Explicitly set etcd authentication

Bug #1759813 reported by Spyros Trigazis
This bug affects 1 person
Affects    Status                     Importance  Assigned to      Milestone
Magnum     Status tracked in Rocky
  Queens   Fix Committed              Critical    Spyros Trigazis
  Rocky    Fix Released               Critical    Spyros Trigazis

Bug Description

Update etcd configuration:
Set authentication to true for both client and peer connections, set trusted_ca for both client and peer.

Without client and peer auth, etcd listens over ssl but it is not using the certs for authentication.

curl -k https://<IP>:2379/v2/keys/ was working and with the v3 api you can access the kubernetes objects.

Before running etcd in a container, the auth was set to true by etcd, the default change from the syscontainer:
https://github.com/projectatomic/atomic-system-containers/blob/master/etcd/manifest.json#L33
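
Added example, not part of the original report and not Magnum's own code: a small audit of an etcd environment-style configuration for the gap described above (TLS listener present, certificate authentication not enforced). The ETCD_* names are etcd's environment variables; the sample configurations and certificate paths are constructed for illustration.

```python
# Added example: flag etcd configs that serve TLS without requiring client/peer certs.
# Sample configs and certificate paths below are constructed, not taken from Magnum.
TRUE = {"1", "t", "true"}  # truthy spellings accepted by Go's strconv.ParseBool, lowercased
REQUIRED = {
    "client": ("ETCD_CLIENT_CERT_AUTH", "ETCD_TRUSTED_CA_FILE"),
    "peer": ("ETCD_PEER_CLIENT_CERT_AUTH", "ETCD_PEER_TRUSTED_CA_FILE"),
}

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks and comments, stripping quotes."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip().strip("\"'")
    return conf

def audit(text):
    """Return a list of findings; an empty list means cert auth is enforced."""
    conf = parse_env(text)
    findings = []
    for side, (auth_key, ca_key) in REQUIRED.items():
        if conf.get(auth_key, "").lower() not in TRUE:
            findings.append(f"{side}: {auth_key} is not true, certificates are not required")
        if not conf.get(ca_key):
            findings.append(f"{side}: {ca_key} is unset, no CA to verify certificates against")
    return findings

# Constructed "before": listens over TLS but never asks the caller for a certificate.
BEFORE = """
ETCD_LISTEN_CLIENT_URLS="https://0.0.0.0:2379"
ETCD_CERT_FILE="/etc/etcd/certs/server.crt"
ETCD_KEY_FILE="/etc/etcd/certs/server.key"
"""

# Constructed "after": the four settings the bug description asks for.
AFTER = BEFORE + """
ETCD_CLIENT_CERT_AUTH="true"
ETCD_TRUSTED_CA_FILE="/etc/etcd/certs/ca.crt"
ETCD_PEER_CLIENT_CERT_AUTH="true"
ETCD_PEER_TRUSTED_CA_FILE="/etc/etcd/certs/ca.crt"
"""

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(text) or "OK")
```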

Changed in magnum:
status: New → Triaged
importance: Undecided → Critical
description: updated
OpenStack Infra (hudson-openstack) wrote : Fix proposed to magnum (master)

Fix proposed to branch: master
Review: https://review.openstack.org/557677

Changed in magnum:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to magnum (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/557679

OpenStack Infra (hudson-openstack) wrote : Fix merged to magnum (master)

Reviewed: https://review.openstack.org/557677
Committed: https://git.openstack.org/cgit/openstack/magnum/commit/?id=a1fb448c3a2a1761ba337c67cd38d11a74ab15f9
Submitter: Zuul
Branch: master

commit a1fb448c3a2a1761ba337c67cd38d11a74ab15f9
Author: Spyros Trigazis <email address hidden>
Date: Thu Mar 29 10:03:12 2018 +0000

    k8s_fedora: Explicitly set etcd authentication

    Set client and peer auth to true and add
    trusted_ca configuration to enable authentication
    via certs for both clients and other etcd members.

    Change-Id: I1d0fbd6f89dc2e95e016299c5ce0c68eb4fe8e1a
    Closes-Bug: #1759813

Changed in magnum:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix merged to magnum (stable/queens)

Reviewed: https://review.openstack.org/557679
Committed: https://git.openstack.org/cgit/openstack/magnum/commit/?id=beb124e81ead85dd04b2e839a68c941222b945c5
Submitter: Zuul
Branch: stable/queens

commit beb124e81ead85dd04b2e839a68c941222b945c5
Author: Spyros Trigazis <email address hidden>
Date: Thu Mar 29 10:03:12 2018 +0000

    k8s_fedora: Explicitly set etcd authentication

    Set client and peer auth to true and add
    trusted_ca configuration to enable authentication
    via certs for both clients and other etcd members.

    Change-Id: I1d0fbd6f89dc2e95e016299c5ce0c68eb4fe8e1a
    Closes-Bug: #1759813

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/magnum 6.1.1

This issue was fixed in the openstack/magnum 6.1.1 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/magnum 7.0.0

This issue was fixed in the openstack/magnum 7.0.0 release.
