*: use HTTPS when serving Ignition configs #3294
Conversation
|
Can one of the admins verify this patch? |
|
retest this please |
|
retest this please. |
| kube_ca_key_pem = "${local.kube_ca_key_pem}" | ||
| kubelet_cert_pem = "${local.kubelet_cert_pem}" | ||
| kubelet_key_pem = "${local.kubelet_key_pem}" | ||
| tnc_cert_pem = "${local.tnc_cert_pem}" |
There was a problem hiding this comment.
where are these locals being defined?
| } | ||
| u = func() *url.URL { | ||
| return &url.URL{ | ||
| Scheme: "https", |
There was a problem hiding this comment.
this won't work for the bootstrap node request resolved to s3 as the tls aws certs does not know about this domain
There was a problem hiding this comment.
Christ, we need to kill off this S3-pivot insanity.
|
The masters are still trying to use HTTPS to fetch the config. I have no idea why. This works on my local system. |
| // XXX: The bootstrap node on AWS uses a CNAME to redirect TNC-bound | ||
| // traffic to S3. Because of this, HTTPS cannot be used. | ||
| scheme := "https" | ||
| if c.Platform == "AWS" && role == "master" { |
There was a problem hiding this comment.
There was a problem hiding this comment.
Also calling I think it's advised to c.Platform.String()
| i=$((i+1)) | ||
| [ $i -eq 10 ] && echo "etcdctl failed too many times." && exit 1 | ||
|
|
||
| echo "etcdctl failed. Retrying in 5 seconds..." |
There was a problem hiding this comment.
Doesn't etcdctl endpoint health have its own retry logic?
cc @gyuho
There was a problem hiding this comment.
I observed it failing to retry.
There was a problem hiding this comment.
The retry logic would depend on the error types. Since endpoint health is just a simple get request, it's safe to retry here.
For some reason, bcrypt and blowfish were left around the last time glide was run.
This version implements the v2.2.0 config spec, which is needed in order to customize the certificate authorities. There were a number of code changes that needed to be made as well due to the change in types.
Instead of comparing against strings, this should use the platform constants.
This injects the root certificate authority into the stub configs and switches the TNC URL to HTTPS.
The new TNCO now uses HTTPS after bootstrap.
When this secret was created by tectonic.service, there was a race condition triggered when TNCO created TNC too quickly. tectonic.sh would get stuck waiting for all pods to get to the Running state because TNC would never leave the ContainerCreating state. TNC needed the TLS assets in order to complete, but those aren't created by tectonic.sh until after all of the pods are running. This moves the secret creation earlier in the process to avoid the race.
The call to etcdctl sometimes fails with a TCP error. Retry this operation a few times before giving up.
|
retest this please |
3 similar comments
|
retest this please |
|
retest this please |
|
retest this please |
Catching up with c71394d (vendor: bump Ignition to v0.26.0, 2018-06-14, coreos/tectonic-installer#3294). It would be nice if we could prune the vendored Go for older ignition config versions, but they're currently chained for translation: $ git grep coreos/ignition/config/v2_1 | grep '/v2_2/.*.go:' vendor/github.com/coreos/ignition/config/v2_2/config.go: "github.com/coreos/ignition/config/v2_1" vendor/github.com/coreos/ignition/config/v2_2/translate.go: v2_1 "github.com/coreos/ignition/config/v2_1/types" I've filed [1] to ask for that. [1]: coreos/ignition#602
5 participants
No description provided.