Page MenuHomePhabricator

Stand up upgraded Toolforge etcd clusters
Closed, ResolvedPublic


From, "The minimum recommended version of etcd to run in production is 3.2.10+".

It looks like Wikimedia's stretch/main repo has etcd-3.2.16. That should do!

For building the two clusters we need, we require:

  • A revisit of the current etcd config in puppet with attention to any new ideas around certificate management. -- note T144153, T169287 and T215553. There's a lot entangled in these tasks.
  • Documentation of the build and configuration -- making sure etcdctl actually functions on the servers in a way that is documented and perhaps consistent with upstream docs (currently, it might work, but it is so old that upstream docs are totally different).

Event Timeline

Bstorm triaged this task as High priority.Feb 8 2019, 9:42 PM
Bstorm created this task.

For at least test builds, we could probably just use the puppet certs...and that might be a fine way to use them going forward with a documentation and/or puppet change to say "subscribe" to the puppet certs file...not sure exactly how that would work or if it would considering how puppet uses them, but...


We can stand up etcd using kubeadm if we choose. It's weird. We'll probably at least test the process to see.

One advantage to using kubeadm for most everything is centralizing CA management from k8s itself, but this could turn into a problem instead of a solution. It depends on exactly how all certs end up getting used.

aborrero claimed this task.
aborrero added a subscriber: aborrero.

This has been done in 2 different ways:

So I think this task can be closed now. Feel free to reopen if required.