Details
- Bug
- Resolution: Fixed
- Critical
- None
- None
- 1
Description
When we create an exporter sidecar and we're using custom TLS certs, these TLS certs are supplied to the exporter via the pod spec.
The problem is that, as the code shows (https://github.com/couchbase/couchbase-operator/blob/525cf3234737e1eed4fa4eeeec582e4fd2e3e334/pkg/util/k8sutil/pod_util.go#L610-L612), we append the cert arguments to the command.
This used to work when the operator passed the explicit couchbase-exporter command to run, but since K8S-1452 we just use the entrypoint, so there is no command.
This leads to the Operator overwriting the command and the pod spec looking like this:
```yaml
- args:
  - --token
  - /var/run/secrets/couchbase.com/metrics-token/token
  command:
  - --cert
  - /var/run/secrets/couchbase.com/couchbase-server-tls/chain.pem
  - --key
  - /var/run/secrets/couchbase.com/couchbase-server-tls/pkey.key
  - --ca
  - /var/run/secrets/couchbase.com/couchbase-operator-tls/ca.crt
```
Naturally, the exporter then can't start:
'OCI runtime create failed: container_linux.go:349: starting container process caused "exec: \"--cert\": executable file not found in $PATH": unknown'
Marked as critical as the exporter is completely non-functional (with no workaround) when using custom TLS certificates.
The correct fix is to add the cert flags to the args, rather than the command.
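The difference between the two placements, as an added example that is not the operator's own code. `Container` is a local stand-in for the `Command`/`Args` fields of the Kubernetes container type, and the function names `addTLSBuggy`, `addTLSFixed` and `validateCommand` are hypothetical; the last one is a check that would reject the broken spec before it reaches the runtime.

```go
package main

import (
	"fmt"
	"strings"
)

// Container is a minimal stand-in for the Command/Args fields of a
// Kubernetes container spec (assumption: the real type is not imported).
type Container struct {
	Command []string // overrides the image ENTRYPOINT when non-empty
	Args    []string // overrides the image CMD; passed to the entrypoint
}

// tlsFlags returns the exporter TLS flags with the paths shown in the issue.
func tlsFlags() []string {
	return []string{
		"--cert", "/var/run/secrets/couchbase.com/couchbase-server-tls/chain.pem",
		"--key", "/var/run/secrets/couchbase.com/couchbase-server-tls/pkey.key",
		"--ca", "/var/run/secrets/couchbase.com/couchbase-operator-tls/ca.crt",
	}
}

// addTLSBuggy reproduces the reported behaviour: with Command empty, the
// first flag becomes the executable the runtime tries to exec.
func addTLSBuggy(c Container) Container {
	c.Command = append(c.Command, tlsFlags()...)
	return c
}

// addTLSFixed appends the flags to Args so the image entrypoint still runs.
func addTLSFixed(c Container) Container {
	c.Args = append(append([]string{}, c.Args...), tlsFlags()...)
	return c
}

// validateCommand rejects a Command whose executable looks like a flag.
func validateCommand(c Container) error {
	if len(c.Command) > 0 && strings.HasPrefix(c.Command[0], "-") {
		return fmt.Errorf("command[0] %q is a flag, not an executable", c.Command[0])
	}
	return nil
}

func main() {
	base := Container{Args: []string{"--token", "/var/run/secrets/couchbase.com/metrics-token/token"}}
	fmt.Println("buggy:", validateCommand(addTLSBuggy(base)))
	fmt.Println("fixed:", validateCommand(addTLSFixed(base)))
}
```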
Issue Links
- blocks: K8S-1506 Autonomous Operator (Kubernetes) 2.0.2 GA Release - target on web week of July 27 (Resolved)
For Gerrit Dashboard: K8S-1600

| # | Subject | Branch | Project | Status | CR | V |
|---|---|---|---|---|---|---|
| 133439,7 | K8S-1600: Exporter does not work with TLS | 2.0.x | couchbase-operator | Status: MERGED | +2 | +1 |