kubeadm: Selfhosting pivoting fails when using --store-certs-in-secrets
kubeadm alpha selfhosting pivot (kubeadm v1.13.0-beta.2) fails when invoked with --store-certs-in-secrets with the following error message:
[pivot] pivoting cluster to self-hosted
[self-hosted] Created TLS secret "ca" from ca.crt and ca.key
[self-hosted] Created TLS secret "apiserver" from apiserver.crt and apiserver.key
[self-hosted] Created TLS secret "apiserver-kubelet-client" from apiserver-kubelet-client.crt and apiserver-kubelet-client.key
[self-hosted] Created TLS secret "sa" from sa.pub and sa.key
[self-hosted] Created TLS secret "front-proxy-ca" from front-proxy-ca.crt and front-proxy-ca.key
[self-hosted] Created TLS secret "front-proxy-client" from front-proxy-client.crt and front-proxy-client.key
[self-hosted] Created secret for kubeconfig file "scheduler.conf"
[self-hosted] Created secret for kubeconfig file "controller-manager.conf"
[apiclient] Found 1 Pods for label selector k8s-app=self-hosted-kube-apiserver
timed out waiting for the condition
About this issue
- State: closed
- Created 6 years ago
- Comments: 18 (9 by maintainers)
Commits related to this issue
- kubeadm: add required etcd certs to selfhosting api-server Selfhosting pivoting fails when using --store-certs-in-secrets as api-server fails to start because of missing etcd/ca and apiserver-etcd-cl... — committed to bart0sh/kubernetes by bart0sh 5 years ago
- kubeadm selfhosting: fix pod spec mutation for controller-manager Modified command line options --authentication-kubeconfig and --authorization-kubeconfig to point out to the correct location of the ... — committed to bart0sh/kubernetes by bart0sh 5 years ago
- kubeadm: add front-proxy CA certificate to selfhosting controller-manager Selfhosting pivoting fails when using --store-certs-in-secrets as controller-manager fails to start because of missing front-... — committed to bart0sh/kubernetes by bart0sh 5 years ago
I did change it in both places, but this was not enough. The changes that you've proposed would trigger errors in generating secrets, as secret names should not contain slashes. Changing the name in constants from etc/ca to etc-ca would make the api server get stuck on start.
@andrewrynhard thanks for pointing this out!
self-hosting was removed from the kubeadm init and kubeadm upgrade workflows (both of which were in some way not working properly), but it was agreed to leave an alpha command with the pivoting logic that you can call after init; however, be aware that once the cluster is turned to self-hosting you are on your own (e.g. for solving checkpointing / cold restart).
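A small check a cluster operator can run over the pivot output quoted above, to see which secrets the pivot created, whether their names are valid Kubernetes object names (the slash problem raised in the comment), and which secrets the self-hosted api-server would still be missing. This is an added example, not kubeadm's code; the required-secret set is an assumption based on kubeadm's certificate layout and the fix commits (etcd CA and apiserver etcd client certificate), and the log text is constructed from the issue.

```python
import re

# Log lines constructed from the kubeadm pivot output quoted in the issue.
PIVOT_LOG = """\
[self-hosted] Created TLS secret "ca" from ca.crt and ca.key
[self-hosted] Created TLS secret "apiserver" from apiserver.crt and apiserver.key
[self-hosted] Created TLS secret "apiserver-kubelet-client" from apiserver-kubelet-client.crt and apiserver-kubelet-client.key
[self-hosted] Created TLS secret "sa" from sa.pub and sa.key
[self-hosted] Created TLS secret "front-proxy-ca" from front-proxy-ca.crt and front-proxy-ca.key
[self-hosted] Created TLS secret "front-proxy-client" from front-proxy-client.crt and front-proxy-client.key
[self-hosted] Created secret for kubeconfig file "scheduler.conf"
[self-hosted] Created secret for kubeconfig file "controller-manager.conf"
"""

# Secrets the self-hosted kube-apiserver needs. ASSUMPTION: derived from the
# kubeadm certificate layout plus the fix commits (etcd CA, apiserver etcd client).
REQUIRED_APISERVER_SECRETS = {
    "ca", "apiserver", "apiserver-kubelet-client", "sa",
    "front-proxy-ca", "front-proxy-client", "etcd-ca", "apiserver-etcd-client",
}

# Kubernetes object names must be RFC 1123 subdomains: lowercase alphanumerics,
# '-' and '.', at most 253 characters. A name like "etcd/ca" is rejected.
NAME_RE = re.compile(r"^[a-z0-9]([-a-z0-9.]*[a-z0-9])?$")
LINE_RE = re.compile(r'Created (?:TLS )?secret(?: for kubeconfig file)? "([^"]+)"')


def is_valid_secret_name(name):
    """True if the name would be accepted as a Secret name by the API server."""
    return len(name) <= 253 and NAME_RE.match(name) is not None


def created_secrets(log):
    """Secret names kubeadm reports having created, in log order."""
    return [m.group(1) for m in map(LINE_RE.search, log.splitlines()) if m]


def invalid_secret_names(names):
    """Names that would fail validation when the secret is created."""
    return [n for n in names if not is_valid_secret_name(n)]


def missing_apiserver_secrets(log, required=REQUIRED_APISERVER_SECRETS):
    """Required api-server secrets that the pivot never created."""
    return sorted(required - set(created_secrets(log)))


if __name__ == "__main__":
    print("created:", created_secrets(PIVOT_LOG))
    print("missing for api-server:", missing_apiserver_secrets(PIVOT_LOG))
    print("invalid names:", invalid_secret_names(["etcd/ca", "etcd-ca"]))
```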