[bitnami/etcd] bug: preupgrade will fail when starting etcd with one-way TLS authentication #78362
Comments
Hi @chenraoCR, I tried to reproduce the issue installing the Bitnami etcd chart using the command and chart values below:

helm install etcd oci://registry-1.docker.io/bitnamicharts/etcd -f values.yaml

replicaCount: 3
auth:
  rbac:
    create: true
    rootPassword: some-root-password
  token:
    enabled: false
  client:
    secureTransport: true
    useAutoTLS: false
    existingSecret: etcd-client-crt
    certFilename: tls.crt
    certKeyFilename: tls.key
    caFilename: ca.crt
extraDeploy:
  - |
    apiVersion: v1
    kind: Secret
    metadata:
      name: etcd-client-crt
      namespace: {{ include "common.names.namespace" . | quote }}
      labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
    type: kubernetes.io/tls
    data:
      {{- $ca := genCA "etcd-ca" 365 }}
      {{- $etcdFullname := include "common.names.fullname" . }}
      {{- $etcdHeadlessSvcName := printf "%s-headless" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}
      {{- $releaseNamespace := include "common.names.namespace" . }}
      {{- $clusterDomain := .Values.clusterDomain }}
      {{- $etcdAltNames := list (printf "*.%s.%s.svc.%s" $etcdHeadlessSvcName $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $etcdHeadlessSvcName $releaseNamespace $clusterDomain) $etcdHeadlessSvcName (printf "%s.%s.svc.%s" $etcdFullname $releaseNamespace $clusterDomain) $etcdFullname "127.0.0.1" "localhost" }}
      {{- $clientCert := genSignedCert $etcdFullname nil $etcdAltNames 365 $ca }}
      ca.crt: {{ $ca.Cert | b64enc | quote }}
      tls.crt: {{ $clientCert.Cert | b64enc | quote }}
      tls.key: {{ $clientCert.Key | b64enc | quote }}

Here is some proof that the setup is working using TLS:

$ kubectl get pods
NAME     READY   STATUS    RESTARTS   AGE
etcd-0   1/1     Running   0          3m27s
etcd-1   1/1     Running   0          3m27s
etcd-2   1/1     Running   0          3m27s

$ kubectl logs etcd-0
(...)
{"level":"info","ts":"2025-02-26T09:54:06.051430Z","caller":"embed/etcd.go:762","msg":"starting with client TLS","tls-info":"cert = /bitnami/etcd/data/fixtures/client/cert.pem, key = /bitnami/etcd/data/fixtures/client/key.pem, client-cert=/bitnami/etcd/data/fixtures/client/cert.pem, client-key=/bitnami/etcd/data/fixtures/client/key.pem, trusted-ca = , client-cert-auth = false, crl-file = ","cipher-suites":[]}

Then, I upgraded the chart release, decreasing the number of replicas:

helm upgrade etcd oci://registry-1.docker.io/bitnamicharts/etcd -f values.yaml --set replicaCount=2

And here you have the "pre-upgrade" logs:

$ kubectl logs job/etcd-pre-upgrade
(...)
etcd 10:26:48.69 INFO ==> Current cluster members are: etcd-2,etcd-1,etcd-0
etcd 10:26:48.69 INFO ==> Expected cluster members are: etcd-0,etcd-1
etcd 10:26:48.69 INFO ==> Removing obsolete member etcd-2
Member 45a18acb10aa275e removed from cluster 9e98e654be1e22d7
etcd 10:26:48.89 INFO ==> Pre-upgrade checks completed!

$ kubectl get pods
NAME                     READY   STATUS      RESTARTS   AGE
etcd-0                   1/1     Running     0          65s
etcd-1                   1/1     Running     0          2m9s
etcd-pre-upgrade-wtsq9   0/1     Completed   0          2m15s
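As an added example (not part of this thread or of the chart), a small Python check that parses the `starting with client TLS` startup record quoted above and reports whether an etcd pod actually came up with one-way TLS (server authentication only), mutual TLS (`client-cert-auth = true`) or no client TLS at all. The sample log line is the one from the comment above; the function names are my own.

```python
"""Classify the client-TLS mode an etcd server reports at startup.

etcd's embed/etcd.go logs a "starting with client TLS" record whose
"tls-info" field is a 'k = v, k=v, ...' string. Parsing it tells you,
per pod, whether clients are expected to present certificates (mutual
TLS) or only to verify the server (one-way TLS), which is the setup the
issue above is about. Example code added here, not from the chart.
"""
import json
from typing import Dict

# Sample record: the startup log line quoted in the comment above.
SAMPLE_LOG_LINE = (
    '{"level":"info","ts":"2025-02-26T09:54:06.051430Z","caller":"embed/etcd.go:762",'
    '"msg":"starting with client TLS","tls-info":"cert = /bitnami/etcd/data/fixtures/client/cert.pem, '
    'key = /bitnami/etcd/data/fixtures/client/key.pem, '
    'client-cert=/bitnami/etcd/data/fixtures/client/cert.pem, '
    'client-key=/bitnami/etcd/data/fixtures/client/key.pem, '
    'trusted-ca = , client-cert-auth = false, crl-file = ","cipher-suites":[]}'
)


def parse_tls_info(tls_info: str) -> Dict[str, str]:
    """Split etcd's tls-info string into a dict of stripped key/value pairs.

    etcd mixes 'cert = x' and 'client-cert=x' spacing, so both sides are
    stripped; an empty value such as 'trusted-ca = ' becomes ''.
    """
    fields: Dict[str, str] = {}
    for item in tls_info.split(","):
        if "=" not in item:
            continue
        key, value = item.split("=", 1)
        fields[key.strip()] = value.strip()
    return fields


def classify_client_tls(log_line: str) -> str:
    """Return 'mutual', 'one-way' or 'plaintext' for one JSON log line."""
    record = json.loads(log_line)
    if record.get("msg") != "starting with client TLS":
        return "plaintext"  # not the client-TLS startup record
    info = parse_tls_info(record.get("tls-info", ""))
    if info.get("client-cert-auth") == "true":
        return "mutual"  # clients must present a certificate
    if info.get("cert") and info.get("key"):
        return "one-way"  # server cert only; clients just need the CA
    return "plaintext"


if __name__ == "__main__":
    print(classify_client_tls(SAMPLE_LOG_LINE))  # one-way
```

Pipe `kubectl logs etcd-0` through it line by line to confirm every member is running in the mode you expect before triggering an upgrade.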
Name and Version
bitnami/etcd:3.5.18
What architecture are you using?
None
What steps will reproduce the bug?
What is the expected behavior?
preupgrade.sh should still succeed when etcd is started with one-way TLS authentication
What do you see instead?
/opt/bitnami/scripts/etcd/preupgrade.sh failed
Additional information
Same issue as #70554