# Kubernetes List of ConfigMap objects. Every item whose metadata is visible
# here is in the openshift-etcd namespace. The text below has lost its line
# breaks and indentation, so it will not parse as YAML as shown.
#
# First item (cluster-config-v1): a copy of the install-config for the
# cluster named "sno" - one control-plane replica, zero workers, platform
# "none", bootstrapInPlace set.
#   - pullSecret is an empty string in this copy, and sshKey is the public
#     half of an SSH key pair, so neither field carries a credential here.
#
# Later items hold PEM CA certificates (only CERTIFICATE blocks appear in the
# visible part, no private-key blocks) and an embedded pod.yaml for the etcd
# pod. Points to check when reviewing that pod spec:
#   - securityContext.privileged is true on the setup, etcd-ensure-env-vars,
#     etcd-resources-copy, etcd and etcd-metrics containers.
#   - ETCD_ENABLE_PPROF is "true"; etcd serves its profiling handlers on the
#     client listener, which here is started with --client-cert-auth=true.
#   - The client (2379), peer (2380) and metrics (9978) listeners bind
#     0.0.0.0; ETCD_TLS_MIN_VERSION is "TLS1.2".
#   - The setup container applies chmod 0600 to directories; without the
#     search bit only a process that bypasses permission checks can enter
#     them - NOTE(review): confirm this is intended.
--- apiVersion: v1 items: - apiVersion: v1 data: install-config: | additionalTrustBundlePolicy: Proxyonly apiVersion: v1 baseDomain: openstack.lab bootstrapInPlace: installationDisk: /dev/disk/by-path/pci-0000:00:06.0 compute: - architecture: amd64 hyperthreading: Enabled name: worker platform: {} replicas: 0 controlPlane: architecture: amd64 hyperthreading: Enabled name: master platform: {} replicas: 1 metadata: creationTimestamp: null name: sno networking: clusterNetwork: - cidr: 10.128.0.0/16 hostPrefix: 23 machineNetwork: - cidr: 192.168.32.0/24 networkType: OVNKubernetes serviceNetwork: - 172.30.0.0/16 platform: none: {} publish: External pullSecret: "" sshKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1qe1zGnOWKe/+dvlaJGGPh73bPj0pKrmJ667XYYaVwxjFBOxL+bzkzs6oqOVFjFd/iUy/DvpvYL+YB259r5Ny4uErZ8GsNnNk99nIZEkaEwdKrTdp5SKpoV2sH699zsLN40EkwapND4r1928mVF1DJMKYgRD6fxAIPznWSQpZY/fuOo3czWcRp7gqIoYSfBJlh1n28Z9iXVHtCdvqyYTfAcgy6WpGgjF7mKV3jMh912vHtJEncgGQE5nIoPThuYWUdKQP2w3PoPd9y2IqmnJEeTme4VM4rmg8foPDxZEQgjVw/9kKhyv6XB/5gCc8YF2ZX7JQJS3KvBGKp4b4t5lL kind: ConfigMap metadata: annotations: kubernetes.io/description: The install-config content used to create the cluster. The cluster configuration may have evolved since installation, so check cluster configuration resources directly if you are interested in the current cluster state. 
creationTimestamp: "2026-02-16T20:57:18Z" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:install-config: {} f:metadata: f:annotations: .: {} f:kubernetes.io/description: {} manager: cluster-etcd-operator operation: Update time: "2026-02-16T20:57:18Z" name: cluster-config-v1 namespace: openshift-etcd resourceVersion: "5012" uid: ac71dd29-4671-4e27-87fd-3b472883226b - apiVersion: v1 data: metrics-ca-bundle.crt: | -----BEGIN CERTIFICATE----- MIIDUzCCAjugAwIBAgIIQgaTIi24L1IwDQYJKoZIhvcNAQELBQAwNzE1MDMGA1UE Awwsb3BlbnNoaWZ0LWV0Y2RfZXRjZC1tZXRyaWMtc2lnbmVyQDE3NzEyNzQ5Njcw HhcNMjYwMjE2MjA0OTI2WhcNMzEwMjE1MjA0OTI3WjA3MTUwMwYDVQQDDCxvcGVu c2hpZnQtZXRjZF9ldGNkLW1ldHJpYy1zaWduZXJAMTc3MTI3NDk2NzCCASIwDQYJ KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMq76vEKPY1q16p8YfUEkS82wD/krpMg whw+LSXn9cevZSRV8ERdANuSbb1/GvxKkopmHg+OzrcLRfizJeJ34dE0gVxp3PJ7 jneF+lD7WlqD2j2zHjR0iOmfPdwSAlIzrL7YlbTSHaj3Ku9cR206TNigcH8GodT0 sOkUh/huu8jTQmWCE2WN9D/phQJRiYQh1oMSDP7YLLpB0jxf/piyifVR0J1Ns0oG YZ2Van20KShdFT20SxOcbSUiNlGuuc1ubv5VD7p7FOe/zHQRofwoyunbiIvoiq6d 7X39muLS5aQMeUEkeCthNh4NXWrCUh+SJD2oq5iQFkU9weDEjCGeURsCAwEAAaNj MGEwDgYDVR0PAQH/BAQDAgKkMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFEx+ yxIQKO1MLFpM0hZWjaxOnuHxMB8GA1UdIwQYMBaAFEx+yxIQKO1MLFpM0hZWjaxO nuHxMA0GCSqGSIb3DQEBCwUAA4IBAQCBABkRIO2555qkjbkd6Ftt5LMqJ/avCG0/ wuUj72Eq07II8Ac2bBMcyvwWVIseohPPDVJMld07S7SGfl/RxFShumYQJaj2N7v0 iVjaOMEjjMQl5PP0AcCoDTbCnbkIZMa3Zo/RZ7x4WocVcDUNb56AdPeJw0pHom++ d4jdA92iZhxSg+tFoPCI/Hwjkd0ek218KQ6FhATkr9aPMDAS6AlLXHr/Ncsv9qfk 9eA7KwBpaI6LK4Cx3ZFdD2chMn0N26zh77yKU4ZoJlncU36o5yS0UoyU+SLaAPAE T+cjbNyyAu2vqB2Wej0AaY40APz8HgQ8lWsXa2HA6YVUJGMkkIPB -----END CERTIFICATE----- server-ca-bundle.crt: | -----BEGIN CERTIFICATE----- MIIDRTCCAi2gAwIBAgIIJUDWE0zORu0wDQYJKoZIhvcNAQELBQAwMDEuMCwGA1UE Awwlb3BlbnNoaWZ0LWV0Y2RfZXRjZC1zaWduZXJAMTc3MTI3NDk2NjAeFw0yNjAy MTYyMDQ5MjZaFw0zMTAyMTUyMDQ5MjdaMDAxLjAsBgNVBAMMJW9wZW5zaGlmdC1l dGNkX2V0Y2Qtc2lnbmVyQDE3NzEyNzQ5NjYwggEiMA0GCSqGSIb3DQEBAQUAA4IB 
DwAwggEKAoIBAQCzTnJCgoxq1nxvOwqOl66C3sgouGJPp4JqzBL5fX1QpAkVGT8x d0xMk2fkgKE3fQ2iikaHTMzM8HqGV1wiTiPUJPkZUUYO6IuduX6n9JYmFBg+Biis KSaThpGr7BfKpDL63CpHKa0daT5Wy2d1iXtTsI9dqio+utRil128nz5dBdgDvhUu N9hJp2qa7Tzl1HIezR0DaZBKZl54uhkF3Hz6SQuZfUUGCkZV0/xPnTiDENXpZ+TC hcb+cp9WjQBsBnz3uS+iiaGi01h/PoAjmBdjpZ5ua0L9YddclTrnBV0CQRkkMHm8 6+KzHh04bO08RSym+ohiozyVLyQ43VQ3tdKZAgMBAAGjYzBhMA4GA1UdDwEB/wQE AwICpDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRYIPaeSaFOwXVqrh9P4pYm FP3I2TAfBgNVHSMEGDAWgBRYIPaeSaFOwXVqrh9P4pYmFP3I2TANBgkqhkiG9w0B AQsFAAOCAQEAVefZ5erKtdWM9T3UceZTbACbe3xmeBT8gEXPmXKrRQTT/TE4BSdM 8ojrh12gd3B55JtjR0j6ZJ6BVRlkUtqG6la/Imn6fFjwUyONpFtSrsJgp4NikcKk 7tbrp+cyi0g6fTkE+I+vZGloYK6iemmxgoQtU+9bpBmmHlP+UKEA9nKVSckgbugh c9w89od4q9sR3vAybWyoH/IxpQOG/RRNGZ+TWN1SvgQ4RV6IqlRT7f9QgD2IA4cN e31LcUeWCHqAT7Z9tdL06A8h7F8s3HS2siiLACf+A1tFOZygWe1CDoxqAVKn2FdH KtM/f1nUDCX1rlIjS2nAnMMu2yJ4ZgmIUw== -----END CERTIFICATE----- kind: ConfigMap metadata: annotations: openshift.io/ceo-bundle-rollout-revision: "0" openshift.io/owning-component: Etcd creationTimestamp: "2026-02-16T20:51:32Z" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:metrics-ca-bundle.crt: {} f:server-ca-bundle.crt: {} f:metadata: f:annotations: .: {} f:openshift.io/ceo-bundle-rollout-revision: {} f:openshift.io/owning-component: {} manager: cluster-bootstrap operation: Update time: "2026-02-16T20:51:32Z" name: etcd-all-bundles namespace: openshift-etcd resourceVersion: "576" uid: 80d1de36-f17e-4aea-9746-8a38a26d9dd2 - apiVersion: v1 data: metrics-ca-bundle.crt: | -----BEGIN CERTIFICATE----- MIIDUzCCAjugAwIBAgIIQgaTIi24L1IwDQYJKoZIhvcNAQELBQAwNzE1MDMGA1UE Awwsb3BlbnNoaWZ0LWV0Y2RfZXRjZC1tZXRyaWMtc2lnbmVyQDE3NzEyNzQ5Njcw HhcNMjYwMjE2MjA0OTI2WhcNMzEwMjE1MjA0OTI3WjA3MTUwMwYDVQQDDCxvcGVu c2hpZnQtZXRjZF9ldGNkLW1ldHJpYy1zaWduZXJAMTc3MTI3NDk2NzCCASIwDQYJ KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMq76vEKPY1q16p8YfUEkS82wD/krpMg whw+LSXn9cevZSRV8ERdANuSbb1/GvxKkopmHg+OzrcLRfizJeJ34dE0gVxp3PJ7 
jneF+lD7WlqD2j2zHjR0iOmfPdwSAlIzrL7YlbTSHaj3Ku9cR206TNigcH8GodT0 sOkUh/huu8jTQmWCE2WN9D/phQJRiYQh1oMSDP7YLLpB0jxf/piyifVR0J1Ns0oG YZ2Van20KShdFT20SxOcbSUiNlGuuc1ubv5VD7p7FOe/zHQRofwoyunbiIvoiq6d 7X39muLS5aQMeUEkeCthNh4NXWrCUh+SJD2oq5iQFkU9weDEjCGeURsCAwEAAaNj MGEwDgYDVR0PAQH/BAQDAgKkMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFEx+ yxIQKO1MLFpM0hZWjaxOnuHxMB8GA1UdIwQYMBaAFEx+yxIQKO1MLFpM0hZWjaxO nuHxMA0GCSqGSIb3DQEBCwUAA4IBAQCBABkRIO2555qkjbkd6Ftt5LMqJ/avCG0/ wuUj72Eq07II8Ac2bBMcyvwWVIseohPPDVJMld07S7SGfl/RxFShumYQJaj2N7v0 iVjaOMEjjMQl5PP0AcCoDTbCnbkIZMa3Zo/RZ7x4WocVcDUNb56AdPeJw0pHom++ d4jdA92iZhxSg+tFoPCI/Hwjkd0ek218KQ6FhATkr9aPMDAS6AlLXHr/Ncsv9qfk 9eA7KwBpaI6LK4Cx3ZFdD2chMn0N26zh77yKU4ZoJlncU36o5yS0UoyU+SLaAPAE T+cjbNyyAu2vqB2Wej0AaY40APz8HgQ8lWsXa2HA6YVUJGMkkIPB -----END CERTIFICATE----- server-ca-bundle.crt: | -----BEGIN CERTIFICATE----- MIIDRTCCAi2gAwIBAgIIJUDWE0zORu0wDQYJKoZIhvcNAQELBQAwMDEuMCwGA1UE Awwlb3BlbnNoaWZ0LWV0Y2RfZXRjZC1zaWduZXJAMTc3MTI3NDk2NjAeFw0yNjAy MTYyMDQ5MjZaFw0zMTAyMTUyMDQ5MjdaMDAxLjAsBgNVBAMMJW9wZW5zaGlmdC1l dGNkX2V0Y2Qtc2lnbmVyQDE3NzEyNzQ5NjYwggEiMA0GCSqGSIb3DQEBAQUAA4IB DwAwggEKAoIBAQCzTnJCgoxq1nxvOwqOl66C3sgouGJPp4JqzBL5fX1QpAkVGT8x d0xMk2fkgKE3fQ2iikaHTMzM8HqGV1wiTiPUJPkZUUYO6IuduX6n9JYmFBg+Biis KSaThpGr7BfKpDL63CpHKa0daT5Wy2d1iXtTsI9dqio+utRil128nz5dBdgDvhUu N9hJp2qa7Tzl1HIezR0DaZBKZl54uhkF3Hz6SQuZfUUGCkZV0/xPnTiDENXpZ+TC hcb+cp9WjQBsBnz3uS+iiaGi01h/PoAjmBdjpZ5ua0L9YddclTrnBV0CQRkkMHm8 6+KzHh04bO08RSym+ohiozyVLyQ43VQ3tdKZAgMBAAGjYzBhMA4GA1UdDwEB/wQE AwICpDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRYIPaeSaFOwXVqrh9P4pYm FP3I2TAfBgNVHSMEGDAWgBRYIPaeSaFOwXVqrh9P4pYmFP3I2TANBgkqhkiG9w0B AQsFAAOCAQEAVefZ5erKtdWM9T3UceZTbACbe3xmeBT8gEXPmXKrRQTT/TE4BSdM 8ojrh12gd3B55JtjR0j6ZJ6BVRlkUtqG6la/Imn6fFjwUyONpFtSrsJgp4NikcKk 7tbrp+cyi0g6fTkE+I+vZGloYK6iemmxgoQtU+9bpBmmHlP+UKEA9nKVSckgbugh c9w89od4q9sR3vAybWyoH/IxpQOG/RRNGZ+TWN1SvgQ4RV6IqlRT7f9QgD2IA4cN e31LcUeWCHqAT7Z9tdL06A8h7F8s3HS2siiLACf+A1tFOZygWe1CDoxqAVKn2FdH KtM/f1nUDCX1rlIjS2nAnMMu2yJ4ZgmIUw== -----END 
CERTIFICATE----- kind: ConfigMap metadata: annotations: openshift.io/ceo-bundle-rollout-revision: "0" openshift.io/owning-component: Etcd creationTimestamp: "2026-02-16T20:57:26Z" labels: operator.openshift.io/controller-instance-name: etcd-RevisionController managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:metrics-ca-bundle.crt: {} f:server-ca-bundle.crt: {} f:metadata: f:annotations: .: {} f:openshift.io/ceo-bundle-rollout-revision: {} f:openshift.io/owning-component: {} f:labels: .: {} f:operator.openshift.io/controller-instance-name: {} f:ownerReferences: .: {} k:{"uid":"4573af90-cd9b-4f73-8c30-4e259f1b31e3"}: {} manager: cluster-etcd-operator operation: Update time: "2026-02-16T20:57:26Z" name: etcd-all-bundles-1 namespace: openshift-etcd ownerReferences: - apiVersion: v1 kind: ConfigMap name: revision-status-1 uid: 4573af90-cd9b-4f73-8c30-4e259f1b31e3 resourceVersion: "5683" uid: ae92c218-b341-4efb-95ab-c1dbc6805373 - apiVersion: v1 data: metrics-ca-bundle.crt: | -----BEGIN CERTIFICATE----- MIIDUzCCAjugAwIBAgIIQgaTIi24L1IwDQYJKoZIhvcNAQELBQAwNzE1MDMGA1UE Awwsb3BlbnNoaWZ0LWV0Y2RfZXRjZC1tZXRyaWMtc2lnbmVyQDE3NzEyNzQ5Njcw HhcNMjYwMjE2MjA0OTI2WhcNMzEwMjE1MjA0OTI3WjA3MTUwMwYDVQQDDCxvcGVu c2hpZnQtZXRjZF9ldGNkLW1ldHJpYy1zaWduZXJAMTc3MTI3NDk2NzCCASIwDQYJ KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMq76vEKPY1q16p8YfUEkS82wD/krpMg whw+LSXn9cevZSRV8ERdANuSbb1/GvxKkopmHg+OzrcLRfizJeJ34dE0gVxp3PJ7 jneF+lD7WlqD2j2zHjR0iOmfPdwSAlIzrL7YlbTSHaj3Ku9cR206TNigcH8GodT0 sOkUh/huu8jTQmWCE2WN9D/phQJRiYQh1oMSDP7YLLpB0jxf/piyifVR0J1Ns0oG YZ2Van20KShdFT20SxOcbSUiNlGuuc1ubv5VD7p7FOe/zHQRofwoyunbiIvoiq6d 7X39muLS5aQMeUEkeCthNh4NXWrCUh+SJD2oq5iQFkU9weDEjCGeURsCAwEAAaNj MGEwDgYDVR0PAQH/BAQDAgKkMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFEx+ yxIQKO1MLFpM0hZWjaxOnuHxMB8GA1UdIwQYMBaAFEx+yxIQKO1MLFpM0hZWjaxO nuHxMA0GCSqGSIb3DQEBCwUAA4IBAQCBABkRIO2555qkjbkd6Ftt5LMqJ/avCG0/ wuUj72Eq07II8Ac2bBMcyvwWVIseohPPDVJMld07S7SGfl/RxFShumYQJaj2N7v0 
iVjaOMEjjMQl5PP0AcCoDTbCnbkIZMa3Zo/RZ7x4WocVcDUNb56AdPeJw0pHom++ d4jdA92iZhxSg+tFoPCI/Hwjkd0ek218KQ6FhATkr9aPMDAS6AlLXHr/Ncsv9qfk 9eA7KwBpaI6LK4Cx3ZFdD2chMn0N26zh77yKU4ZoJlncU36o5yS0UoyU+SLaAPAE T+cjbNyyAu2vqB2Wej0AaY40APz8HgQ8lWsXa2HA6YVUJGMkkIPB -----END CERTIFICATE----- server-ca-bundle.crt: | -----BEGIN CERTIFICATE----- MIIDRTCCAi2gAwIBAgIIJUDWE0zORu0wDQYJKoZIhvcNAQELBQAwMDEuMCwGA1UE Awwlb3BlbnNoaWZ0LWV0Y2RfZXRjZC1zaWduZXJAMTc3MTI3NDk2NjAeFw0yNjAy MTYyMDQ5MjZaFw0zMTAyMTUyMDQ5MjdaMDAxLjAsBgNVBAMMJW9wZW5zaGlmdC1l dGNkX2V0Y2Qtc2lnbmVyQDE3NzEyNzQ5NjYwggEiMA0GCSqGSIb3DQEBAQUAA4IB DwAwggEKAoIBAQCzTnJCgoxq1nxvOwqOl66C3sgouGJPp4JqzBL5fX1QpAkVGT8x d0xMk2fkgKE3fQ2iikaHTMzM8HqGV1wiTiPUJPkZUUYO6IuduX6n9JYmFBg+Biis KSaThpGr7BfKpDL63CpHKa0daT5Wy2d1iXtTsI9dqio+utRil128nz5dBdgDvhUu N9hJp2qa7Tzl1HIezR0DaZBKZl54uhkF3Hz6SQuZfUUGCkZV0/xPnTiDENXpZ+TC hcb+cp9WjQBsBnz3uS+iiaGi01h/PoAjmBdjpZ5ua0L9YddclTrnBV0CQRkkMHm8 6+KzHh04bO08RSym+ohiozyVLyQ43VQ3tdKZAgMBAAGjYzBhMA4GA1UdDwEB/wQE AwICpDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRYIPaeSaFOwXVqrh9P4pYm FP3I2TAfBgNVHSMEGDAWgBRYIPaeSaFOwXVqrh9P4pYmFP3I2TANBgkqhkiG9w0B AQsFAAOCAQEAVefZ5erKtdWM9T3UceZTbACbe3xmeBT8gEXPmXKrRQTT/TE4BSdM 8ojrh12gd3B55JtjR0j6ZJ6BVRlkUtqG6la/Imn6fFjwUyONpFtSrsJgp4NikcKk 7tbrp+cyi0g6fTkE+I+vZGloYK6iemmxgoQtU+9bpBmmHlP+UKEA9nKVSckgbugh c9w89od4q9sR3vAybWyoH/IxpQOG/RRNGZ+TWN1SvgQ4RV6IqlRT7f9QgD2IA4cN e31LcUeWCHqAT7Z9tdL06A8h7F8s3HS2siiLACf+A1tFOZygWe1CDoxqAVKn2FdH KtM/f1nUDCX1rlIjS2nAnMMu2yJ4ZgmIUw== -----END CERTIFICATE----- kind: ConfigMap metadata: annotations: openshift.io/ceo-bundle-rollout-revision: "0" openshift.io/owning-component: Etcd creationTimestamp: "2026-02-16T21:10:28Z" labels: operator.openshift.io/controller-instance-name: etcd-RevisionController managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:metrics-ca-bundle.crt: {} f:server-ca-bundle.crt: {} f:metadata: f:annotations: .: {} f:openshift.io/ceo-bundle-rollout-revision: {} f:openshift.io/owning-component: {} f:labels: .: 
{} f:operator.openshift.io/controller-instance-name: {} f:ownerReferences: .: {} k:{"uid":"87a0a0cf-0e3c-4ac2-8337-176684c8e401"}: {} manager: cluster-etcd-operator operation: Update time: "2026-02-16T21:10:28Z" name: etcd-all-bundles-2 namespace: openshift-etcd ownerReferences: - apiVersion: v1 kind: ConfigMap name: revision-status-2 uid: 87a0a0cf-0e3c-4ac2-8337-176684c8e401 resourceVersion: "11319" uid: 22ce3d39-03bc-490a-b144-95e9129adf65 - apiVersion: v1 data: ca-bundle.crt: | -----BEGIN CERTIFICATE----- MIIDRTCCAi2gAwIBAgIIJUDWE0zORu0wDQYJKoZIhvcNAQELBQAwMDEuMCwGA1UE Awwlb3BlbnNoaWZ0LWV0Y2RfZXRjZC1zaWduZXJAMTc3MTI3NDk2NjAeFw0yNjAy MTYyMDQ5MjZaFw0zMTAyMTUyMDQ5MjdaMDAxLjAsBgNVBAMMJW9wZW5zaGlmdC1l dGNkX2V0Y2Qtc2lnbmVyQDE3NzEyNzQ5NjYwggEiMA0GCSqGSIb3DQEBAQUAA4IB DwAwggEKAoIBAQCzTnJCgoxq1nxvOwqOl66C3sgouGJPp4JqzBL5fX1QpAkVGT8x d0xMk2fkgKE3fQ2iikaHTMzM8HqGV1wiTiPUJPkZUUYO6IuduX6n9JYmFBg+Biis KSaThpGr7BfKpDL63CpHKa0daT5Wy2d1iXtTsI9dqio+utRil128nz5dBdgDvhUu N9hJp2qa7Tzl1HIezR0DaZBKZl54uhkF3Hz6SQuZfUUGCkZV0/xPnTiDENXpZ+TC hcb+cp9WjQBsBnz3uS+iiaGi01h/PoAjmBdjpZ5ua0L9YddclTrnBV0CQRkkMHm8 6+KzHh04bO08RSym+ohiozyVLyQ43VQ3tdKZAgMBAAGjYzBhMA4GA1UdDwEB/wQE AwICpDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRYIPaeSaFOwXVqrh9P4pYm FP3I2TAfBgNVHSMEGDAWgBRYIPaeSaFOwXVqrh9P4pYmFP3I2TANBgkqhkiG9w0B AQsFAAOCAQEAVefZ5erKtdWM9T3UceZTbACbe3xmeBT8gEXPmXKrRQTT/TE4BSdM 8ojrh12gd3B55JtjR0j6ZJ6BVRlkUtqG6la/Imn6fFjwUyONpFtSrsJgp4NikcKk 7tbrp+cyi0g6fTkE+I+vZGloYK6iemmxgoQtU+9bpBmmHlP+UKEA9nKVSckgbugh c9w89od4q9sR3vAybWyoH/IxpQOG/RRNGZ+TWN1SvgQ4RV6IqlRT7f9QgD2IA4cN e31LcUeWCHqAT7Z9tdL06A8h7F8s3HS2siiLACf+A1tFOZygWe1CDoxqAVKn2FdH KtM/f1nUDCX1rlIjS2nAnMMu2yJ4ZgmIUw== -----END CERTIFICATE----- kind: ConfigMap metadata: annotations: openshift.io/description: Generated by cluster-etcd-operator for etcd and is used to authenticate clients and peers of etcd. 
openshift.io/owning-component: etcd creationTimestamp: "2026-02-16T20:51:33Z" labels: auth.openshift.io/managed-certificate-type: ca-bundle managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:ca-bundle.crt: {} f:metadata: f:annotations: .: {} f:openshift.io/description: {} f:openshift.io/owning-component: {} f:labels: .: {} f:auth.openshift.io/managed-certificate-type: {} manager: cluster-bootstrap operation: Update time: "2026-02-16T20:51:33Z" name: etcd-ca-bundle namespace: openshift-etcd resourceVersion: "581" uid: d4329f93-3ae6-4633-8a10-4a022b7c0a3a - apiVersion: v1 data: 91eb892c5ee87610: 192.168.32.10 kind: ConfigMap metadata: creationTimestamp: "2026-02-16T20:51:43Z" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: {} manager: cluster-bootstrap operation: Update time: "2026-02-16T20:51:43Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: f:91eb892c5ee87610: {} manager: cluster-etcd-operator operation: Update time: "2026-02-16T21:10:21Z" name: etcd-endpoints namespace: openshift-etcd resourceVersion: "11288" uid: a8eaad39-d3c5-4a76-a183-3ec9934b2263 - apiVersion: v1 data: MTkyLjE2OC4zMi4xMA: 192.168.32.10 kind: ConfigMap metadata: creationTimestamp: "2026-02-16T20:57:25Z" labels: operator.openshift.io/controller-instance-name: etcd-RevisionController managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:MTkyLjE2OC4zMi4xMA: {} f:metadata: f:labels: .: {} f:operator.openshift.io/controller-instance-name: {} f:ownerReferences: .: {} k:{"uid":"4573af90-cd9b-4f73-8c30-4e259f1b31e3"}: {} manager: cluster-etcd-operator operation: Update time: "2026-02-16T20:57:25Z" name: etcd-endpoints-1 namespace: openshift-etcd ownerReferences: - apiVersion: v1 kind: ConfigMap name: revision-status-1 uid: 4573af90-cd9b-4f73-8c30-4e259f1b31e3 resourceVersion: "5593" uid: dc38026b-b9b9-477c-b61a-a32ac24ce1c3 - apiVersion: v1 data: 91eb892c5ee87610: 192.168.32.10 kind: ConfigMap metadata: 
creationTimestamp: "2026-02-16T21:10:26Z" labels: operator.openshift.io/controller-instance-name: etcd-RevisionController managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:91eb892c5ee87610: {} f:metadata: f:labels: .: {} f:operator.openshift.io/controller-instance-name: {} f:ownerReferences: .: {} k:{"uid":"87a0a0cf-0e3c-4ac2-8337-176684c8e401"}: {} manager: cluster-etcd-operator operation: Update time: "2026-02-16T21:10:26Z" name: etcd-endpoints-2 namespace: openshift-etcd ownerReferences: - apiVersion: v1 kind: ConfigMap name: revision-status-2 uid: 87a0a0cf-0e3c-4ac2-8337-176684c8e401 resourceVersion: "11316" uid: 93e6f4bd-3706-4deb-a180-94f09dde0dce - apiVersion: v1 data: ca-bundle.crt: | -----BEGIN CERTIFICATE----- MIIDUzCCAjugAwIBAgIIQgaTIi24L1IwDQYJKoZIhvcNAQELBQAwNzE1MDMGA1UE Awwsb3BlbnNoaWZ0LWV0Y2RfZXRjZC1tZXRyaWMtc2lnbmVyQDE3NzEyNzQ5Njcw HhcNMjYwMjE2MjA0OTI2WhcNMzEwMjE1MjA0OTI3WjA3MTUwMwYDVQQDDCxvcGVu c2hpZnQtZXRjZF9ldGNkLW1ldHJpYy1zaWduZXJAMTc3MTI3NDk2NzCCASIwDQYJ KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMq76vEKPY1q16p8YfUEkS82wD/krpMg whw+LSXn9cevZSRV8ERdANuSbb1/GvxKkopmHg+OzrcLRfizJeJ34dE0gVxp3PJ7 jneF+lD7WlqD2j2zHjR0iOmfPdwSAlIzrL7YlbTSHaj3Ku9cR206TNigcH8GodT0 sOkUh/huu8jTQmWCE2WN9D/phQJRiYQh1oMSDP7YLLpB0jxf/piyifVR0J1Ns0oG YZ2Van20KShdFT20SxOcbSUiNlGuuc1ubv5VD7p7FOe/zHQRofwoyunbiIvoiq6d 7X39muLS5aQMeUEkeCthNh4NXWrCUh+SJD2oq5iQFkU9weDEjCGeURsCAwEAAaNj MGEwDgYDVR0PAQH/BAQDAgKkMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFEx+ yxIQKO1MLFpM0hZWjaxOnuHxMB8GA1UdIwQYMBaAFEx+yxIQKO1MLFpM0hZWjaxO nuHxMA0GCSqGSIb3DQEBCwUAA4IBAQCBABkRIO2555qkjbkd6Ftt5LMqJ/avCG0/ wuUj72Eq07II8Ac2bBMcyvwWVIseohPPDVJMld07S7SGfl/RxFShumYQJaj2N7v0 iVjaOMEjjMQl5PP0AcCoDTbCnbkIZMa3Zo/RZ7x4WocVcDUNb56AdPeJw0pHom++ d4jdA92iZhxSg+tFoPCI/Hwjkd0ek218KQ6FhATkr9aPMDAS6AlLXHr/Ncsv9qfk 9eA7KwBpaI6LK4Cx3ZFdD2chMn0N26zh77yKU4ZoJlncU36o5yS0UoyU+SLaAPAE T+cjbNyyAu2vqB2Wej0AaY40APz8HgQ8lWsXa2HA6YVUJGMkkIPB -----END CERTIFICATE----- kind: ConfigMap metadata: annotations: 
openshift.io/description: Generated by cluster-etcd-operator for etcd and is used to authenticate Prometheus ServiceMonitors reaching etcd. openshift.io/owning-component: etcd creationTimestamp: "2026-02-16T20:51:35Z" labels: auth.openshift.io/managed-certificate-type: ca-bundle managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:ca-bundle.crt: {} f:metadata: f:annotations: .: {} f:openshift.io/description: {} f:openshift.io/owning-component: {} f:labels: .: {} f:auth.openshift.io/managed-certificate-type: {} manager: cluster-bootstrap operation: Update time: "2026-02-16T20:51:35Z" name: etcd-metrics-ca-bundle namespace: openshift-etcd resourceVersion: "589" uid: 7fc69b59-05f2-41bb-998a-17e29620d5a7 - apiVersion: v1 data: forceRedeploymentReason: "" pod.yaml: "apiVersion: v1\nkind: Pod\nmetadata:\n name: etcd\n namespace: openshift-etcd\n \ annotations:\n kubectl.kubernetes.io/default-container: etcd\n target.workload.openshift.io/management: '{\"effect\": \"PreferredDuringScheduling\"}'\n labels:\n app: etcd\n k8s-app: etcd\n etcd: \"true\"\n revision: \"REVISION\"\nspec:\n initContainers:\n \ - name: setup\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8bed6766df40c0c172611f3e4555cd20db639eb505b2345abed6d5babdcbb5e3\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n \ echo -n \"Fixing etcd log permissions.\"\n mkdir -p /var/log/etcd \ && chmod 0600 /var/log/etcd\n echo -n \"Fixing etcd auto backup permissions.\"\n \ mkdir -p /var/lib/etcd-auto-backup && chmod 0600 /var/lib/etcd-auto-backup\n \ securityContext:\n privileged: true\n resources:\n requests:\n \ memory: 50Mi\n cpu: 5m\n volumeMounts:\n - mountPath: /var/log/etcd\n name: log-dir\n - name: etcd-ensure-env-vars\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8bed6766df40c0c172611f3e4555cd20db639eb505b2345abed6d5babdcbb5e3\n \ imagePullPolicy: IfNotPresent\n 
terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n \ set -euo pipefail\n\n : \"${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST?not set}\"\n : \"${NODE_NODE_ENVVAR_NAME_ETCD_NAME?not set}\"\n : \"${NODE_NODE_ENVVAR_NAME_IP?not set}\"\n\n # check for ipv4 addresses as well as ipv6 addresses with extra square brackets\n if [[ \"${NODE_NODE_ENVVAR_NAME_IP}\" != \"${NODE_IP}\" && \"${NODE_NODE_ENVVAR_NAME_IP}\" != \"[${NODE_IP}]\" ]]; then\n # echo the error message to stderr\n echo \"Expected node IP to be ${NODE_IP} got ${NODE_NODE_ENVVAR_NAME_IP}\" >&2\n exit 1\n fi\n\n # check for ipv4 addresses as well as ipv6 addresses with extra square brackets\n if [[ \"${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}\" != \"${NODE_IP}\" && \"${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}\" != \"[${NODE_IP}]\" ]]; then\n # echo the error message to stderr\n echo \"Expected etcd url host to be ${NODE_IP} got ${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}\" >&2\n exit 1\n fi\n\n resources:\n requests:\n \ memory: 60Mi\n cpu: 10m\n securityContext:\n privileged: true\n env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_API\"\n value: \"3\"\n - name: \"ETCDCTL_CACERT\"\n \ value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: 
\"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n \ value: \"true\"\n - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n \ value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n \ value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n \ value: \"5s\"\n - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8bed6766df40c0c172611f3e4555cd20db639eb505b2345abed6d5babdcbb5e3\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n \ - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n \ - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n \ value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n \ value: \"192.168.32.10\"\n - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n - name: NODE_IP\n valueFrom:\n fieldRef:\n \ fieldPath: status.podIP\n - name: etcd-resources-copy\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8bed6766df40c0c172611f3e4555cd20db639eb505b2345abed6d5babdcbb5e3\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n \ set -euo pipefail\n\n rm -f $(grep -l '^### Created by cluster-etcd-operator' /usr/local/bin/*)\n cp -p /etc/kubernetes/static-pod-certs/configmaps/etcd-scripts/*.sh /usr/local/bin\n\n resources:\n requests:\n memory: 60Mi\n \ cpu: 10m\n securityContext:\n privileged: true\n 
volumeMounts:\n \ - mountPath: /etc/kubernetes/static-pod-resources\n name: resource-dir\n \ - mountPath: /etc/kubernetes/static-pod-certs\n name: cert-dir\n \ - mountPath: /usr/local/bin\n name: usr-local-bin\n containers:\n \ # The etcdctl container should always be first. It is intended to be used\n \ # to open a remote shell via `oc rsh` that is ready to run `etcdctl`.\n - name: etcdctl\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8bed6766df40c0c172611f3e4555cd20db639eb505b2345abed6d5babdcbb5e3\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - \"/bin/bash\"\n - \"-c\"\n - \"trap TERM INT; sleep infinity & wait\"\n resources:\n requests:\n memory: 60Mi\n \ cpu: 10m\n volumeMounts:\n - mountPath: /etc/kubernetes/manifests\n \ name: static-pod-dir\n - mountPath: /etc/kubernetes/static-pod-resources\n \ name: resource-dir\n - mountPath: /etc/kubernetes/static-pod-certs\n \ name: cert-dir\n - mountPath: /var/lib/etcd/\n name: data-dir\n \ env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_API\"\n value: \"3\"\n - name: \"ETCDCTL_CACERT\"\n \ value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: 
\"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n \ value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n value: \"true\"\n \ - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n value: \"5s\"\n \ - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n \ value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8bed6766df40c0c172611f3e4555cd20db639eb505b2345abed6d5babdcbb5e3\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n \ value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n value: \"192.168.32.10\"\n \ - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n - name: \"ETCD_STATIC_POD_VERSION\"\n value: \"REVISION\"\n\n - name: etcd\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8bed6766df40c0c172611f3e4555cd20db639eb505b2345abed6d5babdcbb5e3\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n set -euo pipefail\n\n etcdctl member list || true\n\n # this has a non-zero return code if the command is non-zero. 
If you use an export first, it doesn't and you\n # will succeed when you should fail.\n ETCD_INITIAL_CLUSTER=$(discover-etcd-initial-cluster \\\n --cacert=/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt \\\n --cert=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt \\\n --key=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key \\\n --endpoints=${ALL_ETCD_ENDPOINTS} \\\n --data-dir=/var/lib/etcd \\\n --target-peer-url-host=${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST} \\\n --target-name=NODE_NAME)\n export ETCD_INITIAL_CLUSTER\n\n \ # we cannot use the \"normal\" port conflict initcontainer because when we upgrade, the existing static pod will never yield,\n # so we do the detection in etcd container itself.\n echo -n \"Waiting for ports 2379, 2380 and 9978 to be released.\"\n time while [ -n \"$(ss -Htan '( sport = 2379 or sport = 2380 or sport = 9978 )')\" ]; do\n echo -n \".\"\n \ sleep 1\n done\n\n export ETCD_NAME=${NODE_NODE_ENVVAR_NAME_ETCD_NAME}\n \ env | grep ETCD | grep -v NODE\n\n set -x\n # See https://etcd.io/docs/v3.4.0/tuning/ for why we use ionice\n exec nice -n -19 ionice -c2 -n0 etcd \\\n --logger=zap \\\n --log-level=info \\\n --experimental-initial-corrupt-check=true \\\n --snapshot-count=10000 \\\n --initial-advertise-peer-urls=https://${NODE_NODE_ENVVAR_NAME_IP}:2380 \\\n --cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.crt \\\n --key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.key \\\n --trusted-ca-file=/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt \\\n --client-cert-auth=true \\\n --peer-cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt \\\n --peer-key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key \\\n 
--peer-trusted-ca-file=/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt \\\n --peer-client-cert-auth=true \\\n --advertise-client-urls=https://${NODE_NODE_ENVVAR_NAME_IP}:2379 \\\n --listen-client-urls=https://0.0.0.0:2379,unixs://${NODE_NODE_ENVVAR_NAME_IP}:0 \\\n --listen-peer-urls=https://0.0.0.0:2380 \\\n --metrics=extensive \\\n --listen-metrics-urls=https://0.0.0.0:9978 || mv /etc/kubernetes/etcd-backup-dir/etcd-member.yaml /etc/kubernetes/manifests\n ports:\n - containerPort: 2379\n name: etcd\n protocol: TCP\n - containerPort: 2380\n name: etcd-peer\n \ protocol: TCP\n - containerPort: 9978\n name: etcd-metrics\n protocol: TCP\n env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_API\"\n value: \"3\"\n - name: \"ETCDCTL_CACERT\"\n \ value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n \ value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n value: \"true\"\n \ - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n value: \"5s\"\n \ - 
name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n \ value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8bed6766df40c0c172611f3e4555cd20db639eb505b2345abed6d5babdcbb5e3\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n \ value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n value: \"192.168.32.10\"\n \ - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n - name: \"ETCD_STATIC_POD_VERSION\"\n value: \"REVISION\"\n resources:\n requests:\n \ memory: 600Mi\n cpu: 300m\n readinessProbe:\n httpGet:\n \ port: 9980\n path: readyz\n scheme: HTTPS\n timeoutSeconds: 30\n failureThreshold: 5\n periodSeconds: 5\n successThreshold: 1\n livenessProbe:\n httpGet:\n path: healthz\n port: 9980\n scheme: HTTPS\n timeoutSeconds: 30\n periodSeconds: 5\n successThreshold: 1\n failureThreshold: 5\n startupProbe:\n \ httpGet:\n port: 9980\n path: readyz\n scheme: HTTPS\n \ initialDelaySeconds: 10\n timeoutSeconds: 1\n periodSeconds: 10\n successThreshold: 1\n failureThreshold: 18\n securityContext:\n \ privileged: true\n volumeMounts:\n - mountPath: /etc/kubernetes/manifests\n \ name: static-pod-dir\n - mountPath: /etc/kubernetes/static-pod-resources\n \ name: resource-dir\n - mountPath: /etc/kubernetes/static-pod-certs\n \ name: cert-dir\n - mountPath: /var/lib/etcd/\n name: data-dir\n\n \ - name: etcd-metrics\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8bed6766df40c0c172611f3e4555cd20db639eb505b2345abed6d5babdcbb5e3\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n set -euo pipefail\n\n export ETCD_NAME=${NODE_NODE_ENVVAR_NAME_ETCD_NAME}\n\n \ exec nice -n -18 etcd grpc-proxy start \\\n --endpoints 
https://${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}:9978 \\\n --metrics-addr https://0.0.0.0:9979 \\\n --listen-addr 127.0.0.1:9977 \\\n --advertise-client-url \"\" \\\n --key /etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key \\\n --key-file /etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-metrics-NODE_NAME.key \\\n --cert /etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt \\\n --cert-file /etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-metrics-NODE_NAME.crt \\\n --cacert /etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt \\\n --trusted-ca-file /etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/metrics-ca-bundle.crt \\\n --listen-cipher-suites TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 \\\n --tls-min-version $(ETCD_TLS_MIN_VERSION)\n ports:\n - containerPort: 9979\n name: proxy-metrics\n protocol: TCP\n env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \n \ - name: \"ETCDCTL_API\"\n value: \"3\"\n \n - name: \"ETCDCTL_CACERT\"\n \ value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ \n - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ \n - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ \n - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ \n - name: \"ETCD_CIPHER_SUITES\"\n value: 
\"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ \n - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n \n \ - name: \"ETCD_ELECTION_TIMEOUT\"\n value: \"2500\"\n \n - name: \"ETCD_ENABLE_PPROF\"\n value: \"true\"\n \n - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n \ value: \"1\"\n \n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n \ value: \"200ms\"\n \n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n \ value: \"5s\"\n \n - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n \n - name: \"ETCD_IMAGE\"\n value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8bed6766df40c0c172611f3e4555cd20db639eb505b2345abed6d5babdcbb5e3\"\n \ \n - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n \ \n - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n \ \n - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n \n \ - name: \"ETCD_TLS_MIN_VERSION\"\n value: \"TLS1.2\"\n \n - name: \"NODE_master_0_ETCD_NAME\"\n value: \"master-0\"\n \n - name: \"NODE_master_0_ETCD_URL_HOST\"\n \ value: \"192.168.32.10\"\n \n - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n - name: \"ETCD_STATIC_POD_VERSION\"\n value: \"REVISION\"\n \ resources:\n requests:\n memory: 200Mi\n cpu: 40m\n securityContext:\n \ privileged: true\n volumeMounts:\n - mountPath: /etc/kubernetes/static-pod-resources\n \ name: resource-dir\n - mountPath: /etc/kubernetes/static-pod-certs\n \ name: cert-dir\n - mountPath: /var/lib/etcd/\n name: data-dir\n \ - name: etcd-readyz\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:6dd9324942b3d09b4b9a768f36b47be4e555d947910ee3d115fc5448c95f7399\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ 
command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n set -euo pipefail\n \n exec nice -n -18 cluster-etcd-operator readyz \\\n --target=https://localhost:2379 \\\n --listen-port=9980 \\\n --serving-cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.crt \\\n --serving-key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.key \\\n --client-cert-file=$(ETCDCTL_CERT) \\\n --client-key-file=$(ETCDCTL_KEY) \\\n --client-cacert-file=$(ETCDCTL_CACERT) \\\n --listen-cipher-suites TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 \\\n --listen-tls-min-version=$(ETCD_TLS_MIN_VERSION)\n securityContext:\n \ privileged: true\n ports:\n - containerPort: 9980\n name: readyz\n \ protocol: TCP\n resources:\n requests:\n memory: 50Mi\n \ cpu: 10m\n env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n - name: \"ETCDCTL_API\"\n value: \"3\"\n \ - name: \"ETCDCTL_CACERT\"\n value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: 
\"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n \ value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n value: \"true\"\n \ - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n value: \"5s\"\n \ - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n \ value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8bed6766df40c0c172611f3e4555cd20db639eb505b2345abed6d5babdcbb5e3\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n \ value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n value: \"192.168.32.10\"\n \ - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n volumeMounts:\n \ - mountPath: /var/log/etcd/\n name: log-dir\n - mountPath: /etc/kubernetes/static-pod-certs\n name: cert-dir\n - name: etcd-rev\n \ image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:6dd9324942b3d09b4b9a768f36b47be4e555d947910ee3d115fc5448c95f7399\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n set -euo pipefail\n \n cluster-etcd-operator rev \\\n --endpoints=$(ALL_ETCD_ENDPOINTS) \\\n --client-cert-file=$(ETCDCTL_CERT) \\\n --client-key-file=$(ETCDCTL_KEY) \\\n --client-cacert-file=$(ETCDCTL_CACERT)\n securityContext:\n \ 
privileged: true\n resources:\n requests:\n memory: 50Mi\n \ cpu: 10m\n env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n - name: \"ETCDCTL_API\"\n value: \"3\"\n \ - name: \"ETCDCTL_CACERT\"\n value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n \ value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n value: \"true\"\n \ - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n value: \"5s\"\n \ - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n \ value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8bed6766df40c0c172611f3e4555cd20db639eb505b2345abed6d5babdcbb5e3\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n \ value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n value: \"192.168.32.10\"\n \ - name: 
\"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n volumeMounts:\n \ - mountPath: /var/lib/etcd\n name: data-dir\n - mountPath: /etc/kubernetes/static-pod-certs\n \ name: cert-dir\n hostNetwork: true\n priorityClassName: system-node-critical\n \ tolerations:\n - operator: \"Exists\"\n volumes:\n - hostPath:\n path: /etc/kubernetes/manifests\n name: static-pod-dir\n - hostPath:\n path: /etc/kubernetes/static-pod-resources/etcd-pod-REVISION\n name: resource-dir\n \ - hostPath:\n path: /etc/kubernetes/static-pod-resources/etcd-certs\n \ name: cert-dir\n - hostPath:\n path: /var/lib/etcd\n type: \"\"\n name: data-dir\n - hostPath:\n path: /usr/local/bin\n \ name: usr-local-bin\n - hostPath:\n path: /var/log/etcd\n name: log-dir\n - hostPath:\n path: /etc/kubernetes\n name: config-dir\n \ - hostPath:\n path: /var/lib/etcd-auto-backup\n name: etcd-auto-backup-dir\n" version: 4.18.0-202601171614.p2.g5a69ce1.assembly.stream.el9-5a69ce1 kind: ConfigMap metadata: creationTimestamp: "2026-02-16T20:57:21Z" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:forceRedeploymentReason: {} f:pod.yaml: {} f:version: {} manager: cluster-etcd-operator operation: Update time: "2026-02-16T20:57:21Z" name: etcd-pod namespace: openshift-etcd resourceVersion: "5265" uid: b8e645c1-6d84-44fd-b3b4-a41423b06b55 - apiVersion: v1 data: forceRedeploymentReason: "" pod.yaml: "apiVersion: v1\nkind: Pod\nmetadata:\n name: etcd\n namespace: openshift-etcd\n \ annotations:\n kubectl.kubernetes.io/default-container: etcd\n target.workload.openshift.io/management: '{\"effect\": \"PreferredDuringScheduling\"}'\n labels:\n app: etcd\n k8s-app: etcd\n etcd: \"true\"\n revision: \"REVISION\"\nspec:\n initContainers:\n \ - name: setup\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8bed6766df40c0c172611f3e4555cd20db639eb505b2345abed6d5babdcbb5e3\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n 
#!/bin/sh\n \ echo -n \"Fixing etcd log permissions.\"\n mkdir -p /var/log/etcd \ && chmod 0600 /var/log/etcd\n echo -n \"Fixing etcd auto backup permissions.\"\n \ mkdir -p /var/lib/etcd-auto-backup && chmod 0600 /var/lib/etcd-auto-backup\n \ securityContext:\n privileged: true\n resources:\n requests:\n \ memory: 50Mi\n cpu: 5m\n volumeMounts:\n - mountPath: /var/log/etcd\n name: log-dir\n - name: etcd-ensure-env-vars\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8bed6766df40c0c172611f3e4555cd20db639eb505b2345abed6d5babdcbb5e3\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n \ set -euo pipefail\n\n : \"${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST?not set}\"\n : \"${NODE_NODE_ENVVAR_NAME_ETCD_NAME?not set}\"\n : \"${NODE_NODE_ENVVAR_NAME_IP?not set}\"\n\n # check for ipv4 addresses as well as ipv6 addresses with extra square brackets\n if [[ \"${NODE_NODE_ENVVAR_NAME_IP}\" != \"${NODE_IP}\" && \"${NODE_NODE_ENVVAR_NAME_IP}\" != \"[${NODE_IP}]\" ]]; then\n # echo the error message to stderr\n echo \"Expected node IP to be ${NODE_IP} got ${NODE_NODE_ENVVAR_NAME_IP}\" >&2\n exit 1\n fi\n\n # check for ipv4 addresses as well as ipv6 addresses with extra square brackets\n if [[ \"${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}\" != \"${NODE_IP}\" && \"${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}\" != \"[${NODE_IP}]\" ]]; then\n # echo the error message to stderr\n echo \"Expected etcd url host to be ${NODE_IP} got ${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}\" >&2\n exit 1\n fi\n\n resources:\n requests:\n \ memory: 60Mi\n cpu: 10m\n securityContext:\n privileged: true\n env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_API\"\n value: \"3\"\n - name: \"ETCDCTL_CACERT\"\n \ value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: 
\"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n \ value: \"true\"\n - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n \ value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n \ value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n \ value: \"5s\"\n - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8bed6766df40c0c172611f3e4555cd20db639eb505b2345abed6d5babdcbb5e3\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n \ - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n \ - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n \ value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n \ value: \"192.168.32.10\"\n - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n - name: NODE_IP\n valueFrom:\n fieldRef:\n \ fieldPath: status.podIP\n - name: etcd-resources-copy\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8bed6766df40c0c172611f3e4555cd20db639eb505b2345abed6d5babdcbb5e3\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ 
command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n \ set -euo pipefail\n\n rm -f $(grep -l '^### Created by cluster-etcd-operator' /usr/local/bin/*)\n cp -p /etc/kubernetes/static-pod-certs/configmaps/etcd-scripts/*.sh /usr/local/bin\n\n resources:\n requests:\n memory: 60Mi\n \ cpu: 10m\n securityContext:\n privileged: true\n volumeMounts:\n \ - mountPath: /etc/kubernetes/static-pod-resources\n name: resource-dir\n \ - mountPath: /etc/kubernetes/static-pod-certs\n name: cert-dir\n \ - mountPath: /usr/local/bin\n name: usr-local-bin\n containers:\n \ # The etcdctl container should always be first. It is intended to be used\n \ # to open a remote shell via `oc rsh` that is ready to run `etcdctl`.\n - name: etcdctl\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8bed6766df40c0c172611f3e4555cd20db639eb505b2345abed6d5babdcbb5e3\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - \"/bin/bash\"\n - \"-c\"\n - \"trap TERM INT; sleep infinity & wait\"\n resources:\n requests:\n memory: 60Mi\n \ cpu: 10m\n volumeMounts:\n - mountPath: /etc/kubernetes/manifests\n \ name: static-pod-dir\n - mountPath: /etc/kubernetes/static-pod-resources\n \ name: resource-dir\n - mountPath: /etc/kubernetes/static-pod-certs\n \ name: cert-dir\n - mountPath: /var/lib/etcd/\n name: data-dir\n \ env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_API\"\n value: \"3\"\n - name: \"ETCDCTL_CACERT\"\n \ value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: 
\"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n \ value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n value: \"true\"\n \ - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n value: \"5s\"\n \ - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n \ value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8bed6766df40c0c172611f3e4555cd20db639eb505b2345abed6d5babdcbb5e3\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n \ value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n value: \"192.168.32.10\"\n \ - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n - name: \"ETCD_STATIC_POD_VERSION\"\n value: \"REVISION\"\n\n - name: etcd\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8bed6766df40c0c172611f3e4555cd20db639eb505b2345abed6d5babdcbb5e3\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n set -euo pipefail\n\n etcdctl member list || true\n\n # this has a non-zero return code if the command is non-zero. 
If you use an export first, it doesn't and you\n # will succeed when you should fail.\n ETCD_INITIAL_CLUSTER=$(discover-etcd-initial-cluster \\\n --cacert=/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt \\\n --cert=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt \\\n --key=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key \\\n --endpoints=${ALL_ETCD_ENDPOINTS} \\\n --data-dir=/var/lib/etcd \\\n --target-peer-url-host=${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST} \\\n --target-name=NODE_NAME)\n export ETCD_INITIAL_CLUSTER\n\n \ # we cannot use the \"normal\" port conflict initcontainer because when we upgrade, the existing static pod will never yield,\n # so we do the detection in etcd container itself.\n echo -n \"Waiting for ports 2379, 2380 and 9978 to be released.\"\n time while [ -n \"$(ss -Htan '( sport = 2379 or sport = 2380 or sport = 9978 )')\" ]; do\n echo -n \".\"\n \ sleep 1\n done\n\n export ETCD_NAME=${NODE_NODE_ENVVAR_NAME_ETCD_NAME}\n \ env | grep ETCD | grep -v NODE\n\n set -x\n # See https://etcd.io/docs/v3.4.0/tuning/ for why we use ionice\n exec nice -n -19 ionice -c2 -n0 etcd \\\n --logger=zap \\\n --log-level=info \\\n --experimental-initial-corrupt-check=true \\\n --snapshot-count=10000 \\\n --initial-advertise-peer-urls=https://${NODE_NODE_ENVVAR_NAME_IP}:2380 \\\n --cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.crt \\\n --key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.key \\\n --trusted-ca-file=/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt \\\n --client-cert-auth=true \\\n --peer-cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt \\\n --peer-key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key \\\n 
--peer-trusted-ca-file=/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt \\\n --peer-client-cert-auth=true \\\n --advertise-client-urls=https://${NODE_NODE_ENVVAR_NAME_IP}:2379 \\\n --listen-client-urls=https://0.0.0.0:2379,unixs://${NODE_NODE_ENVVAR_NAME_IP}:0 \\\n --listen-peer-urls=https://0.0.0.0:2380 \\\n --metrics=extensive \\\n --listen-metrics-urls=https://0.0.0.0:9978 || mv /etc/kubernetes/etcd-backup-dir/etcd-member.yaml /etc/kubernetes/manifests\n ports:\n - containerPort: 2379\n name: etcd\n protocol: TCP\n - containerPort: 2380\n name: etcd-peer\n \ protocol: TCP\n - containerPort: 9978\n name: etcd-metrics\n protocol: TCP\n env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_API\"\n value: \"3\"\n - name: \"ETCDCTL_CACERT\"\n \ value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n \ value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n value: \"true\"\n \ - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n value: \"5s\"\n \ - 
name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n \ value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8bed6766df40c0c172611f3e4555cd20db639eb505b2345abed6d5babdcbb5e3\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n \ value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n value: \"192.168.32.10\"\n \ - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n - name: \"ETCD_STATIC_POD_VERSION\"\n value: \"REVISION\"\n resources:\n requests:\n \ memory: 600Mi\n cpu: 300m\n readinessProbe:\n httpGet:\n \ port: 9980\n path: readyz\n scheme: HTTPS\n timeoutSeconds: 30\n failureThreshold: 5\n periodSeconds: 5\n successThreshold: 1\n livenessProbe:\n httpGet:\n path: healthz\n port: 9980\n scheme: HTTPS\n timeoutSeconds: 30\n periodSeconds: 5\n successThreshold: 1\n failureThreshold: 5\n startupProbe:\n \ httpGet:\n port: 9980\n path: readyz\n scheme: HTTPS\n \ initialDelaySeconds: 10\n timeoutSeconds: 1\n periodSeconds: 10\n successThreshold: 1\n failureThreshold: 18\n securityContext:\n \ privileged: true\n volumeMounts:\n - mountPath: /etc/kubernetes/manifests\n \ name: static-pod-dir\n - mountPath: /etc/kubernetes/static-pod-resources\n \ name: resource-dir\n - mountPath: /etc/kubernetes/static-pod-certs\n \ name: cert-dir\n - mountPath: /var/lib/etcd/\n name: data-dir\n\n \ - name: etcd-metrics\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8bed6766df40c0c172611f3e4555cd20db639eb505b2345abed6d5babdcbb5e3\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n set -euo pipefail\n\n export ETCD_NAME=${NODE_NODE_ENVVAR_NAME_ETCD_NAME}\n\n \ exec nice -n -18 etcd grpc-proxy start \\\n --endpoints 
https://${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}:9978 \\\n --metrics-addr https://0.0.0.0:9979 \\\n --listen-addr 127.0.0.1:9977 \\\n --advertise-client-url \"\" \\\n --key /etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key \\\n --key-file /etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-metrics-NODE_NAME.key \\\n --cert /etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt \\\n --cert-file /etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-metrics-NODE_NAME.crt \\\n --cacert /etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt \\\n --trusted-ca-file /etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/metrics-ca-bundle.crt \\\n --listen-cipher-suites TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 \\\n --tls-min-version $(ETCD_TLS_MIN_VERSION)\n ports:\n - containerPort: 9979\n name: proxy-metrics\n protocol: TCP\n env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \n \ - name: \"ETCDCTL_API\"\n value: \"3\"\n \n - name: \"ETCDCTL_CACERT\"\n \ value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ \n - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ \n - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ \n - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ \n - name: \"ETCD_CIPHER_SUITES\"\n value: 
\"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ \n - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n \n \ - name: \"ETCD_ELECTION_TIMEOUT\"\n value: \"2500\"\n \n - name: \"ETCD_ENABLE_PPROF\"\n value: \"true\"\n \n - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n \ value: \"1\"\n \n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n \ value: \"200ms\"\n \n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n \ value: \"5s\"\n \n - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n \n - name: \"ETCD_IMAGE\"\n value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8bed6766df40c0c172611f3e4555cd20db639eb505b2345abed6d5babdcbb5e3\"\n \ \n - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n \ \n - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n \ \n - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n \n \ - name: \"ETCD_TLS_MIN_VERSION\"\n value: \"TLS1.2\"\n \n - name: \"NODE_master_0_ETCD_NAME\"\n value: \"master-0\"\n \n - name: \"NODE_master_0_ETCD_URL_HOST\"\n \ value: \"192.168.32.10\"\n \n - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n - name: \"ETCD_STATIC_POD_VERSION\"\n value: \"REVISION\"\n \ resources:\n requests:\n memory: 200Mi\n cpu: 40m\n securityContext:\n \ privileged: true\n volumeMounts:\n - mountPath: /etc/kubernetes/static-pod-resources\n \ name: resource-dir\n - mountPath: /etc/kubernetes/static-pod-certs\n \ name: cert-dir\n - mountPath: /var/lib/etcd/\n name: data-dir\n \ - name: etcd-readyz\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:6dd9324942b3d09b4b9a768f36b47be4e555d947910ee3d115fc5448c95f7399\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ 
command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n set -euo pipefail\n \n exec nice -n -18 cluster-etcd-operator readyz \\\n --target=https://localhost:2379 \\\n --listen-port=9980 \\\n --serving-cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.crt \\\n --serving-key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.key \\\n --client-cert-file=$(ETCDCTL_CERT) \\\n --client-key-file=$(ETCDCTL_KEY) \\\n --client-cacert-file=$(ETCDCTL_CACERT) \\\n --listen-cipher-suites TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 \\\n --listen-tls-min-version=$(ETCD_TLS_MIN_VERSION)\n securityContext:\n \ privileged: true\n ports:\n - containerPort: 9980\n name: readyz\n \ protocol: TCP\n resources:\n requests:\n memory: 50Mi\n \ cpu: 10m\n env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n - name: \"ETCDCTL_API\"\n value: \"3\"\n \ - name: \"ETCDCTL_CACERT\"\n value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: 
\"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n \ value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n value: \"true\"\n \ - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n value: \"5s\"\n \ - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n \ value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8bed6766df40c0c172611f3e4555cd20db639eb505b2345abed6d5babdcbb5e3\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n \ value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n value: \"192.168.32.10\"\n \ - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n volumeMounts:\n \ - mountPath: /var/log/etcd/\n name: log-dir\n - mountPath: /etc/kubernetes/static-pod-certs\n name: cert-dir\n - name: etcd-rev\n \ image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:6dd9324942b3d09b4b9a768f36b47be4e555d947910ee3d115fc5448c95f7399\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n set -euo pipefail\n \n cluster-etcd-operator rev \\\n --endpoints=$(ALL_ETCD_ENDPOINTS) \\\n --client-cert-file=$(ETCDCTL_CERT) \\\n --client-key-file=$(ETCDCTL_KEY) \\\n --client-cacert-file=$(ETCDCTL_CACERT)\n securityContext:\n \ 
privileged: true\n resources:\n requests:\n memory: 50Mi\n \ cpu: 10m\n env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n - name: \"ETCDCTL_API\"\n value: \"3\"\n \ - name: \"ETCDCTL_CACERT\"\n value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n \ value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n value: \"true\"\n \ - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n value: \"5s\"\n \ - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n \ value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8bed6766df40c0c172611f3e4555cd20db639eb505b2345abed6d5babdcbb5e3\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n \ value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n value: \"192.168.32.10\"\n \ - name: 
\"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n volumeMounts:\n \ - mountPath: /var/lib/etcd\n name: data-dir\n - mountPath: /etc/kubernetes/static-pod-certs\n \ name: cert-dir\n hostNetwork: true\n priorityClassName: system-node-critical\n \ tolerations:\n - operator: \"Exists\"\n volumes:\n - hostPath:\n path: /etc/kubernetes/manifests\n name: static-pod-dir\n - hostPath:\n path: /etc/kubernetes/static-pod-resources/etcd-pod-REVISION\n name: resource-dir\n \ - hostPath:\n path: /etc/kubernetes/static-pod-resources/etcd-certs\n \ name: cert-dir\n - hostPath:\n path: /var/lib/etcd\n type: \"\"\n name: data-dir\n - hostPath:\n path: /usr/local/bin\n \ name: usr-local-bin\n - hostPath:\n path: /var/log/etcd\n name: log-dir\n - hostPath:\n path: /etc/kubernetes\n name: config-dir\n \ - hostPath:\n path: /var/lib/etcd-auto-backup\n name: etcd-auto-backup-dir\n" version: 4.18.0-202601171614.p2.g5a69ce1.assembly.stream.el9-5a69ce1 kind: ConfigMap metadata: creationTimestamp: "2026-02-16T20:57:24Z" labels: operator.openshift.io/controller-instance-name: etcd-RevisionController managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:forceRedeploymentReason: {} f:pod.yaml: {} f:version: {} f:metadata: f:labels: .: {} f:operator.openshift.io/controller-instance-name: {} f:ownerReferences: .: {} k:{"uid":"4573af90-cd9b-4f73-8c30-4e259f1b31e3"}: {} manager: cluster-etcd-operator operation: Update time: "2026-02-16T20:57:24Z" name: etcd-pod-1 namespace: openshift-etcd ownerReferences: - apiVersion: v1 kind: ConfigMap name: revision-status-1 uid: 4573af90-cd9b-4f73-8c30-4e259f1b31e3 resourceVersion: "5516" uid: a95802bf-57a9-4406-a10c-2b22db7f24e9 - apiVersion: v1 data: forceRedeploymentReason: "" pod.yaml: "apiVersion: v1\nkind: Pod\nmetadata:\n name: etcd\n namespace: openshift-etcd\n \ annotations:\n kubectl.kubernetes.io/default-container: etcd\n target.workload.openshift.io/management: '{\"effect\": \"PreferredDuringScheduling\"}'\n labels:\n app: 
etcd\n k8s-app: etcd\n etcd: \"true\"\n revision: \"REVISION\"\nspec:\n initContainers:\n \ - name: setup\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8bed6766df40c0c172611f3e4555cd20db639eb505b2345abed6d5babdcbb5e3\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n \ echo -n \"Fixing etcd log permissions.\"\n mkdir -p /var/log/etcd \ && chmod 0600 /var/log/etcd\n echo -n \"Fixing etcd auto backup permissions.\"\n \ mkdir -p /var/lib/etcd-auto-backup && chmod 0600 /var/lib/etcd-auto-backup\n \ securityContext:\n privileged: true\n resources:\n requests:\n \ memory: 50Mi\n cpu: 5m\n volumeMounts:\n - mountPath: /var/log/etcd\n name: log-dir\n - name: etcd-ensure-env-vars\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8bed6766df40c0c172611f3e4555cd20db639eb505b2345abed6d5babdcbb5e3\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n \ set -euo pipefail\n\n : \"${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST?not set}\"\n : \"${NODE_NODE_ENVVAR_NAME_ETCD_NAME?not set}\"\n : \"${NODE_NODE_ENVVAR_NAME_IP?not set}\"\n\n # check for ipv4 addresses as well as ipv6 addresses with extra square brackets\n if [[ \"${NODE_NODE_ENVVAR_NAME_IP}\" != \"${NODE_IP}\" && \"${NODE_NODE_ENVVAR_NAME_IP}\" != \"[${NODE_IP}]\" ]]; then\n # echo the error message to stderr\n echo \"Expected node IP to be ${NODE_IP} got ${NODE_NODE_ENVVAR_NAME_IP}\" >&2\n exit 1\n fi\n\n # check for ipv4 addresses as well as ipv6 addresses with extra square brackets\n if [[ \"${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}\" != \"${NODE_IP}\" && \"${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}\" != \"[${NODE_IP}]\" ]]; then\n # echo the error message to stderr\n echo \"Expected etcd url host to be ${NODE_IP} got ${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}\" >&2\n exit 1\n fi\n\n resources:\n requests:\n \ memory: 60Mi\n cpu: 10m\n 
securityContext:\n privileged: true\n env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_API\"\n value: \"3\"\n - name: \"ETCDCTL_CACERT\"\n \ value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n \ value: \"true\"\n - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n \ value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n \ value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n \ value: \"5s\"\n - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8bed6766df40c0c172611f3e4555cd20db639eb505b2345abed6d5babdcbb5e3\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n \ - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n \ - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n \ value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n \ value: \"192.168.32.10\"\n - name: \"NODE_master_0_IP\"\n value: 
\"192.168.32.10\"\n - name: NODE_IP\n valueFrom:\n fieldRef:\n \ fieldPath: status.podIP\n - name: etcd-resources-copy\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8bed6766df40c0c172611f3e4555cd20db639eb505b2345abed6d5babdcbb5e3\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n \ set -euo pipefail\n\n rm -f $(grep -l '^### Created by cluster-etcd-operator' /usr/local/bin/*)\n cp -p /etc/kubernetes/static-pod-certs/configmaps/etcd-scripts/*.sh /usr/local/bin\n\n resources:\n requests:\n memory: 60Mi\n \ cpu: 10m\n securityContext:\n privileged: true\n volumeMounts:\n \ - mountPath: /etc/kubernetes/static-pod-resources\n name: resource-dir\n \ - mountPath: /etc/kubernetes/static-pod-certs\n name: cert-dir\n \ - mountPath: /usr/local/bin\n name: usr-local-bin\n containers:\n \ # The etcdctl container should always be first. It is intended to be used\n \ # to open a remote shell via `oc rsh` that is ready to run `etcdctl`.\n - name: etcdctl\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8bed6766df40c0c172611f3e4555cd20db639eb505b2345abed6d5babdcbb5e3\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - \"/bin/bash\"\n - \"-c\"\n - \"trap TERM INT; sleep infinity & wait\"\n resources:\n requests:\n memory: 60Mi\n \ cpu: 10m\n volumeMounts:\n - mountPath: /etc/kubernetes/manifests\n \ name: static-pod-dir\n - mountPath: /etc/kubernetes/static-pod-resources\n \ name: resource-dir\n - mountPath: /etc/kubernetes/static-pod-certs\n \ name: cert-dir\n - mountPath: /var/lib/etcd/\n name: data-dir\n \ env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_API\"\n value: \"3\"\n - name: \"ETCDCTL_CACERT\"\n \ value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: 
\"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n \ value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n value: \"true\"\n \ - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n value: \"5s\"\n \ - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n \ value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8bed6766df40c0c172611f3e4555cd20db639eb505b2345abed6d5babdcbb5e3\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n \ value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n value: \"192.168.32.10\"\n \ - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n - name: \"ETCD_STATIC_POD_VERSION\"\n value: \"REVISION\"\n\n - name: etcd\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8bed6766df40c0c172611f3e4555cd20db639eb505b2345abed6d5babdcbb5e3\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - 
|\n #!/bin/sh\n set -euo pipefail\n\n etcdctl member list || true\n\n # this has a non-zero return code if the command is non-zero. If you use an export first, it doesn't and you\n # will succeed when you should fail.\n ETCD_INITIAL_CLUSTER=$(discover-etcd-initial-cluster \\\n --cacert=/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt \\\n --cert=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt \\\n --key=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key \\\n --endpoints=${ALL_ETCD_ENDPOINTS} \\\n --data-dir=/var/lib/etcd \\\n --target-peer-url-host=${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST} \\\n --target-name=NODE_NAME)\n export ETCD_INITIAL_CLUSTER\n\n \ # we cannot use the \"normal\" port conflict initcontainer because when we upgrade, the existing static pod will never yield,\n # so we do the detection in etcd container itself.\n echo -n \"Waiting for ports 2379, 2380 and 9978 to be released.\"\n time while [ -n \"$(ss -Htan '( sport = 2379 or sport = 2380 or sport = 9978 )')\" ]; do\n echo -n \".\"\n \ sleep 1\n done\n\n export ETCD_NAME=${NODE_NODE_ENVVAR_NAME_ETCD_NAME}\n \ env | grep ETCD | grep -v NODE\n\n set -x\n # See https://etcd.io/docs/v3.4.0/tuning/ for why we use ionice\n exec nice -n -19 ionice -c2 -n0 etcd \\\n --logger=zap \\\n --log-level=info \\\n --experimental-initial-corrupt-check=true \\\n --snapshot-count=10000 \\\n --initial-advertise-peer-urls=https://${NODE_NODE_ENVVAR_NAME_IP}:2380 \\\n --cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.crt \\\n --key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.key \\\n --trusted-ca-file=/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt \\\n --client-cert-auth=true \\\n --peer-cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt \\\n 
--peer-key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key \\\n --peer-trusted-ca-file=/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt \\\n --peer-client-cert-auth=true \\\n --advertise-client-urls=https://${NODE_NODE_ENVVAR_NAME_IP}:2379 \\\n --listen-client-urls=https://0.0.0.0:2379,unixs://${NODE_NODE_ENVVAR_NAME_IP}:0 \\\n --listen-peer-urls=https://0.0.0.0:2380 \\\n --metrics=extensive \\\n --listen-metrics-urls=https://0.0.0.0:9978 || mv /etc/kubernetes/etcd-backup-dir/etcd-member.yaml /etc/kubernetes/manifests\n ports:\n - containerPort: 2379\n name: etcd\n protocol: TCP\n - containerPort: 2380\n name: etcd-peer\n \ protocol: TCP\n - containerPort: 9978\n name: etcd-metrics\n protocol: TCP\n env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_API\"\n value: \"3\"\n - name: \"ETCDCTL_CACERT\"\n \ value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n \ value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n value: \"true\"\n \ - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n 
value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n value: \"5s\"\n \ - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n \ value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8bed6766df40c0c172611f3e4555cd20db639eb505b2345abed6d5babdcbb5e3\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n \ value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n value: \"192.168.32.10\"\n \ - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n - name: \"ETCD_STATIC_POD_VERSION\"\n value: \"REVISION\"\n resources:\n requests:\n \ memory: 600Mi\n cpu: 300m\n readinessProbe:\n httpGet:\n \ port: 9980\n path: readyz\n scheme: HTTPS\n timeoutSeconds: 30\n failureThreshold: 5\n periodSeconds: 5\n successThreshold: 1\n livenessProbe:\n httpGet:\n path: healthz\n port: 9980\n scheme: HTTPS\n timeoutSeconds: 30\n periodSeconds: 5\n successThreshold: 1\n failureThreshold: 5\n startupProbe:\n \ httpGet:\n port: 9980\n path: readyz\n scheme: HTTPS\n \ initialDelaySeconds: 10\n timeoutSeconds: 1\n periodSeconds: 10\n successThreshold: 1\n failureThreshold: 18\n securityContext:\n \ privileged: true\n volumeMounts:\n - mountPath: /etc/kubernetes/manifests\n \ name: static-pod-dir\n - mountPath: /etc/kubernetes/static-pod-resources\n \ name: resource-dir\n - mountPath: /etc/kubernetes/static-pod-certs\n \ name: cert-dir\n - mountPath: /var/lib/etcd/\n name: data-dir\n\n \ - name: etcd-metrics\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8bed6766df40c0c172611f3e4555cd20db639eb505b2345abed6d5babdcbb5e3\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n set -euo pipefail\n\n export 
ETCD_NAME=${NODE_NODE_ENVVAR_NAME_ETCD_NAME}\n\n \ exec nice -n -18 etcd grpc-proxy start \\\n --endpoints https://${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}:9978 \\\n --metrics-addr https://0.0.0.0:9979 \\\n --listen-addr 127.0.0.1:9977 \\\n --advertise-client-url \"\" \\\n --key /etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key \\\n --key-file /etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-metrics-NODE_NAME.key \\\n --cert /etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt \\\n --cert-file /etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-metrics-NODE_NAME.crt \\\n --cacert /etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt \\\n --trusted-ca-file /etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/metrics-ca-bundle.crt \\\n --listen-cipher-suites TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 \\\n --tls-min-version $(ETCD_TLS_MIN_VERSION)\n ports:\n - containerPort: 9979\n name: proxy-metrics\n protocol: TCP\n env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \n \ - name: \"ETCDCTL_API\"\n value: \"3\"\n \n - name: \"ETCDCTL_CACERT\"\n \ value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ \n - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ \n - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ \n - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ \n - name: \"ETCD_CIPHER_SUITES\"\n value: 
\"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ \n - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n \n \ - name: \"ETCD_ELECTION_TIMEOUT\"\n value: \"2500\"\n \n - name: \"ETCD_ENABLE_PPROF\"\n value: \"true\"\n \n - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n \ value: \"1\"\n \n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n \ value: \"200ms\"\n \n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n \ value: \"5s\"\n \n - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n \n - name: \"ETCD_IMAGE\"\n value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8bed6766df40c0c172611f3e4555cd20db639eb505b2345abed6d5babdcbb5e3\"\n \ \n - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n \ \n - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n \ \n - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n \n \ - name: \"ETCD_TLS_MIN_VERSION\"\n value: \"TLS1.2\"\n \n - name: \"NODE_master_0_ETCD_NAME\"\n value: \"master-0\"\n \n - name: \"NODE_master_0_ETCD_URL_HOST\"\n \ value: \"192.168.32.10\"\n \n - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n - name: \"ETCD_STATIC_POD_VERSION\"\n value: \"REVISION\"\n \ resources:\n requests:\n memory: 200Mi\n cpu: 40m\n securityContext:\n \ privileged: true\n volumeMounts:\n - mountPath: /etc/kubernetes/static-pod-resources\n \ name: resource-dir\n - mountPath: /etc/kubernetes/static-pod-certs\n \ name: cert-dir\n - mountPath: /var/lib/etcd/\n name: data-dir\n \ - name: etcd-readyz\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:6dd9324942b3d09b4b9a768f36b47be4e555d947910ee3d115fc5448c95f7399\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ 
command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n set -euo pipefail\n \n exec nice -n -18 cluster-etcd-operator readyz \\\n --target=https://localhost:2379 \\\n --listen-port=9980 \\\n --serving-cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.crt \\\n --serving-key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.key \\\n --client-cert-file=$(ETCDCTL_CERT) \\\n --client-key-file=$(ETCDCTL_KEY) \\\n --client-cacert-file=$(ETCDCTL_CACERT) \\\n --listen-cipher-suites TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 \\\n --listen-tls-min-version=$(ETCD_TLS_MIN_VERSION)\n securityContext:\n \ privileged: true\n ports:\n - containerPort: 9980\n name: readyz\n \ protocol: TCP\n resources:\n requests:\n memory: 50Mi\n \ cpu: 10m\n env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n - name: \"ETCDCTL_API\"\n value: \"3\"\n \ - name: \"ETCDCTL_CACERT\"\n value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: 
\"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n \ value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n value: \"true\"\n \ - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n value: \"5s\"\n \ - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n \ value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8bed6766df40c0c172611f3e4555cd20db639eb505b2345abed6d5babdcbb5e3\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n \ value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n value: \"192.168.32.10\"\n \ - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n volumeMounts:\n \ - mountPath: /var/log/etcd/\n name: log-dir\n - mountPath: /etc/kubernetes/static-pod-certs\n name: cert-dir\n - name: etcd-rev\n \ image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:6dd9324942b3d09b4b9a768f36b47be4e555d947910ee3d115fc5448c95f7399\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n set -euo pipefail\n \n cluster-etcd-operator rev \\\n --endpoints=$(ALL_ETCD_ENDPOINTS) \\\n --client-cert-file=$(ETCDCTL_CERT) \\\n --client-key-file=$(ETCDCTL_KEY) \\\n --client-cacert-file=$(ETCDCTL_CACERT)\n securityContext:\n \ 
privileged: true\n resources:\n requests:\n memory: 50Mi\n \ cpu: 10m\n env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n - name: \"ETCDCTL_API\"\n value: \"3\"\n \ - name: \"ETCDCTL_CACERT\"\n value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n \ value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n value: \"true\"\n \ - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n value: \"5s\"\n \ - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n \ value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8bed6766df40c0c172611f3e4555cd20db639eb505b2345abed6d5babdcbb5e3\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n \ value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n value: \"192.168.32.10\"\n \ - name: 
\"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n volumeMounts:\n \ - mountPath: /var/lib/etcd\n name: data-dir\n - mountPath: /etc/kubernetes/static-pod-certs\n \ name: cert-dir\n hostNetwork: true\n priorityClassName: system-node-critical\n \ tolerations:\n - operator: \"Exists\"\n volumes:\n - hostPath:\n path: /etc/kubernetes/manifests\n name: static-pod-dir\n - hostPath:\n path: /etc/kubernetes/static-pod-resources/etcd-pod-REVISION\n name: resource-dir\n \ - hostPath:\n path: /etc/kubernetes/static-pod-resources/etcd-certs\n \ name: cert-dir\n - hostPath:\n path: /var/lib/etcd\n type: \"\"\n name: data-dir\n - hostPath:\n path: /usr/local/bin\n \ name: usr-local-bin\n - hostPath:\n path: /var/log/etcd\n name: log-dir\n - hostPath:\n path: /etc/kubernetes\n name: config-dir\n \ - hostPath:\n path: /var/lib/etcd-auto-backup\n name: etcd-auto-backup-dir\n" version: 4.18.0-202601171614.p2.g5a69ce1.assembly.stream.el9-5a69ce1 kind: ConfigMap metadata: creationTimestamp: "2026-02-16T21:10:25Z" labels: operator.openshift.io/controller-instance-name: etcd-RevisionController managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:forceRedeploymentReason: {} f:pod.yaml: {} f:version: {} f:metadata: f:labels: .: {} f:operator.openshift.io/controller-instance-name: {} f:ownerReferences: .: {} k:{"uid":"87a0a0cf-0e3c-4ac2-8337-176684c8e401"}: {} manager: cluster-etcd-operator operation: Update time: "2026-02-16T21:10:25Z" name: etcd-pod-2 namespace: openshift-etcd ownerReferences: - apiVersion: v1 kind: ConfigMap name: revision-status-2 uid: 87a0a0cf-0e3c-4ac2-8337-176684c8e401 resourceVersion: "11304" uid: cc0d485c-7a3f-4efe-ba00-a317d01d116d - apiVersion: v1 data: cluster-backup.sh: | #!/usr/bin/env bash ### Created by cluster-etcd-operator. DO NOT edit. 
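# Strict mode: abort on the first failing command, fail a pipeline when any
# stage fails, and let the ERR trap set further down fire inside functions,
# command substitutions and subshells as well.
set -o errexit
set -o pipefail
set -o errtrace

# example
# cluster-backup.sh $path-to-snapshot

# The script reads files under /etc/kubernetes, so it refuses to run unless
# the effective user is root.
if [[ $EUID -ne 0 ]]; then
  echo "This script must be run as root"
  exit 1
fi

# Print the expected invocation and exit with status 1.
# NOTE(review): the message ends after `[--force] `; an argument placeholder
# appears to have been lost from this copy of the script.
function usage {
  echo 'Path to backup dir required: ./cluster-backup.sh [--force] '
  exit 1
}

# --force skips the "operator is progressing" checks below. The marker is
# appended to both output file names, so a backup taken without those checks
# stays recognisable afterwards.
IS_DIRTY=""
if [ "$1" == "--force" ]; then
  IS_DIRTY="__POSSIBLY_DIRTY__"
  shift
fi

# If the first argument is missing, or it is an existing file, then print usage and exit
if [ -z "$1" ] || [ -f "$1" ]; then
  usage
fi

# NOTE(review): a directory created here gets its mode from the caller's
# umask. The snapshot and the archive written into it hold cluster state, so
# the parent path should be one that only root can reach.
if [ ! -d "$1" ]; then
  mkdir -p "$1"
fi

# Abort unless the named cluster operator reports Progressing=False.
#   $1  cluster operator name, passed to `oc get co`
# Exits 1 when the KUBECONFIG file is missing, when no status could be read,
# or when the status is anything other than "False".
function check_if_operator_is_progressing {
  local operator="$1"
  local progressing

  if [ ! -f "${KUBECONFIG}" ]; then
    echo "Valid kubeconfig is not found in kube-apiserver-certs. Exiting!"
    exit 1
  fi

  # `|| true` keeps errexit from ending the script here, so an unreachable
  # API server falls through to the explicit message below.
  progressing=$(oc get co "${operator}" -o jsonpath='{.status.conditions[?(@.type=="Progressing")].status}') || true
  if [ "$progressing" == "" ]; then
    echo "Could not find the status of the $operator. Check if the API server is running. Pass the --force flag to skip checks."
    exit 1
  elif [ "$progressing" != "False" ]; then
    echo "Currently the $operator operator is progressing. A reliable backup requires that a rollout is not in progress. Aborting!"
    exit 1
  fi
}

# backup latest static pod resources
#   $1  path of the tar.gz archive to create
# For each control-plane component the revisioned resource directory is read
# out of the component's static pod manifest; all four directories are then
# archived with paths relative to CONFIG_FILE_DIR.
# NOTE(review): CONFIG_FILE_DIR is not defined in this part of the script;
# presumably it comes from one of the files sourced below -- confirm.
function backup_latest_kube_static_resources {
  local backup_tar_file="$1"
  local backup_resource_list=("kube-apiserver" "kube-controller-manager" "kube-scheduler" "etcd")
  local latest_resource_dirs=()

  for resource in "${backup_resource_list[@]}"; do
    if [ ! -f "/etc/kubernetes/manifests/${resource}-pod.yaml" ]; then
      echo "error finding manifests for the ${resource} pod. please check if it is running."
      exit 1
    fi

    # The first revisioned path mentioned in the manifest is taken as the
    # revision that is currently deployed.
    local latest_resource
    latest_resource=$(grep -o -m 1 "/etc/kubernetes/static-pod-resources/${resource}-pod-[0-9]*" "/etc/kubernetes/manifests/${resource}-pod.yaml") || true

    if [ -z "${latest_resource}" ]; then
      echo "error finding static-pod-resources for the ${resource} pod. please check if it is running."
      exit 1
    fi
    if [ "${IS_DIRTY}" == "" ]; then
      check_if_operator_is_progressing "${resource}"
    fi

    echo "found latest ${resource}: ${latest_resource}"
    latest_resource_dirs+=("${latest_resource#${CONFIG_FILE_DIR}/}")
  done

  # tar latest resources with the path relative to CONFIG_FILE_DIR
  # The archive is created under a restrictive umask so that it is owner-only
  # from the moment it exists; a chmod after the fact leaves a window in which
  # the file carries the caller's default mode. The umask change is confined
  # to the subshell. The static pod resource directories presumably include
  # certificate and key material, which is why the mode matters.
  (
    umask 077
    tar -cpzf "$backup_tar_file" -C "${CONFIG_FILE_DIR}" "${latest_resource_dirs[@]}"
  )
  # Kept as a second line of defence, e.g. if the file already existed.
  chmod 600 "$backup_tar_file"
}

# Source a helper file, or exit 1 with a hint when it does not exist.
#   $1  path of the file to source
function source_required_dependency {
  local src_path="$1"
  if [ ! -f "${src_path}" ]; then
    echo "required dependencies not found, please ensure this script is run on a node with a functional etcd static pod"
    exit 1
  fi
  # shellcheck disable=SC1090
  source "${src_path}"
}

BACKUP_DIR="$1"
DATESTRING=$(date "+%F_%H%M%S")
BACKUP_TAR_FILE="${BACKUP_DIR}/static_kuberesources_${DATESTRING}${IS_DIRTY}.tar.gz"
SNAPSHOT_FILE="${BACKUP_DIR}/snapshot_${DATESTRING}${IS_DIRTY}.db"

# Remove partial output when any later command fails. The paths are quoted
# inside the trap body and preceded by `--`, so a backup directory containing
# spaces or starting with a dash cannot make rm act on other names.
trap 'rm -f -- "${BACKUP_TAR_FILE}" "${SNAPSHOT_FILE}"' ERR

source_required_dependency /etc/kubernetes/static-pod-resources/etcd-certs/configmaps/etcd-scripts/etcd.env
source_required_dependency /etc/kubernetes/static-pod-resources/etcd-certs/configmaps/etcd-scripts/etcd-common-tools

# Replace the certificate paths sourced from etcd.env with the node-local
# directories when the script is not running inside the cluster-backup pod.
if [ ! -f "${ETCDCTL_CACERT}" ]; then
  echo "Certificate ${ETCDCTL_CACERT} is missing. Checking in different directory"
  # First occurrence only, matching the sed substitution this replaces.
  ETCDCTL_CACERT="${ETCDCTL_CACERT/static-pod-certs/static-pod-resources/etcd-certs}"
  ETCDCTL_CERT="${ETCDCTL_CERT/static-pod-certs/static-pod-resources/etcd-certs}"
  ETCDCTL_KEY="${ETCDCTL_KEY/static-pod-certs/static-pod-resources/etcd-certs}"
  export ETCDCTL_CACERT ETCDCTL_CERT ETCDCTL_KEY
  if [ ! -f "${ETCDCTL_CACERT}" ]; then
    echo "Certificate ${ETCDCTL_CACERT} is also missing in the second directory. Exiting!"
    exit 1
  else
    echo "Certificate ${ETCDCTL_CACERT} found!"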
fi fi backup_latest_kube_static_resources "${BACKUP_TAR_FILE}" # Download etcdctl and get the etcd snapshot dl_etcdctl # snapshot save will continue to stay in etcdctl ETCDCTL_ENDPOINTS="https://${NODE_NODE_ENVVAR_NAME_IP}:2379" etcdctl snapshot save "${SNAPSHOT_FILE}" # Check the integrity of the snapshot check_snapshot_status "${SNAPSHOT_FILE}" snapshot_failed=$? # If check_snapshot_status returned 1 it failed, so exit with code 1 if [[ $snapshot_failed -eq 1 ]]; then echo "snapshot failed with exit code ${snapshot_failed}" exit 1 fi echo "snapshot db and kube resources are successfully saved to ${BACKUP_DIR}" cluster-restore.sh: |+ #!/usr/bin/env bash ### Created by cluster-etcd-operator. DO NOT edit. set -o errexit set -o pipefail set -o errtrace # example # ./cluster-restore.sh $path-to-backup # ETCD_ETCDCTL_RESTORE - when set this script will use `etcdctl snapshot restore` instead of a restore pod yaml, # which can be used when restoring a single member (e.g. on single node OCP). # Syncing very big snapshots (>8GiB) from the leader might also be expensive, this aids in # keeping the amount of data pulled to a minimum. This option will neither rev-bump nor mark-compact. if [[ $EUID -ne 0 ]]; then echo "This script must be run as root" exit 1 fi function source_required_dependency { local src_path="$1" if [ ! -f "${src_path}" ]; then echo "required dependencies not found, please ensure this script is run on a node with a functional etcd static pod" exit 1 fi # shellcheck disable=SC1090 source "${src_path}" } source_required_dependency /etc/kubernetes/static-pod-resources/etcd-certs/configmaps/etcd-scripts/etcd.env source_required_dependency /etc/kubernetes/static-pod-resources/etcd-certs/configmaps/etcd-scripts/etcd-common-tools function usage() { echo 'Path to the directory containing backup files is required: ./cluster-restore.sh ' echo 'The backup directory is expected to be contain two files:' echo ' 1. etcd snapshot' echo ' 2. 
A copy of the Static POD resources at the time of backup' exit 1 } # If the argument is not passed, or if it is not a directory, print usage and exit. if [ "$1" == "" ] || [ ! -d "$1" ]; then usage fi function restore_static_pods() { local backup_file="$1" shift local static_pods=("$@") for pod_file_name in "${static_pods[@]}"; do backup_pod_path=$(tar -tvf "${backup_file}" "*${pod_file_name}" | awk '{ print $6 }') || true if [ -z "${backup_pod_path}" ]; then echo "${pod_file_name} does not exist in ${backup_file}" exit 1 fi echo "starting ${pod_file_name}" tar -xvf "${backup_file}" --strip-components=2 -C "${MANIFEST_DIR}"/ "${backup_pod_path}" done } BACKUP_DIR="$1" # shellcheck disable=SC2012 BACKUP_FILE=$(ls -vd "${BACKUP_DIR}"/static_kuberesources*.tar.gz | tail -1) || true # shellcheck disable=SC2012 SNAPSHOT_FILE=$(ls -vd "${BACKUP_DIR}"/snapshot*.db | tail -1) || true ETCD_STATIC_POD_LIST=("etcd-pod.yaml") ETCD_STATIC_POD_CONTAINERS=("etcd" "etcdctl" "etcd-metrics" "etcd-readyz" "etcd-rev" "etcd-backup-server") if [ ! -f "${SNAPSHOT_FILE}" ]; then echo "etcd snapshot ${SNAPSHOT_FILE} does not exist" exit 1 fi # Download etcdctl and check the snapshot status dl_etcdctl check_snapshot_status "${SNAPSHOT_FILE}" ETCD_CLIENT="${ETCD_ETCDCTL_BIN+etcdctl}" if [ -n "${ETCD_ETCDUTL_BIN}" ]; then ETCD_CLIENT="${ETCD_ETCDUTL_BIN}" fi # always move etcd pod and wait for all containers to exit mv_static_pods "${ETCD_STATIC_POD_LIST[@]}" wait_for_containers_to_stop "${ETCD_STATIC_POD_CONTAINERS[@]}" if [ ! 
-d "${ETCD_DATA_DIR_BACKUP}" ]; then mkdir -p "${ETCD_DATA_DIR_BACKUP}" fi # backup old data-dir if [ -d "${ETCD_DATA_DIR}/member" ]; then if [ -d "${ETCD_DATA_DIR_BACKUP}/member" ]; then echo "removing previous backup ${ETCD_DATA_DIR_BACKUP}/member" rm -rf "${ETCD_DATA_DIR_BACKUP}"/member fi echo "Moving etcd data-dir ${ETCD_DATA_DIR}/member to ${ETCD_DATA_DIR_BACKUP}" mv "${ETCD_DATA_DIR}"/member "${ETCD_DATA_DIR_BACKUP}"/ fi if [ -z "${ETCD_ETCDCTL_RESTORE}" ]; then # Restore static pod resources tar -C "${CONFIG_FILE_DIR}" -xzf "${BACKUP_FILE}" static-pod-resources # Copy snapshot to backupdir cp -p "${SNAPSHOT_FILE}" "${ETCD_DATA_DIR_BACKUP}"/snapshot.db # Move the revision.json when it exists [ ! -f "${ETCD_REV_JSON}" ] || mv -f "${ETCD_REV_JSON}" "${ETCD_DATA_DIR_BACKUP}"/revision.json # removing any fio perf files left behind that could be deleted without problems rm -f "${ETCD_DATA_DIR}"/etcd_perf* # ensure the folder is really empty, otherwise the restore pod will crash loop if [ -n "$(ls -A "${ETCD_DATA_DIR}")" ]; then echo "folder ${ETCD_DATA_DIR} is not empty, please review and remove all files in it" exit 1 fi echo "starting restore-etcd static pod" cp -p "${RESTORE_ETCD_POD_YAML}" "${MANIFEST_DIR}/etcd-pod.yaml" else echo "removing etcd data dir..." rm -rf "${ETCD_DATA_DIR}" mkdir -p "${ETCD_DATA_DIR}" echo "starting snapshot restore through etcdctl..." # We are never going to rev-bump here to ensure we don't cause a revision split between the # remainder of the running cluster and this restore member. Imagine your non-restore quorum members run at rev 100, # we would attempt to rev bump this with snapshot at rev 120, now this member is 20 revisions ahead and RAFT is confused. if ! ${ETCD_CLIENT} snapshot restore "${SNAPSHOT_FILE}" --data-dir="${ETCD_DATA_DIR}"; then echo "Snapshot restore failed. Aborting!" 
exit 1 fi # start the original etcd static pod again through the new snapshot echo "restoring old etcd pod to start etcd again" mv "${MANIFEST_STOPPED_DIR}/etcd-pod.yaml" "${MANIFEST_DIR}/etcd-pod.yaml" fi disable-etcd.sh: | #!/usr/bin/env bash ### Created by cluster-etcd-operator. DO NOT edit. set -o errexit set -o pipefail set -o errtrace # disable-etcd.sh # This script will move the etcd static pod into the home/core/assets/manifests-stopped folder and wait for all containers to exit. if [[ $EUID -ne 0 ]]; then echo "This script must be run as root" exit 1 fi function source_required_dependency { local src_path="$1" if [ ! -f "${src_path}" ]; then echo "required dependencies not found, please ensure this script is run on a node with a functional etcd static pod" exit 1 fi # shellcheck disable=SC1090 source "${src_path}" } source_required_dependency /etc/kubernetes/static-pod-resources/etcd-certs/configmaps/etcd-scripts/etcd.env source_required_dependency /etc/kubernetes/static-pod-resources/etcd-certs/configmaps/etcd-scripts/etcd-common-tools ETCD_STATIC_POD_LIST=("etcd-pod.yaml") ETCD_STATIC_POD_CONTAINERS=("etcd" "etcdctl" "etcd-metrics" "etcd-readyz" "etcd-rev" "etcd-backup-server") # always move etcd pod and wait for all containers to exit mv_static_pods "${ETCD_STATIC_POD_LIST[@]}" wait_for_containers_to_stop "${ETCD_STATIC_POD_CONTAINERS[@]}" etcd-common-tools: | # Common environment variables ASSET_DIR="/home/core/assets" CONFIG_FILE_DIR="/etc/kubernetes" MANIFEST_DIR="${CONFIG_FILE_DIR}/manifests" ETCD_DATA_DIR="/var/lib/etcd" ETCD_DATA_DIR_BACKUP="/var/lib/etcd-backup" ETCD_REV_JSON="${ETCD_DATA_DIR}/revision.json" MANIFEST_STOPPED_DIR="${ASSET_DIR}/manifests-stopped" RESTORE_ETCD_POD_YAML="${CONFIG_FILE_DIR}/static-pod-resources/etcd-certs/configmaps/restore-etcd-pod/pod.yaml" QUORUM_RESTORE_ETCD_POD_YAML="${CONFIG_FILE_DIR}/static-pod-resources/etcd-certs/configmaps/restore-etcd-pod/quorum-restore-pod.yaml" 
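# ConfigMap etcd-scripts, data["etcd-common-tools"] continued: its first variable assignments are above this excerpt.
      # The directory is appended to PATH, so a binary copied into it is used only
      # when no earlier PATH entry provides the same name.
      ETCDCTL_BIN_DIR="${CONFIG_FILE_DIR}/static-pod-resources/bin"
      PATH=${PATH}:${ETCDCTL_BIN_DIR}
      export KUBECONFIG="/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/localhost.kubeconfig"
      export ETCD_ETCDCTL_BIN="etcdctl"

      # download etcdctl from download release image
      # Copies etcdctl (plus etcdutl when the image ships it, and jq when the host has
      # none) out of ETCD_IMAGE into ETCDCTL_BIN_DIR. ETCD_IMAGE is pinned by digest
      # in etcd.env, so the copied binaries come from one fixed image.
      function dl_etcdctl {
        # Avoid caching the binary when podman exists, the etcd image is always available locally and we need a way to update etcdctl.
        # When we're running from an etcd image there's no podman and we can continue without a download.
        if ([ -n "$(command -v podman)" ]); then
          local etcdimg="${ETCD_IMAGE}"
          # Declared separately from the assignments: "local x=$(cmd)" returns the
          # status of "local" and would hide a failing podman call from errexit.
          local etcdctr etcdmnt
          etcdctr=$(podman create --authfile=/var/lib/kubelet/config.json "${etcdimg}")
          etcdmnt=$(podman mount "${etcdctr}")
          mkdir -p "${ETCDCTL_BIN_DIR}"
          cp "${etcdmnt}/bin/etcdctl" "${ETCDCTL_BIN_DIR}/"
          if [ -f "${etcdmnt}/bin/etcdutl" ]; then
            cp "${etcdmnt}/bin/etcdutl" "${ETCDCTL_BIN_DIR}/"
            export ETCD_ETCDUTL_BIN=etcdutl
          fi
          if ! [ -x "$(command -v jq)" ]; then
            cp "${etcdmnt}/bin/jq" "${ETCDCTL_BIN_DIR}/"
          fi

          # NOTE(review): the container is unmounted and removed only on the success
          # path; a failing cp above leaves it behind.
          umount "${etcdmnt}"
          podman rm "${etcdctr}"
          etcdctl version
          return
        fi

        if ([ -x "$(command -v etcdctl)" ]); then
          echo "etcdctl is already installed"
          if [ -x "$(command -v etcdutl)" ]; then
            echo "etcdutl is already installed"
            export ETCD_ETCDUTL_BIN=etcdutl
          fi

          return
        fi

        echo "Could neither pull etcdctl nor find it locally in cache. Aborting!"
        exit 1
      }

      # Run "snapshot status" on file $1 with etcdutl when ETCD_ETCDUTL_BIN is set,
      # otherwise with ETCD_ETCDCTL_BIN. Returns 1 when that command fails.
      function check_snapshot_status() {
        local snap_file="$1"

        ETCD_CLIENT="${ETCD_ETCDCTL_BIN}"
        if [ -n "${ETCD_ETCDUTL_BIN}" ]; then
          ETCD_CLIENT="${ETCD_ETCDUTL_BIN}"
        fi

        if ! ${ETCD_CLIENT} snapshot status "${snap_file}" -w json; then
          echo "Backup integrity verification failed. Backup appears corrupted. Aborting!"
          return 1
        fi
      }

      # Poll crictl once per second until no container carrying each given
      # io.kubernetes.container.name label is listed. There is no timeout.
      function wait_for_containers_to_stop() {
        local containers=("$@")

        for container_name in "${containers[@]}"; do
          echo "Waiting for container ${container_name} to stop"
          while [[ -n $(crictl ps --label io.kubernetes.container.name="${container_name}" -q) ]]; do
            echo -n "."
            sleep 1
          done
          echo "complete"
        done
      }

      # Move each named manifest from MANIFEST_DIR to MANIFEST_STOPPED_DIR, creating
      # the latter when needed; names without a manifest file are skipped.
      function mv_static_pods() {
        local containers=("$@")

        # Move manifests and stop static pods
        if [ ! -d "$MANIFEST_STOPPED_DIR" ]; then
          mkdir -p "$MANIFEST_STOPPED_DIR"
        fi

        for POD_FILE_NAME in "${containers[@]}"; do
          echo "...stopping ${POD_FILE_NAME}"
          [ ! -f "${MANIFEST_DIR}/${POD_FILE_NAME}" ] && continue
          mv "${MANIFEST_DIR}/${POD_FILE_NAME}" "${MANIFEST_STOPPED_DIR}"
        done
      }
    etcd.env: |
      # Environment sourced by the etcd-scripts helpers. The ETCDCTL_* paths point
      # at the client CA bundle, certificate and key used for mTLS to etcd.
      # NOTE(review): NODE_NAME in the certificate paths looks like a per-node
      # placeholder that is substituted before use; confirm.
      export ALL_ETCD_ENDPOINTS="https://192.168.32.10:2379"
      export ETCDCTL_API="3"
      export ETCDCTL_CACERT="/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt"
      export ETCDCTL_CERT="/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt"
      export ETCDCTL_ENDPOINTS="https://192.168.32.10:2379"
      export ETCDCTL_KEY="/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key"
      export ETCD_CIPHER_SUITES="TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
      export ETCD_DATA_DIR="/var/lib/etcd"
      export ETCD_ELECTION_TIMEOUT="2500"
      # NOTE(review): turns on etcd's runtime profiling; confirm the endpoint is
      # reachable only by clients that pass the client-certificate check.
      export ETCD_ENABLE_PPROF="true"
      export ETCD_EXPERIMENTAL_MAX_LEARNERS="1"
      export ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION="200ms"
      export ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL="5s"
      export ETCD_HEARTBEAT_INTERVAL="500"
      # Pinned by sha256 digest rather than by tag.
      export ETCD_IMAGE="quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8bed6766df40c0c172611f3e4555cd20db639eb505b2345abed6d5babdcbb5e3"
      export ETCD_INITIAL_CLUSTER_STATE="existing"
      export ETCD_QUOTA_BACKEND_BYTES="8589934592"
      export ETCD_SOCKET_REUSE_ADDRESS="true"
      export ETCD_TLS_MIN_VERSION="TLS1.2"
      export NODE_master_0_ETCD_NAME="master-0"
      export NODE_master_0_ETCD_URL_HOST="192.168.32.10"
      export NODE_master_0_IP="192.168.32.10"
    quorum-restore.sh: |
      #!/usr/bin/env bash

      ### Created by cluster-etcd-operator. DO NOT edit.

      set -o errexit
      set -o pipefail
      set -o errtrace

      # ./quorum-restore.sh
      # This script attempts to restore quorum by spawning a revision-bumped etcd without membership information.

      # Refuse to run unless the effective user is root.
      if [[ $EUID -ne 0 ]]; then
        echo "This script must be run as root"
        exit 1
      fi

      # Source file $1, or exit with status 1 when it does not exist.
      function source_required_dependency {
        local src_path="$1"
        if [ ! -f "${src_path}" ]; then
          echo "required dependencies not found, please ensure this script is run on a node with a functional etcd static pod"
          exit 1
        fi
        # shellcheck disable=SC1090
        source "${src_path}"
      }

      source_required_dependency /etc/kubernetes/static-pod-resources/etcd-certs/configmaps/etcd-scripts/etcd.env
      source_required_dependency /etc/kubernetes/static-pod-resources/etcd-certs/configmaps/etcd-scripts/etcd-common-tools

      ETCD_STATIC_POD_LIST=("etcd-pod.yaml")
      ETCD_STATIC_POD_CONTAINERS=("etcd" "etcdctl" "etcd-metrics" "etcd-readyz" "etcd-rev" "etcd-backup-server")

      # always move etcd pod and wait for all containers to exit
      mv_static_pods "${ETCD_STATIC_POD_LIST[@]}"
      wait_for_containers_to_stop "${ETCD_STATIC_POD_CONTAINERS[@]}"

      # The quorum-restore pod manifest replaces the regular etcd static pod manifest.
      echo "starting restore-etcd static pod"
      cp "${QUORUM_RESTORE_ETCD_POD_YAML}" "${MANIFEST_DIR}/etcd-pod.yaml"
  kind: ConfigMap
  metadata:
    creationTimestamp: "2026-02-16T20:57:21Z"
    managedFields:
    - apiVersion: v1
      fieldsType: FieldsV1
      fieldsV1:
        f:data:
          .: {}
          f:cluster-backup.sh: {}
          f:cluster-restore.sh: {}
          f:disable-etcd.sh: {}
          f:etcd-common-tools: {}
          f:etcd.env: {}
          f:quorum-restore.sh: {}
      manager: cluster-etcd-operator
      operation: Update
      time: "2026-02-16T20:57:21Z"
    name: etcd-scripts
    namespace: openshift-etcd
    resourceVersion: "5251"
    uid: d6c576be-2c17-4cab-b876-1a3cf9044ab5
- apiVersion: v1
  data:
    ca.crt: |
      -----BEGIN CERTIFICATE-----
      MIIDMjCCAhqgAwIBAgIIJT2ddADo4QYwDQYJKoZIhvcNAQELBQAwNzESMBAGA1UE
      CxMJb3BlbnNoaWZ0MSEwHwYDVQQDExhrdWJlLWFwaXNlcnZlci1sYi1zaWduZXIw
      HhcNMjYwMjE2MjA0MDMyWhcNMzYwMjE0MjA0MDMyWjA3MRIwEAYDVQQLEwlvcGVu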
c2hpZnQxITAfBgNVBAMTGGt1YmUtYXBpc2VydmVyLWxiLXNpZ25lcjCCASIwDQYJ KoZIhvcNAQEBBQADggEPADCCAQoCggEBANY1lNKZcmwNjiSxCHwDlefGnQq4kzzJ ORbXQmeep2IzznSO7kwq3K4f/sMsIqfNNDvw3MQ110voXkywL3u4q3ryKC8I7jGn 8o1hZTiGR91SACGv+NrI7eGkPd9d3hK/glVsn2xAMGYDo4UA+x8MCWXfdTrv0dzY +S/85q+0jsk5x39GBwWQl4gjM2WywSIjs/lZjPDlEsBFIyH5aDP74rdErN+ebRld Dt5GUXDRr+KdRtbqYjLMC5801R0bi8wLGjjt9vIRa02meNiUlPDR7cBvk040sr5l Rg/plZFrl1K0vwEImKsmhmOSmr8w7HnQY8uwSyt+WUYmaD5+V5gsfAUCAwEAAaNC MEAwDgYDVR0PAQH/BAQDAgKkMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFOjN c0h7uxSw4xDqc0DDxDqZRgbNMA0GCSqGSIb3DQEBCwUAA4IBAQDMde8KI6pOSzfB Sp8Q9sB1iOO9vmniMw8NS1za+6uhZxVQXJ+1ldfUDb2p95kN4rwi2m+9f7uwsYHI 2BwV7gik/RVER/X3rYP4EHBkGJ5QXJum258KuIJl6SpnKIp2CzgrRPu1xiIQM8Eo 6LmVAKZamAOjKG3/zyIu6en47ICxOaHYkVoVfgPfrGd1qLa0KElZK8S3W5JmZnNa dH2WtfObQ2X6RF0X2BxMzTUjcy1kIL99ud/J/2QOGMOxbMji1Azps3/7qzbwdQrk Et107ayPNdb03/oodOfkRfIKfTXRz0G6JH06Zq0mvU+TFJX75YjbYIB8vA0W2yRz ID8mh8Pd -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIDQDCCAiigAwIBAgIIfmdsyh9qc9QwDQYJKoZIhvcNAQELBQAwPjESMBAGA1UE CxMJb3BlbnNoaWZ0MSgwJgYDVQQDEx9rdWJlLWFwaXNlcnZlci1sb2NhbGhvc3Qt c2lnbmVyMB4XDTI2MDIxNjIwNDAzMloXDTM2MDIxNDIwNDAzMlowPjESMBAGA1UE CxMJb3BlbnNoaWZ0MSgwJgYDVQQDEx9rdWJlLWFwaXNlcnZlci1sb2NhbGhvc3Qt c2lnbmVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8QThrIWWe7x2 eEk8XORWsQFlDWSn0SNC2FBB30f+lrkHkrUNU0+zLHi2SS6K+86CGP+8WvGwi33y atRbSo14rTOiXfHwFDIfbbT/qJR88uawvct4ND2TAotfrCn1YdefjX9o2zT9IjsX 1DLi7KZn/vDRljJok6ocIa2LxZHYJatwb+kNbImmzs/nIciDq+pCR/xb0ivPqTnD c6Tc8qf9OdUxAqmxUa20j6ju6yIoS3BplrC/WWF+yNexT+yjKbiGvfdqQbp24T7q xqoX/N+TBHJSrnSgsaOjXU3Bk8muvxUAn3j8HqdSGrSFG9bgcH0/vMXNKGRMTnRt SbctraeztwIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAqQwDwYDVR0TAQH/BAUwAwEB /zAdBgNVHQ4EFgQUao/aSqRQ2QSqZlf/UdmTmnD8k/swDQYJKoZIhvcNAQELBQAD ggEBAEKjNH0ggrfJOJd53p0Hov21foM4lSVnyEAxD3WCKsvqpz0OLHRlH0C0KbeV x1/aALb6ocAqP4sX3krVb4P9qRqAXqFo0L4grbn1XUDkYxXl6xpnqbIY9BHEwD3r nEa+deswIAR0EPKpOLpXhnJnVJz+fO5axkxg4AmO+Lsa0ttx8x8zqNiCL+qM/GVD 
B3h+9GVNNuYe1rk/aL9H93GxqR0erdZQ6DjBnu5iCz3JU3/EhzLGGfYmjL935vLU RG7JOCqMdCJav3/YsjFQlYlrKdsxTSixKXb8vEQap3qb7P9EdaKiBimFSYWiX3f6 2SLH74czo7ywoQbB/705YEcw2W0= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIDTDCCAjSgAwIBAgIIYsh1siphLLUwDQYJKoZIhvcNAQELBQAwRDESMBAGA1UE CxMJb3BlbnNoaWZ0MS4wLAYDVQQDEyVrdWJlLWFwaXNlcnZlci1zZXJ2aWNlLW5l dHdvcmstc2lnbmVyMB4XDTI2MDIxNjIwNDAzMloXDTM2MDIxNDIwNDAzMlowRDES MBAGA1UECxMJb3BlbnNoaWZ0MS4wLAYDVQQDEyVrdWJlLWFwaXNlcnZlci1zZXJ2 aWNlLW5ldHdvcmstc2lnbmVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC AQEAlwNVDp+gJLbJSuPwOUSb5MDV/sGJNfJFYa34ZaFquJzaMeVmgBc7uskDtJ1u 0J+BFytebtKx0F8WGdIWL+LGVyxqCXkuneUo9oWK74teAQmrAGjiA30zyyWAVhvs fYGzkWr9qvW81a9rRYbQxF+GfAGT0C1lCoPwZfUjhwHTI0rjq7mbhp+8AjRi713o cTYeTd4zji/VR0ysrt1yhC4yI4ixjEoGNQRcHbby6z90ONWwHJB1qy38h+vmrch5 emzafvP/P3nDQQVAPZ6JwSXc/tOWWq5ZgzgNegsxnn8UEHMh/70/A+/PyOM4v1FW WtH/WyVI7i8n2D2dOWNj2niAywIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAqQwDwYD VR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUbw5tw+z4odA6zdyfwmqxS9fUs9swDQYJ KoZIhvcNAQELBQADggEBACyIObITNi3DbsEG7I3ZRow5hjxknQ0FyCHt8UyUqm5L cpSnRoMChn0bnMRxjAGxpxFhyaAyCGMDYy9Ba1pCF/NIGDuge46kIQtYGsh8x1VW qyxogUbIM535m9AlL2Lk5YMFVz6TFKlIKfFkvDwxpQGzrY4PBt4GnRc+WdXLOtaa MPAuzOZjzwAJosviGMK0UbwO0rEdTnPk8YYJAiWI/LwhPtjUkXs3CxgFF7q05hGy HJ19hFQSJPImcUH6Ef36MjxFZCkjbfQXvc3/uF4hdmmTWpGlu3h2nI8iqyaZjSii gFW6D0henox1wqX9dNzvFJQkT0PcvQwyi6cFp4HNcZQ= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIDlzCCAn+gAwIBAgIIJZkGzRv9AeswDQYJKoZIhvcNAQELBQAwWTFXMFUGA1UE AwxOb3BlbnNoaWZ0LWt1YmUtYXBpc2VydmVyLW9wZXJhdG9yX2xvY2FsaG9zdC1y ZWNvdmVyeS1zZXJ2aW5nLXNpZ25lckAxNzcxMjc1NDIyMB4XDTI2MDIxNjIwNTcw MVoXDTM2MDIxNDIwNTcwMlowWTFXMFUGA1UEAwxOb3BlbnNoaWZ0LWt1YmUtYXBp c2VydmVyLW9wZXJhdG9yX2xvY2FsaG9zdC1yZWNvdmVyeS1zZXJ2aW5nLXNpZ25l ckAxNzcxMjc1NDIyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqZ/g FwmKvnwQdV2vIu/Ntz15Y0cUbnrqTu5XhWwK10CV9H55VCnBm4608grwjuuoq3ok e7bTHic39hShAQcRzViCwQ63HKkVkvdprbR/HAdPjFq83+gfYzlrMroozfsSjRRP 
C90QII6zOO0cUowrW3r9jDAmFQzFrZsaYj5I0CXlp4hrzmEP4jPGkjRrks6r68mz Y4Rp1WJBSufiXxzKfoLuXy4PYYy53tFaP9n00C+hY75lvZMkzQuUIVWMKZC+W7hb ocNXUBuWJ8fX5qWJlF3529WHH8KNEELFoTChQ0l0aqBcQzzh695e6j/dvE8Vf3Tt F2XQ/jpWLhrFefZqQwIDAQABo2MwYTAOBgNVHQ8BAf8EBAMCAqQwDwYDVR0TAQH/ BAUwAwEB/zAdBgNVHQ4EFgQUCZwdr7LFtbyC4NGNEedY8uJ1TkYwHwYDVR0jBBgw FoAUCZwdr7LFtbyC4NGNEedY8uJ1TkYwDQYJKoZIhvcNAQELBQADggEBAAYsB+m/ j9qpY9T+JnrsNdtjuSnBNi+vh80wP8hgNRQM17XUIGQ1to+ITsiPe8+S77hVI5lj 6Sa7Bz9X6jTGbllxqrlJRYbHoL6Yd45F6T0+VROKwQTvOSeGTIDi+xRcBorZ/tg2 o1RX4ShsPcgk9WAFnZcUsKYtwfl3pcJCsheOfTWUrvIwqscuy6hJrD3GnNL/5SSq e+XS/LdUiM0tGEelsGLnMAlDFi98Uh3xh13P0gqIymLhaliF6TgIOSrzHSKBnTeI ZKKj6fZdcyEjgqzv/II1aRnoxpG//D2i/zJF1tW7oUNyuvJiasy0SRkX/Koza7Vm SBBjo3qxNtKTGZw= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIDZzCCAk+gAwIBAgIIcdWnCNYdEAowDQYJKoZIhvcNAQELBQAwJjEkMCIGA1UE AwwbaW5ncmVzcy1vcGVyYXRvckAxNzcxMjc1NDUxMB4XDTI2MDIxNjIwNTczMVoX DTI4MDIxNjIwNTczMlowIzEhMB8GA1UEAwwYKi5hcHBzLnNuby5vcGVuc3RhY2su bGFiMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx5edcwzkUoHWDzZo HRNwRSpiouo+MxNKosK/z6ZdrIfUhBQcDgERtlXemwpEp78QuNaYe+28+J/gv/CD ihvWMrm5ITMD7Y93ZbG4HazMJtqN/KVKJ5KXeHuFXTWwcRsTNUX9LZtkEfVVOou1 iMeSb91Ypj2rRq8GZjAPANwOyQl3+8Bit6mBmWyc4n4ZtWzY32PCpEFfP5cPEMJf /pqOikGWMxxy8iu/Hcjmy2PbL1LPNN006wgzq9FDilnoI9D+KryLZdgiFN+uzkyN Cj5EjRQaLMUdRvYyMICwqGPzILJr0OcvTQzfljhG05zaa2qdY60bejG2Pkr/w9UH a7e/rwIDAQABo4GbMIGYMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEF BQcDATAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQ7lr77R37a+6F0tCoWmp2pW/kq hTAfBgNVHSMEGDAWgBSTAFPSc4f3pmrjikOAZf5jKiTfVTAjBgNVHREEHDAaghgq LmFwcHMuc25vLm9wZW5zdGFjay5sYWIwDQYJKoZIhvcNAQELBQADggEBAJhLMSFn 0OpAuW/qO+5xibPCl657sBr1ofhLK9ZTSh06KqLz2tXhZVJ548ba3e714aFV1TZZ BBJ+S/HsH14iFPmFtH9ehZTnAmafI46ofXRJZ/wNojR/sLExXmqMrrz42+J73UKq 2Thwb8nQLzpOKr6pn2vL5NuAr6uSWD7Eh86KG+ATNd7w4h7oJ9mbd+Winx36/a9i 7kvmklOAwGoTCdFI12Vlj1Zu6Wr3O1O6gAM6LF9J1OXQHhJE+D70i9U6nYkhm+GV TiYYZWBJs00gmsdY4I2Y4Qrv/bjybKB/8n1vTq4z7IN8F+LvOpi4qGxxHkhAN7um UWsNsjvGyZMGrsI= -----END CERTIFICATE----- 
-----BEGIN CERTIFICATE----- MIIDDDCCAfSgAwIBAgIBATANBgkqhkiG9w0BAQsFADAmMSQwIgYDVQQDDBtpbmdy ZXNzLW9wZXJhdG9yQDE3NzEyNzU0NTEwHhcNMjYwMjE2MjA1NzMwWhcNMjgwMjE2 MjA1NzMxWjAmMSQwIgYDVQQDDBtpbmdyZXNzLW9wZXJhdG9yQDE3NzEyNzU0NTEw ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDDnprda6Ua1SJxKXDc8e5c VX2kqscTOmuIW0/2OXn51Ds8/X25ssAEBJOjgjm/XQGEelzvUUOO0JbJMWpembJh zsiCxiR4/c1fTSs09Ztl8wiGxDaZKkY3RiYcNmCyu+CMVmyMEJ5FiY7fc4DerKT7 h+nBBDtMqKx/P8brvE4z2B0SRUOa3DyHQezm2+FUlKQSagoDStPPr7kxaB13KwZD vDqdFbAcr19ncFF707ARqW0wAaPrMtbbvXLJHoFMQRSqPcukD9DTIsz7N+gnYAu1 bWoGmfCSMLLmtYvFAGIYCamAxzw0Liu77TejRMsKX01YibQrNVBjKdPocC5z4blV AgMBAAGjRTBDMA4GA1UdDwEB/wQEAwICpDASBgNVHRMBAf8ECDAGAQH/AgEAMB0G A1UdDgQWBBSTAFPSc4f3pmrjikOAZf5jKiTfVTANBgkqhkiG9w0BAQsFAAOCAQEA k1XYo8TW2beoUdLqkLKGYU944iAtzrKewiXwMGycqK2J37iEcA+ZVdzo1qxA+sTv GoFNivd/Zg6nIl7SPPE6P4G6Kkjwphf+rYIExsB5uZYYOG2/OYEI6cZL+niloIfW ymWCwl+rulzbUgbGqEIFf9HrmBfpCLum06idgN/1lINxorOz2LAD5/qZ81thx6kC A6h06S8KHxxFYTiyDtmXmS/p6gnTc7FU9/keAFg/tchJzEYpTzM6Sw4a4NFg4FmB sbc2rh+Bc6WC4rMfebv7Y/m8v/vLSK1KevHN+y3oBGH1sSrM1BkP8NR8c970l3IG dMsZrpFsDcy72vbTOjHSNQ== -----END CERTIFICATE----- kind: ConfigMap metadata: annotations: kubernetes.io/description: Contains a CA bundle that can be used to verify the kube-apiserver when using internal endpoints such as the internal service IP or kubernetes.default.svc. No other usage is guaranteed across distributions of Kubernetes clusters. 
creationTimestamp: "2026-02-16T20:51:21Z" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:ca.crt: {} f:metadata: f:annotations: .: {} f:kubernetes.io/description: {} manager: kube-controller-manager operation: Update time: "2026-02-16T21:22:53Z" name: kube-root-ca.crt namespace: openshift-etcd resourceVersion: "13408" uid: 120f15f3-3347-4542-b47d-180fa560052b - apiVersion: v1 data: service-ca.crt: | -----BEGIN CERTIFICATE----- MIIDUTCCAjmgAwIBAgIICuXYwdEjZKAwDQYJKoZIhvcNAQELBQAwNjE0MDIGA1UE Awwrb3BlbnNoaWZ0LXNlcnZpY2Utc2VydmluZy1zaWduZXJAMTc3MTI3NTQzMjAe Fw0yNjAyMTYyMDU3MTJaFw0yODA0MTYyMDU3MTNaMDYxNDAyBgNVBAMMK29wZW5z aGlmdC1zZXJ2aWNlLXNlcnZpbmctc2lnbmVyQDE3NzEyNzU0MzIwggEiMA0GCSqG SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC5JiE8vbHSclG6ghHY5dpUzDaY2vTc6puL rM4EJM1+5jrhAxhYplETCWTSwFW9KKSiOzdai+Py6uMtJ3NvhumNkkjSajEs5Jof VHFi04EM6NIJsRy0r71UIxAEqZAtKAYST6wcZb75tnTf+DEt9sJrTe/JDtnluYra wyAcis2g0Jr+j2ncPc4/JW5uMGitjNjLsvktpJ2jOvf+OrUosRoEDZGjgEU1rRQN tnCodtTTjRJBolNE0sCjF8Jr/Y8FGBQdZBviEDAU654MjO6rMf9/KJUmuWPLSwjg GwA9MPYi4qWtqVTWdvrGijUy+pRYWWBTxelfcp3A8fX1RBPC9cZxAgMBAAGjYzBh MA4GA1UdDwEB/wQEAwICpDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBT9LJRR obCKMA7iCmuDBpmA45h+ejAfBgNVHSMEGDAWgBT9LJRRobCKMA7iCmuDBpmA45h+ ejANBgkqhkiG9w0BAQsFAAOCAQEAF6vxxElrG1W6DJ/HzfKHkcvQd/5hBfsPpKKK K5m9Yw64Mwym37uIuL1s87BqhoQR7/N1WUcrhtd77F2k53i8UxQotWiSJ3+woJVI 6mCGRIK/tEgcAdrxsrRSZ3iwptrCfBBnq5pMbIL++144speeJUq36OPCNFsNk5w2 1N1Rc7tzGqCk0uwJRBq7fnAUoVPT5ZWqZye3CRGXTVaslJmjdaPIe2SnAVyAFDcD Zjsq6YI+yc/0OglGZNrZnc678jJnih50nlrDy2zLKwJzqpqHadtE4CIdG4ufhn/L af80uveiv7pmvaxMAXQtb3fd4ZdAjLltzMheR1YkxEjr6P11iQ== -----END CERTIFICATE----- kind: ConfigMap metadata: annotations: service.beta.openshift.io/inject-cabundle: "true" creationTimestamp: "2026-02-16T20:51:21Z" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: {} f:metadata: f:annotations: .: {} f:service.beta.openshift.io/inject-cabundle: {} manager: kube-controller-manager operation: Update time: 
"2026-02-16T20:51:21Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: f:service-ca.crt: {} manager: service-ca-operator operation: Update time: "2026-02-16T20:57:21Z" name: openshift-service-ca.crt namespace: openshift-etcd resourceVersion: "5253" uid: 061959c2-b342-48e9-bde9-88f5d6ac303a - apiVersion: v1 data: forceRedeploymentReason: "" pod.yaml: "apiVersion: v1\nkind: Pod\nmetadata:\n name: etcd\n namespace: openshift-etcd\n \ labels:\n app: etcd\n k8s-app: etcd\n etcd: \"true\"\n revision: \"REVISION\"\nspec:\n containers:\n - name: etcd\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8bed6766df40c0c172611f3e4555cd20db639eb505b2345abed6d5babdcbb5e3\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n set -euo pipefail\n \n export ETCD_NAME=${NODE_NODE_ENVVAR_NAME_ETCD_NAME}\n \ export ETCD_INITIAL_CLUSTER=\"${ETCD_NAME}=https://${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}:2380\"\n \ env | grep ETCD | grep -v NODE\n export ETCD_NODE_PEER_URL=https://${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}:2380\n \ export REV_JSON=\"/var/lib/etcd-backup/revision.json\"\n export SNAPSHOT_FILE=\"/var/lib/etcd-backup/snapshot.db\"\n\n # checking if data directory is empty, if not etcdctl restore will fail \n if [ -n \"$(ls -A \"/var/lib/etcd\")\" ]; then\n echo \"please delete the contents of the /var/lib/etcd directory before restoring, running the restore script will do this for you\"\n exit 1\n fi\n \n ETCD_ETCDCTL_BIN=\"etcdctl\"\n \ if [ -x \"$(command -v etcdutl)\" ]; then\n echo \"found etcdutl, using that instead of etcdctl for local operations\"\n ETCD_ETCDCTL_BIN=\"etcdutl\"\n \ fi \n\n # check if we have backup file to be restored\n \ # if the file exist, check if it has not changed size in last 5 seconds\n \ if [ ! 
-f \"${SNAPSHOT_FILE}\" ]; then\n echo \"please make a copy of the snapshot db file, then move that copy to ${SNAPSHOT_FILE}\"\n \ exit 1\n else\n filesize=$(stat --format=%s \"${SNAPSHOT_FILE}\")\n \ sleep 5\n newfilesize=$(stat --format=%s \"${SNAPSHOT_FILE}\")\n \ if [ \"$filesize\" != \"$newfilesize\" ]; then\n echo \"file size has changed since last 5 seconds, retry sometime after copying is complete\"\n \ exit 1\n fi\n fi\n \n SNAPSHOT_REV=$(etcdutl snapshot status -wjson \"$SNAPSHOT_FILE\" | jq -r \".revision\")\n echo \"snapshot is at revision ${SNAPSHOT_REV}\"\n \n if [ -n \"$(ls -A \"${REV_JSON}\")\" ]; then\n # this will bump by the amount of the last known live revision + 20% slack.\n # Note: the bump amount is an addition to the current revision stored in the snapshot.\n # We're avoiding to do any math with SNAPSHOT_REV, uint64 has plenty of space to double revisions\n # and we're assuming that full disaster restores are a very rare occurrence anyway.\n BUMP_REV=$(jq -r \"(.maxRaftIndex*1.2|floor)\" \"${REV_JSON}\")\n echo \"bumping revisions by ${BUMP_REV}\"\n else\n \ # we can't take SNAPSHOT_REV as an indicator here, because the snapshot might be much older\n # than any currently live served revision. 
\n \ # 1bn would be an etcd running at 1000 writes/s for about eleven days.\n echo \"no revision.json found, assuming a 1bn revision bump\"\n \ BUMP_REV=1000000000\n fi\n \n UUID=$(uuidgen)\n \ echo \"restoring to a single node cluster\"\n ${ETCD_ETCDCTL_BIN} snapshot restore \"${SNAPSHOT_FILE}\" \\\n --name $ETCD_NAME \\\n --initial-cluster=$ETCD_INITIAL_CLUSTER \\\n --initial-cluster-token \"openshift-etcd-${UUID}\" \\\n --initial-advertise-peer-urls $ETCD_NODE_PEER_URL \\\n --data-dir=\"/var/lib/etcd/restore-${UUID}\" \\\n --mark-compacted \\\n --bump-revision \"${BUMP_REV}\"\n\n \ mv /var/lib/etcd/restore-${UUID}/* /var/lib/etcd/\n # copy the revision.json back in case a second restore needs to be run afterwards\n if [ -n \"$(ls -A \"${REV_JSON}\")\" ]; then\n cp ${REV_JSON} /var/lib/etcd/\n \ fi\n\n rmdir /var/lib/etcd/restore-${UUID}\n rm /var/lib/etcd-backup/snapshot.db\n\n \ set -x\n exec etcd \\\n --logger=zap \\\n --log-level=info \\\n --initial-advertise-peer-urls=https://${NODE_NODE_ENVVAR_NAME_IP}:2380 \\\n --cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.crt \\\n --key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.key \\\n --trusted-ca-file=/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt \\\n --client-cert-auth=true \\\n --peer-cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt \\\n --peer-key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key \\\n --peer-trusted-ca-file=/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt \\\n --peer-client-cert-auth=true \\\n --advertise-client-urls=https://${NODE_NODE_ENVVAR_NAME_IP}:2379 \\\n --listen-client-urls=https://0.0.0.0:2379 \\\n --listen-peer-urls=https://0.0.0.0:2380 \\\n --metrics=extensive \\\n --listen-metrics-urls=https://0.0.0.0:9978\n \ env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: 
\"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_API\"\n value: \"3\"\n - name: \"ETCDCTL_CACERT\"\n \ value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n \ value: \"true\"\n - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n \ value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n \ value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n \ value: \"5s\"\n - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8bed6766df40c0c172611f3e4555cd20db639eb505b2345abed6d5babdcbb5e3\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n \ - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n \ - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n \ value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n \ value: \"192.168.32.10\"\n - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n - name: \"ETCD_STATIC_POD_REV\"\n value: \"REVISION\"\n \ resources:\n 
requests:\n memory: 600Mi\n cpu: 300m\n \ readinessProbe:\n tcpSocket:\n port: 2380\n failureThreshold: 3\n initialDelaySeconds: 3\n periodSeconds: 5\n successThreshold: 1\n timeoutSeconds: 5\n securityContext:\n privileged: true\n volumeMounts:\n \ - mountPath: /etc/kubernetes/manifests\n name: static-pod-dir\n \ - mountPath: /etc/kubernetes/static-pod-certs\n name: cert-dir\n \ - mountPath: /var/lib/etcd/\n name: data-dir\n - mountPath: /var/lib/etcd-backup/\n name: backup-dir\n - name: etcd-readyz\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:6dd9324942b3d09b4b9a768f36b47be4e555d947910ee3d115fc5448c95f7399\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n set -euo pipefail\n \n exec nice -n -18 cluster-etcd-operator readyz \\\n --target=https://localhost:2379 \\\n --listen-port=9980 \\\n --serving-cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.crt \\\n --serving-key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.key \\\n --client-cert-file=$(ETCDCTL_CERT) \\\n --client-key-file=$(ETCDCTL_KEY) \\\n --client-cacert-file=$(ETCDCTL_CACERT) \\\n --listen-cipher-suites=$(ETCD_CIPHER_SUITES)\n \ securityContext:\n privileged: true\n ports:\n - containerPort: 9980\n name: readyz\n protocol: TCP\n resources:\n requests:\n \ memory: 50Mi\n cpu: 10m\n env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n \ value: \"https://192.168.32.10:2379\"\n - name: \"ETCDCTL_API\"\n \ value: \"3\"\n - name: \"ETCDCTL_CACERT\"\n value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: 
\"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n \ value: \"true\"\n - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n \ value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n \ value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n \ value: \"5s\"\n - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8bed6766df40c0c172611f3e4555cd20db639eb505b2345abed6d5babdcbb5e3\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n \ - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n \ - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n \ value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n \ value: \"192.168.32.10\"\n - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n volumeMounts:\n - mountPath: /etc/kubernetes/static-pod-certs\n \ name: cert-dir\n hostNetwork: true\n priorityClassName: system-node-critical\n \ tolerations:\n - operator: \"Exists\"\n volumes:\n - hostPath:\n path: /etc/kubernetes/manifests\n name: static-pod-dir\n - hostPath:\n path: /etc/kubernetes/static-pod-resources/etcd-certs\n name: cert-dir\n - hostPath:\n path: /var/lib/etcd\n type: \"\"\n name: data-dir\n \ - hostPath:\n path: /var/lib/etcd-backup\n type: \"\"\n name: backup-dir\n" 
# Tail of the "restore-etcd-pod" ConfigMap, then the two revision-status
# ConfigMaps and the ConfigMapList footer. The key that follows belongs under
# that ConfigMap's `data:` (managedFields below lists f:quorum-restore-pod.yaml
# and f:version under f:data).
#
# NOTE(review): the block layout is restored here from the key names; the
# double-quoted string is only re-folded (a line break inside a double-quoted
# scalar folds to a single space, so its value is the same as on one line).
# The manifest inside the string shows single spaces where nesting indentation
# would be expected, so this capture looks whitespace-collapsed. Treat the
# string as evidence to read, not as a manifest to apply -- confirm against
# the live object.
#
# What the embedded Pod manifest declares (all visible in the string):
#   * Two containers, `etcd` and `etcd-readyz`; both set
#     `securityContext.privileged: true`, and the pod sets `hostNetwork: true`.
#   * hostPath volumes: /etc/kubernetes/manifests,
#     /etc/kubernetes/static-pod-resources/etcd-certs, /var/lib/etcd and
#     /var/lib/etcd-backup. The etcd container mounts all four; etcd-readyz
#     mounts only the cert directory.
#   * The etcd container starts etcd with --force-new-cluster and
#     --force-new-cluster-bump-amount. The bump is floor(maxRaftIndex * 0.2)
#     read with jq from /var/lib/etcd/revision.json, or 1000000000 when the
#     `ls -A` check on that file prints nothing.
#   * TLS: --client-cert-auth=true and --peer-client-cert-auth=true; the same
#     server-ca-bundle.crt is given as --trusted-ca-file and
#     --peer-trusted-ca-file. Client (2379), peer (2380) and metrics (9978)
#     listeners bind https://0.0.0.0. ETCD_TLS_MIN_VERSION is "TLS1.2" and
#     every suite in ETCD_CIPHER_SUITES is a GCM or CHACHA20_POLY1305 suite.
#   * ETCD_ENABLE_PPROF is "true" -- NOTE(review): confirm profiling endpoints
#     are meant to be enabled on this listener in your environment.
#   * Both images are referenced by sha256 digest rather than by tag.
#   * Only paths to certificate and key files appear; no key material is
#     present in this string.
#   * REVISION, NODE_NAME and NODE_ENVVAR_NAME look like unsubstituted
#     placeholders (the env list names NODE_master_0_* while the script reads
#     NODE_NODE_ENVVAR_NAME_*) -- presumably filled in before use; TODO confirm.
#
# NOTE(review): a manifest carried in a ConfigMap that runs privileged with
# hostNetwork and a mount of the static-pod directory makes write access to
# this ConfigMap security-sensitive; review RBAC on the openshift-etcd
# namespace and audit updates to this object.
    quorum-restore-pod.yaml: "apiVersion: v1\nkind: Pod\nmetadata:\n
      name: etcd\n
      \ namespace: openshift-etcd\n
      labels:\n
      app: etcd\n
      k8s-app: etcd\n
      etcd: \"true\"\n
      revision: \"REVISION\"\nspec:\n
      containers:\n
      - name: etcd\n
      \ image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8bed6766df40c0c172611f3e4555cd20db639eb505b2345abed6d5babdcbb5e3\n
      \ imagePullPolicy: IfNotPresent\n
      terminationMessagePolicy: FallbackToLogsOnError\n
      \ command:\n
      - /bin/sh\n
      - -c\n
      - |\n #!/bin/sh\n
      set -euo pipefail\n
      \n
      export REV_JSON=\"/var/lib/etcd/revision.json\"\n
      \ \n
      if [ -n \"$(ls -A \"${REV_JSON}\")\" ]; then\n # this will bump by the amount of 20% of the last known live revision. \n
      \ BUMP_REV=$(jq -r \"(.maxRaftIndex*0.2|floor)\" \"${REV_JSON}\")\n
      \ echo \"bumping revisions by ${BUMP_REV}\"\n
      else\n # 1bn would be an etcd running at 1000 writes/s for about eleven days.\n
      echo \"no revision.json found, assuming a 1bn revision bump\"\n
      BUMP_REV=1000000000\n
      \ fi\n
      \n
      set -x\n
      exec etcd \\\n
      --logger=zap \\\n
      --log-level=info \\\n
      --force-new-cluster \\\n
      --force-new-cluster-bump-amount=\"${BUMP_REV}\" \\\n
      --name=\"${NODE_NODE_ENVVAR_NAME_ETCD_NAME}\" \\\n
      --initial-cluster=\"${NODE_NODE_ENVVAR_NAME_ETCD_NAME}=https://${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}:2380\" \\\n
      --initial-advertise-peer-urls=https://${NODE_NODE_ENVVAR_NAME_IP}:2380 \\\n
      --cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.crt \\\n
      --key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.key \\\n
      --trusted-ca-file=/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt \\\n
      --client-cert-auth=true \\\n
      --peer-cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt \\\n
      --peer-key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key \\\n
      --peer-trusted-ca-file=/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt \\\n
      --peer-client-cert-auth=true \\\n
      --advertise-client-urls=https://${NODE_NODE_ENVVAR_NAME_IP}:2379 \\\n
      --listen-client-urls=https://0.0.0.0:2379 \\\n
      --listen-peer-urls=https://0.0.0.0:2380 \\\n
      --metrics=extensive \\\n
      --listen-metrics-urls=https://0.0.0.0:9978\n
      \ env:\n
      - name: \"ALL_ETCD_ENDPOINTS\"\n
      value: \"https://192.168.32.10:2379\"\n
      \ - name: \"ETCDCTL_API\"\n
      value: \"3\"\n
      - name: \"ETCDCTL_CACERT\"\n
      \ value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n
      \ - name: \"ETCDCTL_CERT\"\n
      value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n
      \ - name: \"ETCDCTL_ENDPOINTS\"\n
      value: \"https://192.168.32.10:2379\"\n
      \ - name: \"ETCDCTL_KEY\"\n
      value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n
      \ - name: \"ETCD_CIPHER_SUITES\"\n
      value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n
      \ - name: \"ETCD_DATA_DIR\"\n
      value: \"/var/lib/etcd\"\n
      - name: \"ETCD_ELECTION_TIMEOUT\"\n
      value: \"2500\"\n
      - name: \"ETCD_ENABLE_PPROF\"\n
      \ value: \"true\"\n
      - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n
      \ value: \"1\"\n
      - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n
      \ value: \"200ms\"\n
      - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n
      \ value: \"5s\"\n
      - name: \"ETCD_HEARTBEAT_INTERVAL\"\n
      value: \"500\"\n
      - name: \"ETCD_IMAGE\"\n
      value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8bed6766df40c0c172611f3e4555cd20db639eb505b2345abed6d5babdcbb5e3\"\n
      \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n
      value: \"existing\"\n
      \ - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n
      value: \"8589934592\"\n
      \ - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n
      value: \"true\"\n
      - name: \"ETCD_TLS_MIN_VERSION\"\n
      value: \"TLS1.2\"\n
      - name: \"NODE_master_0_ETCD_NAME\"\n
      \ value: \"master-0\"\n
      - name: \"NODE_master_0_ETCD_URL_HOST\"\n
      \ value: \"192.168.32.10\"\n
      - name: \"NODE_master_0_IP\"\n
      value: \"192.168.32.10\"\n
      - name: \"ETCD_STATIC_POD_REV\"\n
      value: \"REVISION\"\n
      \ resources:\n
      requests:\n
      memory: 600Mi\n
      cpu: 300m\n
      \ readinessProbe:\n
      tcpSocket:\n
      port: 2380\n
      failureThreshold: 3\n
      initialDelaySeconds: 3\n
      periodSeconds: 5\n
      successThreshold: 1\n
      timeoutSeconds: 5\n
      securityContext:\n
      privileged: true\n
      volumeMounts:\n
      \ - mountPath: /etc/kubernetes/manifests\n
      name: static-pod-dir\n
      \ - mountPath: /etc/kubernetes/static-pod-certs\n
      name: cert-dir\n
      \ - mountPath: /var/lib/etcd/\n
      name: data-dir\n
      - mountPath: /var/lib/etcd-backup/\n
      name: backup-dir\n
      - name: etcd-readyz\n
      image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:6dd9324942b3d09b4b9a768f36b47be4e555d947910ee3d115fc5448c95f7399\n
      \ imagePullPolicy: IfNotPresent\n
      terminationMessagePolicy: FallbackToLogsOnError\n
      \ command:\n
      - /bin/sh\n
      - -c\n
      - |\n #!/bin/sh\n
      set -euo pipefail\n
      \n
      exec nice -n -18 cluster-etcd-operator readyz \\\n
      --target=https://localhost:2379 \\\n
      --listen-port=9980 \\\n
      --serving-cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.crt \\\n
      --serving-key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.key \\\n
      --client-cert-file=$(ETCDCTL_CERT) \\\n
      --client-key-file=$(ETCDCTL_KEY) \\\n
      --client-cacert-file=$(ETCDCTL_CACERT) \\\n
      --listen-cipher-suites=$(ETCD_CIPHER_SUITES)\n
      \ securityContext:\n
      privileged: true\n
      ports:\n
      - containerPort: 9980\n
      name: readyz\n
      protocol: TCP\n
      resources:\n
      requests:\n
      \ memory: 50Mi\n
      cpu: 10m\n
      env:\n
      - name: \"ALL_ETCD_ENDPOINTS\"\n
      \ value: \"https://192.168.32.10:2379\"\n
      - name: \"ETCDCTL_API\"\n
      \ value: \"3\"\n
      - name: \"ETCDCTL_CACERT\"\n
      value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n
      \ - name: \"ETCDCTL_CERT\"\n
      value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n
      \ - name: \"ETCDCTL_ENDPOINTS\"\n
      value: \"https://192.168.32.10:2379\"\n
      \ - name: \"ETCDCTL_KEY\"\n
      value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n
      \ - name: \"ETCD_CIPHER_SUITES\"\n
      value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n
      \ - name: \"ETCD_DATA_DIR\"\n
      value: \"/var/lib/etcd\"\n
      - name: \"ETCD_ELECTION_TIMEOUT\"\n
      value: \"2500\"\n
      - name: \"ETCD_ENABLE_PPROF\"\n
      \ value: \"true\"\n
      - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n
      \ value: \"1\"\n
      - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n
      \ value: \"200ms\"\n
      - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n
      \ value: \"5s\"\n
      - name: \"ETCD_HEARTBEAT_INTERVAL\"\n
      value: \"500\"\n
      - name: \"ETCD_IMAGE\"\n
      value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8bed6766df40c0c172611f3e4555cd20db639eb505b2345abed6d5babdcbb5e3\"\n
      \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n
      value: \"existing\"\n
      \ - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n
      value: \"8589934592\"\n
      \ - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n
      value: \"true\"\n
      - name: \"ETCD_TLS_MIN_VERSION\"\n
      value: \"TLS1.2\"\n
      - name: \"NODE_master_0_ETCD_NAME\"\n
      \ value: \"master-0\"\n
      - name: \"NODE_master_0_ETCD_URL_HOST\"\n
      \ value: \"192.168.32.10\"\n
      - name: \"NODE_master_0_IP\"\n
      value: \"192.168.32.10\"\n
      volumeMounts:\n
      - mountPath: /etc/kubernetes/static-pod-certs\n
      \ name: cert-dir\n
      hostNetwork: true\n
      priorityClassName: system-node-critical\n
      \ tolerations:\n
      - operator: \"Exists\"\n
      volumes:\n
      - hostPath:\n
      path: /etc/kubernetes/manifests\n
      name: static-pod-dir\n
      - hostPath:\n
      path: /etc/kubernetes/static-pod-resources/etcd-certs\n
      name: cert-dir\n
      - hostPath:\n
      path: /var/lib/etcd\n
      type: \"\"\n
      name: data-dir\n
      \ - hostPath:\n
      path: /var/lib/etcd-backup\n
      type: \"\"\n
      name: backup-dir\n"
    # Build/version string stored alongside the manifests in the same data map.
    version: 4.18.0-202601171614.p2.g5a69ce1.assembly.stream.el9-5a69ce1
  kind: ConfigMap
  metadata:
    creationTimestamp: "2026-02-16T20:57:24Z"
    # managedFields records which manager last wrote which fields; here
    # cluster-etcd-operator owns every data key of this ConfigMap.
    managedFields:
    - apiVersion: v1
      fieldsType: FieldsV1
      fieldsV1:
        f:data:
          .: {}
          f:forceRedeploymentReason: {}
          f:pod.yaml: {}
          f:quorum-restore-pod.yaml: {}
          f:version: {}
      manager: cluster-etcd-operator
      operation: Update
      time: "2026-02-16T20:57:24Z"
    name: restore-etcd-pod
    namespace: openshift-etcd
    resourceVersion: "5491"
    uid: 85355d51-7c9a-4984-80eb-b53df02bd898
# Revision status record 1: carries the recorded reason and revision number,
# is labelled with controller instance etcd-RevisionController and annotated
# revision-ready "true"; last written by cluster-etcd-operator.
- apiVersion: v1
  data:
    reason: configmap "etcd-pod-0" not found
    revision: "1"
  kind: ConfigMap
  metadata:
    annotations:
      operator.openshift.io/revision-ready: "true"
    creationTimestamp: "2026-02-16T20:57:22Z"
    labels:
      operator.openshift.io/controller-instance-name: etcd-RevisionController
    managedFields:
    - apiVersion: v1
      fieldsType: FieldsV1
      fieldsV1:
        f:data:
          .: {}
          f:reason: {}
          f:revision: {}
        f:metadata:
          f:annotations:
            .: {}
            f:operator.openshift.io/revision-ready: {}
          f:labels:
            .: {}
            f:operator.openshift.io/controller-instance-name: {}
      manager: cluster-etcd-operator
      operation: Update
      time: "2026-02-16T20:57:28Z"
    name: revision-status-1
    namespace: openshift-etcd
    resourceVersion: "5793"
    uid: 4573af90-cd9b-4f73-8c30-4e259f1b31e3
# Revision status record 2: same shape as record 1; the recorded reason is a
# change to configmap/etcd-endpoints, created about 13 minutes after record 1.
- apiVersion: v1
  data:
    reason: required configmap/etcd-endpoints has changed
    revision: "2"
  kind: ConfigMap
  metadata:
    annotations:
      operator.openshift.io/revision-ready: "true"
    creationTimestamp: "2026-02-16T21:10:23Z"
    labels:
      operator.openshift.io/controller-instance-name: etcd-RevisionController
    managedFields:
    - apiVersion: v1
      fieldsType: FieldsV1
      fieldsV1:
        f:data:
          .: {}
          f:reason: {}
          f:revision: {}
        f:metadata:
          f:annotations:
            .: {}
            f:operator.openshift.io/revision-ready: {}
          f:labels:
            .: {}
            f:operator.openshift.io/controller-instance-name: {}
      manager: cluster-etcd-operator
      operation: Update
      time: "2026-02-16T21:10:30Z"
    name: revision-status-2
    namespace: openshift-etcd
    resourceVersion: "11328"
    uid: 87a0a0cf-0e3c-4ac2-8337-176684c8e401
# List footer: kind and resourceVersion of the enclosing ConfigMapList.
kind: ConfigMapList
metadata:
  resourceVersion: "56171"