For Kubernetes, when using TLS (which is not the case in Jenkins I think, also we are not testing multi master). Both Kubernetes Load balancer and ETCD LB must be set to TCP.
curl -v --cacert /srv/kubernetes/ca.crt --cert /srv/kubernetes/client.crt --key /srv/kubernetes/client.key 'https://10.0.0.4:2379/v2/keys/atomic.io/network/config?quorum=false&recursive=false&sorted=false'
* Trying 10.0.0.4...
* TCP_NODELAY set
* Connected to 10.0.0.4 (10.0.0.4) port 2379 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /srv/kubernetes/ca.crt
CApath: none
* NSS error -12263 (SSL_ERROR_RX_RECORD_TOO_LONG)
* SSL received a record that exceeded the maximum permissible length.
* Curl_http_done: called premature == 1
* stopped the pause stream!
* Closing connection 0
curl: (35) SSL received a record that exceeded the maximum permissible length.
This is not the case for ETCD which is hardcoded in TCP. I already proposed a fix https://review.openstack.org/#/c/450841/
But there is another issue during TLS certs generation because we are not adding the IP of the Neutron LB to the ALT-NAME when generating certs.
Reviewed: https:/
Committed: https:/
Submitter: Jenkins
Branch: master
commit ecfe6ac183effaa
Author: ArchiFleKs <email address hidden>
Date: Tue Mar 28 17:16:05 2017 +0200
Fix CoreOS multi master with LB cluster creation
Cluster that uses ETCD like swarm and K8s failed with LB and TLS enable
because ETCD LB protocol is HTTP but SSL termination in on the ETCD
node. ETCD LB protocol should be the same as K8s with TLS enable
Partial-Bug: #1679724
Change-Id: Ie8c8a7e4609c0e