This repository has been archived by the owner on Jan 11, 2023. It is now read-only.

Generate proxy certs script small issues #3984

Closed
CecileRobertMichon opened this issue Oct 9, 2018 · 1 comment · Fixed by #4123

Comments

@CecileRobertMichon
Contributor

https://github.com/Azure/acs-engine/blob/master/parts/k8s/kubernetesmastergenerateproxycertscript.sh

Run by default on master nodes when ENABLE_AGGREGATED_APIS is True (default for k8s 1.9+).

  1. Keys are sometimes generated as part of the script, and I've noticed they sometimes get printed in /var/log/cluster-provision.log. We should be redacting secrets in the logs.

Example output:

```
Generating RSA private key, 2048 bit long modulus
.......+++
.................................................................................................+++
e is 65537 (0x10001)
Generating RSA private key, 2048 bit long modulus
....+++
...+++
e is 65537 (0x10001)
Signature ok
subject=/CN=aggregator/O=system:masters
Getting CA Private Key
member 2f72769ab698d244 is healthy: got healthy result from https://10.239.255.239:2379
member 6157595d95058788 is unreachable: no available published client urls
member 93d02c474f075436 is healthy: got healthy result from https://10.239.255.240:2379
cluster is healthy
Executed "etcdctl cluster-health" 1 times
-----BEGIN CERTIFICATE-----
REDACTED
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
REDACTED
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
REDACTED
-----END CERTIFICATE-----
```

(where the REDACTED parts actually show in the logs).

  2. Investigate why one of the members appears unhealthy in the above. Is it reproducible? 100% of the time?

```
member 6157595d95058788 is unreachable: no available published client urls
member 93d02c474f075436 is healthy: got healthy result from https://10.239.255.240:2379
cluster is healthy
```
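A defensive filter for the first point, added here as an example; it is not code from acs-engine or from this issue's authors, and the function names and the sample log are constructed. It drops the body of any PEM private-key block from the provisioning output before it is logged, leaves certificates untouched, and includes a check you can run over an existing log to see whether a key body got through.

```shell
#!/bin/sh
# Added example (not from the acs-engine repository): filter provisioning
# output so that PEM private-key bodies never reach cluster-provision.log.
# Certificates are left intact because they are public material.

# Replace the body of every "-----BEGIN ... PRIVATE KEY-----" block with a
# single REDACTED line; everything else passes through unchanged.
# The pattern also matches PKCS#8 ("BEGIN PRIVATE KEY") and EC keys.
redact_private_keys() {
    awk '
        /-----BEGIN [A-Z ]*PRIVATE KEY-----/ { print; print "REDACTED"; in_key = 1; next }
        /-----END [A-Z ]*PRIVATE KEY-----/   { print; in_key = 0; next }
        in_key { next }
        { print }
    '
}

# Count private-key blocks whose body is still present (not just "REDACTED"),
# i.e. a check to run over an existing log to see whether it leaked keys.
count_leaked_keys() {
    awk '
        /-----BEGIN [A-Z ]*PRIVATE KEY-----/ { in_key = 1; leaked = 0; next }
        /-----END [A-Z ]*PRIVATE KEY-----/   { if (leaked) n++; in_key = 0; next }
        in_key && $0 != "REDACTED" { leaked = 1 }
        END { print n + 0 }
    '
}

# Constructed sample resembling the script's output (fake cert and key bodies).
SAMPLE_LOG='Generating RSA private key, 2048 bit long modulus
e is 65537 (0x10001)
Signature ok
subject=/CN=aggregator/O=system:masters
-----BEGIN CERTIFICATE-----
MIIBconstructedCertificateBody
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIEconstructedPrivateKeyBody
-----END RSA PRIVATE KEY-----'

# Usage: pipe the provisioning step through the filter before it is logged,
# e.g.  generate_certs 2>&1 | redact_private_keys >> /var/log/cluster-provision.log
printf '%s\n' "$SAMPLE_LOG" | redact_private_keys
```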
@goshlanguage
Contributor

Hi,

I walked through the script to find where it would be outputting the contents of the cert, and pushed a change to stop that.

I'm new to this project however, so I'm not sure what environment this is supposed to run in. Could you point me in the right direction for testing this change so I can see where the etcd peers are having a hiccup?

Thanks in advance for any help.


2 participants