EasyRSA scale out broken
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| CDK Addons | Fix Released | High | George Kraft | |
| Calico Charm | Fix Released | High | George Kraft | |
| Canal Charm | Fix Released | High | George Kraft | |
| EasyRSA Charm | Won't Fix | High | Cory Johns | |
| Etcd Charm | Fix Released | High | George Kraft | |
| Flannel Charm | Fix Released | High | George Kraft | |
| Kubernetes API Load Balancer | Fix Released | High | George Kraft | |
| Kubernetes Control Plane Charm | Fix Released | High | George Kraft | |
| Kubernetes Worker Charm | Fix Released | High | George Kraft | |
| Tigera Secure EE Charm | Fix Released | High | George Kraft | |
Bug Description
Opened by jacekn on 2017-03-23 10:05:00+00:00 at https:/
-------
I use easyrsa with k8s charms. I wanted to scale it out for HA, but `juju add-unit easyrsa` caused the following hook error:
# ./hooks/
Easy-RSA error:
Missing expected CA file: serial (perhaps you need to run build-ca?)
Run without commands for usage and command help.
Traceback (most recent call last):
File "./hooks/
main()
File "/usr/local/
bus.dispatch()
File "/usr/local/
_invoke(
File "/usr/local/
handler.
File "/usr/local/
self.
File "/var/lib/
server_cert, server_key = create_
File "/var/lib/
check_
File "/usr/lib/
raise CalledProcessEr
subprocess.
=======
Comment created by mbruzek on 2017-03-23 16:07:29+00:00
It looks like the other easyrsa unit does not have the CA. We may need to change the code so only the leader signs the keys and certs and the other easyrsa units are ready in standby mode. However, I do not know if easyrsa supports importing another server's PKI and signing certs. We need to come up with a strategy for how it should work, and more testing and investigation are needed here.
@jacekn If you have more experience with easyrsa or have an architectural design that could help with this issue, please leave a comment; that would be appreciated.
-------
Comment created by hansbogert on 2018-01-01 22:49:34+00:00
In my case the common name of the CA is an IP address of the initial host which creates the CA certificate, so if that's correct, then high availability is even more problematic. In fact I experienced an "unknown certificate authority" error when trying to do a manual switch from one easyrsa unit to a different one, on a different MAAS node.
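The two comments above describe the same failure class: a second easyrsa unit that either has no CA at all (the missing `serial` file in the report) or initialised its own CA, so certificates it signs are rejected as coming from an unknown authority. The preflight check below is an added example, not the charm's or EasyRSA's own code; it assumes the EasyRSA 3 PKI layout (`ca.crt`, `private/ca.key`, `serial`, `index.txt` under the PKI dir) and constructs throwaway PKI directories whose `ca.crt` body is arbitrary bytes rather than a real certificate.

```python
import base64
import hashlib
import os
import tempfile

# Files EasyRSA 3 expects in the PKI dir once `build-ca` has run; without them
# a signing unit fails as in the report ("Missing expected CA file: serial").
REQUIRED_CA_FILES = ("ca.crt", "private/ca.key", "serial", "index.txt")

def missing_ca_files(pki_dir):
    """Relative paths of the expected CA files absent from pki_dir."""
    return [f for f in REQUIRED_CA_FILES if not os.path.isfile(os.path.join(pki_dir, f))]

def pem_fingerprint_sha256(pem_text):
    """SHA-256 fingerprint of the first PEM block, i.e. the hash of its DER bytes."""
    lines = [l.strip() for l in pem_text.splitlines() if l.strip()]
    begin = next(i for i, l in enumerate(lines) if l.startswith("-----BEGIN "))
    end = next(i for i, l in enumerate(lines) if l.startswith("-----END "))
    return hashlib.sha256(base64.b64decode("".join(lines[begin + 1:end]))).hexdigest()

def ca_fingerprint(pki_dir):
    with open(os.path.join(pki_dir, "ca.crt")) as fh:
        return pem_fingerprint_sha256(fh.read())

def check_signing_unit(pki_dir, expected_fingerprint):
    """(ok, problems) for a unit about to sign: CA files present and the CA is the leader's."""
    missing = missing_ca_files(pki_dir)
    if missing:
        return False, ["missing CA file(s): " + ", ".join(missing)]
    if ca_fingerprint(pki_dir) != expected_fingerprint.lower():
        return False, ["CA fingerprint mismatch: this unit holds a different CA"]
    return True, []

def _write_pki(root, ca_bytes):
    """Constructed sample PKI layout; the ca.crt body is arbitrary bytes, not a real cert."""
    os.makedirs(os.path.join(root, "private"))
    pem = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(ca_bytes).decode()
    for f in REQUIRED_CA_FILES:
        with open(os.path.join(root, f), "w") as fh:
            fh.write(pem if f == "ca.crt" else "01\n")

def demo():
    """Leader with a CA, a fresh add-unit with no CA, and a unit that ran its own build-ca."""
    with tempfile.TemporaryDirectory() as tmp:
        _write_pki(os.path.join(tmp, "leader"), b"leader-ca")
        os.makedirs(os.path.join(tmp, "fresh"))  # what a new unit looks like before any CA sync
        _write_pki(os.path.join(tmp, "other"), b"other-ca")  # independently ran build-ca
        expected = ca_fingerprint(os.path.join(tmp, "leader"))
        return {n: check_signing_unit(os.path.join(tmp, n), expected) for n in ("leader", "fresh", "other")}
```

Only the leader passes; the fresh unit is refused for the missing files and the other unit for the fingerprint mismatch, which is the check a standby unit would need before it may sign for the cluster.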
tags: added: canonical-bootstack
Changed in charm-calico:
  status: New → In Progress
  assignee: nobody → George Kraft (cynerva)
Changed in charm-canal:
  assignee: nobody → George Kraft (cynerva)
Changed in charm-etcd:
  assignee: nobody → George Kraft (cynerva)
Changed in charm-flannel:
  assignee: nobody → George Kraft (cynerva)
Changed in charm-kubeapi-load-balancer:
  assignee: nobody → George Kraft (cynerva)
Changed in charm-kubernetes-master:
  assignee: nobody → George Kraft (cynerva)
Changed in charm-kubernetes-worker:
  assignee: nobody → George Kraft (cynerva)
Changed in charm-tigera-secure-ee:
  assignee: nobody → George Kraft (cynerva)
Changed in charm-canal:
  status: New → Incomplete
  status: Incomplete → In Progress
Changed in charm-etcd:
  status: New → In Progress
Changed in charm-flannel:
  status: New → In Progress
Changed in charm-kubeapi-load-balancer:
  status: New → In Progress
Changed in charm-kubernetes-master:
  status: New → In Progress
Changed in charm-kubernetes-worker:
  status: New → In Progress
Changed in charm-tigera-secure-ee:
  status: New → In Progress
Changed in charm-calico:
  importance: Undecided → High
Changed in charm-canal:
  importance: Undecided → High
Changed in charm-etcd:
  importance: Undecided → High
Changed in charm-flannel:
  importance: Undecided → High
Changed in charm-kubeapi-load-balancer:
  importance: Undecided → High
Changed in charm-kubernetes-master:
  importance: Undecided → High
Changed in charm-kubernetes-worker:
  importance: Undecided → High
Changed in charm-tigera-secure-ee:
  importance: Undecided → High
Changed in charm-easyrsa:
  status: Fix Committed → Won't Fix
Changed in cdk-addons:
  assignee: nobody → George Kraft (cynerva)
  importance: Undecided → High
  status: New → In Progress
Changed in cdk-addons:
  status: In Progress → Fix Committed
Changed in charm-calico:
  status: In Progress → Fix Committed
Changed in charm-canal:
  status: In Progress → Fix Committed
Changed in charm-etcd:
  status: In Progress → Fix Committed
Changed in charm-flannel:
  status: In Progress → Fix Committed
Changed in charm-kubeapi-load-balancer:
  status: In Progress → Fix Committed
Changed in charm-kubernetes-master:
  status: In Progress → Fix Committed
Changed in charm-kubernetes-worker:
  status: In Progress → Fix Committed
Changed in charm-tigera-secure-ee:
  status: In Progress → Fix Committed
Changed in charm-etcd:
  milestone: none → 1.15+ck1
Changed in cdk-addons:
  milestone: none → 1.15+ck1
Changed in charm-calico:
  milestone: none → 1.15+ck1
Changed in charm-canal:
  milestone: none → 1.15+ck1
Changed in charm-flannel:
  milestone: none → 1.15+ck1
Changed in charm-kubeapi-load-balancer:
  milestone: none → 1.15+ck1
Changed in charm-kubernetes-master:
  milestone: none → 1.15+ck1
Changed in charm-kubernetes-worker:
  milestone: none → 1.15+ck1
Changed in charm-tigera-secure-ee:
  milestone: none → 1.15+ck1
Changed in charm-calico:
  milestone: 1.15+ck1 → none
  status: Fix Committed → Fix Released
Changed in charm-calico:
  milestone: none → 1.15+ck1
Changed in cdk-addons:
  status: Fix Committed → Fix Released
Changed in charm-canal:
  status: Fix Committed → Fix Released
Changed in charm-etcd:
  status: Fix Committed → Fix Released
Changed in charm-flannel:
  status: Fix Committed → Fix Released
Changed in charm-kubeapi-load-balancer:
  status: Fix Committed → Fix Released
Changed in charm-kubernetes-master:
  status: Fix Committed → Fix Released
Changed in charm-kubernetes-worker:
  status: Fix Committed → Fix Released
Changed in charm-tigera-secure-ee:
  status: Fix Committed → Fix Released
I've added the canonical-bootstack tag here, as this affects our production Bootstack environments in the following way:
Firstly, we run K8s clouds and have a single easyrsa unit there, which is a single point of failure. I've not dug into recovery options for this as yet.
Secondly, the OpenStack deployments use EasyRSA to provide a TLS cert for etcd, which is used by Vault, which stores the LUKS keys for Ceph. With a single unit of easyrsa, if we lose the host it resides on, re-implementing a new easyrsa unit breaks the etcd cluster, rendering it unusable, which in turn would do nasty things to Vault.