
magnum does not generate cert files for kubernetes

asked 2019-03-10 06:52:55 -0500 by todotani

updated 2019-03-12 07:31:08 -0500

I'm struggling with launching Kubernetes on magnum.

Environments:

  • OpenStack : Rocky
  • Fedora-AtomicHost-29-20190306 (also failed with Fedora-Atomic-27-20180419.0, Fedora-Atomic-26-20171030)
  • Cert manager : barbican
  • Run instance under KVM (not bare metal)

Magnum template

openstack coe cluster template create fedora-29 \
    --image fedora-atomic-29 \
    --external-network ExtNet \
    --dns-nameserver 192.168.0.100 \
    --master-flavor m1.small \
    --flavor m1.small \
    --docker-volume-size 5 \
    --network-driver flannel \
    --docker-storage-driver overlay2 \
    --coe kubernetes

After creation of master node, etcd and kube-apiserver failed to start with the following error.

[etcd]
embed: peerTLS: cert = /etc/etcd/certs/server.crt, key = /etc/etcd/certs/server.key, ca = , trusted-ca = /etc/etcd/certs/ca.crt, client-cert-auth = true
etcdmain: open /etc/etcd/certs/server.crt: no such file or directory

[kube-apiserver]
error: unable to load server certificate: open /etc/kubernetes/certs/server.crt: no such file or directory

Looking at heat template, /usr/lib/python2.7/dist-packages/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml, there are definitions of cert file location, but no code to generate certificate.

It is possible to restart etcd and kube-apiserver by manually generating cert files with the following procedure, but wc-notify.service failed to start.

Generating certificates : http://www.projectatomic.io/docs/gett...

Appreciate any suggestions about how to install certificates on Fedora-atomic instance.


3 answers


answered 2019-05-09 09:56:37 -0500

Hi,

I think I got it working with regards to your previously un-edited question, with --labels cert_manager_api=true

As you stated, /usr/lib/python2.7/site-packages/magnum/drivers/common/templates/kubernetes/fragments/enable-cert-api-manager.sh did not run.

For it to run, I edited /usr/lib/python2.7/site-packages/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml and added a SoftwareConfig resource, which is then called in kube_master_init :

  enable_cert_api_manager:
    type: OS::Heat::SoftwareConfig
    properties:
      group: ungrouped
      config: {get_file: ../../common/templates/kubernetes/fragments/enable-cert-api-manager.sh}

  kube_master_init:
    type: OS::Heat::MultipartMime
    properties:
      parts:
        - config: {get_resource: install_openstack_ca}
        - config: {get_resource: disable_selinux}
        - config: {get_resource: write_heat_params}
        - config: {get_resource: configure_etcd}
        - config: {get_resource: write_kube_os_config}
        - config: {get_resource: configure_docker_storage}
        - config: {get_resource: configure_kubernetes}
        - config: {get_resource: make_cert}
        - config: {get_resource: enable_cert_api_manager}

Then, the waiting for CA api disappeared. Regarding your new question edit... well, maybe try to re-enable certificate api?


answered 2019-05-16 08:49:04 -0500 by todotani

updated 2019-05-16 15:49:35 -0500

Hi fschaer,

Thank you for the comment. The following are the results of my test according to your advice.

Recently I have upgraded my environment to Stein, but still I could not get Kubernetes up and running with Magnum...

In my case, I still got the repeated message "waiting for CA to be made available for certificate manager api" even after adding enable-cert-api-manager.sh as you advised. According to cloud-init-output.log, this script did not run, but I also see that the problem is that the following Heat template parameters are not passed from Magnum:

  • CA_KEY
  • OPENSTACK_CA

CA_KEY is used to store the /etc/kubernetes/certs/ca.key file by enable-cert-api-manager.sh. So, if the CA_KEY parameter is not fed, as in my case, the heat template will not complete successfully.

Did you manually create and feed the CA_KEY data to the Heat template by some means?

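The two failure modes discussed in this thread (a SoftwareConfig fragment such as enable-cert-api-manager.sh that exists in the template but is never wired into the kube_master_init MultipartMime, and a required parameter such as CA_KEY that the caller never supplies) can both be caught before a stack is launched by inspecting the template. The script below is an added example and is not Magnum's or Heat's own code; it uses only the Python standard library and a constructed, heavily trimmed template dict that mirrors the resource shapes quoted in the first answer. Parameter names (CA_KEY, OPENSTACK_CA, DNS_NAMESERVER) and the fragment path are taken from the thread, while the helper names and the template itself are assumptions for this example. A real kubemaster.yaml would be loaded with a YAML parser into the same dict shape.

```python
"""Pre-flight checks for a Heat (HOT) template such as Magnum's kubemaster.yaml.

Check 1: every OS::Heat::SoftwareConfig must be referenced from the 'parts'
         of some OS::Heat::MultipartMime, otherwise its script never runs on
         the instance (the symptom described in the first answer).
Check 2: every parameter declared without a default must be supplied by the
         caller, otherwise Heat rejects the stack and scripts that expect
         e.g. CA_KEY never get their data (the second answer's finding).
Check 3: every get_param reference must name a declared parameter.
"""
import copy

# Constructed sample template (not the real kubemaster.yaml); resource and
# parameter names follow the ones quoted in the thread.
SAMPLE_TEMPLATE = {
    "heat_template_version": "2014-10-16",
    "parameters": {
        "CA_KEY": {"type": "string", "hidden": True},           # no default: caller must pass it
        "OPENSTACK_CA": {"type": "string", "default": ""},
        "DNS_NAMESERVER": {"type": "string", "default": "8.8.8.8"},
    },
    "resources": {
        "write_heat_params": {
            "type": "OS::Heat::SoftwareConfig",
            "properties": {
                "group": "ungrouped",
                "config": {"str_replace": {
                    "template": "CA_KEY=$CA_KEY\nOPENSTACK_CA=$OPENSTACK_CA\n",
                    "params": {
                        "$CA_KEY": {"get_param": "CA_KEY"},
                        "$OPENSTACK_CA": {"get_param": "OPENSTACK_CA"},
                    },
                }},
            },
        },
        "make_cert": {
            "type": "OS::Heat::SoftwareConfig",
            "properties": {"group": "ungrouped",
                           "config": {"get_file": "fragments/make-cert.sh"}},
        },
        # Present in the template but, as in the thread, never wired in.
        "enable_cert_api_manager": {
            "type": "OS::Heat::SoftwareConfig",
            "properties": {"group": "ungrouped",
                           "config": {"get_file": "../../common/templates/kubernetes/fragments/enable-cert-api-manager.sh"}},
        },
        "kube_master_init": {
            "type": "OS::Heat::MultipartMime",
            "properties": {"parts": [
                {"config": {"get_resource": "write_heat_params"}},
                {"config": {"get_resource": "make_cert"}},
            ]},
        },
    },
}


def _walk(node):
    """Yield every dict inside a nested HOT structure, depth first."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from _walk(value)
    elif isinstance(node, list):
        for value in node:
            yield from _walk(value)


def _intrinsic_refs(node, fn):
    """Names used by an intrinsic such as get_resource / get_param.
    Heat accepts both {fn: NAME} and {fn: [NAME, index_or_key]}."""
    names = set()
    for d in _walk(node):
        if fn in d:
            arg = d[fn]
            names.add(arg[0] if isinstance(arg, list) else arg)
    return names


def unwired_software_configs(template):
    """SoftwareConfig resources not referenced by any MultipartMime 'parts'."""
    resources = template.get("resources", {})
    wired = set()
    for res in resources.values():
        if res.get("type") == "OS::Heat::MultipartMime":
            wired |= _intrinsic_refs(res.get("properties", {}).get("parts", []), "get_resource")
    return sorted(name for name, res in resources.items()
                  if res.get("type") == "OS::Heat::SoftwareConfig" and name not in wired)


def missing_parameters(template, supplied):
    """Declared parameters without a default that the caller did not supply."""
    return sorted(name for name, spec in template.get("parameters", {}).items()
                  if "default" not in spec and name not in supplied)


def undeclared_parameters(template):
    """get_param references that name no declared parameter (Heat pseudo-parameters
    such as OS::stack_id are implicit and therefore ignored)."""
    declared = set(template.get("parameters", {}))
    used = _intrinsic_refs(template.get("resources", {}), "get_param")
    return sorted(p for p in used - declared if not str(p).startswith("OS::"))


def wire_software_config(template, mime_name, config_name):
    """Return a copy with config_name appended to mime_name's parts (the first answer's fix)."""
    fixed = copy.deepcopy(template)
    parts = fixed["resources"][mime_name]["properties"].setdefault("parts", [])
    parts.append({"config": {"get_resource": config_name}})
    return fixed


if __name__ == "__main__":
    print("unwired SoftwareConfigs:", unwired_software_configs(SAMPLE_TEMPLATE))
    print("missing parameters:", missing_parameters(SAMPLE_TEMPLATE, {"OPENSTACK_CA": ""}))
    print("undeclared parameters:", undeclared_parameters(SAMPLE_TEMPLATE))
    fixed = wire_software_config(SAMPLE_TEMPLATE, "kube_master_init", "enable_cert_api_manager")
    print("after wiring:", unwired_software_configs(fixed))
```

Run against the sample, the first check reports enable_cert_api_manager as unwired and the second reports CA_KEY as missing when only OPENSTACK_CA is passed; after wiring the fragment into kube_master_init the first check is clean, while the CA_KEY check still depends on the caller (Magnum) actually passing the value.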


1 follower

Stats

Asked: 2019-03-10 06:52:55 -0500

Seen: 352 times

Last updated: May 16