From 0202f71f017aa8183644c819431ef79c26c37236 Mon Sep 17 00:00:00 2001 From: Dan Mace Date: Fri, 31 Jul 2020 14:35:12 -0400 Subject: [PATCH] Clean up bootstrap member cert references Adjusts the bootstrap member pod's certificate references to use the bootkube render output paths now that the installer has been updated to put the rendered output in the expected locations. Remove deprecated metrics CA flag. --- .../bootstrap-manifests/etcd-member-pod.yaml | 13 +++---------- pkg/cmd/render/render.go | 5 +---- 2 files changed, 4 insertions(+), 14 deletions(-) diff --git a/bindata/bootkube/bootstrap-manifests/etcd-member-pod.yaml b/bindata/bootkube/bootstrap-manifests/etcd-member-pod.yaml index 9d139b098d..3a3299fc9d 100644 --- a/bindata/bootkube/bootstrap-manifests/etcd-member-pod.yaml +++ b/bindata/bootkube/bootstrap-manifests/etcd-member-pod.yaml @@ -20,11 +20,11 @@ spec: --initial-advertise-peer-urls=https://{{ .EtcdAddress.EscapedBootstrapIP }}:2380 \ --cert-file=/etc/ssl/etcd/etcd-all-serving/etcd-serving-{{ .Hostname }}.crt \ --key-file=/etc/ssl/etcd/etcd-all-serving/etcd-serving-{{ .Hostname }}.key \ - --trusted-ca-file=/etc/openshift-tls/etcd-ca-bundle.crt \ + --trusted-ca-file=/etc/ssl/etcd/ca.crt \ --client-cert-auth=true \ --peer-cert-file=/etc/ssl/etcd/etcd-all-peer/etcd-peer-{{ .Hostname }}.crt \ --peer-key-file=/etc/ssl/etcd/etcd-all-peer/etcd-peer-{{ .Hostname }}.key \ - --peer-trusted-ca-file=/etc/openshift-tls/etcd-ca-bundle.crt \ + --peer-trusted-ca-file=/etc/ssl/etcd/ca.crt \ --peer-client-cert-auth=true \ --advertise-client-urls=https://{{ .EtcdAddress.EscapedBootstrapIP }}:2379 \ --listen-client-urls=https://{{ .EtcdAddress.ListenClient }} \ @@ -42,8 +42,6 @@ spec: mountPath: /run/etcd/ - name: certs mountPath: /etc/ssl/etcd/ - - name: openshift-tls - mountPath: /etc/openshift-tls - name: data-dir mountPath: /var/lib/etcd/ - name: conf @@ -64,14 +62,9 @@ spec: - operator: "Exists" restartPolicy: Always volumes: - # TODO: update installer to copy the certs into /etc/kubernetes/static-pod-resources/etcd-member - name: certs hostPath: - path: /opt/openshift/etcd-bootstrap/bootstrap-manifests/secrets - # TODO: update installer to copy the ca into /etc/kubernetes/static-pod-resources/etcd-member - - name: openshift-tls - hostPath: - path: /opt/openshift/tls + path: /etc/kubernetes/static-pod-resources/etcd-member - name: kubeconfig hostPath: path: /etc/kubernetes/kubeconfig diff --git a/pkg/cmd/render/render.go b/pkg/cmd/render/render.go index 48e684c8d9..593a10b64b 100644 --- a/pkg/cmd/render/render.go +++ b/pkg/cmd/render/render.go @@ -38,7 +38,6 @@ type renderOpts struct { errOut io.Writer etcdCAFile string etcdCAKeyFile string - unusedEtcdMetricCAFile string etcdDiscoveryDomain string etcdImage string clusterEtcdOperatorImage string @@ -125,10 +124,8 @@ func (r *renderOpts) AddFlags(fs *pflag.FlagSet) { r.manifest.AddFlags(fs, "etcd") r.generic.AddFlags(fs) - fs.StringVar(&r.etcdCAFile, "etcd-ca", r.etcdCAFile, "path to etcd CA certificate") + fs.StringVar(&r.etcdCAFile, "etcd-ca", "/assets/tls/etcd-ca-bundle.crt", "path to etcd CA certificate") fs.StringVar(&r.etcdCAKeyFile, "etcd-ca-key", "/assets/tls/etcd-signer.key", "path to etcd CA certificate key") - // deprecated - fs.StringVar(&r.unusedEtcdMetricCAFile, "etcd-metric-ca", r.unusedEtcdMetricCAFile, "path to etcd metric CA certificate") fs.StringVar(&r.etcdImage, "manifest-etcd-image", r.etcdImage, "etcd manifest image") fs.StringVar(&r.clusterEtcdOperatorImage, "manifest-cluster-etcd-operator-image", r.clusterEtcdOperatorImage, "cluster-etcd-operator manifest image") fs.StringVar(&r.kubeClientAgentImage, "manifest-kube-client-agent-image", r.kubeClientAgentImage, "kube-client-agent manifest image")