-
Notifications
You must be signed in to change notification settings - Fork 509
OCPBUGS-76530: Fix intermittent etcd peer communication failures #8479
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,81 @@ | ||
| package pki | ||
|
|
||
| import ( | ||
| "crypto/x509" | ||
| "crypto/x509/pkix" | ||
| "testing" | ||
|
|
||
| . "github.com/onsi/gomega" | ||
|
|
||
| "github.com/openshift/hypershift/support/certs" | ||
| "github.com/openshift/hypershift/support/config" | ||
|
|
||
| corev1 "k8s.io/api/core/v1" | ||
| metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" | ||
| ) | ||
|
|
||
| func TestReconcileEtcdPeerSecret(t *testing.T) { | ||
| t.Parallel() | ||
|
|
||
| caCfg := certs.CertCfg{ | ||
| IsCA: true, | ||
| Subject: pkix.Name{CommonName: "etcd-signer", OrganizationalUnit: []string{"openshift"}}, | ||
| } | ||
| caKey, caCert, err := certs.GenerateSelfSignedCertificate(&caCfg) | ||
| if err != nil { | ||
| t.Fatalf("failed to generate CA: %v", err) | ||
| } | ||
| caSecret := &corev1.Secret{ | ||
| Data: map[string][]byte{ | ||
| certs.CASignerCertMapKey: certs.CertToPem(caCert), | ||
| certs.CASignerKeyMapKey: certs.PrivateKeyToPem(caKey), | ||
| }, | ||
| } | ||
|
|
||
| t.Run("When reconciling etcd peer secret it should include etcd-discovery SANs", func(t *testing.T) { | ||
| g := NewWithT(t) | ||
| secret := &corev1.Secret{ | ||
| ObjectMeta: metav1.ObjectMeta{ | ||
| Namespace: "clusters-test", | ||
| }, | ||
| } | ||
|
|
||
| err := ReconcileEtcdPeerSecret(secret, caSecret, config.OwnerRef{}) | ||
| g.Expect(err).ToNot(HaveOccurred()) | ||
|
|
||
| certData := secret.Data[EtcdPeerCrtKey] | ||
| g.Expect(certData).ToNot(BeEmpty()) | ||
|
|
||
| cert, err := certs.PemToCertificate(certData) | ||
| g.Expect(err).ToNot(HaveOccurred()) | ||
|
|
||
| g.Expect(cert.DNSNames).To(ContainElements( | ||
| "*.etcd-discovery.clusters-test.svc", | ||
| "*.etcd-discovery.clusters-test.svc.cluster.local", | ||
| // TODO(OCPBUGS-86648): assert on cert.IPAddresses instead once IPs are moved out of dnsNames. | ||
| "127.0.0.1", | ||
| "::1", | ||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This is encoding the behavior that should be fixed. Mind after creating the JIRA card reference it here in a comment with a TODO
Contributor
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Hi @sdminonne , |
||
| )) | ||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. NIT:
Contributor
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Thank you @sdminonne , I have updated both the suggestions. |
||
| g.Expect(cert.DNSNames).ToNot(ContainElement(ContainSubstring("etcd-client"))) | ||
| }) | ||
|
|
||
| t.Run("When reconciling etcd peer secret it should have client and server auth usage", func(t *testing.T) { | ||
| g := NewWithT(t) | ||
| secret := &corev1.Secret{ | ||
| ObjectMeta: metav1.ObjectMeta{ | ||
| Namespace: "clusters-test", | ||
| }, | ||
| } | ||
|
|
||
| err := ReconcileEtcdPeerSecret(secret, caSecret, config.OwnerRef{}) | ||
| g.Expect(err).ToNot(HaveOccurred()) | ||
|
|
||
| cert, err := certs.PemToCertificate(secret.Data[EtcdPeerCrtKey]) | ||
| g.Expect(err).ToNot(HaveOccurred()) | ||
|
|
||
| g.Expect(cert.ExtKeyUsage).To(ContainElements( | ||
| x509.ExtKeyUsageClientAuth, | ||
| x509.ExtKeyUsageServerAuth, | ||
| )) | ||
| }) | ||
| } | ||
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -5,7 +5,6 @@ metadata: | |
| app: etcd | ||
| name: etcd-client | ||
| spec: | ||
| clusterIP: None | ||
| ports: | ||
| - name: etcd-client | ||
| port: 2379 | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🧩 Analysis chain
🏁 Script executed:
Repository: openshift/hypershift
Length of output: 2726
🏁 Script executed:
Repository: openshift/hypershift
Length of output: 1123
🏁 Script executed:
Repository: openshift/hypershift
Length of output: 1324
🏁 Script executed:
Repository: openshift/hypershift
Length of output: 6056
🏁 Script executed:
Repository: openshift/hypershift
Length of output: 2748
🏁 Script executed:
Repository: openshift/hypershift
Length of output: 1305
Fix IP address handling in etcd peer certificate generation.
Lines 50–51 in
etcd.goincorrectly add IP addresses ("127.0.0.1","::1") to thednsNameslist. Per X.509 standards, IP addresses must be in theIPAddressesfield, notDNSNames. The function signature supports a separateipsparameter for this purpose.Fix the implementation by passing IPs via the dedicated parameter:
Then update the test assertion to check the correct certificate field:
🤖 Prompt for AI Agents