--- apiVersion: v1 items: - apiVersion: v1 data: install-config: | additionalTrustBundlePolicy: Proxyonly apiVersion: v1 baseDomain: openstack.lab bootstrapInPlace: installationDisk: /dev/disk/by-path/pci-0000:00:06.0 compute: - architecture: amd64 hyperthreading: Enabled name: worker platform: {} replicas: 0 controlPlane: architecture: amd64 hyperthreading: Enabled name: master platform: {} replicas: 1 metadata: creationTimestamp: null name: sno networking: clusterNetwork: - cidr: 10.128.0.0/16 hostPrefix: 23 machineNetwork: - cidr: 192.168.32.0/24 networkType: OVNKubernetes serviceNetwork: - 172.30.0.0/16 platform: none: {} publish: External pullSecret: "" sshKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDSZOoqPx68k2c5RlBkBRTUudjheon03RWQ0Ur1fWOIA0S48HCNRCGHvrlCnYtby/820vNr3r3uy3FbS9kFNc9v6SCHJXCqY8DfLEpDJMHoUTTNLavqEOXuyPsW7Sj09badUXA5VKG+SQue57SZIPG78WxxDAvgomgVEF/lxzARrLbYgpbR33qFm+Lib20d549oqOrc8OSzRQC13EOQpYSVrJwh2Y7igZW2XU2f4tW+3CDJGdrF6Sq4HLd4trtJrY5zRP58+Eocq9lWs2QJFnEiW1wcL2TVcd4/aTkjpdoZXPlSSZxzXBnSBdIGB/GH3CgABrAScbrVbzy/Ne6urNtV kind: ConfigMap metadata: annotations: kubernetes.io/description: The install-config content used to create the cluster. The cluster configuration may have evolved since installation, so check cluster configuration resources directly if you are interested in the current cluster state. creationTimestamp: "2026-03-08T00:21:29Z" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:install-config: {} f:metadata: f:annotations: .: {} f:kubernetes.io/description: {} manager: cluster-etcd-operator operation: Update time: "2026-03-08T00:21:29Z" name: cluster-config-v1 namespace: openshift-etcd resourceVersion: "4543" uid: 9bf06659-e30f-4583-8ebc-9cd40f4bd51a - apiVersion: v1 data: metrics-ca-bundle.crt: | -----BEGIN CERTIFICATE----- MIIDUzCCAjugAwIBAgIIaejPvhI0u9MwDQYJKoZIhvcNAQELBQAwNzE1MDMGA1UE Awwsb3BlbnNoaWZ0LWV0Y2RfZXRjZC1tZXRyaWMtc2lnbmVyQDE3NzI5Mjg4MjIw HhcNMjYwMzA4MDAxMzQyWhcNMzEwMzA3MDAxMzQzWjA3MTUwMwYDVQQDDCxvcGVu c2hpZnQtZXRjZF9ldGNkLW1ldHJpYy1zaWduZXJAMTc3MjkyODgyMjCCASIwDQYJ KoZIhvcNAQEBBQADggEPADCCAQoCggEBAOfdrGOLx7g+V9CRQoUyLar/8M0XZwxA D+H0/oi1j0H1DDXNQEicZ6u7rXyAthBczWQcmTK4vef0cbvpWHvwN7mQICP7qyAt w0nEaRX//Nrb0WrxRQpbHrXWULKays0wg0hA+g5c/ErydQLFg+renQQ+Ww4Ndi8f YR7eYfwI6ld5CJH9X1tNCeCtuxGSmLbI+YBoRyWy+Ei+6GYg0+uh2Zfnv0wxLvUn thLRQH9FgIzI90x4wzGewuaVppCL+TuI9XlUEXzCy3qrKCi1ckot4j+TstefRd91 NsPNkdUID7/QDKt+Hhywx/mTDw2E737AcVHVZ5yyW3XzOrTHmPdj8NMCAwEAAaNj MGEwDgYDVR0PAQH/BAQDAgKkMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFN37 14ZPkTwMlcicYbpydkDVTv5hMB8GA1UdIwQYMBaAFN3714ZPkTwMlcicYbpydkDV Tv5hMA0GCSqGSIb3DQEBCwUAA4IBAQBmqMvaUoLmUeE02uJcGbl/DrQf4h4Q+EGO hKSw7BoIqs0ZV/WShujlrZLCyd5BoCPywgM9vEH+wLqASW49dd74mNyVAbE5A/Xz I6kxsThzV1Om4ohtM6XIRm93UVoRJ8cUemnHRd8IK917g3gu3s+KJzfEmWpdiFHK eCdP2E40pj5qnIp+fqmpNaF7neVpNt6UrEGqTVfRxedCbK0fP+TP9dDKibxgCdzC 3B4pkQ89RZua7x7uaGFqGaiFmKXCXfLNixKfsaYqcnW8ArHGsTspXsixUqEVazBo OGIq3iVfAFH1YGTMaCx7EQVz3S9h8YeojP88sREaud4sdlfUv9L8 -----END CERTIFICATE----- server-ca-bundle.crt: | -----BEGIN CERTIFICATE----- MIIDRTCCAi2gAwIBAgIIBZdtBgR1XV0wDQYJKoZIhvcNAQELBQAwMDEuMCwGA1UE Awwlb3BlbnNoaWZ0LWV0Y2RfZXRjZC1zaWduZXJAMTc3MjkyODgyMjAeFw0yNjAz MDgwMDEzNDFaFw0zMTAzMDcwMDEzNDJaMDAxLjAsBgNVBAMMJW9wZW5zaGlmdC1l dGNkX2V0Y2Qtc2lnbmVyQDE3NzI5Mjg4MjIwggEiMA0GCSqGSIb3DQEBAQUAA4IB DwAwggEKAoIBAQC1dCzEsrkimCZtXpSL0cakdBZP7ElOclQ5tNotEkH1BNE29/2Q 67pSHKrw3JNRpeNQv2ASJ49zKYvXmKnrUi21gybNS4ZXME+wL5I0kEmRjsqbp1Jm vDaR3XnKpWHyvmnjOS6bgnOoMkdgIeZylfRzzE7bCFK3sqlvlNGJCfLVU+y260R5 zrx4n0ORjGsEz14GQO2V6ly+yUJgc2ZwuDeGdxbzE0BCpuHQaY81e9YC+MLfKu5S EcYVLafH4OI2dsJuf9XjFk+8U/qOcm3UozCHSatqTlejVF+n8DqlUDP4KP8RIXAU wOoF0MKRUetcqiqAURUZeue6gKF/d0WLTP0VAgMBAAGjYzBhMA4GA1UdDwEB/wQE AwICpDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQZgy21FOnQiK2fkOc44qXa KYAMujAfBgNVHSMEGDAWgBQZgy21FOnQiK2fkOc44qXaKYAMujANBgkqhkiG9w0B AQsFAAOCAQEAjSsQizBd7RyEZi9906wZ8OKsJuXB0xnYsDVWFfSqLCDWdrwWSuA7 TGhOgD9HTxeTmiS6YOoRRHl79MLHCX5zg1NA48hvD7MDFgu+cutvpBdmonR8NKli jHlH3eTUoBAnx3Y23m/jcD7/BzDEegp4OVTeEO2IR/yFASjlI3ReNykDMHoXjHwJ lkpKrNgpZXA8QE7GVo/9LrAsM08QVcpecsJi9Q6Eic9HTJjqBz9uWVdejWrrueJH EGbrA9d9CEnHHJEdItMSOtlWCipICsrC/NkdhL0REqRkqYQEckJXe3wIMzbqscpC hz0Lx8YmLfj6V/hT3GpBenLIWvGzXmrG7g== -----END CERTIFICATE----- kind: ConfigMap metadata: annotations: openshift.io/ceo-bundle-rollout-revision: "0" openshift.io/owning-component: Etcd creationTimestamp: "2026-03-08T00:15:38Z" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:metrics-ca-bundle.crt: {} f:server-ca-bundle.crt: {} f:metadata: f:annotations: .: {} f:openshift.io/ceo-bundle-rollout-revision: {} f:openshift.io/owning-component: {} manager: cluster-bootstrap operation: Update time: "2026-03-08T00:15:38Z" name: etcd-all-bundles namespace: openshift-etcd resourceVersion: "586" uid: 7f9a0959-43a7-4a41-985d-da87a83407b7 - apiVersion: v1 data: metrics-ca-bundle.crt: | -----BEGIN CERTIFICATE----- MIIDUzCCAjugAwIBAgIIaejPvhI0u9MwDQYJKoZIhvcNAQELBQAwNzE1MDMGA1UE Awwsb3BlbnNoaWZ0LWV0Y2RfZXRjZC1tZXRyaWMtc2lnbmVyQDE3NzI5Mjg4MjIw HhcNMjYwMzA4MDAxMzQyWhcNMzEwMzA3MDAxMzQzWjA3MTUwMwYDVQQDDCxvcGVu c2hpZnQtZXRjZF9ldGNkLW1ldHJpYy1zaWduZXJAMTc3MjkyODgyMjCCASIwDQYJ KoZIhvcNAQEBBQADggEPADCCAQoCggEBAOfdrGOLx7g+V9CRQoUyLar/8M0XZwxA D+H0/oi1j0H1DDXNQEicZ6u7rXyAthBczWQcmTK4vef0cbvpWHvwN7mQICP7qyAt w0nEaRX//Nrb0WrxRQpbHrXWULKays0wg0hA+g5c/ErydQLFg+renQQ+Ww4Ndi8f YR7eYfwI6ld5CJH9X1tNCeCtuxGSmLbI+YBoRyWy+Ei+6GYg0+uh2Zfnv0wxLvUn thLRQH9FgIzI90x4wzGewuaVppCL+TuI9XlUEXzCy3qrKCi1ckot4j+TstefRd91 NsPNkdUID7/QDKt+Hhywx/mTDw2E737AcVHVZ5yyW3XzOrTHmPdj8NMCAwEAAaNj MGEwDgYDVR0PAQH/BAQDAgKkMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFN37 14ZPkTwMlcicYbpydkDVTv5hMB8GA1UdIwQYMBaAFN3714ZPkTwMlcicYbpydkDV Tv5hMA0GCSqGSIb3DQEBCwUAA4IBAQBmqMvaUoLmUeE02uJcGbl/DrQf4h4Q+EGO hKSw7BoIqs0ZV/WShujlrZLCyd5BoCPywgM9vEH+wLqASW49dd74mNyVAbE5A/Xz I6kxsThzV1Om4ohtM6XIRm93UVoRJ8cUemnHRd8IK917g3gu3s+KJzfEmWpdiFHK eCdP2E40pj5qnIp+fqmpNaF7neVpNt6UrEGqTVfRxedCbK0fP+TP9dDKibxgCdzC 3B4pkQ89RZua7x7uaGFqGaiFmKXCXfLNixKfsaYqcnW8ArHGsTspXsixUqEVazBo OGIq3iVfAFH1YGTMaCx7EQVz3S9h8YeojP88sREaud4sdlfUv9L8 -----END CERTIFICATE----- server-ca-bundle.crt: | -----BEGIN CERTIFICATE----- MIIDRTCCAi2gAwIBAgIIBZdtBgR1XV0wDQYJKoZIhvcNAQELBQAwMDEuMCwGA1UE Awwlb3BlbnNoaWZ0LWV0Y2RfZXRjZC1zaWduZXJAMTc3MjkyODgyMjAeFw0yNjAz MDgwMDEzNDFaFw0zMTAzMDcwMDEzNDJaMDAxLjAsBgNVBAMMJW9wZW5zaGlmdC1l dGNkX2V0Y2Qtc2lnbmVyQDE3NzI5Mjg4MjIwggEiMA0GCSqGSIb3DQEBAQUAA4IB DwAwggEKAoIBAQC1dCzEsrkimCZtXpSL0cakdBZP7ElOclQ5tNotEkH1BNE29/2Q 67pSHKrw3JNRpeNQv2ASJ49zKYvXmKnrUi21gybNS4ZXME+wL5I0kEmRjsqbp1Jm vDaR3XnKpWHyvmnjOS6bgnOoMkdgIeZylfRzzE7bCFK3sqlvlNGJCfLVU+y260R5 zrx4n0ORjGsEz14GQO2V6ly+yUJgc2ZwuDeGdxbzE0BCpuHQaY81e9YC+MLfKu5S EcYVLafH4OI2dsJuf9XjFk+8U/qOcm3UozCHSatqTlejVF+n8DqlUDP4KP8RIXAU wOoF0MKRUetcqiqAURUZeue6gKF/d0WLTP0VAgMBAAGjYzBhMA4GA1UdDwEB/wQE AwICpDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQZgy21FOnQiK2fkOc44qXa KYAMujAfBgNVHSMEGDAWgBQZgy21FOnQiK2fkOc44qXaKYAMujANBgkqhkiG9w0B AQsFAAOCAQEAjSsQizBd7RyEZi9906wZ8OKsJuXB0xnYsDVWFfSqLCDWdrwWSuA7 TGhOgD9HTxeTmiS6YOoRRHl79MLHCX5zg1NA48hvD7MDFgu+cutvpBdmonR8NKli jHlH3eTUoBAnx3Y23m/jcD7/BzDEegp4OVTeEO2IR/yFASjlI3ReNykDMHoXjHwJ lkpKrNgpZXA8QE7GVo/9LrAsM08QVcpecsJi9Q6Eic9HTJjqBz9uWVdejWrrueJH EGbrA9d9CEnHHJEdItMSOtlWCipICsrC/NkdhL0REqRkqYQEckJXe3wIMzbqscpC hz0Lx8YmLfj6V/hT3GpBenLIWvGzXmrG7g== -----END CERTIFICATE----- kind: ConfigMap metadata: annotations: openshift.io/ceo-bundle-rollout-revision: "0" openshift.io/owning-component: Etcd creationTimestamp: "2026-03-08T00:21:38Z" labels: operator.openshift.io/controller-instance-name: etcd-RevisionController managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:metrics-ca-bundle.crt: {} f:server-ca-bundle.crt: {} f:metadata: f:annotations: .: {} f:openshift.io/ceo-bundle-rollout-revision: {} f:openshift.io/owning-component: {} f:labels: .: {} f:operator.openshift.io/controller-instance-name: {} f:ownerReferences: .: {} k:{"uid":"d53f0d6b-b416-46e8-a3fa-90de3afb8449"}: {} manager: cluster-etcd-operator operation: Update time: "2026-03-08T00:21:38Z" name: etcd-all-bundles-1 namespace: openshift-etcd ownerReferences: - apiVersion: v1 kind: ConfigMap name: revision-status-1 uid: d53f0d6b-b416-46e8-a3fa-90de3afb8449 resourceVersion: "5225" uid: 6a857150-727f-4af1-b418-9ee2fdbdeb5b - apiVersion: v1 data: metrics-ca-bundle.crt: | -----BEGIN CERTIFICATE----- MIIDUzCCAjugAwIBAgIIaejPvhI0u9MwDQYJKoZIhvcNAQELBQAwNzE1MDMGA1UE Awwsb3BlbnNoaWZ0LWV0Y2RfZXRjZC1tZXRyaWMtc2lnbmVyQDE3NzI5Mjg4MjIw HhcNMjYwMzA4MDAxMzQyWhcNMzEwMzA3MDAxMzQzWjA3MTUwMwYDVQQDDCxvcGVu c2hpZnQtZXRjZF9ldGNkLW1ldHJpYy1zaWduZXJAMTc3MjkyODgyMjCCASIwDQYJ KoZIhvcNAQEBBQADggEPADCCAQoCggEBAOfdrGOLx7g+V9CRQoUyLar/8M0XZwxA D+H0/oi1j0H1DDXNQEicZ6u7rXyAthBczWQcmTK4vef0cbvpWHvwN7mQICP7qyAt w0nEaRX//Nrb0WrxRQpbHrXWULKays0wg0hA+g5c/ErydQLFg+renQQ+Ww4Ndi8f YR7eYfwI6ld5CJH9X1tNCeCtuxGSmLbI+YBoRyWy+Ei+6GYg0+uh2Zfnv0wxLvUn thLRQH9FgIzI90x4wzGewuaVppCL+TuI9XlUEXzCy3qrKCi1ckot4j+TstefRd91 NsPNkdUID7/QDKt+Hhywx/mTDw2E737AcVHVZ5yyW3XzOrTHmPdj8NMCAwEAAaNj MGEwDgYDVR0PAQH/BAQDAgKkMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFN37 14ZPkTwMlcicYbpydkDVTv5hMB8GA1UdIwQYMBaAFN3714ZPkTwMlcicYbpydkDV Tv5hMA0GCSqGSIb3DQEBCwUAA4IBAQBmqMvaUoLmUeE02uJcGbl/DrQf4h4Q+EGO hKSw7BoIqs0ZV/WShujlrZLCyd5BoCPywgM9vEH+wLqASW49dd74mNyVAbE5A/Xz I6kxsThzV1Om4ohtM6XIRm93UVoRJ8cUemnHRd8IK917g3gu3s+KJzfEmWpdiFHK eCdP2E40pj5qnIp+fqmpNaF7neVpNt6UrEGqTVfRxedCbK0fP+TP9dDKibxgCdzC 3B4pkQ89RZua7x7uaGFqGaiFmKXCXfLNixKfsaYqcnW8ArHGsTspXsixUqEVazBo OGIq3iVfAFH1YGTMaCx7EQVz3S9h8YeojP88sREaud4sdlfUv9L8 -----END CERTIFICATE----- server-ca-bundle.crt: | -----BEGIN CERTIFICATE----- MIIDRTCCAi2gAwIBAgIIBZdtBgR1XV0wDQYJKoZIhvcNAQELBQAwMDEuMCwGA1UE Awwlb3BlbnNoaWZ0LWV0Y2RfZXRjZC1zaWduZXJAMTc3MjkyODgyMjAeFw0yNjAz MDgwMDEzNDFaFw0zMTAzMDcwMDEzNDJaMDAxLjAsBgNVBAMMJW9wZW5zaGlmdC1l dGNkX2V0Y2Qtc2lnbmVyQDE3NzI5Mjg4MjIwggEiMA0GCSqGSIb3DQEBAQUAA4IB DwAwggEKAoIBAQC1dCzEsrkimCZtXpSL0cakdBZP7ElOclQ5tNotEkH1BNE29/2Q 67pSHKrw3JNRpeNQv2ASJ49zKYvXmKnrUi21gybNS4ZXME+wL5I0kEmRjsqbp1Jm vDaR3XnKpWHyvmnjOS6bgnOoMkdgIeZylfRzzE7bCFK3sqlvlNGJCfLVU+y260R5 zrx4n0ORjGsEz14GQO2V6ly+yUJgc2ZwuDeGdxbzE0BCpuHQaY81e9YC+MLfKu5S EcYVLafH4OI2dsJuf9XjFk+8U/qOcm3UozCHSatqTlejVF+n8DqlUDP4KP8RIXAU wOoF0MKRUetcqiqAURUZeue6gKF/d0WLTP0VAgMBAAGjYzBhMA4GA1UdDwEB/wQE AwICpDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQZgy21FOnQiK2fkOc44qXa KYAMujAfBgNVHSMEGDAWgBQZgy21FOnQiK2fkOc44qXaKYAMujANBgkqhkiG9w0B AQsFAAOCAQEAjSsQizBd7RyEZi9906wZ8OKsJuXB0xnYsDVWFfSqLCDWdrwWSuA7 TGhOgD9HTxeTmiS6YOoRRHl79MLHCX5zg1NA48hvD7MDFgu+cutvpBdmonR8NKli jHlH3eTUoBAnx3Y23m/jcD7/BzDEegp4OVTeEO2IR/yFASjlI3ReNykDMHoXjHwJ lkpKrNgpZXA8QE7GVo/9LrAsM08QVcpecsJi9Q6Eic9HTJjqBz9uWVdejWrrueJH EGbrA9d9CEnHHJEdItMSOtlWCipICsrC/NkdhL0REqRkqYQEckJXe3wIMzbqscpC hz0Lx8YmLfj6V/hT3GpBenLIWvGzXmrG7g== -----END CERTIFICATE----- kind: ConfigMap metadata: annotations: openshift.io/ceo-bundle-rollout-revision: "0" openshift.io/owning-component: Etcd creationTimestamp: "2026-03-08T00:33:00Z" labels: operator.openshift.io/controller-instance-name: etcd-RevisionController managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:metrics-ca-bundle.crt: {} f:server-ca-bundle.crt: {} f:metadata: f:annotations: .: {} f:openshift.io/ceo-bundle-rollout-revision: {} f:openshift.io/owning-component: {} f:labels: .: {} f:operator.openshift.io/controller-instance-name: {} f:ownerReferences: .: {} k:{"uid":"c1019f1c-2ba3-4790-a7a8-ce11f9fbc534"}: {} manager: cluster-etcd-operator operation: Update time: "2026-03-08T00:33:00Z" name: etcd-all-bundles-2 namespace: openshift-etcd ownerReferences: - apiVersion: v1 kind: ConfigMap name: revision-status-2 uid: c1019f1c-2ba3-4790-a7a8-ce11f9fbc534 resourceVersion: "14256" uid: abe2fe2f-54f9-42ec-b659-2e6b0bcc76ef - apiVersion: v1 data: ca-bundle.crt: | -----BEGIN CERTIFICATE----- MIIDRTCCAi2gAwIBAgIIBZdtBgR1XV0wDQYJKoZIhvcNAQELBQAwMDEuMCwGA1UE Awwlb3BlbnNoaWZ0LWV0Y2RfZXRjZC1zaWduZXJAMTc3MjkyODgyMjAeFw0yNjAz MDgwMDEzNDFaFw0zMTAzMDcwMDEzNDJaMDAxLjAsBgNVBAMMJW9wZW5zaGlmdC1l dGNkX2V0Y2Qtc2lnbmVyQDE3NzI5Mjg4MjIwggEiMA0GCSqGSIb3DQEBAQUAA4IB DwAwggEKAoIBAQC1dCzEsrkimCZtXpSL0cakdBZP7ElOclQ5tNotEkH1BNE29/2Q 67pSHKrw3JNRpeNQv2ASJ49zKYvXmKnrUi21gybNS4ZXME+wL5I0kEmRjsqbp1Jm vDaR3XnKpWHyvmnjOS6bgnOoMkdgIeZylfRzzE7bCFK3sqlvlNGJCfLVU+y260R5 zrx4n0ORjGsEz14GQO2V6ly+yUJgc2ZwuDeGdxbzE0BCpuHQaY81e9YC+MLfKu5S EcYVLafH4OI2dsJuf9XjFk+8U/qOcm3UozCHSatqTlejVF+n8DqlUDP4KP8RIXAU wOoF0MKRUetcqiqAURUZeue6gKF/d0WLTP0VAgMBAAGjYzBhMA4GA1UdDwEB/wQE AwICpDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQZgy21FOnQiK2fkOc44qXa KYAMujAfBgNVHSMEGDAWgBQZgy21FOnQiK2fkOc44qXaKYAMujANBgkqhkiG9w0B AQsFAAOCAQEAjSsQizBd7RyEZi9906wZ8OKsJuXB0xnYsDVWFfSqLCDWdrwWSuA7 TGhOgD9HTxeTmiS6YOoRRHl79MLHCX5zg1NA48hvD7MDFgu+cutvpBdmonR8NKli jHlH3eTUoBAnx3Y23m/jcD7/BzDEegp4OVTeEO2IR/yFASjlI3ReNykDMHoXjHwJ lkpKrNgpZXA8QE7GVo/9LrAsM08QVcpecsJi9Q6Eic9HTJjqBz9uWVdejWrrueJH EGbrA9d9CEnHHJEdItMSOtlWCipICsrC/NkdhL0REqRkqYQEckJXe3wIMzbqscpC hz0Lx8YmLfj6V/hT3GpBenLIWvGzXmrG7g== -----END CERTIFICATE----- kind: ConfigMap metadata: annotations: openshift.io/description: Generated by cluster-etcd-operator for etcd and is used to authenticate clients and peers of etcd. openshift.io/owning-component: etcd creationTimestamp: "2026-03-08T00:15:39Z" labels: auth.openshift.io/managed-certificate-type: ca-bundle managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:ca-bundle.crt: {} f:metadata: f:annotations: .: {} f:openshift.io/description: {} f:openshift.io/owning-component: {} f:labels: .: {} f:auth.openshift.io/managed-certificate-type: {} manager: cluster-bootstrap operation: Update time: "2026-03-08T00:15:39Z" name: etcd-ca-bundle namespace: openshift-etcd resourceVersion: "590" uid: 3b289f94-ca30-4d0f-a993-0f844bcbb308 - apiVersion: v1 data: 91eb892c5ee87610: 192.168.32.10 kind: ConfigMap metadata: creationTimestamp: "2026-03-08T00:15:48Z" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: {} manager: cluster-bootstrap operation: Update time: "2026-03-08T00:15:48Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: f:91eb892c5ee87610: {} manager: cluster-etcd-operator operation: Update time: "2026-03-08T00:32:55Z" name: etcd-endpoints namespace: openshift-etcd resourceVersion: "14229" uid: 7d898002-1fc9-4885-89cd-70db2c5aa124 - apiVersion: v1 data: MTkyLjE2OC4zMi4xMA: 192.168.32.10 kind: ConfigMap metadata: creationTimestamp: "2026-03-08T00:21:36Z" labels: operator.openshift.io/controller-instance-name: etcd-RevisionController managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:MTkyLjE2OC4zMi4xMA: {} f:metadata: f:labels: .: {} f:operator.openshift.io/controller-instance-name: {} f:ownerReferences: .: {} k:{"uid":"d53f0d6b-b416-46e8-a3fa-90de3afb8449"}: {} manager: cluster-etcd-operator operation: Update time: "2026-03-08T00:21:36Z" name: etcd-endpoints-1 namespace: openshift-etcd ownerReferences: - apiVersion: v1 kind: ConfigMap name: revision-status-1 uid: d53f0d6b-b416-46e8-a3fa-90de3afb8449 resourceVersion: "5131" uid: 6ec67404-32e0-4684-9820-315879451163 - apiVersion: v1 data: 91eb892c5ee87610: 192.168.32.10 kind: ConfigMap metadata: creationTimestamp: "2026-03-08T00:33:00Z" labels: operator.openshift.io/controller-instance-name: etcd-RevisionController managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:91eb892c5ee87610: {} f:metadata: f:labels: .: {} f:operator.openshift.io/controller-instance-name: {} f:ownerReferences: .: {} k:{"uid":"c1019f1c-2ba3-4790-a7a8-ce11f9fbc534"}: {} manager: cluster-etcd-operator operation: Update time: "2026-03-08T00:33:00Z" name: etcd-endpoints-2 namespace: openshift-etcd ownerReferences: - apiVersion: v1 kind: ConfigMap name: revision-status-2 uid: c1019f1c-2ba3-4790-a7a8-ce11f9fbc534 resourceVersion: "14251" uid: 484fc924-63d5-4733-9888-084133d62819 - apiVersion: v1 data: ca-bundle.crt: | -----BEGIN CERTIFICATE----- MIIDUzCCAjugAwIBAgIIaejPvhI0u9MwDQYJKoZIhvcNAQELBQAwNzE1MDMGA1UE Awwsb3BlbnNoaWZ0LWV0Y2RfZXRjZC1tZXRyaWMtc2lnbmVyQDE3NzI5Mjg4MjIw HhcNMjYwMzA4MDAxMzQyWhcNMzEwMzA3MDAxMzQzWjA3MTUwMwYDVQQDDCxvcGVu c2hpZnQtZXRjZF9ldGNkLW1ldHJpYy1zaWduZXJAMTc3MjkyODgyMjCCASIwDQYJ KoZIhvcNAQEBBQADggEPADCCAQoCggEBAOfdrGOLx7g+V9CRQoUyLar/8M0XZwxA D+H0/oi1j0H1DDXNQEicZ6u7rXyAthBczWQcmTK4vef0cbvpWHvwN7mQICP7qyAt w0nEaRX//Nrb0WrxRQpbHrXWULKays0wg0hA+g5c/ErydQLFg+renQQ+Ww4Ndi8f YR7eYfwI6ld5CJH9X1tNCeCtuxGSmLbI+YBoRyWy+Ei+6GYg0+uh2Zfnv0wxLvUn thLRQH9FgIzI90x4wzGewuaVppCL+TuI9XlUEXzCy3qrKCi1ckot4j+TstefRd91 NsPNkdUID7/QDKt+Hhywx/mTDw2E737AcVHVZ5yyW3XzOrTHmPdj8NMCAwEAAaNj MGEwDgYDVR0PAQH/BAQDAgKkMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFN37 14ZPkTwMlcicYbpydkDVTv5hMB8GA1UdIwQYMBaAFN3714ZPkTwMlcicYbpydkDV Tv5hMA0GCSqGSIb3DQEBCwUAA4IBAQBmqMvaUoLmUeE02uJcGbl/DrQf4h4Q+EGO hKSw7BoIqs0ZV/WShujlrZLCyd5BoCPywgM9vEH+wLqASW49dd74mNyVAbE5A/Xz I6kxsThzV1Om4ohtM6XIRm93UVoRJ8cUemnHRd8IK917g3gu3s+KJzfEmWpdiFHK eCdP2E40pj5qnIp+fqmpNaF7neVpNt6UrEGqTVfRxedCbK0fP+TP9dDKibxgCdzC 3B4pkQ89RZua7x7uaGFqGaiFmKXCXfLNixKfsaYqcnW8ArHGsTspXsixUqEVazBo OGIq3iVfAFH1YGTMaCx7EQVz3S9h8YeojP88sREaud4sdlfUv9L8 -----END CERTIFICATE----- kind: ConfigMap metadata: annotations: openshift.io/description: Generated by cluster-etcd-operator for etcd and is used to authenticate Prometheus ServiceMonitors reaching etcd. openshift.io/owning-component: etcd creationTimestamp: "2026-03-08T00:15:40Z" labels: auth.openshift.io/managed-certificate-type: ca-bundle managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:ca-bundle.crt: {} f:metadata: f:annotations: .: {} f:openshift.io/description: {} f:openshift.io/owning-component: {} f:labels: .: {} f:auth.openshift.io/managed-certificate-type: {} manager: cluster-bootstrap operation: Update time: "2026-03-08T00:15:40Z" name: etcd-metrics-ca-bundle namespace: openshift-etcd resourceVersion: "598" uid: 294fda1e-4736-441b-935c-d835e24747f0 - apiVersion: v1 data: forceRedeploymentReason: "" pod.yaml: "apiVersion: v1\nkind: Pod\nmetadata:\n name: etcd\n namespace: openshift-etcd\n \ annotations:\n kubectl.kubernetes.io/default-container: etcd\n target.workload.openshift.io/management: '{\"effect\": \"PreferredDuringScheduling\"}'\n labels:\n app: etcd\n k8s-app: etcd\n etcd: \"true\"\n revision: \"REVISION\"\nspec:\n initContainers:\n \ - name: setup\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n \ echo -n \"Fixing etcd log permissions.\"\n mkdir -p /var/log/etcd \ && chmod 0600 /var/log/etcd\n echo -n \"Fixing etcd auto backup permissions.\"\n \ mkdir -p /var/lib/etcd-auto-backup && chmod 0600 /var/lib/etcd-auto-backup\n \ securityContext:\n privileged: true\n resources:\n requests:\n \ memory: 50Mi\n cpu: 5m\n volumeMounts:\n - mountPath: /var/log/etcd\n name: log-dir\n - name: etcd-ensure-env-vars\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n \ set -euo pipefail\n\n : \"${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST?not set}\"\n : \"${NODE_NODE_ENVVAR_NAME_ETCD_NAME?not set}\"\n : \"${NODE_NODE_ENVVAR_NAME_IP?not set}\"\n\n # check for ipv4 addresses as well as ipv6 addresses with extra square brackets\n if [[ \"${NODE_NODE_ENVVAR_NAME_IP}\" != \"${NODE_IP}\" && \"${NODE_NODE_ENVVAR_NAME_IP}\" != \"[${NODE_IP}]\" ]]; then\n # echo the error message to stderr\n echo \"Expected node IP to be ${NODE_IP} got ${NODE_NODE_ENVVAR_NAME_IP}\" >&2\n exit 1\n fi\n\n # check for ipv4 addresses as well as ipv6 addresses with extra square brackets\n if [[ \"${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}\" != \"${NODE_IP}\" && \"${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}\" != \"[${NODE_IP}]\" ]]; then\n # echo the error message to stderr\n echo \"Expected etcd url host to be ${NODE_IP} got ${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}\" >&2\n exit 1\n fi\n\n resources:\n requests:\n \ memory: 60Mi\n cpu: 10m\n securityContext:\n privileged: true\n env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_API\"\n value: \"3\"\n - name: \"ETCDCTL_CACERT\"\n \ value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n \ value: \"true\"\n - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n \ value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n \ value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n \ value: \"5s\"\n - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n \ - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n \ - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n \ value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n \ value: \"192.168.32.10\"\n - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n - name: NODE_IP\n valueFrom:\n fieldRef:\n \ fieldPath: status.podIP\n - name: etcd-resources-copy\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n \ set -euo pipefail\n\n rm -f $(grep -l '^### Created by cluster-etcd-operator' /usr/local/bin/*)\n cp -p /etc/kubernetes/static-pod-certs/configmaps/etcd-scripts/*.sh /usr/local/bin\n\n resources:\n requests:\n memory: 60Mi\n \ cpu: 10m\n securityContext:\n privileged: true\n volumeMounts:\n \ - mountPath: /etc/kubernetes/static-pod-resources\n name: resource-dir\n \ - mountPath: /etc/kubernetes/static-pod-certs\n name: cert-dir\n \ - mountPath: /usr/local/bin\n name: usr-local-bin\n containers:\n \ # The etcdctl container should always be first. It is intended to be used\n \ # to open a remote shell via `oc rsh` that is ready to run `etcdctl`.\n - name: etcdctl\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - \"/bin/bash\"\n - \"-c\"\n - \"trap TERM INT; sleep infinity & wait\"\n resources:\n requests:\n memory: 60Mi\n \ cpu: 10m\n volumeMounts:\n - mountPath: /etc/kubernetes/manifests\n \ name: static-pod-dir\n - mountPath: /etc/kubernetes/static-pod-resources\n \ name: resource-dir\n - mountPath: /etc/kubernetes/static-pod-certs\n \ name: cert-dir\n - mountPath: /var/lib/etcd/\n name: data-dir\n \ env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_API\"\n value: \"3\"\n - name: \"ETCDCTL_CACERT\"\n \ value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n \ value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n value: \"true\"\n \ - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n value: \"5s\"\n \ - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n \ value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n \ value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n value: \"192.168.32.10\"\n \ - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n - name: \"ETCD_STATIC_POD_VERSION\"\n value: \"REVISION\"\n\n - name: etcd\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n set -euo pipefail\n\n etcdctl member list || true\n\n # this has a non-zero return code if the command is non-zero. If you use an export first, it doesn't and you\n # will succeed when you should fail.\n ETCD_INITIAL_CLUSTER=$(discover-etcd-initial-cluster \\\n --cacert=/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt \\\n --cert=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt \\\n --key=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key \\\n --endpoints=${ALL_ETCD_ENDPOINTS} \\\n --data-dir=/var/lib/etcd \\\n --target-peer-url-host=${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST} \\\n --target-name=NODE_NAME)\n export ETCD_INITIAL_CLUSTER\n\n \ # we cannot use the \"normal\" port conflict initcontainer because when we upgrade, the existing static pod will never yield,\n # so we do the detection in etcd container itself.\n echo -n \"Waiting for ports 2379, 2380 and 9978 to be released.\"\n time while [ -n \"$(ss -Htan '( sport = 2379 or sport = 2380 or sport = 9978 )')\" ]; do\n echo -n \".\"\n \ sleep 1\n done\n\n export ETCD_NAME=${NODE_NODE_ENVVAR_NAME_ETCD_NAME}\n \ env | grep ETCD | grep -v NODE\n\n set -x\n # See https://etcd.io/docs/v3.4.0/tuning/ for why we use ionice\n exec nice -n -19 ionice -c2 -n0 etcd \\\n --logger=zap \\\n --log-level=info \\\n --experimental-initial-corrupt-check=true \\\n --snapshot-count=10000 \\\n --initial-advertise-peer-urls=https://${NODE_NODE_ENVVAR_NAME_IP}:2380 \\\n --cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.crt \\\n --key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.key \\\n --trusted-ca-file=/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt \\\n --client-cert-auth=true \\\n --peer-cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt \\\n --peer-key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key \\\n --peer-trusted-ca-file=/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt \\\n --peer-client-cert-auth=true \\\n --advertise-client-urls=https://${NODE_NODE_ENVVAR_NAME_IP}:2379 \\\n --listen-client-urls=https://0.0.0.0:2379,unixs://${NODE_NODE_ENVVAR_NAME_IP}:0 \\\n --listen-peer-urls=https://0.0.0.0:2380 \\\n --metrics=extensive \\\n --listen-metrics-urls=https://0.0.0.0:9978 || mv /etc/kubernetes/etcd-backup-dir/etcd-member.yaml /etc/kubernetes/manifests\n ports:\n - containerPort: 2379\n name: etcd\n protocol: TCP\n - containerPort: 2380\n name: etcd-peer\n \ protocol: TCP\n - containerPort: 9978\n name: etcd-metrics\n protocol: TCP\n env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_API\"\n value: \"3\"\n - name: \"ETCDCTL_CACERT\"\n \ value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n \ value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n value: \"true\"\n \ - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n value: \"5s\"\n \ - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n \ value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n \ value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n value: \"192.168.32.10\"\n \ - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n - name: \"ETCD_STATIC_POD_VERSION\"\n value: \"REVISION\"\n resources:\n requests:\n \ memory: 600Mi\n cpu: 300m\n readinessProbe:\n httpGet:\n \ port: 9980\n path: readyz\n scheme: HTTPS\n timeoutSeconds: 30\n failureThreshold: 5\n periodSeconds: 5\n successThreshold: 1\n livenessProbe:\n httpGet:\n path: healthz\n port: 9980\n scheme: HTTPS\n timeoutSeconds: 30\n periodSeconds: 5\n successThreshold: 1\n failureThreshold: 5\n startupProbe:\n \ httpGet:\n port: 9980\n path: readyz\n scheme: HTTPS\n \ initialDelaySeconds: 10\n timeoutSeconds: 1\n periodSeconds: 10\n successThreshold: 1\n failureThreshold: 18\n securityContext:\n \ privileged: true\n volumeMounts:\n - mountPath: /etc/kubernetes/manifests\n \ name: static-pod-dir\n - mountPath: /etc/kubernetes/static-pod-resources\n \ name: resource-dir\n - mountPath: /etc/kubernetes/static-pod-certs\n \ name: cert-dir\n - mountPath: /var/lib/etcd/\n name: data-dir\n\n \ - name: etcd-metrics\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n set -euo pipefail\n\n export ETCD_NAME=${NODE_NODE_ENVVAR_NAME_ETCD_NAME}\n\n \ exec nice -n -18 etcd grpc-proxy start \\\n --endpoints https://${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}:9978 \\\n --metrics-addr https://0.0.0.0:9979 \\\n --listen-addr 127.0.0.1:9977 \\\n --advertise-client-url \"\" \\\n --key /etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key \\\n --key-file /etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-metrics-NODE_NAME.key \\\n --cert /etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt \\\n --cert-file /etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-metrics-NODE_NAME.crt \\\n --cacert /etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt \\\n --trusted-ca-file /etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/metrics-ca-bundle.crt \\\n --listen-cipher-suites TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 \\\n --tls-min-version $(ETCD_TLS_MIN_VERSION)\n ports:\n - containerPort: 9979\n name: proxy-metrics\n protocol: TCP\n env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \n \ - name: \"ETCDCTL_API\"\n value: \"3\"\n \n - name: \"ETCDCTL_CACERT\"\n \ value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ \n - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ \n - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ \n - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ \n - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ \n - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n \n \ - name: \"ETCD_ELECTION_TIMEOUT\"\n value: \"2500\"\n \n - name: \"ETCD_ENABLE_PPROF\"\n value: \"true\"\n \n - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n \ value: \"1\"\n \n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n \ value: \"200ms\"\n \n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n \ value: \"5s\"\n \n - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n \n - name: \"ETCD_IMAGE\"\n value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\"\n \ \n - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n \ \n - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n \ \n - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n \n \ - name: \"ETCD_TLS_MIN_VERSION\"\n value: \"TLS1.2\"\n \n - name: \"NODE_master_0_ETCD_NAME\"\n value: \"master-0\"\n \n - name: \"NODE_master_0_ETCD_URL_HOST\"\n \ value: \"192.168.32.10\"\n \n - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n - name: \"ETCD_STATIC_POD_VERSION\"\n value: \"REVISION\"\n \ resources:\n requests:\n memory: 200Mi\n cpu: 40m\n securityContext:\n \ privileged: true\n volumeMounts:\n - mountPath: /etc/kubernetes/static-pod-resources\n \ name: resource-dir\n - mountPath: /etc/kubernetes/static-pod-certs\n \ name: cert-dir\n - mountPath: /var/lib/etcd/\n name: data-dir\n \ - name: etcd-readyz\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:6088910bdc1583b275fab261e3234c0b63b4cc16d01bcea697b6a7f6db13bdf3\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n set -euo pipefail\n \n exec nice -n -18 cluster-etcd-operator readyz \\\n --target=https://localhost:2379 \\\n --listen-port=9980 \\\n --serving-cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.crt \\\n --serving-key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.key \\\n --client-cert-file=$(ETCDCTL_CERT) \\\n --client-key-file=$(ETCDCTL_KEY) \\\n --client-cacert-file=$(ETCDCTL_CACERT) \\\n --listen-cipher-suites TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 \\\n --listen-tls-min-version=$(ETCD_TLS_MIN_VERSION)\n securityContext:\n \ privileged: true\n ports:\n - containerPort: 9980\n name: readyz\n \ protocol: TCP\n resources:\n requests:\n memory: 50Mi\n \ cpu: 10m\n env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n - name: \"ETCDCTL_API\"\n value: \"3\"\n \ - name: \"ETCDCTL_CACERT\"\n value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n \ value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n value: \"true\"\n \ - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n value: \"5s\"\n \ - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n \ value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n \ value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n value: \"192.168.32.10\"\n \ - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n volumeMounts:\n \ - mountPath: /var/log/etcd/\n name: log-dir\n - mountPath: /etc/kubernetes/static-pod-certs\n name: cert-dir\n - name: etcd-rev\n \ image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:6088910bdc1583b275fab261e3234c0b63b4cc16d01bcea697b6a7f6db13bdf3\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n set -euo pipefail\n \n cluster-etcd-operator rev \\\n --endpoints=$(ALL_ETCD_ENDPOINTS) \\\n --client-cert-file=$(ETCDCTL_CERT) \\\n --client-key-file=$(ETCDCTL_KEY) \\\n --client-cacert-file=$(ETCDCTL_CACERT)\n securityContext:\n \ privileged: true\n resources:\n requests:\n memory: 50Mi\n \ cpu: 10m\n env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n - name: \"ETCDCTL_API\"\n value: \"3\"\n \ - name: \"ETCDCTL_CACERT\"\n value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n \ value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n value: \"true\"\n \ - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n value: \"5s\"\n \ - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n \ value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n \ value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n value: \"192.168.32.10\"\n \ - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n volumeMounts:\n \ - mountPath: /var/lib/etcd\n name: data-dir\n - mountPath: /etc/kubernetes/static-pod-certs\n \ name: cert-dir\n hostNetwork: true\n priority: 2000001000\n priorityClassName: system-node-critical\n tolerations:\n - operator: \"Exists\"\n volumes:\n \ - hostPath:\n path: /etc/kubernetes/manifests\n name: static-pod-dir\n \ - hostPath:\n path: /etc/kubernetes/static-pod-resources/etcd-pod-REVISION\n \ name: resource-dir\n - hostPath:\n path: /etc/kubernetes/static-pod-resources/etcd-certs\n \ name: cert-dir\n - hostPath:\n path: /var/lib/etcd\n type: \"\"\n name: data-dir\n - hostPath:\n path: /usr/local/bin\n \ name: usr-local-bin\n - hostPath:\n path: /var/log/etcd\n name: log-dir\n - hostPath:\n path: /etc/kubernetes\n name: config-dir\n \ - hostPath:\n path: /var/lib/etcd-auto-backup\n name: etcd-auto-backup-dir\n" version: 4.18.0-202602170912.p2.gb7e21f5.assembly.stream.el9-b7e21f5 kind: ConfigMap metadata: creationTimestamp: "2026-03-08T00:21:32Z" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:forceRedeploymentReason: {} f:pod.yaml: {} f:version: {} manager: cluster-etcd-operator operation: Update time: "2026-03-08T00:21:32Z" name: etcd-pod namespace: openshift-etcd resourceVersion: "4725" uid: c20314e8-42f5-4935-9ec1-48d4f01fc08b - apiVersion: v1 data: forceRedeploymentReason: "" pod.yaml: "apiVersion: v1\nkind: Pod\nmetadata:\n name: etcd\n namespace: openshift-etcd\n \ annotations:\n kubectl.kubernetes.io/default-container: etcd\n target.workload.openshift.io/management: '{\"effect\": \"PreferredDuringScheduling\"}'\n labels:\n app: etcd\n k8s-app: etcd\n etcd: \"true\"\n revision: \"REVISION\"\nspec:\n initContainers:\n \ - name: setup\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n \ echo -n \"Fixing etcd log permissions.\"\n mkdir -p /var/log/etcd \ && chmod 0600 /var/log/etcd\n echo -n \"Fixing etcd auto backup permissions.\"\n \ mkdir -p /var/lib/etcd-auto-backup && chmod 0600 /var/lib/etcd-auto-backup\n \ securityContext:\n privileged: true\n resources:\n requests:\n \ memory: 50Mi\n cpu: 5m\n volumeMounts:\n - mountPath: /var/log/etcd\n name: log-dir\n - name: etcd-ensure-env-vars\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n \ set -euo pipefail\n\n : \"${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST?not set}\"\n : \"${NODE_NODE_ENVVAR_NAME_ETCD_NAME?not set}\"\n : \"${NODE_NODE_ENVVAR_NAME_IP?not set}\"\n\n # check for ipv4 addresses as well as ipv6 addresses with extra square brackets\n if [[ \"${NODE_NODE_ENVVAR_NAME_IP}\" != \"${NODE_IP}\" && \"${NODE_NODE_ENVVAR_NAME_IP}\" != \"[${NODE_IP}]\" ]]; then\n # echo the error message to stderr\n echo \"Expected node IP to be ${NODE_IP} got ${NODE_NODE_ENVVAR_NAME_IP}\" >&2\n exit 1\n fi\n\n # check for ipv4 addresses as well as ipv6 addresses with extra square brackets\n if [[ \"${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}\" != \"${NODE_IP}\" && \"${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}\" != \"[${NODE_IP}]\" ]]; then\n # echo the error message to stderr\n echo \"Expected etcd url host to be ${NODE_IP} got ${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}\" >&2\n exit 1\n fi\n\n resources:\n requests:\n \ memory: 60Mi\n cpu: 10m\n securityContext:\n privileged: true\n env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_API\"\n value: \"3\"\n - name: \"ETCDCTL_CACERT\"\n \ value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n \ value: \"true\"\n - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n \ value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n \ value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n \ value: \"5s\"\n - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n \ - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n \ - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n \ value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n \ value: \"192.168.32.10\"\n - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n - name: NODE_IP\n valueFrom:\n fieldRef:\n \ fieldPath: status.podIP\n - name: etcd-resources-copy\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n \ set -euo pipefail\n\n rm -f $(grep -l '^### Created by cluster-etcd-operator' /usr/local/bin/*)\n cp -p /etc/kubernetes/static-pod-certs/configmaps/etcd-scripts/*.sh /usr/local/bin\n\n resources:\n requests:\n memory: 60Mi\n \ cpu: 10m\n securityContext:\n privileged: true\n volumeMounts:\n \ - mountPath: /etc/kubernetes/static-pod-resources\n name: resource-dir\n \ - mountPath: /etc/kubernetes/static-pod-certs\n name: cert-dir\n \ - mountPath: /usr/local/bin\n name: usr-local-bin\n containers:\n \ # The etcdctl container should always be first. It is intended to be used\n \ # to open a remote shell via `oc rsh` that is ready to run `etcdctl`.\n - name: etcdctl\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - \"/bin/bash\"\n - \"-c\"\n - \"trap TERM INT; sleep infinity & wait\"\n resources:\n requests:\n memory: 60Mi\n \ cpu: 10m\n volumeMounts:\n - mountPath: /etc/kubernetes/manifests\n \ name: static-pod-dir\n - mountPath: /etc/kubernetes/static-pod-resources\n \ name: resource-dir\n - mountPath: /etc/kubernetes/static-pod-certs\n \ name: cert-dir\n - mountPath: /var/lib/etcd/\n name: data-dir\n \ env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_API\"\n value: \"3\"\n - name: \"ETCDCTL_CACERT\"\n \ value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n \ value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n value: \"true\"\n \ - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n value: \"5s\"\n \ - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n \ value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n \ value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n value: \"192.168.32.10\"\n \ - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n - name: \"ETCD_STATIC_POD_VERSION\"\n value: \"REVISION\"\n\n - name: etcd\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n set -euo pipefail\n\n etcdctl member list || true\n\n # this has a non-zero return code if the command is non-zero. If you use an export first, it doesn't and you\n # will succeed when you should fail.\n ETCD_INITIAL_CLUSTER=$(discover-etcd-initial-cluster \\\n --cacert=/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt \\\n --cert=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt \\\n --key=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key \\\n --endpoints=${ALL_ETCD_ENDPOINTS} \\\n --data-dir=/var/lib/etcd \\\n --target-peer-url-host=${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST} \\\n --target-name=NODE_NAME)\n export ETCD_INITIAL_CLUSTER\n\n \ # we cannot use the \"normal\" port conflict initcontainer because when we upgrade, the existing static pod will never yield,\n # so we do the detection in etcd container itself.\n echo -n \"Waiting for ports 2379, 2380 and 9978 to be released.\"\n time while [ -n \"$(ss -Htan '( sport = 2379 or sport = 2380 or sport = 9978 )')\" ]; do\n echo -n \".\"\n \ sleep 1\n done\n\n export ETCD_NAME=${NODE_NODE_ENVVAR_NAME_ETCD_NAME}\n \ env | grep ETCD | grep -v NODE\n\n set -x\n # See https://etcd.io/docs/v3.4.0/tuning/ for why we use ionice\n exec nice -n -19 ionice -c2 -n0 etcd \\\n --logger=zap \\\n --log-level=info \\\n --experimental-initial-corrupt-check=true \\\n --snapshot-count=10000 \\\n --initial-advertise-peer-urls=https://${NODE_NODE_ENVVAR_NAME_IP}:2380 \\\n --cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.crt \\\n --key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.key \\\n --trusted-ca-file=/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt \\\n --client-cert-auth=true \\\n --peer-cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt \\\n --peer-key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key \\\n --peer-trusted-ca-file=/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt \\\n --peer-client-cert-auth=true \\\n --advertise-client-urls=https://${NODE_NODE_ENVVAR_NAME_IP}:2379 \\\n --listen-client-urls=https://0.0.0.0:2379,unixs://${NODE_NODE_ENVVAR_NAME_IP}:0 \\\n --listen-peer-urls=https://0.0.0.0:2380 \\\n --metrics=extensive \\\n --listen-metrics-urls=https://0.0.0.0:9978 || mv /etc/kubernetes/etcd-backup-dir/etcd-member.yaml /etc/kubernetes/manifests\n ports:\n - containerPort: 2379\n name: etcd\n protocol: TCP\n - containerPort: 2380\n name: etcd-peer\n \ protocol: TCP\n - containerPort: 9978\n name: etcd-metrics\n protocol: TCP\n env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_API\"\n value: \"3\"\n - name: \"ETCDCTL_CACERT\"\n \ value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n \ value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n value: \"true\"\n \ - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n value: \"5s\"\n \ - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n \ value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n \ value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n value: \"192.168.32.10\"\n \ - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n - name: \"ETCD_STATIC_POD_VERSION\"\n value: \"REVISION\"\n resources:\n requests:\n \ memory: 600Mi\n cpu: 300m\n readinessProbe:\n httpGet:\n \ port: 9980\n path: readyz\n scheme: HTTPS\n timeoutSeconds: 30\n failureThreshold: 5\n periodSeconds: 5\n successThreshold: 1\n livenessProbe:\n httpGet:\n path: healthz\n port: 9980\n scheme: HTTPS\n timeoutSeconds: 30\n periodSeconds: 5\n successThreshold: 1\n failureThreshold: 5\n startupProbe:\n \ httpGet:\n port: 9980\n path: readyz\n scheme: HTTPS\n \ initialDelaySeconds: 10\n timeoutSeconds: 1\n periodSeconds: 10\n successThreshold: 1\n failureThreshold: 18\n securityContext:\n \ privileged: true\n volumeMounts:\n - mountPath: /etc/kubernetes/manifests\n \ name: static-pod-dir\n - mountPath: /etc/kubernetes/static-pod-resources\n \ name: resource-dir\n - mountPath: /etc/kubernetes/static-pod-certs\n \ name: cert-dir\n - mountPath: /var/lib/etcd/\n name: data-dir\n\n \ - name: etcd-metrics\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n set -euo pipefail\n\n export ETCD_NAME=${NODE_NODE_ENVVAR_NAME_ETCD_NAME}\n\n \ exec nice -n -18 etcd grpc-proxy start \\\n --endpoints https://${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}:9978 \\\n --metrics-addr https://0.0.0.0:9979 \\\n --listen-addr 127.0.0.1:9977 \\\n --advertise-client-url \"\" \\\n --key /etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key \\\n --key-file /etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-metrics-NODE_NAME.key \\\n --cert /etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt \\\n --cert-file /etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-metrics-NODE_NAME.crt \\\n --cacert /etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt \\\n --trusted-ca-file /etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/metrics-ca-bundle.crt \\\n --listen-cipher-suites TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 \\\n --tls-min-version $(ETCD_TLS_MIN_VERSION)\n ports:\n - containerPort: 9979\n name: proxy-metrics\n protocol: TCP\n env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \n \ - name: \"ETCDCTL_API\"\n value: \"3\"\n \n - name: \"ETCDCTL_CACERT\"\n \ value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ \n - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ \n - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ \n - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ \n - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ \n - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n \n \ - name: \"ETCD_ELECTION_TIMEOUT\"\n value: \"2500\"\n \n - name: \"ETCD_ENABLE_PPROF\"\n value: \"true\"\n \n - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n \ value: \"1\"\n \n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n \ value: \"200ms\"\n \n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n \ value: \"5s\"\n \n - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n \n - name: \"ETCD_IMAGE\"\n value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\"\n \ \n - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n \ \n - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n \ \n - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n \n \ - name: \"ETCD_TLS_MIN_VERSION\"\n value: \"TLS1.2\"\n \n - name: \"NODE_master_0_ETCD_NAME\"\n value: \"master-0\"\n \n - name: \"NODE_master_0_ETCD_URL_HOST\"\n \ value: \"192.168.32.10\"\n \n - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n - name: \"ETCD_STATIC_POD_VERSION\"\n value: \"REVISION\"\n \ resources:\n requests:\n memory: 200Mi\n cpu: 40m\n securityContext:\n \ privileged: true\n volumeMounts:\n - mountPath: /etc/kubernetes/static-pod-resources\n \ name: resource-dir\n - mountPath: /etc/kubernetes/static-pod-certs\n \ name: cert-dir\n - mountPath: /var/lib/etcd/\n name: data-dir\n \ - name: etcd-readyz\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:6088910bdc1583b275fab261e3234c0b63b4cc16d01bcea697b6a7f6db13bdf3\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n set -euo pipefail\n \n exec nice -n -18 cluster-etcd-operator readyz \\\n --target=https://localhost:2379 \\\n --listen-port=9980 \\\n --serving-cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.crt \\\n --serving-key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.key \\\n --client-cert-file=$(ETCDCTL_CERT) \\\n --client-key-file=$(ETCDCTL_KEY) \\\n --client-cacert-file=$(ETCDCTL_CACERT) \\\n --listen-cipher-suites TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 \\\n --listen-tls-min-version=$(ETCD_TLS_MIN_VERSION)\n securityContext:\n \ privileged: true\n ports:\n - containerPort: 9980\n name: readyz\n \ protocol: TCP\n resources:\n requests:\n memory: 50Mi\n \ cpu: 10m\n env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n - name: \"ETCDCTL_API\"\n value: \"3\"\n \ - name: \"ETCDCTL_CACERT\"\n value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n \ value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n value: \"true\"\n \ - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n value: \"5s\"\n \ - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n \ value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n \ value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n value: \"192.168.32.10\"\n \ - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n volumeMounts:\n \ - mountPath: /var/log/etcd/\n name: log-dir\n - mountPath: /etc/kubernetes/static-pod-certs\n name: cert-dir\n - name: etcd-rev\n \ image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:6088910bdc1583b275fab261e3234c0b63b4cc16d01bcea697b6a7f6db13bdf3\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n set -euo pipefail\n \n cluster-etcd-operator rev \\\n --endpoints=$(ALL_ETCD_ENDPOINTS) \\\n --client-cert-file=$(ETCDCTL_CERT) \\\n --client-key-file=$(ETCDCTL_KEY) \\\n --client-cacert-file=$(ETCDCTL_CACERT)\n securityContext:\n \ privileged: true\n resources:\n requests:\n memory: 50Mi\n \ cpu: 10m\n env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n - name: \"ETCDCTL_API\"\n value: \"3\"\n \ - name: \"ETCDCTL_CACERT\"\n value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n \ value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n value: \"true\"\n \ - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n value: \"5s\"\n \ - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n \ value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n \ value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n value: \"192.168.32.10\"\n \ - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n volumeMounts:\n \ - mountPath: /var/lib/etcd\n name: data-dir\n - mountPath: /etc/kubernetes/static-pod-certs\n \ name: cert-dir\n hostNetwork: true\n priority: 2000001000\n priorityClassName: system-node-critical\n tolerations:\n - operator: \"Exists\"\n volumes:\n \ - hostPath:\n path: /etc/kubernetes/manifests\n name: static-pod-dir\n \ - hostPath:\n path: /etc/kubernetes/static-pod-resources/etcd-pod-REVISION\n \ name: resource-dir\n - hostPath:\n path: /etc/kubernetes/static-pod-resources/etcd-certs\n \ name: cert-dir\n - hostPath:\n path: /var/lib/etcd\n type: \"\"\n name: data-dir\n - hostPath:\n path: /usr/local/bin\n \ name: usr-local-bin\n - hostPath:\n path: /var/log/etcd\n name: log-dir\n - hostPath:\n path: /etc/kubernetes\n name: config-dir\n \ - hostPath:\n path: /var/lib/etcd-auto-backup\n name: etcd-auto-backup-dir\n" version: 4.18.0-202602170912.p2.gb7e21f5.assembly.stream.el9-b7e21f5 kind: ConfigMap metadata: creationTimestamp: "2026-03-08T00:21:35Z" labels: operator.openshift.io/controller-instance-name: etcd-RevisionController managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:forceRedeploymentReason: {} f:pod.yaml: {} f:version: {} f:metadata: f:labels: .: {} f:operator.openshift.io/controller-instance-name: {} f:ownerReferences: .: {} k:{"uid":"d53f0d6b-b416-46e8-a3fa-90de3afb8449"}: {} manager: cluster-etcd-operator operation: Update time: "2026-03-08T00:21:35Z" name: etcd-pod-1 namespace: openshift-etcd ownerReferences: - apiVersion: v1 kind: ConfigMap name: revision-status-1 uid: d53f0d6b-b416-46e8-a3fa-90de3afb8449 resourceVersion: "5044" uid: 8f2fa22d-7509-4f9b-a996-f5c6218716d5 - apiVersion: v1 data: forceRedeploymentReason: "" pod.yaml: "apiVersion: v1\nkind: Pod\nmetadata:\n name: etcd\n namespace: openshift-etcd\n \ annotations:\n kubectl.kubernetes.io/default-container: etcd\n target.workload.openshift.io/management: '{\"effect\": \"PreferredDuringScheduling\"}'\n labels:\n app: etcd\n k8s-app: etcd\n etcd: \"true\"\n revision: \"REVISION\"\nspec:\n initContainers:\n \ - name: setup\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n \ echo -n \"Fixing etcd log permissions.\"\n mkdir -p /var/log/etcd \ && chmod 0600 /var/log/etcd\n echo -n \"Fixing etcd auto backup permissions.\"\n \ mkdir -p /var/lib/etcd-auto-backup && chmod 0600 /var/lib/etcd-auto-backup\n \ securityContext:\n privileged: true\n resources:\n requests:\n \ memory: 50Mi\n cpu: 5m\n volumeMounts:\n - mountPath: /var/log/etcd\n name: log-dir\n - name: etcd-ensure-env-vars\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n \ set -euo pipefail\n\n : \"${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST?not set}\"\n : \"${NODE_NODE_ENVVAR_NAME_ETCD_NAME?not set}\"\n : \"${NODE_NODE_ENVVAR_NAME_IP?not set}\"\n\n # check for ipv4 addresses as well as ipv6 addresses with extra square brackets\n if [[ \"${NODE_NODE_ENVVAR_NAME_IP}\" != \"${NODE_IP}\" && \"${NODE_NODE_ENVVAR_NAME_IP}\" != \"[${NODE_IP}]\" ]]; then\n # echo the error message to stderr\n echo \"Expected node IP to be ${NODE_IP} got ${NODE_NODE_ENVVAR_NAME_IP}\" >&2\n exit 1\n fi\n\n # check for ipv4 addresses as well as ipv6 addresses with extra square brackets\n if [[ \"${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}\" != \"${NODE_IP}\" && \"${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}\" != \"[${NODE_IP}]\" ]]; then\n # echo the error message to stderr\n echo \"Expected etcd url host to be ${NODE_IP} got ${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}\" >&2\n exit 1\n fi\n\n resources:\n requests:\n \ memory: 60Mi\n cpu: 10m\n securityContext:\n privileged: true\n env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_API\"\n value: \"3\"\n - name: \"ETCDCTL_CACERT\"\n \ value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n \ value: \"true\"\n - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n \ value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n \ value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n \ value: \"5s\"\n - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n \ - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n \ - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n \ value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n \ value: \"192.168.32.10\"\n - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n - name: NODE_IP\n valueFrom:\n fieldRef:\n \ fieldPath: status.podIP\n - name: etcd-resources-copy\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n \ set -euo pipefail\n\n rm -f $(grep -l '^### Created by cluster-etcd-operator' /usr/local/bin/*)\n cp -p /etc/kubernetes/static-pod-certs/configmaps/etcd-scripts/*.sh /usr/local/bin\n\n resources:\n requests:\n memory: 60Mi\n \ cpu: 10m\n securityContext:\n privileged: true\n volumeMounts:\n \ - mountPath: /etc/kubernetes/static-pod-resources\n name: resource-dir\n \ - mountPath: /etc/kubernetes/static-pod-certs\n name: cert-dir\n \ - mountPath: /usr/local/bin\n name: usr-local-bin\n containers:\n \ # The etcdctl container should always be first. It is intended to be used\n \ # to open a remote shell via `oc rsh` that is ready to run `etcdctl`.\n - name: etcdctl\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - \"/bin/bash\"\n - \"-c\"\n - \"trap TERM INT; sleep infinity & wait\"\n resources:\n requests:\n memory: 60Mi\n \ cpu: 10m\n volumeMounts:\n - mountPath: /etc/kubernetes/manifests\n \ name: static-pod-dir\n - mountPath: /etc/kubernetes/static-pod-resources\n \ name: resource-dir\n - mountPath: /etc/kubernetes/static-pod-certs\n \ name: cert-dir\n - mountPath: /var/lib/etcd/\n name: data-dir\n \ env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_API\"\n value: \"3\"\n - name: \"ETCDCTL_CACERT\"\n \ value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n \ value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n value: \"true\"\n \ - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n value: \"5s\"\n \ - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n \ value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n \ value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n value: \"192.168.32.10\"\n \ - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n - name: \"ETCD_STATIC_POD_VERSION\"\n value: \"REVISION\"\n\n - name: etcd\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n set -euo pipefail\n\n etcdctl member list || true\n\n # this has a non-zero return code if the command is non-zero. If you use an export first, it doesn't and you\n # will succeed when you should fail.\n ETCD_INITIAL_CLUSTER=$(discover-etcd-initial-cluster \\\n --cacert=/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt \\\n --cert=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt \\\n --key=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key \\\n --endpoints=${ALL_ETCD_ENDPOINTS} \\\n --data-dir=/var/lib/etcd \\\n --target-peer-url-host=${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST} \\\n --target-name=NODE_NAME)\n export ETCD_INITIAL_CLUSTER\n\n \ # we cannot use the \"normal\" port conflict initcontainer because when we upgrade, the existing static pod will never yield,\n # so we do the detection in etcd container itself.\n echo -n \"Waiting for ports 2379, 2380 and 9978 to be released.\"\n time while [ -n \"$(ss -Htan '( sport = 2379 or sport = 2380 or sport = 9978 )')\" ]; do\n echo -n \".\"\n \ sleep 1\n done\n\n export ETCD_NAME=${NODE_NODE_ENVVAR_NAME_ETCD_NAME}\n \ env | grep ETCD | grep -v NODE\n\n set -x\n # See https://etcd.io/docs/v3.4.0/tuning/ for why we use ionice\n exec nice -n -19 ionice -c2 -n0 etcd \\\n --logger=zap \\\n --log-level=info \\\n --experimental-initial-corrupt-check=true \\\n --snapshot-count=10000 \\\n --initial-advertise-peer-urls=https://${NODE_NODE_ENVVAR_NAME_IP}:2380 \\\n --cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.crt \\\n --key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.key \\\n --trusted-ca-file=/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt \\\n --client-cert-auth=true \\\n --peer-cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt \\\n --peer-key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key \\\n --peer-trusted-ca-file=/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt \\\n --peer-client-cert-auth=true \\\n --advertise-client-urls=https://${NODE_NODE_ENVVAR_NAME_IP}:2379 \\\n --listen-client-urls=https://0.0.0.0:2379,unixs://${NODE_NODE_ENVVAR_NAME_IP}:0 \\\n --listen-peer-urls=https://0.0.0.0:2380 \\\n --metrics=extensive \\\n --listen-metrics-urls=https://0.0.0.0:9978 || mv /etc/kubernetes/etcd-backup-dir/etcd-member.yaml /etc/kubernetes/manifests\n ports:\n - containerPort: 2379\n name: etcd\n protocol: TCP\n - containerPort: 2380\n name: etcd-peer\n \ protocol: TCP\n - containerPort: 9978\n name: etcd-metrics\n protocol: TCP\n env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_API\"\n value: \"3\"\n - name: \"ETCDCTL_CACERT\"\n \ value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n \ value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n value: \"true\"\n \ - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n value: \"5s\"\n \ - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n \ value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n \ value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n value: \"192.168.32.10\"\n \ - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n - name: \"ETCD_STATIC_POD_VERSION\"\n value: \"REVISION\"\n resources:\n requests:\n \ memory: 600Mi\n cpu: 300m\n readinessProbe:\n httpGet:\n \ port: 9980\n path: readyz\n scheme: HTTPS\n timeoutSeconds: 30\n failureThreshold: 5\n periodSeconds: 5\n successThreshold: 1\n livenessProbe:\n httpGet:\n path: healthz\n port: 9980\n scheme: HTTPS\n timeoutSeconds: 30\n periodSeconds: 5\n successThreshold: 1\n failureThreshold: 5\n startupProbe:\n \ httpGet:\n port: 9980\n path: readyz\n scheme: HTTPS\n \ initialDelaySeconds: 10\n timeoutSeconds: 1\n periodSeconds: 10\n successThreshold: 1\n failureThreshold: 18\n securityContext:\n \ privileged: true\n volumeMounts:\n - mountPath: /etc/kubernetes/manifests\n \ name: static-pod-dir\n - mountPath: /etc/kubernetes/static-pod-resources\n \ name: resource-dir\n - mountPath: /etc/kubernetes/static-pod-certs\n \ name: cert-dir\n - mountPath: /var/lib/etcd/\n name: data-dir\n\n \ - name: etcd-metrics\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n set -euo pipefail\n\n export ETCD_NAME=${NODE_NODE_ENVVAR_NAME_ETCD_NAME}\n\n \ exec nice -n -18 etcd grpc-proxy start \\\n --endpoints https://${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}:9978 \\\n --metrics-addr https://0.0.0.0:9979 \\\n --listen-addr 127.0.0.1:9977 \\\n --advertise-client-url \"\" \\\n --key /etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key \\\n --key-file /etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-metrics-NODE_NAME.key \\\n --cert /etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt \\\n --cert-file /etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-metrics-NODE_NAME.crt \\\n --cacert /etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt \\\n --trusted-ca-file /etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/metrics-ca-bundle.crt \\\n --listen-cipher-suites TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 \\\n --tls-min-version $(ETCD_TLS_MIN_VERSION)\n ports:\n - containerPort: 9979\n name: proxy-metrics\n protocol: TCP\n env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \n \ - name: \"ETCDCTL_API\"\n value: \"3\"\n \n - name: \"ETCDCTL_CACERT\"\n \ value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ \n - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ \n - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ \n - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ \n - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ \n - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n \n \ - name: \"ETCD_ELECTION_TIMEOUT\"\n value: \"2500\"\n \n - name: \"ETCD_ENABLE_PPROF\"\n value: \"true\"\n \n - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n \ value: \"1\"\n \n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n \ value: \"200ms\"\n \n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n \ value: \"5s\"\n \n - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n \n - name: \"ETCD_IMAGE\"\n value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\"\n \ \n - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n \ \n - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n \ \n - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n \n \ - name: \"ETCD_TLS_MIN_VERSION\"\n value: \"TLS1.2\"\n \n - name: \"NODE_master_0_ETCD_NAME\"\n value: \"master-0\"\n \n - name: \"NODE_master_0_ETCD_URL_HOST\"\n \ value: \"192.168.32.10\"\n \n - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n - name: \"ETCD_STATIC_POD_VERSION\"\n value: \"REVISION\"\n \ resources:\n requests:\n memory: 200Mi\n cpu: 40m\n securityContext:\n \ privileged: true\n volumeMounts:\n - mountPath: /etc/kubernetes/static-pod-resources\n \ name: resource-dir\n - mountPath: /etc/kubernetes/static-pod-certs\n \ name: cert-dir\n - mountPath: /var/lib/etcd/\n name: data-dir\n \ - name: etcd-readyz\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:6088910bdc1583b275fab261e3234c0b63b4cc16d01bcea697b6a7f6db13bdf3\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n set -euo pipefail\n \n exec nice -n -18 cluster-etcd-operator readyz \\\n --target=https://localhost:2379 \\\n --listen-port=9980 \\\n --serving-cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.crt \\\n --serving-key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.key \\\n --client-cert-file=$(ETCDCTL_CERT) \\\n --client-key-file=$(ETCDCTL_KEY) \\\n --client-cacert-file=$(ETCDCTL_CACERT) \\\n --listen-cipher-suites TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 \\\n --listen-tls-min-version=$(ETCD_TLS_MIN_VERSION)\n securityContext:\n \ privileged: true\n ports:\n - containerPort: 9980\n name: readyz\n \ protocol: TCP\n resources:\n requests:\n memory: 50Mi\n \ cpu: 10m\n env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n - name: \"ETCDCTL_API\"\n value: \"3\"\n \ - name: \"ETCDCTL_CACERT\"\n value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n \ value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n value: \"true\"\n \ - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n value: \"5s\"\n \ - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n \ value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n \ value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n value: \"192.168.32.10\"\n \ - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n volumeMounts:\n \ - mountPath: /var/log/etcd/\n name: log-dir\n - mountPath: /etc/kubernetes/static-pod-certs\n name: cert-dir\n - name: etcd-rev\n \ image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:6088910bdc1583b275fab261e3234c0b63b4cc16d01bcea697b6a7f6db13bdf3\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n set -euo pipefail\n \n cluster-etcd-operator rev \\\n --endpoints=$(ALL_ETCD_ENDPOINTS) \\\n --client-cert-file=$(ETCDCTL_CERT) \\\n --client-key-file=$(ETCDCTL_KEY) \\\n --client-cacert-file=$(ETCDCTL_CACERT)\n securityContext:\n \ privileged: true\n resources:\n requests:\n memory: 50Mi\n \ cpu: 10m\n env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n - name: \"ETCDCTL_API\"\n value: \"3\"\n \ - name: \"ETCDCTL_CACERT\"\n value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n \ value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n value: \"true\"\n \ - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n value: \"5s\"\n \ - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n \ value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n \ value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n value: \"192.168.32.10\"\n \ - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n volumeMounts:\n \ - mountPath: /var/lib/etcd\n name: data-dir\n - mountPath: /etc/kubernetes/static-pod-certs\n \ name: cert-dir\n hostNetwork: true\n priority: 2000001000\n priorityClassName: system-node-critical\n tolerations:\n - operator: \"Exists\"\n volumes:\n \ - hostPath:\n path: /etc/kubernetes/manifests\n name: static-pod-dir\n \ - hostPath:\n path: /etc/kubernetes/static-pod-resources/etcd-pod-REVISION\n \ name: resource-dir\n - hostPath:\n path: /etc/kubernetes/static-pod-resources/etcd-certs\n \ name: cert-dir\n - hostPath:\n path: /var/lib/etcd\n type: \"\"\n name: data-dir\n - hostPath:\n path: /usr/local/bin\n \ name: usr-local-bin\n - hostPath:\n path: /var/log/etcd\n name: log-dir\n - hostPath:\n path: /etc/kubernetes\n name: config-dir\n \ - hostPath:\n path: /var/lib/etcd-auto-backup\n name: etcd-auto-backup-dir\n" version: 4.18.0-202602170912.p2.gb7e21f5.assembly.stream.el9-b7e21f5 kind: ConfigMap metadata: creationTimestamp: "2026-03-08T00:32:59Z" labels: operator.openshift.io/controller-instance-name: etcd-RevisionController managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:forceRedeploymentReason: {} f:pod.yaml: {} f:version: {} f:metadata: f:labels: .: {} f:operator.openshift.io/controller-instance-name: {} f:ownerReferences: .: {} k:{"uid":"c1019f1c-2ba3-4790-a7a8-ce11f9fbc534"}: {} manager: cluster-etcd-operator operation: Update time: "2026-03-08T00:32:59Z" name: etcd-pod-2 namespace: openshift-etcd ownerReferences: - apiVersion: v1 kind: ConfigMap name: revision-status-2 uid: c1019f1c-2ba3-4790-a7a8-ce11f9fbc534 resourceVersion: "14248" uid: a39621a8-602d-4395-a39e-1354eba15301 - apiVersion: v1 data: cluster-backup.sh: | #!/usr/bin/env bash ### Created by cluster-etcd-operator. DO NOT edit. set -o errexit set -o pipefail set -o errtrace # example # cluster-backup.sh $path-to-snapshot if [[ $EUID -ne 0 ]]; then echo "This script must be run as root" exit 1 fi function usage { echo 'Path to backup dir required: ./cluster-backup.sh [--force] ' exit 1 } IS_DIRTY="" if [ "$1" == "--force" ]; then IS_DIRTY="__POSSIBLY_DIRTY__" shift fi # If the first argument is missing, or it is an existing file, then print usage and exit if [ -z "$1" ] || [ -f "$1" ]; then usage fi if [ ! -d "$1" ]; then mkdir -p "$1" fi function check_if_operator_is_progressing { local operator="$1" if [ ! -f "${KUBECONFIG}" ]; then echo "Valid kubeconfig is not found in kube-apiserver-certs. Exiting!" exit 1 fi progressing=$(oc get co "${operator}" -o jsonpath='{.status.conditions[?(@.type=="Progressing")].status}') || true if [ "$progressing" == "" ]; then echo "Could not find the status of the $operator. Check if the API server is running. Pass the --force flag to skip checks." exit 1 elif [ "$progressing" != "False" ]; then echo "Currently the $operator operator is progressing. A reliable backup requires that a rollout is not in progress. Aborting!" exit 1 fi } # backup latest static pod resources function backup_latest_kube_static_resources { local backup_tar_file="$1" local backup_resource_list=("kube-apiserver" "kube-controller-manager" "kube-scheduler" "etcd") local latest_resource_dirs=() for resource in "${backup_resource_list[@]}"; do if [ ! -f "/etc/kubernetes/manifests/${resource}-pod.yaml" ]; then echo "error finding manifests for the ${resource} pod. please check if it is running." exit 1 fi local latest_resource latest_resource=$(grep -o -m 1 "/etc/kubernetes/static-pod-resources/${resource}-pod-[0-9]*" "/etc/kubernetes/manifests/${resource}-pod.yaml") || true if [ -z "${latest_resource}" ]; then echo "error finding static-pod-resources for the ${resource} pod. please check if it is running." exit 1 fi if [ "${IS_DIRTY}" == "" ]; then check_if_operator_is_progressing "${resource}" fi echo "found latest ${resource}: ${latest_resource}" latest_resource_dirs+=("${latest_resource#${CONFIG_FILE_DIR}/}") done # tar latest resources with the path relative to CONFIG_FILE_DIR tar -cpzf "$backup_tar_file" -C "${CONFIG_FILE_DIR}" "${latest_resource_dirs[@]}" chmod 600 "$backup_tar_file" } function source_required_dependency { local src_path="$1" if [ ! -f "${src_path}" ]; then echo "required dependencies not found, please ensure this script is run on a node with a functional etcd static pod" exit 1 fi # shellcheck disable=SC1090 source "${src_path}" } BACKUP_DIR="$1" DATESTRING=$(date "+%F_%H%M%S") BACKUP_TAR_FILE=${BACKUP_DIR}/static_kuberesources_${DATESTRING}${IS_DIRTY}.tar.gz SNAPSHOT_FILE="${BACKUP_DIR}/snapshot_${DATESTRING}${IS_DIRTY}.db" trap 'rm -f ${BACKUP_TAR_FILE} ${SNAPSHOT_FILE}' ERR source_required_dependency /etc/kubernetes/static-pod-resources/etcd-certs/configmaps/etcd-scripts/etcd.env source_required_dependency /etc/kubernetes/static-pod-resources/etcd-certs/configmaps/etcd-scripts/etcd-common-tools # replacing the value of variables sourced form etcd.env to use the local node folders if the script is not running into the cluster-backup pod if [ ! -f "${ETCDCTL_CACERT}" ]; then echo "Certificate ${ETCDCTL_CACERT} is missing. Checking in different directory" export ETCDCTL_CACERT=$(echo ${ETCDCTL_CACERT} | sed -e "s|static-pod-certs|static-pod-resources/etcd-certs|") export ETCDCTL_CERT=$(echo ${ETCDCTL_CERT} | sed -e "s|static-pod-certs|static-pod-resources/etcd-certs|") export ETCDCTL_KEY=$(echo ${ETCDCTL_KEY} | sed -e "s|static-pod-certs|static-pod-resources/etcd-certs|") if [ ! -f "${ETCDCTL_CACERT}" ]; then echo "Certificate ${ETCDCTL_CACERT} is also missing in the second directory. Exiting!" exit 1 else echo "Certificate ${ETCDCTL_CACERT} found!" fi fi backup_latest_kube_static_resources "${BACKUP_TAR_FILE}" # Download etcdctl and get the etcd snapshot dl_etcdctl # snapshot save will continue to stay in etcdctl ETCDCTL_ENDPOINTS="https://${NODE_NODE_ENVVAR_NAME_IP}:2379" etcdctl snapshot save "${SNAPSHOT_FILE}" # Check the integrity of the snapshot check_snapshot_status "${SNAPSHOT_FILE}" snapshot_failed=$? # If check_snapshot_status returned 1 it failed, so exit with code 1 if [[ $snapshot_failed -eq 1 ]]; then echo "snapshot failed with exit code ${snapshot_failed}" exit 1 fi echo "snapshot db and kube resources are successfully saved to ${BACKUP_DIR}" cluster-restore.sh: |+ #!/usr/bin/env bash ### Created by cluster-etcd-operator. DO NOT edit. set -o errexit set -o pipefail set -o errtrace # example # ./cluster-restore.sh $path-to-backup # ETCD_ETCDCTL_RESTORE - when set this script will use `etcdctl snapshot restore` instead of a restore pod yaml, # which can be used when restoring a single member (e.g. on single node OCP). # Syncing very big snapshots (>8GiB) from the leader might also be expensive, this aids in # keeping the amount of data pulled to a minimum. This option will neither rev-bump nor mark-compact. if [[ $EUID -ne 0 ]]; then echo "This script must be run as root" exit 1 fi function source_required_dependency { local src_path="$1" if [ ! -f "${src_path}" ]; then echo "required dependencies not found, please ensure this script is run on a node with a functional etcd static pod" exit 1 fi # shellcheck disable=SC1090 source "${src_path}" } source_required_dependency /etc/kubernetes/static-pod-resources/etcd-certs/configmaps/etcd-scripts/etcd.env source_required_dependency /etc/kubernetes/static-pod-resources/etcd-certs/configmaps/etcd-scripts/etcd-common-tools function usage() { echo 'Path to the directory containing backup files is required: ./cluster-restore.sh ' echo 'The backup directory is expected to be contain two files:' echo ' 1. etcd snapshot' echo ' 2. A copy of the Static POD resources at the time of backup' exit 1 } # If the argument is not passed, or if it is not a directory, print usage and exit. if [ "$1" == "" ] || [ ! -d "$1" ]; then usage fi function restore_static_pods() { local backup_file="$1" shift local static_pods=("$@") for pod_file_name in "${static_pods[@]}"; do backup_pod_path=$(tar -tvf "${backup_file}" "*${pod_file_name}" | awk '{ print $6 }') || true if [ -z "${backup_pod_path}" ]; then echo "${pod_file_name} does not exist in ${backup_file}" exit 1 fi echo "starting ${pod_file_name}" tar -xvf "${backup_file}" --strip-components=2 -C "${MANIFEST_DIR}"/ "${backup_pod_path}" done } BACKUP_DIR="$1" # shellcheck disable=SC2012 BACKUP_FILE=$(ls -vd "${BACKUP_DIR}"/static_kuberesources*.tar.gz | tail -1) || true # shellcheck disable=SC2012 SNAPSHOT_FILE=$(ls -vd "${BACKUP_DIR}"/snapshot*.db | tail -1) || true ETCD_STATIC_POD_LIST=("etcd-pod.yaml") ETCD_STATIC_POD_CONTAINERS=("etcd" "etcdctl" "etcd-metrics" "etcd-readyz" "etcd-rev" "etcd-backup-server") if [ ! -f "${SNAPSHOT_FILE}" ]; then echo "etcd snapshot ${SNAPSHOT_FILE} does not exist" exit 1 fi # Download etcdctl and check the snapshot status dl_etcdctl check_snapshot_status "${SNAPSHOT_FILE}" ETCD_CLIENT="${ETCD_ETCDCTL_BIN+etcdctl}" if [ -n "${ETCD_ETCDUTL_BIN}" ]; then ETCD_CLIENT="${ETCD_ETCDUTL_BIN}" fi # always move etcd pod and wait for all containers to exit mv_static_pods "${ETCD_STATIC_POD_LIST[@]}" wait_for_containers_to_stop "${ETCD_STATIC_POD_CONTAINERS[@]}" if [ ! -d "${ETCD_DATA_DIR_BACKUP}" ]; then mkdir -p "${ETCD_DATA_DIR_BACKUP}" fi # backup old data-dir if [ -d "${ETCD_DATA_DIR}/member" ]; then if [ -d "${ETCD_DATA_DIR_BACKUP}/member" ]; then echo "removing previous backup ${ETCD_DATA_DIR_BACKUP}/member" rm -rf "${ETCD_DATA_DIR_BACKUP}"/member fi echo "Moving etcd data-dir ${ETCD_DATA_DIR}/member to ${ETCD_DATA_DIR_BACKUP}" mv "${ETCD_DATA_DIR}"/member "${ETCD_DATA_DIR_BACKUP}"/ fi if [ -z "${ETCD_ETCDCTL_RESTORE}" ]; then # Restore static pod resources tar -C "${CONFIG_FILE_DIR}" -xzf "${BACKUP_FILE}" static-pod-resources # Copy snapshot to backupdir cp -p "${SNAPSHOT_FILE}" "${ETCD_DATA_DIR_BACKUP}"/snapshot.db # Move the revision.json when it exists [ ! -f "${ETCD_REV_JSON}" ] || mv -f "${ETCD_REV_JSON}" "${ETCD_DATA_DIR_BACKUP}"/revision.json # removing any fio perf files left behind that could be deleted without problems rm -f "${ETCD_DATA_DIR}"/etcd_perf* # ensure the folder is really empty, otherwise the restore pod will crash loop if [ -n "$(ls -A "${ETCD_DATA_DIR}")" ]; then echo "folder ${ETCD_DATA_DIR} is not empty, please review and remove all files in it" exit 1 fi echo "starting restore-etcd static pod" cp -p "${RESTORE_ETCD_POD_YAML}" "${MANIFEST_DIR}/etcd-pod.yaml" else echo "removing etcd data dir..." rm -rf "${ETCD_DATA_DIR}" mkdir -p "${ETCD_DATA_DIR}" echo "starting snapshot restore through etcdctl..." # We are never going to rev-bump here to ensure we don't cause a revision split between the # remainder of the running cluster and this restore member. Imagine your non-restore quorum members run at rev 100, # we would attempt to rev bump this with snapshot at rev 120, now this member is 20 revisions ahead and RAFT is confused. if ! ${ETCD_CLIENT} snapshot restore "${SNAPSHOT_FILE}" --data-dir="${ETCD_DATA_DIR}"; then echo "Snapshot restore failed. Aborting!" exit 1 fi # start the original etcd static pod again through the new snapshot echo "restoring old etcd pod to start etcd again" mv "${MANIFEST_STOPPED_DIR}/etcd-pod.yaml" "${MANIFEST_DIR}/etcd-pod.yaml" fi disable-etcd.sh: | #!/usr/bin/env bash ### Created by cluster-etcd-operator. DO NOT edit. set -o errexit set -o pipefail set -o errtrace # disable-etcd.sh # This script will move the etcd static pod into the home/core/assets/manifests-stopped folder and wait for all containers to exit. if [[ $EUID -ne 0 ]]; then echo "This script must be run as root" exit 1 fi function source_required_dependency { local src_path="$1" if [ ! -f "${src_path}" ]; then echo "required dependencies not found, please ensure this script is run on a node with a functional etcd static pod" exit 1 fi # shellcheck disable=SC1090 source "${src_path}" } source_required_dependency /etc/kubernetes/static-pod-resources/etcd-certs/configmaps/etcd-scripts/etcd.env source_required_dependency /etc/kubernetes/static-pod-resources/etcd-certs/configmaps/etcd-scripts/etcd-common-tools ETCD_STATIC_POD_LIST=("etcd-pod.yaml") ETCD_STATIC_POD_CONTAINERS=("etcd" "etcdctl" "etcd-metrics" "etcd-readyz" "etcd-rev" "etcd-backup-server") # always move etcd pod and wait for all containers to exit mv_static_pods "${ETCD_STATIC_POD_LIST[@]}" wait_for_containers_to_stop "${ETCD_STATIC_POD_CONTAINERS[@]}" etcd-common-tools: | # Common environment variables ASSET_DIR="/home/core/assets" CONFIG_FILE_DIR="/etc/kubernetes" MANIFEST_DIR="${CONFIG_FILE_DIR}/manifests" ETCD_DATA_DIR="/var/lib/etcd" ETCD_DATA_DIR_BACKUP="/var/lib/etcd-backup" ETCD_REV_JSON="${ETCD_DATA_DIR}/revision.json" MANIFEST_STOPPED_DIR="${ASSET_DIR}/manifests-stopped" RESTORE_ETCD_POD_YAML="${CONFIG_FILE_DIR}/static-pod-resources/etcd-certs/configmaps/restore-etcd-pod/pod.yaml" QUORUM_RESTORE_ETCD_POD_YAML="${CONFIG_FILE_DIR}/static-pod-resources/etcd-certs/configmaps/restore-etcd-pod/quorum-restore-pod.yaml" ETCDCTL_BIN_DIR="${CONFIG_FILE_DIR}/static-pod-resources/bin" PATH=${PATH}:${ETCDCTL_BIN_DIR} export KUBECONFIG="/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/localhost.kubeconfig" export ETCD_ETCDCTL_BIN="etcdctl" # download etcdctl from download release image function dl_etcdctl { # Avoid caching the binary when podman exists, the etcd image is always available locally and we need a way to update etcdctl. # When we're running from an etcd image there's no podman and we can continue without a download. if ([ -n "$(command -v podman)" ]); then local etcdimg=${ETCD_IMAGE} local etcdctr=$(podman create --authfile=/var/lib/kubelet/config.json ${etcdimg}) local etcdmnt=$(podman mount "${etcdctr}") [ ! -d ${ETCDCTL_BIN_DIR} ] && mkdir -p ${ETCDCTL_BIN_DIR} cp ${etcdmnt}/bin/etcdctl ${ETCDCTL_BIN_DIR}/ if [ -f "${etcdmnt}/bin/etcdutl" ]; then cp ${etcdmnt}/bin/etcdutl ${ETCDCTL_BIN_DIR}/ export ETCD_ETCDUTL_BIN=etcdutl fi if ! [ -x "$(command -v jq)" ]; then cp ${etcdmnt}/bin/jq ${ETCDCTL_BIN_DIR}/ fi umount "${etcdmnt}" podman rm "${etcdctr}" etcdctl version return fi if ([ -x "$(command -v etcdctl)" ]); then echo "etcdctl is already installed" if [ -x "$(command -v etcdutl)" ]; then echo "etcdutl is already installed" export ETCD_ETCDUTL_BIN=etcdutl fi return fi echo "Could neither pull etcdctl nor find it locally in cache. Aborting!" exit 1 } function check_snapshot_status() { local snap_file="$1" ETCD_CLIENT="${ETCD_ETCDCTL_BIN}" if [ -n "${ETCD_ETCDUTL_BIN}" ]; then ETCD_CLIENT="${ETCD_ETCDUTL_BIN}" fi if ! ${ETCD_CLIENT} snapshot status "${snap_file}" -w json; then echo "Backup integrity verification failed. Backup appears corrupted. Aborting!" return 1 fi } function wait_for_containers_to_stop() { local containers=("$@") for container_name in "${containers[@]}"; do echo "Waiting for container ${container_name} to stop" while [[ -n $(crictl ps --label io.kubernetes.container.name="${container_name}" -q) ]]; do echo -n "." sleep 1 done echo "complete" done } function mv_static_pods() { local containers=("$@") # Move manifests and stop static pods if [ ! -d "$MANIFEST_STOPPED_DIR" ]; then mkdir -p "$MANIFEST_STOPPED_DIR" fi for POD_FILE_NAME in "${containers[@]}"; do echo "...stopping ${POD_FILE_NAME}" [ ! -f "${MANIFEST_DIR}/${POD_FILE_NAME}" ] && continue mv "${MANIFEST_DIR}/${POD_FILE_NAME}" "${MANIFEST_STOPPED_DIR}" done } etcd.env: | export ALL_ETCD_ENDPOINTS="https://192.168.32.10:2379" export ETCDCTL_API="3" export ETCDCTL_CACERT="/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt" export ETCDCTL_CERT="/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt" export ETCDCTL_ENDPOINTS="https://192.168.32.10:2379" export ETCDCTL_KEY="/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key" export ETCD_CIPHER_SUITES="TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" export ETCD_DATA_DIR="/var/lib/etcd" export ETCD_ELECTION_TIMEOUT="2500" export ETCD_ENABLE_PPROF="true" export ETCD_EXPERIMENTAL_MAX_LEARNERS="1" export ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION="200ms" export ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL="5s" export ETCD_HEARTBEAT_INTERVAL="500" export ETCD_IMAGE="quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b" export ETCD_INITIAL_CLUSTER_STATE="existing" export ETCD_QUOTA_BACKEND_BYTES="8589934592" export ETCD_SOCKET_REUSE_ADDRESS="true" export ETCD_TLS_MIN_VERSION="TLS1.2" export NODE_master_0_ETCD_NAME="master-0" export NODE_master_0_ETCD_URL_HOST="192.168.32.10" export NODE_master_0_IP="192.168.32.10" quorum-restore.sh: | #!/usr/bin/env bash ### Created by cluster-etcd-operator. DO NOT edit. set -o errexit set -o pipefail set -o errtrace # ./quorum-restore.sh # This script attempts to restore quorum by spawning a revision-bumped etcd without membership information. if [[ $EUID -ne 0 ]]; then echo "This script must be run as root" exit 1 fi function source_required_dependency { local src_path="$1" if [ ! -f "${src_path}" ]; then echo "required dependencies not found, please ensure this script is run on a node with a functional etcd static pod" exit 1 fi # shellcheck disable=SC1090 source "${src_path}" } source_required_dependency /etc/kubernetes/static-pod-resources/etcd-certs/configmaps/etcd-scripts/etcd.env source_required_dependency /etc/kubernetes/static-pod-resources/etcd-certs/configmaps/etcd-scripts/etcd-common-tools ETCD_STATIC_POD_LIST=("etcd-pod.yaml") ETCD_STATIC_POD_CONTAINERS=("etcd" "etcdctl" "etcd-metrics" "etcd-readyz" "etcd-rev" "etcd-backup-server") # always move etcd pod and wait for all containers to exit mv_static_pods "${ETCD_STATIC_POD_LIST[@]}" wait_for_containers_to_stop "${ETCD_STATIC_POD_CONTAINERS[@]}" echo "starting restore-etcd static pod" cp "${QUORUM_RESTORE_ETCD_POD_YAML}" "${MANIFEST_DIR}/etcd-pod.yaml" kind: ConfigMap metadata: creationTimestamp: "2026-03-08T00:21:32Z" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:cluster-backup.sh: {} f:cluster-restore.sh: {} f:disable-etcd.sh: {} f:etcd-common-tools: {} f:etcd.env: {} f:quorum-restore.sh: {} manager: cluster-etcd-operator operation: Update time: "2026-03-08T00:21:32Z" name: etcd-scripts namespace: openshift-etcd resourceVersion: "4752" uid: a0073490-1b57-42dd-be04-7f988ed70fe4 - apiVersion: v1 data: ca.crt: | -----BEGIN CERTIFICATE----- MIIDMjCCAhqgAwIBAgIIcB+BS2IZtgowDQYJKoZIhvcNAQELBQAwNzESMBAGA1UE CxMJb3BlbnNoaWZ0MSEwHwYDVQQDExhrdWJlLWFwaXNlcnZlci1sYi1zaWduZXIw HhcNMjYwMzA4MDAwNTEzWhcNMzYwMzA1MDAwNTEzWjA3MRIwEAYDVQQLEwlvcGVu c2hpZnQxITAfBgNVBAMTGGt1YmUtYXBpc2VydmVyLWxiLXNpZ25lcjCCASIwDQYJ KoZIhvcNAQEBBQADggEPADCCAQoCggEBAM7TOidcwN+YSWZG04EBi4uab+2HWNT1 RFy+pDcn4EFvntTc+5gSjyMgv/O6/lnkqIgJlG6CV7HFOdAHid/TdKMMrF0VDUYV vnyQz4KvTm+T0ctXI5/l2ZXTh6CM9wPrRzq7JiUWQg+pGUPtRJft3B7pngLy42V2 5lGTrcyqUu8P42cXdPr+RzAhfBYHCjXDTw8u/3Uo/Rowf4Ndx7E3wfmborp3GUju Yr4mgayAHx+TvuQ3O8MWJm5XfzmoWFHEplW2CpEhseXPl8safX+mn1xSmHBVQ9fi pT/daRtRIBR+xWo7giG1L6adGe1iklLM5Y1IfO66Dm8rcZJJXpNxUXkCAwEAAaNC MEAwDgYDVR0PAQH/BAQDAgKkMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFBCu 0RESnZH0whR4HLC0s2Sc/hhAMA0GCSqGSIb3DQEBCwUAA4IBAQBVR6xBBXTNX6EW hBhSJT4AFJ9b6S7MP2TGNX/HHsGT+hm0nvuTXhRGLAej/cdwoX+BGls5EBA+m3r2 8sZbgkOT+QrOJyCgzKLXF93hMpgRjvMyuY1bgswCRx+hsq59BzSImIxeebOULDKX OsmNYzOiLNKPTVVJNkNlIRTEpakdACPtBA1c6bdSSt0PBKxSJ3eMoX7o+uOvAlWU DFQfBj+MwpsyexsyeuayxDFvOYPESUyHxfUdNrmQ86SVCPPr0Q5uqx7CcWMuIK6p sdssfyur8eXd4+Myi9eEo1wcR8d6HB+fvY1f6gJ/DybJh1e/NEFG1UC7YKxynUvS mntV0bWw -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIDQDCCAiigAwIBAgIIdGawk0eovZAwDQYJKoZIhvcNAQELBQAwPjESMBAGA1UE CxMJb3BlbnNoaWZ0MSgwJgYDVQQDEx9rdWJlLWFwaXNlcnZlci1sb2NhbGhvc3Qt c2lnbmVyMB4XDTI2MDMwODAwMDUxM1oXDTM2MDMwNTAwMDUxM1owPjESMBAGA1UE CxMJb3BlbnNoaWZ0MSgwJgYDVQQDEx9rdWJlLWFwaXNlcnZlci1sb2NhbGhvc3Qt c2lnbmVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0wNzg7Rye4BW Ede2QW5ImBL9BPUKDkcPYYrKuQYLC3qUhdKn+L9mNG8zZHQq6aIyXJbPOZXFMZaR QCpzjNI2A15Cug6DU/X9A/b6t4DvT2T3uTVqfV5DYB262vL+MaYap8zMl3Ydh+dX 3vVHv0nFKniKfSrbeS9K2e4vaUg+rDKaNWcu3mwZpX6mZ7EWNKO5tUIH60VkUYSw v0ez61/x37O49B6qrjo0LA9V8O8fbh/wD5/lbKuJV6pXxNZsnBcmO5mkOfR3mp8k eUojzGRIQTczQbWnRqDRZIT98xmN91TuOSJK3ZNyqXoIMika3BV5E33H9JCZrsjH VE3G4lSzZQIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAqQwDwYDVR0TAQH/BAUwAwEB /zAdBgNVHQ4EFgQUkHRQFn9bwfSqCVEaJsAyrsAAsHwwDQYJKoZIhvcNAQELBQAD ggEBABslce9rGbcLkY+rUys7vf+l13Zi2DP9gb38nHqnJVmsj39p9b7PIja/4svJ oOVq+GioMuTrl+buNGpFYc3ERhnWRELCi9DAjfoRJk+5iZInOPeRIwJJpfrv8B0/ 2ujfeK2pRPcAuDvXuluQN/iZLvEJKeARLAt2/ppln0hdnQlC4dL7w4v0K43XYs60 eeSreJomw4H9vjqQR5bH0NTQsH5ADN8eM8IpCg697tc7oDdIdH8VbTp3HyKfo8tQ j9ufjyUCR1fnQc5Ub11Ze4F4dXqJpmNpwWqJQhWpN+JZ7/EKfPYz78TNe5aPbOPS IxIdX6tEXHdRRJ7O4PQ4mFutQ7U= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIDTDCCAjSgAwIBAgIILJezD5VGh0EwDQYJKoZIhvcNAQELBQAwRDESMBAGA1UE CxMJb3BlbnNoaWZ0MS4wLAYDVQQDEyVrdWJlLWFwaXNlcnZlci1zZXJ2aWNlLW5l dHdvcmstc2lnbmVyMB4XDTI2MDMwODAwMDUxM1oXDTM2MDMwNTAwMDUxM1owRDES MBAGA1UECxMJb3BlbnNoaWZ0MS4wLAYDVQQDEyVrdWJlLWFwaXNlcnZlci1zZXJ2 aWNlLW5ldHdvcmstc2lnbmVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC AQEAotkhP5fHHieiq8PuzeHq66SnghgCAkLz4kdCSSiFLT/FuqdJcV0jsG1WgxlS 9Vk3lLWofzk79ci57q4AU7R1cs89litiz9icxqO3BUSl8GFyRLUuZ19Ox47PV5wY lFwkri2OEzQETTvTDye7aEVLFze3yNXur7QPC1dUJ5IPmPoFn9XC2yYlmx+VdCIi vZOzjGqfcJwQCHuVQ6lqxOUZ2DpvF8aI/FMd/rSJPScJfsLx1Q4o/hdVxyyZ6ZjZ IuA8pVE06mtO6nir1bPtREHv04JmbzH8oxVKp2VNvWTilQW68bHYrkllnFD1zLxa 2ou0qD0LJN1VkKk8sXQIzMWHMwIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAqQwDwYD VR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUXjNJXKgyiUq6mG1BO3GX8Hg0Ut4wDQYJ KoZIhvcNAQELBQADggEBADh2pM6AwLYVvRSVHwPnfAGHIvDrf7K1w7zaKZhvxFnD EhonGpYEYeFr01iXE74KQp9pxuJT7xxYSKfKWlKA34zlRM+Rb0dOce+2Na/PvHTh K/8ZSIElxn+sPmlPPMIGNO/TfA7UyuG942x0jnc6JuAZTXR7o2cI/2H4Fg9AGF8w dxTHTC67nsENRTcnkvKsh8r4zZ0sb5JR+zPTbdQ4+9WhOYNa5JS1It1fo4wVlgwL 1yiOMjx1XUIsfhrDzVdleZ+NKDTaUeDjkCMzquTmAemxMGRaNCXKb8uwlmSFQYEd lw1HRrhShFygDhHC3PqOpI7oulNgYtNE5MlLh7lMDSA= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIDlzCCAn+gAwIBAgIIQZ9DS9WdDuAwDQYJKoZIhvcNAQELBQAwWTFXMFUGA1UE AwxOb3BlbnNoaWZ0LWt1YmUtYXBpc2VydmVyLW9wZXJhdG9yX2xvY2FsaG9zdC1y ZWNvdmVyeS1zZXJ2aW5nLXNpZ25lckAxNzcyOTI5Mjc1MB4XDTI2MDMwODAwMjEx NFoXDTM2MDMwNTAwMjExNVowWTFXMFUGA1UEAwxOb3BlbnNoaWZ0LWt1YmUtYXBp c2VydmVyLW9wZXJhdG9yX2xvY2FsaG9zdC1yZWNvdmVyeS1zZXJ2aW5nLXNpZ25l ckAxNzcyOTI5Mjc1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArW0y Np9fNu2ahy0tBmCVOXbZe/4p1vdKND3lhg5dcn8DR2VyWWiZZfy8bhohVjAENtyw keW0VnwBO8QmgpNWz40QTWzE9O5GksYMXo1eKpXv+gKMPKCz/ey694ZKXyULqGIk kF/fWkhALEWoTJajz2cFLis4WT2GhsppkAcezOLlk9Df114i/eZGzr2CtElJZWSH I/+MyW4GeuJIy46iJh+SPAYvIKmfqSp8jIfE7FMsauXMHEqKx59Yj4Q7EEv8BiDg RwDOUL5eTnOP1s57s9YU1BfGbasNmlx9vpNRH+24zqQtKqAbM8lyRtuHai6bHUQb yNMCoYcMdz8QkaT7YwIDAQABo2MwYTAOBgNVHQ8BAf8EBAMCAqQwDwYDVR0TAQH/ BAUwAwEB/zAdBgNVHQ4EFgQUcrMyB0g8iqKxpZ6W9l7mp5tJa0UwHwYDVR0jBBgw FoAUcrMyB0g8iqKxpZ6W9l7mp5tJa0UwDQYJKoZIhvcNAQELBQADggEBAEFF20Qa 14TjrNhajb73OX021ZU7oAD8ymiZIjk2LW4RyQKDNl6IeTVQQjgHfENlX3es+Zdn Opz5pSX13mBQFfx2X052T2gpSGPepwDeunu/HN00NgqO1pidQduGJCS7RocGOvQg 1ayBpOuZnVnxyKNqYBqS8haAUerIH16IyOmrwQuRxfT8Beow0DCTs0+mDmNZV7RH u+ekhiKAJwkUcNNLAMJulEDsb4/8QS8Ahq1OnkMiYwXpvWmQFicHKNLSN+/dJhDr JTdj/nKF6PqUyN/2/8mXE6TBt5A2staZlLU7lw0u5Hdhv5Yg2JOdmox5xurJpsm0 TMmjF61OEa6Ou7Y= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIDZzCCAk+gAwIBAgIINACkKXNPqdEwDQYJKoZIhvcNAQELBQAwJjEkMCIGA1UE AwwbaW5ncmVzcy1vcGVyYXRvckAxNzcyOTI5MzE2MB4XDTI2MDMwODAwMjE1NloX DTI4MDMwNzAwMjE1N1owIzEhMB8GA1UEAwwYKi5hcHBzLnNuby5vcGVuc3RhY2su bGFiMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzdNMLqH/tUjyxqXI HrwhFhe9B0G2K8sdXnSJ+Va13ue/KXTCngDQ8xnsg5oeDYnJa31wQMTLnXKAZJUB Ofe3ZJZPYmMXDetSPK/cPqhmU7lE7+Krt0I9CSLw5PtQY1QYflNw4Gw9wpFgR5Qm zt78zxTxmfidHaTkQSVgCP52cZSV/HqZaAsnmW7wGHjIhneNPt9o5Y+IkbbKG/l3 NS7IYrzSWvwujflTbFpvil7zuEWF9tJeHUk2uOse60Z9OWy3Nm7fLe7dfQABcf3f qL+ukdIpbzkosqsMYYWVKmMsckSWlxv34SN6y/VQEi9JVaZUUk9HIdTl4Gc77UT4 0FvXpwIDAQABo4GbMIGYMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEF BQcDATAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBSEZRlXp935/YSddeKlDSw8X6E6 VzAfBgNVHSMEGDAWgBTbLMNLBgufeG1XogushlboVdtltTAjBgNVHREEHDAaghgq LmFwcHMuc25vLm9wZW5zdGFjay5sYWIwDQYJKoZIhvcNAQELBQADggEBAC6FJZiQ TFOYio+i3m1i6UdaCQ3O/X4qhIVwUBC0/oKSkZ+ihkAox5FJR3MDbaKODEOXpz+1 bTF6/6piBD5p9vEHjmNpY1kMhbZeAtprLD8C6mOJ0A2qa85wolAJX/wFYnRXHd6s RzbfE4k/zYWIk43ORsPW9ge8K6bP1fAY5H5sR7VWmKavAZMY+uEtqyeTLm7UgxI4 xhTxXpokYG/z55DhXJx/9WVSdUIsGKfkAKP2kTYTVfN8O0Mw0jm93QHfTsg15pqD pHEYarcDfCbxb0T6i4HERTu82BKDZRoaXnDvidDmbVQk/6FH/LZFWP2Diy87IR17 QL7k6yPuCIYhLk8= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIDDDCCAfSgAwIBAgIBATANBgkqhkiG9w0BAQsFADAmMSQwIgYDVQQDDBtpbmdy ZXNzLW9wZXJhdG9yQDE3NzI5MjkzMTYwHhcNMjYwMzA4MDAyMTU2WhcNMjgwMzA3 MDAyMTU3WjAmMSQwIgYDVQQDDBtpbmdyZXNzLW9wZXJhdG9yQDE3NzI5MjkzMTYw ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDtxzg7cbOPyRMY0EpAl0pI A1pmA5yxvUnLRztZG5BPiI4CdDNr8OdutEDqtywHHXEvEsK/WfjQp1nTa8btaVo9 dmW5rRcuOCgEKhgieobxcotuNM56frY/RvsgDpc2CH6hu64Z2iOGkGjfTgYtxuom dOQp2ngp8SSQTT4utCKap1aDAcYDqdhK97wx9wMdgO3ptXV2su1KnsiFy7gq6ujG 6ULZmARWpx6Fb7fKJrw3QcmsJnHnCxymyW6eWYgMCiXhkK09kegXsghZ1IxOzQDB BM4uRZQNM+BlOKoEQmLtVma790+SXxfx22OVxmfzb6pORmD2kx0LQLY+e9zbBF/p AgMBAAGjRTBDMA4GA1UdDwEB/wQEAwICpDASBgNVHRMBAf8ECDAGAQH/AgEAMB0G A1UdDgQWBBTbLMNLBgufeG1XogushlboVdtltTANBgkqhkiG9w0BAQsFAAOCAQEA paV3lqxH7sPUkG7buHcNG/SxQEqUYPMknggc2RmWTcgHPtDM7kTIFRW3F4h2MgBD MCvqYq2/RjaD8HnRiPEpE1iGpQGFNsXkBKDX5SnCz//U+Vql9hv24QoJR6Z2SRt2 TJ3GZx7DCu6/RJtD23QsjplULhpkNnqfAFboqh1qN0+rFffBeSBZ2sTtOPM974wo tnbOl6muXCXOfln0SEKWTe9WIceXN8/36tFcSV7xtoNqlYD5pESEUse9C0zFd0Vt W8t+FPXXLbes2SysrW1M58js2pzVdKfUuvltNmTzS8+qQzunca2shiFuCPaTb+YS tNfpj7vfKEo5mHB7zMsaiA== -----END CERTIFICATE----- kind: ConfigMap metadata: annotations: kubernetes.io/description: Contains a CA bundle that can be used to verify the kube-apiserver when using internal endpoints such as the internal service IP or kubernetes.default.svc. No other usage is guaranteed across distributions of Kubernetes clusters. creationTimestamp: "2026-03-08T00:15:14Z" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:ca.crt: {} f:metadata: f:annotations: .: {} f:kubernetes.io/description: {} manager: kube-controller-manager operation: Update time: "2026-03-08T00:33:04Z" name: kube-root-ca.crt namespace: openshift-etcd resourceVersion: "14433" uid: 43e0aad4-9b03-42cf-8a4c-089072f3d403 - apiVersion: v1 data: service-ca.crt: | -----BEGIN CERTIFICATE----- MIIDUTCCAjmgAwIBAgIIMrd9s7oWjRcwDQYJKoZIhvcNAQELBQAwNjE0MDIGA1UE Awwrb3BlbnNoaWZ0LXNlcnZpY2Utc2VydmluZy1zaWduZXJAMTc3MjkyOTI4ODAe Fw0yNjAzMDgwMDIxMjhaFw0yODA1MDYwMDIxMjlaMDYxNDAyBgNVBAMMK29wZW5z aGlmdC1zZXJ2aWNlLXNlcnZpbmctc2lnbmVyQDE3NzI5MjkyODgwggEiMA0GCSqG SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCudn6C5GSTGpDZeIlE8OW5F6Q2iIQMVptt QvTUu2Ar+yuimwFaj5H2XYV4o3ZxP7vJPy9kafBnyI03ehDmefuofzhzPtd6wReH 20jEIVgvFNdhLtUwqrRDyJKsCPNtXz5/mp4xLMakHFPSEtuSu8rgPiMSkPZ03J9i ZxPyBdtp+bLTohROs/OasAQWVyvfWw8ppJX7JTxAbAg3dgqFrGDiuviTjihvdvpE QgqrzE0BYKO30R8p3+ja3eMLfBSBEmGX5HOK0lObN65T1uC1ixfzRq4XPbGQPkgH wdceYNz+t8QyboCvpsnTDPwknLyE/8KvNaibJ0/h77fKEvmTssWPAgMBAAGjYzBh MA4GA1UdDwEB/wQEAwICpDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSOk0QY /WuiSGxxVUMGwG0sxGaEuzAfBgNVHSMEGDAWgBSOk0QY/WuiSGxxVUMGwG0sxGaE uzANBgkqhkiG9w0BAQsFAAOCAQEAoV+Xo/JX53h6jWZur/GnKWsO9eKKKRE28OmF /5m0mA7s4Y/tXfGt9eR8XIcHTMdlNJzWxTOUxO0cyFWt6gr9wcaP0bO841v9zqHJ PERED8tQ+zrPJlZgvew0XfICkaKCGcloeb04a/zVCjUOYf8TR+WTiYwhnWIutRIq 1bPCvKAxjiJmlWZjko9nnvTpGymeyMcy5tWt0q7HvS14bgaKLp2efb6TU3V/5P9g VpUHVyZrH1//Em4nRv4fkL+qgUPVX1PuguCV2tt9bFtVyEVRj2SUlzUgji7EVq0A YU6/XYaqoLuh97Hw7WU3LWm1/PXB+hdNb2J9VhN5bVHmNRCH8Q== -----END CERTIFICATE----- kind: ConfigMap metadata: annotations: service.beta.openshift.io/inject-cabundle: "true" creationTimestamp: "2026-03-08T00:15:14Z" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: {} f:metadata: f:annotations: .: {} f:service.beta.openshift.io/inject-cabundle: {} manager: kube-controller-manager operation: Update time: "2026-03-08T00:15:14Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: f:service-ca.crt: {} manager: service-ca-operator operation: Update time: "2026-03-08T00:21:38Z" name: openshift-service-ca.crt namespace: openshift-etcd resourceVersion: "5343" uid: 08e8faba-1085-4541-be05-d96a9e0f1d5b - apiVersion: v1 data: forceRedeploymentReason: "" pod.yaml: "apiVersion: v1\nkind: Pod\nmetadata:\n name: etcd\n namespace: openshift-etcd\n \ labels:\n app: etcd\n k8s-app: etcd\n etcd: \"true\"\n revision: \"REVISION\"\nspec:\n containers:\n - name: etcd\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n set -euo pipefail\n \n export ETCD_NAME=${NODE_NODE_ENVVAR_NAME_ETCD_NAME}\n \ export ETCD_INITIAL_CLUSTER=\"${ETCD_NAME}=https://${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}:2380\"\n \ env | grep ETCD | grep -v NODE\n export ETCD_NODE_PEER_URL=https://${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}:2380\n \ export REV_JSON=\"/var/lib/etcd-backup/revision.json\"\n export SNAPSHOT_FILE=\"/var/lib/etcd-backup/snapshot.db\"\n\n # checking if data directory is empty, if not etcdctl restore will fail \n if [ -n \"$(ls -A \"/var/lib/etcd\")\" ]; then\n echo \"please delete the contents of the /var/lib/etcd directory before restoring, running the restore script will do this for you\"\n exit 1\n fi\n \n ETCD_ETCDCTL_BIN=\"etcdctl\"\n \ if [ -x \"$(command -v etcdutl)\" ]; then\n echo \"found etcdutl, using that instead of etcdctl for local operations\"\n ETCD_ETCDCTL_BIN=\"etcdutl\"\n \ fi \n\n # check if we have backup file to be restored\n \ # if the file exist, check if it has not changed size in last 5 seconds\n \ if [ ! -f \"${SNAPSHOT_FILE}\" ]; then\n echo \"please make a copy of the snapshot db file, then move that copy to ${SNAPSHOT_FILE}\"\n \ exit 1\n else\n filesize=$(stat --format=%s \"${SNAPSHOT_FILE}\")\n \ sleep 5\n newfilesize=$(stat --format=%s \"${SNAPSHOT_FILE}\")\n \ if [ \"$filesize\" != \"$newfilesize\" ]; then\n echo \"file size has changed since last 5 seconds, retry sometime after copying is complete\"\n \ exit 1\n fi\n fi\n \n SNAPSHOT_REV=$(etcdutl snapshot status -wjson \"$SNAPSHOT_FILE\" | jq -r \".revision\")\n echo \"snapshot is at revision ${SNAPSHOT_REV}\"\n \n if [ -n \"$(ls -A \"${REV_JSON}\")\" ]; then\n # this will bump by the amount of the last known live revision + 20% slack.\n # Note: the bump amount is an addition to the current revision stored in the snapshot.\n # We're avoiding to do any math with SNAPSHOT_REV, uint64 has plenty of space to double revisions\n # and we're assuming that full disaster restores are a very rare occurrence anyway.\n BUMP_REV=$(jq -r \"(.maxRaftIndex*1.2|floor)\" \"${REV_JSON}\")\n echo \"bumping revisions by ${BUMP_REV}\"\n else\n \ # we can't take SNAPSHOT_REV as an indicator here, because the snapshot might be much older\n # than any currently live served revision. \n \ # 1bn would be an etcd running at 1000 writes/s for about eleven days.\n echo \"no revision.json found, assuming a 1bn revision bump\"\n \ BUMP_REV=1000000000\n fi\n \n UUID=$(uuidgen)\n \ echo \"restoring to a single node cluster\"\n ${ETCD_ETCDCTL_BIN} snapshot restore \"${SNAPSHOT_FILE}\" \\\n --name $ETCD_NAME \\\n --initial-cluster=$ETCD_INITIAL_CLUSTER \\\n --initial-cluster-token \"openshift-etcd-${UUID}\" \\\n --initial-advertise-peer-urls $ETCD_NODE_PEER_URL \\\n --data-dir=\"/var/lib/etcd/restore-${UUID}\" \\\n --mark-compacted \\\n --bump-revision \"${BUMP_REV}\"\n\n \ mv /var/lib/etcd/restore-${UUID}/* /var/lib/etcd/\n # copy the revision.json back in case a second restore needs to be run afterwards\n if [ -n \"$(ls -A \"${REV_JSON}\")\" ]; then\n cp ${REV_JSON} /var/lib/etcd/\n \ fi\n\n rmdir /var/lib/etcd/restore-${UUID}\n rm /var/lib/etcd-backup/snapshot.db\n\n \ set -x\n exec etcd \\\n --logger=zap \\\n --log-level=info \\\n --initial-advertise-peer-urls=https://${NODE_NODE_ENVVAR_NAME_IP}:2380 \\\n --cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.crt \\\n --key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.key \\\n --trusted-ca-file=/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt \\\n --client-cert-auth=true \\\n --peer-cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt \\\n --peer-key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key \\\n --peer-trusted-ca-file=/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt \\\n --peer-client-cert-auth=true \\\n --advertise-client-urls=https://${NODE_NODE_ENVVAR_NAME_IP}:2379 \\\n --listen-client-urls=https://0.0.0.0:2379 \\\n --listen-peer-urls=https://0.0.0.0:2380 \\\n --metrics=extensive \\\n --listen-metrics-urls=https://0.0.0.0:9978\n \ env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_API\"\n value: \"3\"\n - name: \"ETCDCTL_CACERT\"\n \ value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n \ value: \"true\"\n - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n \ value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n \ value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n \ value: \"5s\"\n - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n \ - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n \ - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n \ value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n \ value: \"192.168.32.10\"\n - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n - name: \"ETCD_STATIC_POD_REV\"\n value: \"REVISION\"\n \ resources:\n requests:\n memory: 600Mi\n cpu: 300m\n \ readinessProbe:\n tcpSocket:\n port: 2380\n failureThreshold: 3\n initialDelaySeconds: 3\n periodSeconds: 5\n successThreshold: 1\n timeoutSeconds: 5\n securityContext:\n privileged: true\n volumeMounts:\n \ - mountPath: /etc/kubernetes/manifests\n name: static-pod-dir\n \ - mountPath: /etc/kubernetes/static-pod-certs\n name: cert-dir\n \ - mountPath: /var/lib/etcd/\n name: data-dir\n - mountPath: /var/lib/etcd-backup/\n name: backup-dir\n - name: etcd-readyz\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:6088910bdc1583b275fab261e3234c0b63b4cc16d01bcea697b6a7f6db13bdf3\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n set -euo pipefail\n \n exec nice -n -18 cluster-etcd-operator readyz \\\n --target=https://localhost:2379 \\\n --listen-port=9980 \\\n --serving-cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.crt \\\n --serving-key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.key \\\n --client-cert-file=$(ETCDCTL_CERT) \\\n --client-key-file=$(ETCDCTL_KEY) \\\n --client-cacert-file=$(ETCDCTL_CACERT) \\\n --listen-cipher-suites=$(ETCD_CIPHER_SUITES)\n \ securityContext:\n privileged: true\n ports:\n - containerPort: 9980\n name: readyz\n protocol: TCP\n resources:\n requests:\n \ memory: 50Mi\n cpu: 10m\n env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n \ value: \"https://192.168.32.10:2379\"\n - name: \"ETCDCTL_API\"\n \ value: \"3\"\n - name: \"ETCDCTL_CACERT\"\n value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n \ value: \"true\"\n - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n \ value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n \ value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n \ value: \"5s\"\n - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n \ - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n \ - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n \ value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n \ value: \"192.168.32.10\"\n - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n volumeMounts:\n - mountPath: /etc/kubernetes/static-pod-certs\n \ name: cert-dir\n hostNetwork: true\n priorityClassName: system-node-critical\n \ tolerations:\n - operator: \"Exists\"\n volumes:\n - hostPath:\n path: /etc/kubernetes/manifests\n name: static-pod-dir\n - hostPath:\n path: /etc/kubernetes/static-pod-resources/etcd-certs\n name: cert-dir\n - hostPath:\n path: /var/lib/etcd\n type: \"\"\n name: data-dir\n \ - hostPath:\n path: /var/lib/etcd-backup\n type: \"\"\n name: backup-dir\n" quorum-restore-pod.yaml: "apiVersion: v1\nkind: Pod\nmetadata:\n name: etcd\n \ namespace: openshift-etcd\n labels:\n app: etcd\n k8s-app: etcd\n etcd: \"true\"\n revision: \"REVISION\"\nspec:\n containers:\n - name: etcd\n \ image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n set -euo pipefail\n \n export REV_JSON=\"/var/lib/etcd/revision.json\"\n \ \n if [ -n \"$(ls -A \"${REV_JSON}\")\" ]; then\n # this will bump by the amount of 20% of the last known live revision. \n \ BUMP_REV=$(jq -r \"(.maxRaftIndex*0.2|floor)\" \"${REV_JSON}\")\n \ echo \"bumping revisions by ${BUMP_REV}\"\n else\n # 1bn would be an etcd running at 1000 writes/s for about eleven days.\n echo \"no revision.json found, assuming a 1bn revision bump\"\n BUMP_REV=1000000000\n \ fi\n \n set -x\n exec etcd \\\n --logger=zap \\\n --log-level=info \\\n --force-new-cluster \\\n --force-new-cluster-bump-amount=\"${BUMP_REV}\" \\\n --name=\"${NODE_NODE_ENVVAR_NAME_ETCD_NAME}\" \\\n --initial-cluster=\"${NODE_NODE_ENVVAR_NAME_ETCD_NAME}=https://${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}:2380\" \\\n --initial-advertise-peer-urls=https://${NODE_NODE_ENVVAR_NAME_IP}:2380 \\\n --cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.crt \\\n --key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.key \\\n --trusted-ca-file=/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt \\\n --client-cert-auth=true \\\n --peer-cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt \\\n --peer-key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key \\\n --peer-trusted-ca-file=/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt \\\n --peer-client-cert-auth=true \\\n --advertise-client-urls=https://${NODE_NODE_ENVVAR_NAME_IP}:2379 \\\n --listen-client-urls=https://0.0.0.0:2379 \\\n --listen-peer-urls=https://0.0.0.0:2380 \\\n --metrics=extensive \\\n --listen-metrics-urls=https://0.0.0.0:9978\n \ env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_API\"\n value: \"3\"\n - name: \"ETCDCTL_CACERT\"\n \ value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n \ value: \"true\"\n - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n \ value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n \ value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n \ value: \"5s\"\n - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n \ - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n \ - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n \ value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n \ value: \"192.168.32.10\"\n - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n - name: \"ETCD_STATIC_POD_REV\"\n value: \"REVISION\"\n \ resources:\n requests:\n memory: 600Mi\n cpu: 300m\n \ readinessProbe:\n tcpSocket:\n port: 2380\n failureThreshold: 3\n initialDelaySeconds: 3\n periodSeconds: 5\n successThreshold: 1\n timeoutSeconds: 5\n securityContext:\n privileged: true\n volumeMounts:\n \ - mountPath: /etc/kubernetes/manifests\n name: static-pod-dir\n \ - mountPath: /etc/kubernetes/static-pod-certs\n name: cert-dir\n \ - mountPath: /var/lib/etcd/\n name: data-dir\n - mountPath: /var/lib/etcd-backup/\n name: backup-dir\n - name: etcd-readyz\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:6088910bdc1583b275fab261e3234c0b63b4cc16d01bcea697b6a7f6db13bdf3\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n set -euo pipefail\n \n exec nice -n -18 cluster-etcd-operator readyz \\\n --target=https://localhost:2379 \\\n --listen-port=9980 \\\n --serving-cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.crt \\\n --serving-key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.key \\\n --client-cert-file=$(ETCDCTL_CERT) \\\n --client-key-file=$(ETCDCTL_KEY) \\\n --client-cacert-file=$(ETCDCTL_CACERT) \\\n --listen-cipher-suites=$(ETCD_CIPHER_SUITES)\n \ securityContext:\n privileged: true\n ports:\n - containerPort: 9980\n name: readyz\n protocol: TCP\n resources:\n requests:\n \ memory: 50Mi\n cpu: 10m\n env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n \ value: \"https://192.168.32.10:2379\"\n - name: \"ETCDCTL_API\"\n \ value: \"3\"\n - name: \"ETCDCTL_CACERT\"\n value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n \ value: \"true\"\n - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n \ value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n \ value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n \ value: \"5s\"\n - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n \ - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n \ - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n \ value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n \ value: \"192.168.32.10\"\n - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n volumeMounts:\n - mountPath: /etc/kubernetes/static-pod-certs\n \ name: cert-dir\n hostNetwork: true\n priorityClassName: system-node-critical\n \ tolerations:\n - operator: \"Exists\"\n volumes:\n - hostPath:\n path: /etc/kubernetes/manifests\n name: static-pod-dir\n - hostPath:\n path: /etc/kubernetes/static-pod-resources/etcd-certs\n name: cert-dir\n - hostPath:\n path: /var/lib/etcd\n type: \"\"\n name: data-dir\n \ - hostPath:\n path: /var/lib/etcd-backup\n type: \"\"\n name: backup-dir\n" version: 4.18.0-202602170912.p2.gb7e21f5.assembly.stream.el9-b7e21f5 kind: ConfigMap metadata: creationTimestamp: "2026-03-08T00:21:35Z" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:forceRedeploymentReason: {} f:pod.yaml: {} f:quorum-restore-pod.yaml: {} f:version: {} manager: cluster-etcd-operator operation: Update time: "2026-03-08T00:21:35Z" name: restore-etcd-pod namespace: openshift-etcd resourceVersion: "5025" uid: 473e910f-b7c5-41de-b0f5-719fc4f539a5 - apiVersion: v1 data: reason: configmap "etcd-pod-0" not found revision: "1" kind: ConfigMap metadata: annotations: operator.openshift.io/revision-ready: "true" creationTimestamp: "2026-03-08T00:21:34Z" labels: operator.openshift.io/controller-instance-name: etcd-RevisionController managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:reason: {} f:revision: {} f:metadata: f:annotations: .: {} f:operator.openshift.io/revision-ready: {} f:labels: .: {} f:operator.openshift.io/controller-instance-name: {} manager: cluster-etcd-operator operation: Update time: "2026-03-08T00:21:40Z" name: revision-status-1 namespace: openshift-etcd resourceVersion: "5365" uid: d53f0d6b-b416-46e8-a3fa-90de3afb8449 - apiVersion: v1 data: reason: required configmap/etcd-endpoints has changed revision: "2" kind: ConfigMap metadata: annotations: operator.openshift.io/revision-ready: "true" creationTimestamp: "2026-03-08T00:32:57Z" labels: operator.openshift.io/controller-instance-name: etcd-RevisionController managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:reason: {} f:revision: {} f:metadata: f:annotations: .: {} f:operator.openshift.io/revision-ready: {} f:labels: .: {} f:operator.openshift.io/controller-instance-name: {} manager: cluster-etcd-operator operation: Update time: "2026-03-08T00:33:02Z" name: revision-status-2 namespace: openshift-etcd resourceVersion: "14289" uid: c1019f1c-2ba3-4790-a7a8-ce11f9fbc534 kind: ConfigMapList metadata: resourceVersion: "47568"