add deployment, document some challenges

tjungblu · tjungblu · commit 5920b8ef1215 · 2025-10-28T16:50:04.000+01:00
Signed-off-by: Thomas Jungblut &lt;tjungblu@redhat.com&gt;
diff --git a/bindata/etcd/dedicated-event-etcd-deployment.yaml b/bindata/etcd/dedicated-event-etcd-deployment.yaml
@@ -1,105 +1,164 @@
 apiVersion: apps/v1
+# TODO may become a daemonset now that we run this on hostnetwork
+# TODO or just a fully functional sidecar mounting memory in pod.gotpl.yaml
 kind: Deployment
 metadata:
   name: dedicated-event-etcd
   namespace: openshift-etcd
   labels:
     app: dedicated-event-etcd
     k8s-app: dedicated-event-etcd
-    etcd: "true"
 spec:
   replicas: 1
   selector:
     matchLabels:
       app: dedicated-event-etcd
       k8s-app: dedicated-event-etcd
-      etcd: "true"
   template:
     metadata:
       name: dedicated-event-etcd
       annotations:
-        kubectl.kubernetes.io/default-container: etcd
+        kubectl.kubernetes.io/default-container: etcdctl
       labels:
         app: dedicated-event-etcd
         k8s-app: dedicated-event-etcd
-        etcd: "true"
     spec:
       hostNetwork: true
-      priority: 2000001000
-      priorityClassName: system-node-critical
+      nodeSelector:
+        node-role.kubernetes.io/master: ""
       tolerations:
-      - operator: "Exists"
+        - operator: "Exists"    
       containers:
+      - name: etcdctl
+        # image: {{.Image}}
+        # harcoded 4.20.0
+        image: "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:3654c629d9d8c9a07b481f6d9f8b36f77922f4b196b5e9dd4979957821dbd4b2"
+        imagePullPolicy: IfNotPresent
+        terminationMessagePolicy: FallbackToLogsOnError
+        command:
+          - "/bin/bash"
+          - "-c"
+          - "trap TERM INT; sleep infinity & wait"
+        volumeMounts:
+          - mountPath: /var/lib/etcd/
+            name: data-dir
+          - mountPath: /etcd-all-bundles
+            name: etcd-ca-bundle
+          - mountPath: /etcd-all-certs
+            name: etcd-all-certs
+        env:
+          # export ETCDCTL_ENDPOINTS="https://${MY_POD_IP}:20379"
+          # export ETCDCTL_CACERT="/etcd-all-bundles/ca-bundle.crt"
+          # export ETCDCTL_CERT="/etcd-all-certs/etcd-peer-${MY_NODE_NAME}.crt"
+          # export ETCDCTL_KEY="/etcd-all-certs/etcd-peer-${MY_NODE_NAME}.key"
+
+          - name: MY_POD_IP
+            valueFrom:
+              fieldRef:
+                fieldPath: status.podIP
+          - name: MY_NODE_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: spec.nodeName
+          - name: ETCD_DATA_DIR
+            value: "/var/lib/etcd"
+          - name: ETCDCTL_ENDPOINTS
+            value: "https://${MY_POD_IP}:20379"
+          - name: ETCDCTL_CACERT
+            value: "/etcd-all-bundles/ca-bundle.crt"
+          - name: ETCDCTL_CERT
+            value: "/etcd-all-certs/etcd-peer-${MY_NODE_NAME}.crt"
+          - name: ETCDCTL_KEY
+            value: "/etcd-all-certs/etcd-peer-${MY_NODE_NAME}.key"
       - name: etcd
-        image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:placeholder
+        # image: {{.Image}}
+        # harcoded 4.20.0
+        image: "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:3654c629d9d8c9a07b481f6d9f8b36f77922f4b196b5e9dd4979957821dbd4b2"
         imagePullPolicy: IfNotPresent
         terminationMessagePolicy: FallbackToLogsOnError
+        env:
+        - name: MY_POD_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: MY_NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
         command:
           - /bin/sh
           - -c
           - |
             #!/bin/sh
             set -euo pipefail
+            set -x
+            
+            export ETCD_NAME=events-etcd
 
-            export ETCD_NAME=${NODE_NODE_ENVVAR_NAME_ETCD_NAME}
+            echo "----------------"
             env | grep ETCD | grep -v NODE
-
-            set -x
-            # See https://etcd.io/docs/v3.4.0/tuning/ for why we use ionice
-            exec nice -n -19 ionice -c2 -n0 etcd \
+            echo "----------------"
+            echo "$MY_NODE_NAME"
+            echo "$MY_POD_IP"
+            echo "----------------"
+            ls -l /etcd-all-certs
+            echo "----------------"
+            ls -l /etcd-all-bundles
+            echo "----------------"
+                        
+            etcd \
+              --data-dir=/var/lib/etcd \
               --logger=zap \
               --log-level=WARN \
               --snapshot-count=10000 \
-              --initial-advertise-peer-urls=https://${NODE_NODE_ENVVAR_NAME_IP}:2380 \
-              --cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.crt \
-              --key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.key \
-              --trusted-ca-file=/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt \
+              --quota-backend-bytes 8589934592 \
+              --cert-file="/etcd-all-certs/etcd-serving-${MY_NODE_NAME}.crt" \
+              --key-file="/etcd-all-certs/etcd-serving-${MY_NODE_NAME}.key" \
+              --trusted-ca-file="/etcd-all-bundles/ca-bundle.crt" \
               --client-cert-auth=true \
-              --peer-cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt \
-              --peer-key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key \
-              --peer-trusted-ca-file=/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt \
+              --initial-cluster="${ETCD_NAME}=https://${MY_POD_IP}:20380" \
+              --initial-advertise-peer-urls="https://${MY_POD_IP}:20380" \
+              --listen-peer-urls="https://${MY_POD_IP}:20380" \
+              --peer-cert-file="/etcd-all-certs/etcd-peer-${MY_NODE_NAME}.crt"\
+              --peer-key-file="/etcd-all-certs/etcd-peer-${MY_NODE_NAME}.key" \
+              --peer-trusted-ca-file="/etcd-all-bundles/ca-bundle.crt" \
               --peer-client-cert-auth=true \
-              --advertise-client-urls=https://${NODE_NODE_ENVVAR_NAME_IP}:2379 \
-              --listen-client-urls=https://0.0.0.0:2379 \
-              --listen-peer-urls=https://0.0.0.0:2380
-              
+              --advertise-client-urls=https://${MY_POD_IP}:20379 \
+              --listen-client-urls=https://0.0.0.0:20379 
+
         ports:
-        - containerPort: 2379
+        - containerPort: 20379
           name: etcd
           protocol: TCP
+        - containerPort: 20380
+          name: etcd-peer
+          protocol: TCP
         resources:
-          requests:
-            memory: 5Gi
           limits:
-            memory: 10Gi
+            memory: 8Gi
         securityContext:
           privileged: true
           readOnlyRootFilesystem: true
         volumeMounts:
-          - mountPath: /etc/kubernetes/manifests
-            name: static-pod-dir
-          - mountPath: /etc/kubernetes/static-pod-resources
-            name: resource-dir
-          - mountPath: /etc/kubernetes/static-pod-certs
-            name: cert-dir
-          - mountPath: /tmp
-            name: tmp-dir
+          # TODO inject etcd-all-certs and etcd-all-bundles
+          # TODO this is going to be annoying, because the certs are not issued for the pod IP
+          # and the peer cert is the client cert IIRC, so might make sense to schedule on the
+          # existing CP anyway and mount the static pods for the respective node name via downward API
           - mountPath: /var/lib/etcd/
             name: data-dir
+          - mountPath: /etcd-all-bundles
+            name: etcd-ca-bundle
+          - mountPath: /etcd-all-certs
+            name: etcd-all-certs
       volumes:
-        - hostPath:
-            path: /etc/kubernetes/manifests
-          name: static-pod-dir
-        - hostPath:
-            path: /etc/kubernetes/static-pod-resources/etcd-pod-REVISION
-          name: resource-dir
-        - hostPath:
-            path: /etc/kubernetes/static-pod-resources/etcd-certs
-          name: cert-dir
-        - emptyDir: {}
-          name: tmp-dir
+        - configMap:
+            name: etcd-ca-bundle
+          name: etcd-ca-bundle
+        - secret:
+            secretName: etcd-all-certs
+          name: etcd-all-certs
         - name: data-dir
           emptyDir:
             medium: Memory
-            sizeLimit: 5Gi
+            sizeLimit: 8Gi
 
diff --git a/bindata/etcd/dedicated-event-etcd-svc.yaml b/bindata/etcd/dedicated-event-etcd-svc.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Service
+metadata:
+  namespace: openshift-etcd
+  name: events-etcd
+  annotations:
+    service.alpha.openshift.io/serving-cert-secret-name: serving-cert
+    prometheus.io/scrape: "false"
+    prometheus.io/scheme: https
+  labels:
+    k8s-app: dedicated-event-etcd
+spec:
+  selector:
+    k8s-app: dedicated-event-etcd
+  ports:
+    - name: etcd
+      port: 2379
+      protocol: TCP
diff --git a/pkg/operator/dedicatedetcdcontroller/dedicated_etcd_controller.go b/pkg/operator/dedicatedetcdcontroller/dedicated_etcd_controller.go
@@ -91,6 +91,35 @@ func (c *DedicatedEtcdController) sync(ctx context.Context, syncCtx factory.Sync
 	// 2. Configure it to store only events
 	// 3. Update status accordingly
 
+	/*
+		TODO
+		seems the hostNetwork pod can't connect to the service network / DNS lookup the service:
+		grpc: addrConn.createTransport failed to connect to {Addr: "events-etcd.openshift-etcd.svc.cluster.local:2379", ServerName: "events-etcd.openshift-etcd.svc.cluster.local:2379", }. Err: connection error: desc = "transport: Error while dialing: dial tcp: lookup events-etcd.openshift-etcd.svc.cluster.local on 169.254.169.254:53: no such host"
+	*/
+
+	/*
+		TODO Patch for KAS-O
+		apiVersion: operator.openshift.io/v1
+		kind: KubeAPIServer
+		spec:
+		  unsupportedConfigOverrides:
+			apiServerArguments:
+			  etcd-servers-overrides:
+				- "/kubernetes.io/events#https://events-etcd.openshift-etcd.svc.cluster.local:2379"
+
+		# TODO also problematic somehow:
+		# err="--etcd-servers-overrides invalid, must be of format: group/resource#servers, where servers are URLs, semicolon separated"
+
+	*/
+
+	/*
+		 TODO using pod IPs instead will result in cert errors like:
+		desc = "transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate is valid for 10.0.0.5, 127.0.0.1, ::1, not 10.130.0.68"
+	*/
+
+	// TODO one can verify whether it works by watching the event prefix on etcdctl
+	// sh-5.1# etcdctl watch /kubernetes.io/events --prefix
+
 	_, _, updateErr := v1helpers.UpdateStatus(ctx, c.operatorClient, v1helpers.UpdateConditionFn(operatorv1.OperatorCondition{
 		Type:   "DedicatedEtcdForEventsAvailable",
 		Status: operatorv1.ConditionTrue,
diff --git a/pkg/tlshelpers/tlshelpers.go b/pkg/tlshelpers/tlshelpers.go
@@ -65,7 +65,9 @@ func getServerHostNames(nodeInternalIPs []string) []string {
 		"etcd.kube-system.svc",
 		"etcd.kube-system.svc.cluster.local",
 		"etcd.openshift-etcd.svc",
+		"events-etcd.openshift-etcd.svc",
 		"etcd.openshift-etcd.svc.cluster.local",
+		"events-etcd.openshift-etcd.svc.cluster.local",
 		"127.0.0.1",
 		"::1",
 		// "0:0:0:0:0:0:0:1" will be automatically collapsed to "::1", so we don't have to add it on top
