runcom]

Ok, this has the usual chicken and egg issue when adding something to bootkube (and a new image).

Abhinav summarized what needs to happen (generally) when adding a new image here: #538 (comment) You can follow that (and should be pretty straightforward, you also already have the installer PR up)

Other than that, by looking at past PR, e.g. adding infraImage, the flow has been like this:

• create the main PR Pick image from release payload for crio.conf pause_image #471
• create the installer PR Add infra-image to MCO bootstrap installer#1292
• in order to merge the installer PR above, we needed this (it's a group of PRs cause we missed some changes):
  • Add infra-image flag to bootstrap.go as no-op #494
  • Add pod image to image-references #500
  • install: Fix reference to pod image #508
• You can see the above as just one change (besides having been 3 PRs for us that time)
• The above (3 PRs) unblock merge on the installer PR, so we merged that
• Installer PR unblock merge of the main PR Pick image from release payload for crio.conf pause_image #471
• Then we just needed to cleanup with bootstrap: Final switch to CVO pod image #518

I hope the above is clear enough (let me know otherwise)

[RobertKrawitz]

@runcom so to be clear, I need a mini PR against the MCO, the installer PR, @hexfusion's PR so I can get the correct cert, this PR, and finally an aditional installer PR for cleanup (five PRs all told)?

[hexfusion]

etcd-metric-serving-ca is a ConfigMap vs Secret

https://github.com/openshift/machine-config-operator/blob/f4d79247db439ae08e2f5e17cf0347c94998e94d/pkg/operator/sync.go#L375-L378

[RobertKrawitz]

/retest

[cgwalters]

The reason it's in kube-system currently is that it needs to mount the host filesystem.

We also have the MCD which is privileged and mounts the host in the openshift-machine-config namespace.

That may not be needed when #623 goes in, but it does need to be able to hit the network etcd listens on,

etcd is just hostNetwork: true right? I don't think the kube namespace affects hostnetwork pods.

[RobertKrawitz]

/retest

[RobertKrawitz]

/retest

[RobertKrawitz]

/retest

[runcom]

This times out in e2e-aws-op meaning that you (for now) just need to raise the test timeout to 70minutes let's say, you can do that here https://github.com/openshift/machine-config-operator/blob/master/Makefile#L101

[RobertKrawitz]

First experiment will be to see whether it behaves differently done the original way.

[RobertKrawitz]

/retest

[RobertKrawitz]

Switching back to using the etcd-quorum-guard standalone, so this is now moot.

[runcom]

Wut