• Ed Bartosh's avatar
    kubeadm: add required etcd certs to selfhosting api-server · 7b058c43
    Ed Bartosh authored
    Selfhosting pivoting fails when using --store-certs-in-secrets
    as api-server fails to start because of missing etcd/ca and
    apiserver-etcd-client certificates:
       F1227 16:01:52.237352 1 storage_decorator.go:57] Unable to create storage backend:
       config (&{ /registry [https://127.0.0.1:2379]
                  /etc/kubernetes/pki/apiserver-etcd-client.key
                  /etc/kubernetes/pki/apiserver-etcd-client.crt
                  /etc/kubernetes/pki/etcd/ca.crt true 0xc000884120 <nil> 5m0s 1m0s}),
       err (open /etc/kubernetes/pki/apiserver-etcd-client.crt: no such file or directory)
    
    Added required certificates to fix this.
    
    Secret name for etc/ca certifcate has been converted to conform RFC-1123 subdomain
    naming conventions to prevent this TLS secret creation failure:
        unable to create secret: Secret "etcd/ca" is invalid: metadata.name:
        Invalid value: "etcd/ca": a DNS-1123 subdomain must consist of lower
        case alphanumeric characters, '-' or '.', and must start and end with an
        alphanumeric character (e.g. 'example.com', regex used for validation is
        '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')
    
    Related issue: kubernetes/kubeadm#1281
    7b058c43
selfhosting_volumes.go 8.59 KB