From 8e2708664f6cab43f80f35121893b01536ab7845 Mon Sep 17 00:00:00 2001
From: Hamid
Date: Wed, 25 Sep 2019 22:22:53 +1000
Subject: [PATCH] Added etcd-certfile and etcd-keyfile options

I think as etcd is configured to use CA and keys for authentication, we need to provide kube-apiserver with these two files.
Without them, I was getting the following errors after each `systemctl reload kube-apiserver`

```
I0925 22:21:51.570292 2528 endpoint.go:66] ccResolverWrapper: sending new addresses to cc: [{https://etcd1.example.com:2379 0 }]
W0925 22:21:51.575195 2528 clientconn.go:1120] grpc: addrConn.createTransport failed to connect to {https://etcd1.example.com:2379 0 }. Err :connection error: desc = "transport: authentication handshake failed: remote error: tls: bad certificate". Reconnecting...
I0925 22:21:52.575910 2528 client.go:361] parsed scheme: "endpoint"
I0925 22:21:52.577217 2528 endpoint.go:66] ccResolverWrapper: sending new addresses to cc: [{https://etcd1.example.com:2379 0 }]
W0925 22:21:52.607232 2528 clientconn.go:1120] grpc: addrConn.createTransport failed to connect to {https://etcd1.example.com:2379 0 }. Err :connection error: desc = "transport: authentication handshake failed: remote error: tls: bad certificate". Reconnecting...
W0925 22:21:52.609382 2528 clientconn.go:1120] grpc: addrConn.createTransport failed to connect to {https://etcd1.example.com:2379 0 }. Err :connection error: desc = "transport: authentication handshake failed: remote error: tls: bad certificate". Reconnecting...
```
---
 kamran/Kubernetes-The-Hard-Way-on-BareMetal.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/kamran/Kubernetes-The-Hard-Way-on-BareMetal.md b/kamran/Kubernetes-The-Hard-Way-on-BareMetal.md
index aae7ae2..6a3b0e6 100644
--- a/kamran/Kubernetes-The-Hard-Way-on-BareMetal.md
+++ b/kamran/Kubernetes-The-Hard-Way-on-BareMetal.md
@@ -1027,6 +1027,8 @@ ExecStart=/usr/bin/kube-apiserver \ --bind-address=0.0.0.0 \ --enable-swagger-ui=true \ --etcd-cafile=/var/lib/kubernetes/ca.pem \ + --etcd-certfile=/var/lib/kubernetes/kubernetes.pem \ + --etcd-keyfile=/var/lib/kubernetes/kubernetes-key.pem \ --insecure-bind-address=0.0.0.0 \ --kubelet-certificate-authority=/var/lib/kubernetes/ca.pem \ --etcd-servers=https://10.240.0.11:2379,https://10.240.0.12:2379 \
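
Review bot: The two added lines, `--etcd-certfile=/var/lib/kubernetes/kubernetes.pem` and `--etcd-keyfile=/var/lib/kubernetes/kubernetes-key.pem`, land in the unit file without any text in the guide explaining why they are needed or what the certificate has to satisfy. Suggest adding a sentence beside the unit file saying that the flags are required because etcd authenticates its clients by certificate, that kubernetes.pem must chain to the CA etcd trusts for client connections (the `tls: bad certificate` handshake failure in the commit message is what a reader sees otherwise), and that kubernetes-key.pem should be readable only by the account that runs kube-apiserver. If this certificate and key pair is also used for other purposes on the node, a dedicated etcd client certificate would keep the etcd credential separate and easier to rotate. As a follow-up outside this change, the unchanged context line `--insecure-bind-address=0.0.0.0` exposes the unauthenticated API port on every interface, which weakens the benefit of authenticating to etcd; binding it to 127.0.0.1 or dropping it would be worth a separate patch.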