magnum does not generate cert files for kubernetes

asked 2019-03-10 06:52:55 -0600

todotani

updated 2019-03-12 07:31:08 -0600

I'm struggling with launching Kubernetes on Magnum.


  • OpenStack : Rocky
  • Fedora-AtomicHost-29-20190306 (also failed with Fedora-Atomic-27-20180419.0, Fedora-Atomic-26-20171030)
  • Cert manager : barbican
  • Run instance under KVM (not bare metal)

Magnum template

openstack coe cluster template create fedora-29 \
                     --image fedora-atomic-29 \
                     --external-network ExtNet \
                     --dns-nameserver \
                     --master-flavor m1.small \
                     --flavor m1.small \
                     --docker-volume-size 5 \
                     --network-driver flannel \
                     --docker-storage-driver overlay2 \
                     --coe kubernetes

After creation of master node, etcd and kube-apiserver failed to start with the following error.

embed: peerTLS: cert = /etc/etcd/certs/server.crt, key = /etc/etcd/certs/server.key, ca = , trusted-ca = /etc/etcd/certs/ca.crt, client-cert-auth = true
etcdmain: open /etc/etcd/certs/server.crt: no such file or directory

error: unable to load server certificate: open /etc/kubernetes/certs/server.crt: no such file or directory

Looking at heat template, /usr/lib/python2.7/dist-packages/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml, there are definitions of cert file location, but no code to generate certificate.

It is possible to restart etcd and kube-apiserver by manually generating cert files with the following procedure, but wc-notify.service failed to start.

Generating certificates :

Appreciate any suggestions about how to install certificates on Fedora-atomic instance.


3 answers


answered 2019-05-09 09:56:37 -0600


I think I got it working with regards to your previously un-edited question, with --labels cert_manager_api=true

As you stated, /usr/lib/python2.7/site-packages/magnum/drivers/common/templates/kubernetes/fragments/ did not run.

For it to run, I edited /usr/lib/python2.7/site-packages/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml and added a SoftwareConfig resource, which is then called in kube_master_init :

    type: OS::Heat::SoftwareConfig
    properties:
      group: ungrouped
      config: {get_file: ../../common/templates/kubernetes/fragments/}

  kube_master_init:
    type: OS::Heat::MultipartMime
    properties:
      parts:
        - config: {get_resource: install_openstack_ca}
        - config: {get_resource: disable_selinux}
        - config: {get_resource: write_heat_params}
        - config: {get_resource: configure_etcd}
        - config: {get_resource: write_kube_os_config}
        - config: {get_resource: configure_docker_storage}
        - config: {get_resource: configure_kubernetes}
        - config: {get_resource: make_cert}
        - config: {get_resource: enable_cert_api_manager}

Then, the waiting for CA api disappeared. Regarding your new question edit... well, maybe try to re-enable certificate api?


answered 2019-05-16 08:49:04 -0600

todotani

updated 2019-05-16 15:49:35 -0600

Hi fschaer,

Thank you for your comment. The following are the results of my test according to your advice.

Recently I have upgraded my environment to Stein, but still I could not get Kubernetes up and running with Magnum...

In my case, I still got the repeated message "waiting for CA to be made available for certificate manager api" even if added as you advised. Although, from cloud-init-output.log, this script did not run, I also see that the problem is that the following Heat template parameters are not passed from Magnum:

  • CA_KEY

CA_KEY is used to store /etc/kubernetes/certs/ca.key file by So, if CA_KEY parameter is not fed like my case, heat template will not be successfully completed.

Did you manually create and feed CA_KEY data to Heat template with some means?
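
The checks this thread keeps returning to (which certificate files are missing on the master, and whether CA_KEY reached the node), written as an added shell example that is not part of the original posts or of Magnum's code. The certificate paths are the ones quoted above; the `/etc/sysconfig/heat-params` location, its `CA_KEY="..."` line format, the function names and the optional root-prefix argument are assumptions made for this example.

```shell
#!/bin/sh
# Added diagnostic sketch, not Magnum code. Cert paths are the ones quoted in
# this thread; HEAT_PARAMS is an assumed location for the values written by
# write_heat_params. $1 (optional) is a prefix pointing at a copy of the node.

CERT_FILES="/etc/etcd/certs/server.crt /etc/etcd/certs/server.key
/etc/etcd/certs/ca.crt /etc/kubernetes/certs/server.crt
/etc/kubernetes/certs/ca.key"
HEAT_PARAMS=/etc/sysconfig/heat-params

# Print every expected file that is absent or empty.
missing_cert_files() {
    for f in $CERT_FILES; do
        [ -s "$1$f" ] || echo "$f"
    done
}

# Print private keys that group or other can read.
exposed_keys() {
    for f in $CERT_FILES; do
        case "$f" in *.key) ;; *) continue ;; esac
        [ -e "$1$f" ] || continue
        if [ -n "$(find "$1$f" \( -perm -040 -o -perm -004 \))" ]; then
            echo "$f"
        fi
    done
}

# Report whether CA_KEY reached the node, without ever printing its value.
ca_key_status() {
    [ -r "$1$HEAT_PARAMS" ] || { echo "no-heat-params"; return; }
    if grep -Eq '^CA_KEY="?[^"[:space:]]' "$1$HEAT_PARAMS"; then
        echo "set"
    else
        echo "empty-or-absent"
    fi
}

# Check that the etcd server certificate chains to the CA (needs openssl).
verify_etcd_chain() {
    openssl verify -CAfile "$1/etc/etcd/certs/ca.crt" \
        "$1/etc/etcd/certs/server.crt"
}
```

On the master node, source the file and call each function with an empty argument, for example `missing_cert_files ""`.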
