--- apiVersion: v1 items: - apiVersion: v1 data: install-config: | additionalTrustBundlePolicy: Proxyonly apiVersion: v1 baseDomain: openstack.lab bootstrapInPlace: installationDisk: /dev/disk/by-path/pci-0000:00:06.0 compute: - architecture: amd64 hyperthreading: Enabled name: worker platform: {} replicas: 0 controlPlane: architecture: amd64 hyperthreading: Enabled name: master platform: {} replicas: 1 metadata: creationTimestamp: null name: sno networking: clusterNetwork: - cidr: 10.128.0.0/16 hostPrefix: 23 machineNetwork: - cidr: 192.168.32.0/24 networkType: OVNKubernetes serviceNetwork: - 172.30.0.0/16 platform: none: {} publish: External pullSecret: "" sshKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7mW7zdgmOnq1mrQ0AqDmsz6DFHh2jP/Eq4l33rcXUUEMOGLSx3srLjcukbt/dmIfUV6UsoJzRVb/lAqi6TsanPnt3g2Il3e2xYLHJ2sfuawjrMMj1N5xhxL1P3/k15ZdBp/PA0Zq59UXjWOr2itEOLEcDFo20eTRQrrhTOHq1ySDKCuLg7TAZ7dgxITe+J6TIfXgShpdKEcJscWE723DjhX8uKy+MNfMMNZhlIoSmxNnifdW/mLMeM844K2ozhfcnG9/tLNdEGWESSm5TfEzt+Bf5yHn3Owxi1CMZ4AdFb4T+nsA2io9/mClIEebQTd67rJkKBIgL/8QWpMJJ4lRp kind: ConfigMap metadata: annotations: kubernetes.io/description: The install-config content used to create the cluster. The cluster configuration may have evolved since installation, so check cluster configuration resources directly if you are interested in the current cluster state. creationTimestamp: "2026-03-12T14:12:39Z" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:install-config: {} f:metadata: f:annotations: .: {} f:kubernetes.io/description: {} manager: cluster-etcd-operator operation: Update time: "2026-03-12T14:12:39Z" name: cluster-config-v1 namespace: openshift-etcd resourceVersion: "5491" uid: 869b8b4e-3635-409e-89c5-cfc64e7fedf1 - apiVersion: v1 data: metrics-ca-bundle.crt: | -----BEGIN CERTIFICATE----- MIIDUzCCAjugAwIBAgIIF2dX4kPf2W4wDQYJKoZIhvcNAQELBQAwNzE1MDMGA1UE Awwsb3BlbnNoaWZ0LWV0Y2RfZXRjZC1tZXRyaWMtc2lnbmVyQDE3NzMzMjQyNzcw HhcNMjYwMzEyMTQwNDM2WhcNMzEwMzExMTQwNDM3WjA3MTUwMwYDVQQDDCxvcGVu c2hpZnQtZXRjZF9ldGNkLW1ldHJpYy1zaWduZXJAMTc3MzMyNDI3NzCCASIwDQYJ KoZIhvcNAQEBBQADggEPADCCAQoCggEBAKhSUawjSq8DrWPTWZErlnXW3EIaBbKl 8s0Ct33Jm5HzJOTWft6ZTL62k6e99qi1XtoFTy8XVdQ5yiv/8f3Xkq0fgqbKI29V u9qnel54h6E366V1i1YP6WJCeX784O+Rqoey6JYT4wXr3DswCVTFSU8OUW5yjn3D cqIZIEzjOSkRUVha689yDCaPxjSBVyGyQnrg3MZKkhMHLwxgHrYug+PdWpHjrWo+ 2gkzfxHBYVw33i28HwacmUWIL/7hNJdBTfYFaX20KvxV4qD+40i8hL0aNGOwAQgR AEqW2SSRHPhHGyU7Q9HGfNesbpKzN+bOyH5MD0UoraxA+NYEUWi2/VkCAwEAAaNj MGEwDgYDVR0PAQH/BAQDAgKkMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFOqd kwP4RDGceDRSDpDcBzUhVPrPMB8GA1UdIwQYMBaAFOqdkwP4RDGceDRSDpDcBzUh VPrPMA0GCSqGSIb3DQEBCwUAA4IBAQAsAwuIG0hQBHsXS2vOchwLShQJ/sWAQhUt 4Le2ztEztfrZzX2lM6XUYqMnagPRlkCtPOEDsCxfCU30MSkFodwu5uwrBJS/0Ewk +gipvoHjOEWQyD14i6Ndqdg22dPgHLgnpOXaQ//YaEFiqt9XneRTM5nW83GJg4G3 80eEgWKKXvRO7NgDJ/wfao8y9tfohHuFxNZtxKGLFm2NyNg7Z1zd6tulPMhRIOti /+F9eIBDkun0Zno6Vt2Wrktpxy444PXBe0Bob32lCGC4C+8AgPaR+tjtlUIYTzxV LC13nkSZm7bdm6DWovd1eJeh6CDeoNX4xLOiHJN9wXOFXxymapVf -----END CERTIFICATE----- server-ca-bundle.crt: | -----BEGIN CERTIFICATE----- MIIDRTCCAi2gAwIBAgIIJQ/DuN+mjnYwDQYJKoZIhvcNAQELBQAwMDEuMCwGA1UE Awwlb3BlbnNoaWZ0LWV0Y2RfZXRjZC1zaWduZXJAMTc3MzMyNDI3NzAeFw0yNjAz MTIxNDA0MzZaFw0zMTAzMTExNDA0MzdaMDAxLjAsBgNVBAMMJW9wZW5zaGlmdC1l dGNkX2V0Y2Qtc2lnbmVyQDE3NzMzMjQyNzcwggEiMA0GCSqGSIb3DQEBAQUAA4IB DwAwggEKAoIBAQDTGsjuyMCtLSUTJ6LAsfbpXphdcvH/OY/N+uygBp7TVXQc3NwS 9S3iBmYZ6GJl6o3UD1mBjm5bGjrQJHoK8JaEt1tr/8MJjtVU1MTfRuov47YhIIuG sR4EYFMTJcV5iQowdQkDeQ4CwHROx213c4eZ5ZtQcYCzilZANkbShdrtDmeyEBDb Rz1bGzMGmC2xFDIiwJOhVm2zLb+DLcmTZwVU+oS47t5/Q4Ts1+72ulCmCD/6xpXH fIyHr2pN0RAnS0Xn3/oVyxUOQZTaAWLtFMRQ99V5haHaGMJ1JP12Po1ItXKYDAxX V9YFs6GbTlU2SX2W+QEm5k+cnpSvYhIvMDEdAgMBAAGjYzBhMA4GA1UdDwEB/wQE AwICpDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQF5g1MqJTjtINacYBRmids EhCmpzAfBgNVHSMEGDAWgBQF5g1MqJTjtINacYBRmidsEhCmpzANBgkqhkiG9w0B AQsFAAOCAQEAAaOsKzP0Q19+8eQvEgTUJ3MMWFw7qSyIdjo7KPllvW7OHZAkipuF E5I8dJlBQwhKkZP6kToIqceHLAIiekDI06yizeEcLKWL9BltOsfPcBR5xx+61pfq i0nQuNS/M4Vt0TApxwZ6Jqdypm9ui9cThK6DR+pmFoGL6ff02znideyppiwR0MfA Lw2TTzNnLotqNwdTZyx7jVYjGt1Vebgv4WqXjt9xzj75nRjuMVDCEtNBSgdvFqqM VjRf1h+JvJdEsLjGXBbloqNrgdtcooZavxe6jjly2Z8WEyJ4UEmX/6SDQSHpCI5R HcZQrPbZJHzr7ilc1NRPDPgNqGReipvq5A== -----END CERTIFICATE----- kind: ConfigMap metadata: annotations: openshift.io/ceo-bundle-rollout-revision: "0" openshift.io/owning-component: Etcd creationTimestamp: "2026-03-12T14:06:45Z" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:metrics-ca-bundle.crt: {} f:server-ca-bundle.crt: {} f:metadata: f:annotations: .: {} f:openshift.io/ceo-bundle-rollout-revision: {} f:openshift.io/owning-component: {} manager: cluster-bootstrap operation: Update time: "2026-03-12T14:06:45Z" name: etcd-all-bundles namespace: openshift-etcd resourceVersion: "586" uid: 07e1ce3a-ed7f-4d37-8eec-0e458df918dd - apiVersion: v1 data: metrics-ca-bundle.crt: | -----BEGIN CERTIFICATE----- MIIDUzCCAjugAwIBAgIIF2dX4kPf2W4wDQYJKoZIhvcNAQELBQAwNzE1MDMGA1UE Awwsb3BlbnNoaWZ0LWV0Y2RfZXRjZC1tZXRyaWMtc2lnbmVyQDE3NzMzMjQyNzcw HhcNMjYwMzEyMTQwNDM2WhcNMzEwMzExMTQwNDM3WjA3MTUwMwYDVQQDDCxvcGVu c2hpZnQtZXRjZF9ldGNkLW1ldHJpYy1zaWduZXJAMTc3MzMyNDI3NzCCASIwDQYJ KoZIhvcNAQEBBQADggEPADCCAQoCggEBAKhSUawjSq8DrWPTWZErlnXW3EIaBbKl 8s0Ct33Jm5HzJOTWft6ZTL62k6e99qi1XtoFTy8XVdQ5yiv/8f3Xkq0fgqbKI29V u9qnel54h6E366V1i1YP6WJCeX784O+Rqoey6JYT4wXr3DswCVTFSU8OUW5yjn3D cqIZIEzjOSkRUVha689yDCaPxjSBVyGyQnrg3MZKkhMHLwxgHrYug+PdWpHjrWo+ 2gkzfxHBYVw33i28HwacmUWIL/7hNJdBTfYFaX20KvxV4qD+40i8hL0aNGOwAQgR AEqW2SSRHPhHGyU7Q9HGfNesbpKzN+bOyH5MD0UoraxA+NYEUWi2/VkCAwEAAaNj MGEwDgYDVR0PAQH/BAQDAgKkMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFOqd kwP4RDGceDRSDpDcBzUhVPrPMB8GA1UdIwQYMBaAFOqdkwP4RDGceDRSDpDcBzUh VPrPMA0GCSqGSIb3DQEBCwUAA4IBAQAsAwuIG0hQBHsXS2vOchwLShQJ/sWAQhUt 4Le2ztEztfrZzX2lM6XUYqMnagPRlkCtPOEDsCxfCU30MSkFodwu5uwrBJS/0Ewk +gipvoHjOEWQyD14i6Ndqdg22dPgHLgnpOXaQ//YaEFiqt9XneRTM5nW83GJg4G3 80eEgWKKXvRO7NgDJ/wfao8y9tfohHuFxNZtxKGLFm2NyNg7Z1zd6tulPMhRIOti /+F9eIBDkun0Zno6Vt2Wrktpxy444PXBe0Bob32lCGC4C+8AgPaR+tjtlUIYTzxV LC13nkSZm7bdm6DWovd1eJeh6CDeoNX4xLOiHJN9wXOFXxymapVf -----END CERTIFICATE----- server-ca-bundle.crt: | -----BEGIN CERTIFICATE----- MIIDRTCCAi2gAwIBAgIIJQ/DuN+mjnYwDQYJKoZIhvcNAQELBQAwMDEuMCwGA1UE Awwlb3BlbnNoaWZ0LWV0Y2RfZXRjZC1zaWduZXJAMTc3MzMyNDI3NzAeFw0yNjAz MTIxNDA0MzZaFw0zMTAzMTExNDA0MzdaMDAxLjAsBgNVBAMMJW9wZW5zaGlmdC1l dGNkX2V0Y2Qtc2lnbmVyQDE3NzMzMjQyNzcwggEiMA0GCSqGSIb3DQEBAQUAA4IB DwAwggEKAoIBAQDTGsjuyMCtLSUTJ6LAsfbpXphdcvH/OY/N+uygBp7TVXQc3NwS 9S3iBmYZ6GJl6o3UD1mBjm5bGjrQJHoK8JaEt1tr/8MJjtVU1MTfRuov47YhIIuG sR4EYFMTJcV5iQowdQkDeQ4CwHROx213c4eZ5ZtQcYCzilZANkbShdrtDmeyEBDb Rz1bGzMGmC2xFDIiwJOhVm2zLb+DLcmTZwVU+oS47t5/Q4Ts1+72ulCmCD/6xpXH fIyHr2pN0RAnS0Xn3/oVyxUOQZTaAWLtFMRQ99V5haHaGMJ1JP12Po1ItXKYDAxX V9YFs6GbTlU2SX2W+QEm5k+cnpSvYhIvMDEdAgMBAAGjYzBhMA4GA1UdDwEB/wQE AwICpDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQF5g1MqJTjtINacYBRmids EhCmpzAfBgNVHSMEGDAWgBQF5g1MqJTjtINacYBRmidsEhCmpzANBgkqhkiG9w0B AQsFAAOCAQEAAaOsKzP0Q19+8eQvEgTUJ3MMWFw7qSyIdjo7KPllvW7OHZAkipuF E5I8dJlBQwhKkZP6kToIqceHLAIiekDI06yizeEcLKWL9BltOsfPcBR5xx+61pfq i0nQuNS/M4Vt0TApxwZ6Jqdypm9ui9cThK6DR+pmFoGL6ff02znideyppiwR0MfA Lw2TTzNnLotqNwdTZyx7jVYjGt1Vebgv4WqXjt9xzj75nRjuMVDCEtNBSgdvFqqM VjRf1h+JvJdEsLjGXBbloqNrgdtcooZavxe6jjly2Z8WEyJ4UEmX/6SDQSHpCI5R HcZQrPbZJHzr7ilc1NRPDPgNqGReipvq5A== -----END CERTIFICATE----- kind: ConfigMap metadata: annotations: openshift.io/ceo-bundle-rollout-revision: "0" openshift.io/owning-component: Etcd creationTimestamp: "2026-03-12T14:13:03Z" labels: operator.openshift.io/controller-instance-name: etcd-RevisionController managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:metrics-ca-bundle.crt: {} f:server-ca-bundle.crt: {} f:metadata: f:annotations: .: {} f:openshift.io/ceo-bundle-rollout-revision: {} f:openshift.io/owning-component: {} f:labels: .: {} f:operator.openshift.io/controller-instance-name: {} f:ownerReferences: .: {} k:{"uid":"7d2c7f66-09d2-41a3-9bc1-351331f18fb4"}: {} manager: cluster-etcd-operator operation: Update time: "2026-03-12T14:13:03Z" name: etcd-all-bundles-1 namespace: openshift-etcd ownerReferences: - apiVersion: v1 kind: ConfigMap name: revision-status-1 uid: 7d2c7f66-09d2-41a3-9bc1-351331f18fb4 resourceVersion: "7348" uid: 18af7cdf-73f3-491c-ad06-0d45c5280975 - apiVersion: v1 data: metrics-ca-bundle.crt: | -----BEGIN CERTIFICATE----- MIIDUzCCAjugAwIBAgIIF2dX4kPf2W4wDQYJKoZIhvcNAQELBQAwNzE1MDMGA1UE Awwsb3BlbnNoaWZ0LWV0Y2RfZXRjZC1tZXRyaWMtc2lnbmVyQDE3NzMzMjQyNzcw HhcNMjYwMzEyMTQwNDM2WhcNMzEwMzExMTQwNDM3WjA3MTUwMwYDVQQDDCxvcGVu c2hpZnQtZXRjZF9ldGNkLW1ldHJpYy1zaWduZXJAMTc3MzMyNDI3NzCCASIwDQYJ KoZIhvcNAQEBBQADggEPADCCAQoCggEBAKhSUawjSq8DrWPTWZErlnXW3EIaBbKl 8s0Ct33Jm5HzJOTWft6ZTL62k6e99qi1XtoFTy8XVdQ5yiv/8f3Xkq0fgqbKI29V u9qnel54h6E366V1i1YP6WJCeX784O+Rqoey6JYT4wXr3DswCVTFSU8OUW5yjn3D cqIZIEzjOSkRUVha689yDCaPxjSBVyGyQnrg3MZKkhMHLwxgHrYug+PdWpHjrWo+ 2gkzfxHBYVw33i28HwacmUWIL/7hNJdBTfYFaX20KvxV4qD+40i8hL0aNGOwAQgR AEqW2SSRHPhHGyU7Q9HGfNesbpKzN+bOyH5MD0UoraxA+NYEUWi2/VkCAwEAAaNj MGEwDgYDVR0PAQH/BAQDAgKkMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFOqd kwP4RDGceDRSDpDcBzUhVPrPMB8GA1UdIwQYMBaAFOqdkwP4RDGceDRSDpDcBzUh VPrPMA0GCSqGSIb3DQEBCwUAA4IBAQAsAwuIG0hQBHsXS2vOchwLShQJ/sWAQhUt 4Le2ztEztfrZzX2lM6XUYqMnagPRlkCtPOEDsCxfCU30MSkFodwu5uwrBJS/0Ewk +gipvoHjOEWQyD14i6Ndqdg22dPgHLgnpOXaQ//YaEFiqt9XneRTM5nW83GJg4G3 80eEgWKKXvRO7NgDJ/wfao8y9tfohHuFxNZtxKGLFm2NyNg7Z1zd6tulPMhRIOti /+F9eIBDkun0Zno6Vt2Wrktpxy444PXBe0Bob32lCGC4C+8AgPaR+tjtlUIYTzxV LC13nkSZm7bdm6DWovd1eJeh6CDeoNX4xLOiHJN9wXOFXxymapVf -----END CERTIFICATE----- server-ca-bundle.crt: | -----BEGIN CERTIFICATE----- MIIDRTCCAi2gAwIBAgIIJQ/DuN+mjnYwDQYJKoZIhvcNAQELBQAwMDEuMCwGA1UE Awwlb3BlbnNoaWZ0LWV0Y2RfZXRjZC1zaWduZXJAMTc3MzMyNDI3NzAeFw0yNjAz MTIxNDA0MzZaFw0zMTAzMTExNDA0MzdaMDAxLjAsBgNVBAMMJW9wZW5zaGlmdC1l dGNkX2V0Y2Qtc2lnbmVyQDE3NzMzMjQyNzcwggEiMA0GCSqGSIb3DQEBAQUAA4IB DwAwggEKAoIBAQDTGsjuyMCtLSUTJ6LAsfbpXphdcvH/OY/N+uygBp7TVXQc3NwS 9S3iBmYZ6GJl6o3UD1mBjm5bGjrQJHoK8JaEt1tr/8MJjtVU1MTfRuov47YhIIuG sR4EYFMTJcV5iQowdQkDeQ4CwHROx213c4eZ5ZtQcYCzilZANkbShdrtDmeyEBDb Rz1bGzMGmC2xFDIiwJOhVm2zLb+DLcmTZwVU+oS47t5/Q4Ts1+72ulCmCD/6xpXH fIyHr2pN0RAnS0Xn3/oVyxUOQZTaAWLtFMRQ99V5haHaGMJ1JP12Po1ItXKYDAxX V9YFs6GbTlU2SX2W+QEm5k+cnpSvYhIvMDEdAgMBAAGjYzBhMA4GA1UdDwEB/wQE AwICpDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQF5g1MqJTjtINacYBRmids EhCmpzAfBgNVHSMEGDAWgBQF5g1MqJTjtINacYBRmidsEhCmpzANBgkqhkiG9w0B AQsFAAOCAQEAAaOsKzP0Q19+8eQvEgTUJ3MMWFw7qSyIdjo7KPllvW7OHZAkipuF E5I8dJlBQwhKkZP6kToIqceHLAIiekDI06yizeEcLKWL9BltOsfPcBR5xx+61pfq i0nQuNS/M4Vt0TApxwZ6Jqdypm9ui9cThK6DR+pmFoGL6ff02znideyppiwR0MfA Lw2TTzNnLotqNwdTZyx7jVYjGt1Vebgv4WqXjt9xzj75nRjuMVDCEtNBSgdvFqqM VjRf1h+JvJdEsLjGXBbloqNrgdtcooZavxe6jjly2Z8WEyJ4UEmX/6SDQSHpCI5R HcZQrPbZJHzr7ilc1NRPDPgNqGReipvq5A== -----END CERTIFICATE----- kind: ConfigMap metadata: annotations: openshift.io/ceo-bundle-rollout-revision: "0" openshift.io/owning-component: Etcd creationTimestamp: "2026-03-12T14:16:15Z" labels: operator.openshift.io/controller-instance-name: etcd-RevisionController managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:metrics-ca-bundle.crt: {} f:server-ca-bundle.crt: {} f:metadata: f:annotations: .: {} f:openshift.io/ceo-bundle-rollout-revision: {} f:openshift.io/owning-component: {} f:labels: .: {} f:operator.openshift.io/controller-instance-name: {} f:ownerReferences: .: {} k:{"uid":"ac330b93-7c0b-4438-8875-ec23ce5f1933"}: {} manager: cluster-etcd-operator operation: Update time: "2026-03-12T14:16:15Z" name: etcd-all-bundles-2 namespace: openshift-etcd ownerReferences: - apiVersion: v1 kind: ConfigMap name: revision-status-2 uid: ac330b93-7c0b-4438-8875-ec23ce5f1933 resourceVersion: "10809" uid: 079d75c2-2606-4461-9868-23673dbe915a - apiVersion: v1 data: ca-bundle.crt: | -----BEGIN CERTIFICATE----- MIIDRTCCAi2gAwIBAgIIJQ/DuN+mjnYwDQYJKoZIhvcNAQELBQAwMDEuMCwGA1UE Awwlb3BlbnNoaWZ0LWV0Y2RfZXRjZC1zaWduZXJAMTc3MzMyNDI3NzAeFw0yNjAz MTIxNDA0MzZaFw0zMTAzMTExNDA0MzdaMDAxLjAsBgNVBAMMJW9wZW5zaGlmdC1l dGNkX2V0Y2Qtc2lnbmVyQDE3NzMzMjQyNzcwggEiMA0GCSqGSIb3DQEBAQUAA4IB DwAwggEKAoIBAQDTGsjuyMCtLSUTJ6LAsfbpXphdcvH/OY/N+uygBp7TVXQc3NwS 9S3iBmYZ6GJl6o3UD1mBjm5bGjrQJHoK8JaEt1tr/8MJjtVU1MTfRuov47YhIIuG sR4EYFMTJcV5iQowdQkDeQ4CwHROx213c4eZ5ZtQcYCzilZANkbShdrtDmeyEBDb Rz1bGzMGmC2xFDIiwJOhVm2zLb+DLcmTZwVU+oS47t5/Q4Ts1+72ulCmCD/6xpXH fIyHr2pN0RAnS0Xn3/oVyxUOQZTaAWLtFMRQ99V5haHaGMJ1JP12Po1ItXKYDAxX V9YFs6GbTlU2SX2W+QEm5k+cnpSvYhIvMDEdAgMBAAGjYzBhMA4GA1UdDwEB/wQE AwICpDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQF5g1MqJTjtINacYBRmids EhCmpzAfBgNVHSMEGDAWgBQF5g1MqJTjtINacYBRmidsEhCmpzANBgkqhkiG9w0B AQsFAAOCAQEAAaOsKzP0Q19+8eQvEgTUJ3MMWFw7qSyIdjo7KPllvW7OHZAkipuF E5I8dJlBQwhKkZP6kToIqceHLAIiekDI06yizeEcLKWL9BltOsfPcBR5xx+61pfq i0nQuNS/M4Vt0TApxwZ6Jqdypm9ui9cThK6DR+pmFoGL6ff02znideyppiwR0MfA Lw2TTzNnLotqNwdTZyx7jVYjGt1Vebgv4WqXjt9xzj75nRjuMVDCEtNBSgdvFqqM VjRf1h+JvJdEsLjGXBbloqNrgdtcooZavxe6jjly2Z8WEyJ4UEmX/6SDQSHpCI5R HcZQrPbZJHzr7ilc1NRPDPgNqGReipvq5A== -----END CERTIFICATE----- kind: ConfigMap metadata: annotations: openshift.io/description: Generated by cluster-etcd-operator for etcd and is used to authenticate clients and peers of etcd. openshift.io/owning-component: etcd creationTimestamp: "2026-03-12T14:06:46Z" labels: auth.openshift.io/managed-certificate-type: ca-bundle managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:ca-bundle.crt: {} f:metadata: f:annotations: .: {} f:openshift.io/description: {} f:openshift.io/owning-component: {} f:labels: .: {} f:auth.openshift.io/managed-certificate-type: {} manager: cluster-bootstrap operation: Update time: "2026-03-12T14:06:46Z" name: etcd-ca-bundle namespace: openshift-etcd resourceVersion: "592" uid: 1af08448-1000-4011-8eea-24dc001422ff - apiVersion: v1 data: 91eb892c5ee87610: 192.168.32.10 kind: ConfigMap metadata: creationTimestamp: "2026-03-12T14:06:55Z" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: {} manager: cluster-bootstrap operation: Update time: "2026-03-12T14:06:55Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: f:91eb892c5ee87610: {} manager: cluster-etcd-operator operation: Update time: "2026-03-12T14:13:45Z" name: etcd-endpoints namespace: openshift-etcd resourceVersion: "8643" uid: 179f0b26-c928-4417-8a38-cb3225e8ea0f - apiVersion: v1 data: MTkyLjE2OC4zMi4xMA: 192.168.32.10 kind: ConfigMap metadata: creationTimestamp: "2026-03-12T14:13:02Z" labels: operator.openshift.io/controller-instance-name: etcd-RevisionController managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:MTkyLjE2OC4zMi4xMA: {} f:metadata: f:labels: .: {} f:operator.openshift.io/controller-instance-name: {} f:ownerReferences: .: {} k:{"uid":"7d2c7f66-09d2-41a3-9bc1-351331f18fb4"}: {} manager: cluster-etcd-operator operation: Update time: "2026-03-12T14:13:02Z" name: etcd-endpoints-1 namespace: openshift-etcd ownerReferences: - apiVersion: v1 kind: ConfigMap name: revision-status-1 uid: 7d2c7f66-09d2-41a3-9bc1-351331f18fb4 resourceVersion: "7212" uid: 0296691a-65ba-4f02-979b-dd621b3e61a1 - apiVersion: v1 data: 91eb892c5ee87610: 192.168.32.10 kind: ConfigMap metadata: creationTimestamp: "2026-03-12T14:16:14Z" labels: operator.openshift.io/controller-instance-name: etcd-RevisionController managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:91eb892c5ee87610: {} f:metadata: f:labels: .: {} f:operator.openshift.io/controller-instance-name: {} f:ownerReferences: .: {} k:{"uid":"ac330b93-7c0b-4438-8875-ec23ce5f1933"}: {} manager: cluster-etcd-operator operation: Update time: "2026-03-12T14:16:14Z" name: etcd-endpoints-2 namespace: openshift-etcd ownerReferences: - apiVersion: v1 kind: ConfigMap name: revision-status-2 uid: ac330b93-7c0b-4438-8875-ec23ce5f1933 resourceVersion: "10737" uid: 626b3c9f-5de5-4cf1-9bcb-7fea8e17312d - apiVersion: v1 data: ca-bundle.crt: | -----BEGIN CERTIFICATE----- MIIDUzCCAjugAwIBAgIIF2dX4kPf2W4wDQYJKoZIhvcNAQELBQAwNzE1MDMGA1UE Awwsb3BlbnNoaWZ0LWV0Y2RfZXRjZC1tZXRyaWMtc2lnbmVyQDE3NzMzMjQyNzcw HhcNMjYwMzEyMTQwNDM2WhcNMzEwMzExMTQwNDM3WjA3MTUwMwYDVQQDDCxvcGVu c2hpZnQtZXRjZF9ldGNkLW1ldHJpYy1zaWduZXJAMTc3MzMyNDI3NzCCASIwDQYJ KoZIhvcNAQEBBQADggEPADCCAQoCggEBAKhSUawjSq8DrWPTWZErlnXW3EIaBbKl 8s0Ct33Jm5HzJOTWft6ZTL62k6e99qi1XtoFTy8XVdQ5yiv/8f3Xkq0fgqbKI29V u9qnel54h6E366V1i1YP6WJCeX784O+Rqoey6JYT4wXr3DswCVTFSU8OUW5yjn3D cqIZIEzjOSkRUVha689yDCaPxjSBVyGyQnrg3MZKkhMHLwxgHrYug+PdWpHjrWo+ 2gkzfxHBYVw33i28HwacmUWIL/7hNJdBTfYFaX20KvxV4qD+40i8hL0aNGOwAQgR AEqW2SSRHPhHGyU7Q9HGfNesbpKzN+bOyH5MD0UoraxA+NYEUWi2/VkCAwEAAaNj MGEwDgYDVR0PAQH/BAQDAgKkMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFOqd kwP4RDGceDRSDpDcBzUhVPrPMB8GA1UdIwQYMBaAFOqdkwP4RDGceDRSDpDcBzUh VPrPMA0GCSqGSIb3DQEBCwUAA4IBAQAsAwuIG0hQBHsXS2vOchwLShQJ/sWAQhUt 4Le2ztEztfrZzX2lM6XUYqMnagPRlkCtPOEDsCxfCU30MSkFodwu5uwrBJS/0Ewk +gipvoHjOEWQyD14i6Ndqdg22dPgHLgnpOXaQ//YaEFiqt9XneRTM5nW83GJg4G3 80eEgWKKXvRO7NgDJ/wfao8y9tfohHuFxNZtxKGLFm2NyNg7Z1zd6tulPMhRIOti /+F9eIBDkun0Zno6Vt2Wrktpxy444PXBe0Bob32lCGC4C+8AgPaR+tjtlUIYTzxV LC13nkSZm7bdm6DWovd1eJeh6CDeoNX4xLOiHJN9wXOFXxymapVf -----END CERTIFICATE----- kind: ConfigMap metadata: annotations: openshift.io/description: Generated by cluster-etcd-operator for etcd and is used to authenticate Prometheus ServiceMonitors reaching etcd. openshift.io/owning-component: etcd creationTimestamp: "2026-03-12T14:06:47Z" labels: auth.openshift.io/managed-certificate-type: ca-bundle managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:ca-bundle.crt: {} f:metadata: f:annotations: .: {} f:openshift.io/description: {} f:openshift.io/owning-component: {} f:labels: .: {} f:auth.openshift.io/managed-certificate-type: {} manager: cluster-bootstrap operation: Update time: "2026-03-12T14:06:47Z" name: etcd-metrics-ca-bundle namespace: openshift-etcd resourceVersion: "597" uid: 7f10f062-6999-44e9-8a30-a7b9b81487c8 - apiVersion: v1 data: forceRedeploymentReason: "" pod.yaml: "apiVersion: v1\nkind: Pod\nmetadata:\n name: etcd\n namespace: openshift-etcd\n \ annotations:\n kubectl.kubernetes.io/default-container: etcd\n target.workload.openshift.io/management: '{\"effect\": \"PreferredDuringScheduling\"}'\n labels:\n app: etcd\n k8s-app: etcd\n etcd: \"true\"\n revision: \"REVISION\"\nspec:\n initContainers:\n \ - name: setup\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n \ echo -n \"Fixing etcd log permissions.\"\n mkdir -p /var/log/etcd \ && chmod 0600 /var/log/etcd\n echo -n \"Fixing etcd auto backup permissions.\"\n \ mkdir -p /var/lib/etcd-auto-backup && chmod 0600 /var/lib/etcd-auto-backup\n \ securityContext:\n privileged: true\n resources:\n requests:\n \ memory: 50Mi\n cpu: 5m\n volumeMounts:\n - mountPath: /var/log/etcd\n name: log-dir\n - name: etcd-ensure-env-vars\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n \ set -euo pipefail\n\n : \"${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST?not set}\"\n : \"${NODE_NODE_ENVVAR_NAME_ETCD_NAME?not set}\"\n : \"${NODE_NODE_ENVVAR_NAME_IP?not set}\"\n\n # check for ipv4 addresses as well as ipv6 addresses with extra square brackets\n if [[ \"${NODE_NODE_ENVVAR_NAME_IP}\" != \"${NODE_IP}\" && \"${NODE_NODE_ENVVAR_NAME_IP}\" != \"[${NODE_IP}]\" ]]; then\n # echo the error message to stderr\n echo \"Expected node IP to be ${NODE_IP} got ${NODE_NODE_ENVVAR_NAME_IP}\" >&2\n exit 1\n fi\n\n # check for ipv4 addresses as well as ipv6 addresses with extra square brackets\n if [[ \"${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}\" != \"${NODE_IP}\" && \"${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}\" != \"[${NODE_IP}]\" ]]; then\n # echo the error message to stderr\n echo \"Expected etcd url host to be ${NODE_IP} got ${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}\" >&2\n exit 1\n fi\n\n resources:\n requests:\n \ memory: 60Mi\n cpu: 10m\n securityContext:\n privileged: true\n env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_API\"\n value: \"3\"\n - name: \"ETCDCTL_CACERT\"\n \ value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n \ value: \"true\"\n - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n \ value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n \ value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n \ value: \"5s\"\n - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n \ - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n \ - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n \ value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n \ value: \"192.168.32.10\"\n - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n - name: NODE_IP\n valueFrom:\n fieldRef:\n \ fieldPath: status.podIP\n - name: etcd-resources-copy\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n \ set -euo pipefail\n\n rm -f $(grep -l '^### Created by cluster-etcd-operator' /usr/local/bin/*)\n cp -p /etc/kubernetes/static-pod-certs/configmaps/etcd-scripts/*.sh /usr/local/bin\n\n resources:\n requests:\n memory: 60Mi\n \ cpu: 10m\n securityContext:\n privileged: true\n volumeMounts:\n \ - mountPath: /etc/kubernetes/static-pod-resources\n name: resource-dir\n \ - mountPath: /etc/kubernetes/static-pod-certs\n name: cert-dir\n \ - mountPath: /usr/local/bin\n name: usr-local-bin\n containers:\n \ # The etcdctl container should always be first. It is intended to be used\n \ # to open a remote shell via `oc rsh` that is ready to run `etcdctl`.\n - name: etcdctl\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - \"/bin/bash\"\n - \"-c\"\n - \"trap TERM INT; sleep infinity & wait\"\n resources:\n requests:\n memory: 60Mi\n \ cpu: 10m\n volumeMounts:\n - mountPath: /etc/kubernetes/manifests\n \ name: static-pod-dir\n - mountPath: /etc/kubernetes/static-pod-resources\n \ name: resource-dir\n - mountPath: /etc/kubernetes/static-pod-certs\n \ name: cert-dir\n - mountPath: /var/lib/etcd/\n name: data-dir\n \ env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_API\"\n value: \"3\"\n - name: \"ETCDCTL_CACERT\"\n \ value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n \ value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n value: \"true\"\n \ - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n value: \"5s\"\n \ - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n \ value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n \ value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n value: \"192.168.32.10\"\n \ - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n - name: \"ETCD_STATIC_POD_VERSION\"\n value: \"REVISION\"\n\n - name: etcd\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n set -euo pipefail\n\n etcdctl member list || true\n\n # this has a non-zero return code if the command is non-zero. If you use an export first, it doesn't and you\n # will succeed when you should fail.\n ETCD_INITIAL_CLUSTER=$(discover-etcd-initial-cluster \\\n --cacert=/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt \\\n --cert=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt \\\n --key=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key \\\n --endpoints=${ALL_ETCD_ENDPOINTS} \\\n --data-dir=/var/lib/etcd \\\n --target-peer-url-host=${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST} \\\n --target-name=NODE_NAME)\n export ETCD_INITIAL_CLUSTER\n\n \ # we cannot use the \"normal\" port conflict initcontainer because when we upgrade, the existing static pod will never yield,\n # so we do the detection in etcd container itself.\n echo -n \"Waiting for ports 2379, 2380 and 9978 to be released.\"\n time while [ -n \"$(ss -Htan '( sport = 2379 or sport = 2380 or sport = 9978 )')\" ]; do\n echo -n \".\"\n \ sleep 1\n done\n\n export ETCD_NAME=${NODE_NODE_ENVVAR_NAME_ETCD_NAME}\n \ env | grep ETCD | grep -v NODE\n\n set -x\n # See https://etcd.io/docs/v3.4.0/tuning/ for why we use ionice\n exec nice -n -19 ionice -c2 -n0 etcd \\\n --logger=zap \\\n --log-level=info \\\n --experimental-initial-corrupt-check=true \\\n --snapshot-count=10000 \\\n --initial-advertise-peer-urls=https://${NODE_NODE_ENVVAR_NAME_IP}:2380 \\\n --cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.crt \\\n --key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.key \\\n --trusted-ca-file=/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt \\\n --client-cert-auth=true \\\n --peer-cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt \\\n --peer-key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key \\\n --peer-trusted-ca-file=/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt \\\n --peer-client-cert-auth=true \\\n --advertise-client-urls=https://${NODE_NODE_ENVVAR_NAME_IP}:2379 \\\n --listen-client-urls=https://0.0.0.0:2379,unixs://${NODE_NODE_ENVVAR_NAME_IP}:0 \\\n --listen-peer-urls=https://0.0.0.0:2380 \\\n --metrics=extensive \\\n --listen-metrics-urls=https://0.0.0.0:9978 || mv /etc/kubernetes/etcd-backup-dir/etcd-member.yaml /etc/kubernetes/manifests\n ports:\n - containerPort: 2379\n name: etcd\n protocol: TCP\n - containerPort: 2380\n name: etcd-peer\n \ protocol: TCP\n - containerPort: 9978\n name: etcd-metrics\n protocol: TCP\n env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_API\"\n value: \"3\"\n - name: \"ETCDCTL_CACERT\"\n \ value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n \ value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n value: \"true\"\n \ - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n value: \"5s\"\n \ - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n \ value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n \ value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n value: \"192.168.32.10\"\n \ - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n - name: \"ETCD_STATIC_POD_VERSION\"\n value: \"REVISION\"\n resources:\n requests:\n \ memory: 600Mi\n cpu: 300m\n readinessProbe:\n httpGet:\n \ port: 9980\n path: readyz\n scheme: HTTPS\n timeoutSeconds: 30\n failureThreshold: 5\n periodSeconds: 5\n successThreshold: 1\n livenessProbe:\n httpGet:\n path: healthz\n port: 9980\n scheme: HTTPS\n timeoutSeconds: 30\n periodSeconds: 5\n successThreshold: 1\n failureThreshold: 5\n startupProbe:\n \ httpGet:\n port: 9980\n path: readyz\n scheme: HTTPS\n \ initialDelaySeconds: 10\n timeoutSeconds: 1\n periodSeconds: 10\n successThreshold: 1\n failureThreshold: 18\n securityContext:\n \ privileged: true\n volumeMounts:\n - mountPath: /etc/kubernetes/manifests\n \ name: static-pod-dir\n - mountPath: /etc/kubernetes/static-pod-resources\n \ name: resource-dir\n - mountPath: /etc/kubernetes/static-pod-certs\n \ name: cert-dir\n - mountPath: /var/lib/etcd/\n name: data-dir\n\n \ - name: etcd-metrics\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n set -euo pipefail\n\n export ETCD_NAME=${NODE_NODE_ENVVAR_NAME_ETCD_NAME}\n\n \ exec nice -n -18 etcd grpc-proxy start \\\n --endpoints https://${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}:9978 \\\n --metrics-addr https://0.0.0.0:9979 \\\n --listen-addr 127.0.0.1:9977 \\\n --advertise-client-url \"\" \\\n --key /etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key \\\n --key-file /etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-metrics-NODE_NAME.key \\\n --cert /etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt \\\n --cert-file /etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-metrics-NODE_NAME.crt \\\n --cacert /etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt \\\n --trusted-ca-file /etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/metrics-ca-bundle.crt \\\n --listen-cipher-suites TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 \\\n --tls-min-version $(ETCD_TLS_MIN_VERSION)\n ports:\n - containerPort: 9979\n name: proxy-metrics\n protocol: TCP\n env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \n \ - name: \"ETCDCTL_API\"\n value: \"3\"\n \n - name: \"ETCDCTL_CACERT\"\n \ value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ \n - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ \n - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ \n - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ \n - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ \n - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n \n \ - name: \"ETCD_ELECTION_TIMEOUT\"\n value: \"2500\"\n \n - name: \"ETCD_ENABLE_PPROF\"\n value: \"true\"\n \n - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n \ value: \"1\"\n \n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n \ value: \"200ms\"\n \n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n \ value: \"5s\"\n \n - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n \n - name: \"ETCD_IMAGE\"\n value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\"\n \ \n - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n \ \n - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n \ \n - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n \n \ - name: \"ETCD_TLS_MIN_VERSION\"\n value: \"TLS1.2\"\n \n - name: \"NODE_master_0_ETCD_NAME\"\n value: \"master-0\"\n \n - name: \"NODE_master_0_ETCD_URL_HOST\"\n \ value: \"192.168.32.10\"\n \n - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n - name: \"ETCD_STATIC_POD_VERSION\"\n value: \"REVISION\"\n \ resources:\n requests:\n memory: 200Mi\n cpu: 40m\n securityContext:\n \ privileged: true\n volumeMounts:\n - mountPath: /etc/kubernetes/static-pod-resources\n \ name: resource-dir\n - mountPath: /etc/kubernetes/static-pod-certs\n \ name: cert-dir\n - mountPath: /var/lib/etcd/\n name: data-dir\n \ - name: etcd-readyz\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:6088910bdc1583b275fab261e3234c0b63b4cc16d01bcea697b6a7f6db13bdf3\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n set -euo pipefail\n \n exec nice -n -18 cluster-etcd-operator readyz \\\n --target=https://localhost:2379 \\\n --listen-port=9980 \\\n --serving-cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.crt \\\n --serving-key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.key \\\n --client-cert-file=$(ETCDCTL_CERT) \\\n --client-key-file=$(ETCDCTL_KEY) \\\n --client-cacert-file=$(ETCDCTL_CACERT) \\\n --listen-cipher-suites TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 \\\n --listen-tls-min-version=$(ETCD_TLS_MIN_VERSION)\n securityContext:\n \ privileged: true\n ports:\n - containerPort: 9980\n name: readyz\n \ protocol: TCP\n resources:\n requests:\n memory: 50Mi\n \ cpu: 10m\n env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n - name: \"ETCDCTL_API\"\n value: \"3\"\n \ - name: \"ETCDCTL_CACERT\"\n value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n \ value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n value: \"true\"\n \ - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n value: \"5s\"\n \ - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n \ value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n \ value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n value: \"192.168.32.10\"\n \ - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n volumeMounts:\n \ - mountPath: /var/log/etcd/\n name: log-dir\n - mountPath: /etc/kubernetes/static-pod-certs\n name: cert-dir\n - name: etcd-rev\n \ image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:6088910bdc1583b275fab261e3234c0b63b4cc16d01bcea697b6a7f6db13bdf3\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n set -euo pipefail\n \n cluster-etcd-operator rev \\\n --endpoints=$(ALL_ETCD_ENDPOINTS) \\\n --client-cert-file=$(ETCDCTL_CERT) \\\n --client-key-file=$(ETCDCTL_KEY) \\\n --client-cacert-file=$(ETCDCTL_CACERT)\n securityContext:\n \ privileged: true\n resources:\n requests:\n memory: 50Mi\n \ cpu: 10m\n env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n - name: \"ETCDCTL_API\"\n value: \"3\"\n \ - name: \"ETCDCTL_CACERT\"\n value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n \ value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n value: \"true\"\n \ - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n value: \"5s\"\n \ - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n \ value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n \ value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n value: \"192.168.32.10\"\n \ - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n volumeMounts:\n \ - mountPath: /var/lib/etcd\n name: data-dir\n - mountPath: /etc/kubernetes/static-pod-certs\n \ name: cert-dir\n hostNetwork: true\n priority: 2000001000\n priorityClassName: system-node-critical\n tolerations:\n - operator: \"Exists\"\n volumes:\n \ - hostPath:\n path: /etc/kubernetes/manifests\n name: static-pod-dir\n \ - hostPath:\n path: /etc/kubernetes/static-pod-resources/etcd-pod-REVISION\n \ name: resource-dir\n - hostPath:\n path: /etc/kubernetes/static-pod-resources/etcd-certs\n \ name: cert-dir\n - hostPath:\n path: /var/lib/etcd\n type: \"\"\n name: data-dir\n - hostPath:\n path: /usr/local/bin\n \ name: usr-local-bin\n - hostPath:\n path: /var/log/etcd\n name: log-dir\n - hostPath:\n path: /etc/kubernetes\n name: config-dir\n \ - hostPath:\n path: /var/lib/etcd-auto-backup\n name: etcd-auto-backup-dir\n" version: 4.18.0-202602170912.p2.gb7e21f5.assembly.stream.el9-b7e21f5 kind: ConfigMap metadata: creationTimestamp: "2026-03-12T14:12:58Z" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:forceRedeploymentReason: {} f:pod.yaml: {} f:version: {} manager: cluster-etcd-operator operation: Update time: "2026-03-12T14:12:58Z" name: etcd-pod namespace: openshift-etcd resourceVersion: "6792" uid: b09c99c4-bb25-428f-baed-8a498a0748da - apiVersion: v1 data: forceRedeploymentReason: "" pod.yaml: "apiVersion: v1\nkind: Pod\nmetadata:\n name: etcd\n namespace: openshift-etcd\n \ annotations:\n kubectl.kubernetes.io/default-container: etcd\n target.workload.openshift.io/management: '{\"effect\": \"PreferredDuringScheduling\"}'\n labels:\n app: etcd\n k8s-app: etcd\n etcd: \"true\"\n revision: \"REVISION\"\nspec:\n initContainers:\n \ - name: setup\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n \ echo -n \"Fixing etcd log permissions.\"\n mkdir -p /var/log/etcd \ && chmod 0600 /var/log/etcd\n echo -n \"Fixing etcd auto backup permissions.\"\n \ mkdir -p /var/lib/etcd-auto-backup && chmod 0600 /var/lib/etcd-auto-backup\n \ securityContext:\n privileged: true\n resources:\n requests:\n \ memory: 50Mi\n cpu: 5m\n volumeMounts:\n - mountPath: /var/log/etcd\n name: log-dir\n - name: etcd-ensure-env-vars\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n \ set -euo pipefail\n\n : \"${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST?not set}\"\n : \"${NODE_NODE_ENVVAR_NAME_ETCD_NAME?not set}\"\n : \"${NODE_NODE_ENVVAR_NAME_IP?not set}\"\n\n # check for ipv4 addresses as well as ipv6 addresses with extra square brackets\n if [[ \"${NODE_NODE_ENVVAR_NAME_IP}\" != \"${NODE_IP}\" && \"${NODE_NODE_ENVVAR_NAME_IP}\" != \"[${NODE_IP}]\" ]]; then\n # echo the error message to stderr\n echo \"Expected node IP to be ${NODE_IP} got ${NODE_NODE_ENVVAR_NAME_IP}\" >&2\n exit 1\n fi\n\n # check for ipv4 addresses as well as ipv6 addresses with extra square brackets\n if [[ \"${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}\" != \"${NODE_IP}\" && \"${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}\" != \"[${NODE_IP}]\" ]]; then\n # echo the error message to stderr\n echo \"Expected etcd url host to be ${NODE_IP} got ${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}\" >&2\n exit 1\n fi\n\n resources:\n requests:\n \ memory: 60Mi\n cpu: 10m\n securityContext:\n privileged: true\n env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_API\"\n value: \"3\"\n - name: \"ETCDCTL_CACERT\"\n \ value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n \ value: \"true\"\n - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n \ value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n \ value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n \ value: \"5s\"\n - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n \ - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n \ - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n \ value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n \ value: \"192.168.32.10\"\n - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n - name: NODE_IP\n valueFrom:\n fieldRef:\n \ fieldPath: status.podIP\n - name: etcd-resources-copy\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n \ set -euo pipefail\n\n rm -f $(grep -l '^### Created by cluster-etcd-operator' /usr/local/bin/*)\n cp -p /etc/kubernetes/static-pod-certs/configmaps/etcd-scripts/*.sh /usr/local/bin\n\n resources:\n requests:\n memory: 60Mi\n \ cpu: 10m\n securityContext:\n privileged: true\n volumeMounts:\n \ - mountPath: /etc/kubernetes/static-pod-resources\n name: resource-dir\n \ - mountPath: /etc/kubernetes/static-pod-certs\n name: cert-dir\n \ - mountPath: /usr/local/bin\n name: usr-local-bin\n containers:\n \ # The etcdctl container should always be first. It is intended to be used\n \ # to open a remote shell via `oc rsh` that is ready to run `etcdctl`.\n - name: etcdctl\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - \"/bin/bash\"\n - \"-c\"\n - \"trap TERM INT; sleep infinity & wait\"\n resources:\n requests:\n memory: 60Mi\n \ cpu: 10m\n volumeMounts:\n - mountPath: /etc/kubernetes/manifests\n \ name: static-pod-dir\n - mountPath: /etc/kubernetes/static-pod-resources\n \ name: resource-dir\n - mountPath: /etc/kubernetes/static-pod-certs\n \ name: cert-dir\n - mountPath: /var/lib/etcd/\n name: data-dir\n \ env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_API\"\n value: \"3\"\n - name: \"ETCDCTL_CACERT\"\n \ value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n \ value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n value: \"true\"\n \ - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n value: \"5s\"\n \ - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n \ value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n \ value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n value: \"192.168.32.10\"\n \ - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n - name: \"ETCD_STATIC_POD_VERSION\"\n value: \"REVISION\"\n\n - name: etcd\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n set -euo pipefail\n\n etcdctl member list || true\n\n # this has a non-zero return code if the command is non-zero. If you use an export first, it doesn't and you\n # will succeed when you should fail.\n ETCD_INITIAL_CLUSTER=$(discover-etcd-initial-cluster \\\n --cacert=/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt \\\n --cert=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt \\\n --key=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key \\\n --endpoints=${ALL_ETCD_ENDPOINTS} \\\n --data-dir=/var/lib/etcd \\\n --target-peer-url-host=${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST} \\\n --target-name=NODE_NAME)\n export ETCD_INITIAL_CLUSTER\n\n \ # we cannot use the \"normal\" port conflict initcontainer because when we upgrade, the existing static pod will never yield,\n # so we do the detection in etcd container itself.\n echo -n \"Waiting for ports 2379, 2380 and 9978 to be released.\"\n time while [ -n \"$(ss -Htan '( sport = 2379 or sport = 2380 or sport = 9978 )')\" ]; do\n echo -n \".\"\n \ sleep 1\n done\n\n export ETCD_NAME=${NODE_NODE_ENVVAR_NAME_ETCD_NAME}\n \ env | grep ETCD | grep -v NODE\n\n set -x\n # See https://etcd.io/docs/v3.4.0/tuning/ for why we use ionice\n exec nice -n -19 ionice -c2 -n0 etcd \\\n --logger=zap \\\n --log-level=info \\\n --experimental-initial-corrupt-check=true \\\n --snapshot-count=10000 \\\n --initial-advertise-peer-urls=https://${NODE_NODE_ENVVAR_NAME_IP}:2380 \\\n --cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.crt \\\n --key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.key \\\n --trusted-ca-file=/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt \\\n --client-cert-auth=true \\\n --peer-cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt \\\n --peer-key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key \\\n --peer-trusted-ca-file=/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt \\\n --peer-client-cert-auth=true \\\n --advertise-client-urls=https://${NODE_NODE_ENVVAR_NAME_IP}:2379 \\\n --listen-client-urls=https://0.0.0.0:2379,unixs://${NODE_NODE_ENVVAR_NAME_IP}:0 \\\n --listen-peer-urls=https://0.0.0.0:2380 \\\n --metrics=extensive \\\n --listen-metrics-urls=https://0.0.0.0:9978 || mv /etc/kubernetes/etcd-backup-dir/etcd-member.yaml /etc/kubernetes/manifests\n ports:\n - containerPort: 2379\n name: etcd\n protocol: TCP\n - containerPort: 2380\n name: etcd-peer\n \ protocol: TCP\n - containerPort: 9978\n name: etcd-metrics\n protocol: TCP\n env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_API\"\n value: \"3\"\n - name: \"ETCDCTL_CACERT\"\n \ value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n \ value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n value: \"true\"\n \ - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n value: \"5s\"\n \ - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n \ value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n \ value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n value: \"192.168.32.10\"\n \ - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n - name: \"ETCD_STATIC_POD_VERSION\"\n value: \"REVISION\"\n resources:\n requests:\n \ memory: 600Mi\n cpu: 300m\n readinessProbe:\n httpGet:\n \ port: 9980\n path: readyz\n scheme: HTTPS\n timeoutSeconds: 30\n failureThreshold: 5\n periodSeconds: 5\n successThreshold: 1\n livenessProbe:\n httpGet:\n path: healthz\n port: 9980\n scheme: HTTPS\n timeoutSeconds: 30\n periodSeconds: 5\n successThreshold: 1\n failureThreshold: 5\n startupProbe:\n \ httpGet:\n port: 9980\n path: readyz\n scheme: HTTPS\n \ initialDelaySeconds: 10\n timeoutSeconds: 1\n periodSeconds: 10\n successThreshold: 1\n failureThreshold: 18\n securityContext:\n \ privileged: true\n volumeMounts:\n - mountPath: /etc/kubernetes/manifests\n \ name: static-pod-dir\n - mountPath: /etc/kubernetes/static-pod-resources\n \ name: resource-dir\n - mountPath: /etc/kubernetes/static-pod-certs\n \ name: cert-dir\n - mountPath: /var/lib/etcd/\n name: data-dir\n\n \ - name: etcd-metrics\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n set -euo pipefail\n\n export ETCD_NAME=${NODE_NODE_ENVVAR_NAME_ETCD_NAME}\n\n \ exec nice -n -18 etcd grpc-proxy start \\\n --endpoints https://${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}:9978 \\\n --metrics-addr https://0.0.0.0:9979 \\\n --listen-addr 127.0.0.1:9977 \\\n --advertise-client-url \"\" \\\n --key /etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key \\\n --key-file /etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-metrics-NODE_NAME.key \\\n --cert /etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt \\\n --cert-file /etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-metrics-NODE_NAME.crt \\\n --cacert /etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt \\\n --trusted-ca-file /etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/metrics-ca-bundle.crt \\\n --listen-cipher-suites TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 \\\n --tls-min-version $(ETCD_TLS_MIN_VERSION)\n ports:\n - containerPort: 9979\n name: proxy-metrics\n protocol: TCP\n env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \n \ - name: \"ETCDCTL_API\"\n value: \"3\"\n \n - name: \"ETCDCTL_CACERT\"\n \ value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ \n - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ \n - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ \n - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ \n - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ \n - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n \n \ - name: \"ETCD_ELECTION_TIMEOUT\"\n value: \"2500\"\n \n - name: \"ETCD_ENABLE_PPROF\"\n value: \"true\"\n \n - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n \ value: \"1\"\n \n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n \ value: \"200ms\"\n \n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n \ value: \"5s\"\n \n - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n \n - name: \"ETCD_IMAGE\"\n value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\"\n \ \n - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n \ \n - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n \ \n - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n \n \ - name: \"ETCD_TLS_MIN_VERSION\"\n value: \"TLS1.2\"\n \n - name: \"NODE_master_0_ETCD_NAME\"\n value: \"master-0\"\n \n - name: \"NODE_master_0_ETCD_URL_HOST\"\n \ value: \"192.168.32.10\"\n \n - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n - name: \"ETCD_STATIC_POD_VERSION\"\n value: \"REVISION\"\n \ resources:\n requests:\n memory: 200Mi\n cpu: 40m\n securityContext:\n \ privileged: true\n volumeMounts:\n - mountPath: /etc/kubernetes/static-pod-resources\n \ name: resource-dir\n - mountPath: /etc/kubernetes/static-pod-certs\n \ name: cert-dir\n - mountPath: /var/lib/etcd/\n name: data-dir\n \ - name: etcd-readyz\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:6088910bdc1583b275fab261e3234c0b63b4cc16d01bcea697b6a7f6db13bdf3\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n set -euo pipefail\n \n exec nice -n -18 cluster-etcd-operator readyz \\\n --target=https://localhost:2379 \\\n --listen-port=9980 \\\n --serving-cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.crt \\\n --serving-key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.key \\\n --client-cert-file=$(ETCDCTL_CERT) \\\n --client-key-file=$(ETCDCTL_KEY) \\\n --client-cacert-file=$(ETCDCTL_CACERT) \\\n --listen-cipher-suites TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 \\\n --listen-tls-min-version=$(ETCD_TLS_MIN_VERSION)\n securityContext:\n \ privileged: true\n ports:\n - containerPort: 9980\n name: readyz\n \ protocol: TCP\n resources:\n requests:\n memory: 50Mi\n \ cpu: 10m\n env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n - name: \"ETCDCTL_API\"\n value: \"3\"\n \ - name: \"ETCDCTL_CACERT\"\n value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n \ value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n value: \"true\"\n \ - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n value: \"5s\"\n \ - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n \ value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n \ value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n value: \"192.168.32.10\"\n \ - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n volumeMounts:\n \ - mountPath: /var/log/etcd/\n name: log-dir\n - mountPath: /etc/kubernetes/static-pod-certs\n name: cert-dir\n - name: etcd-rev\n \ image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:6088910bdc1583b275fab261e3234c0b63b4cc16d01bcea697b6a7f6db13bdf3\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n set -euo pipefail\n \n cluster-etcd-operator rev \\\n --endpoints=$(ALL_ETCD_ENDPOINTS) \\\n --client-cert-file=$(ETCDCTL_CERT) \\\n --client-key-file=$(ETCDCTL_KEY) \\\n --client-cacert-file=$(ETCDCTL_CACERT)\n securityContext:\n \ privileged: true\n resources:\n requests:\n memory: 50Mi\n \ cpu: 10m\n env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n - name: \"ETCDCTL_API\"\n value: \"3\"\n \ - name: \"ETCDCTL_CACERT\"\n value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n \ value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n value: \"true\"\n \ - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n value: \"5s\"\n \ - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n \ value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n \ value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n value: \"192.168.32.10\"\n \ - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n volumeMounts:\n \ - mountPath: /var/lib/etcd\n name: data-dir\n - mountPath: /etc/kubernetes/static-pod-certs\n \ name: cert-dir\n hostNetwork: true\n priority: 2000001000\n priorityClassName: system-node-critical\n tolerations:\n - operator: \"Exists\"\n volumes:\n \ - hostPath:\n path: /etc/kubernetes/manifests\n name: static-pod-dir\n \ - hostPath:\n path: /etc/kubernetes/static-pod-resources/etcd-pod-REVISION\n \ name: resource-dir\n - hostPath:\n path: /etc/kubernetes/static-pod-resources/etcd-certs\n \ name: cert-dir\n - hostPath:\n path: /var/lib/etcd\n type: \"\"\n name: data-dir\n - hostPath:\n path: /usr/local/bin\n \ name: usr-local-bin\n - hostPath:\n path: /var/log/etcd\n name: log-dir\n - hostPath:\n path: /etc/kubernetes\n name: config-dir\n \ - hostPath:\n path: /var/lib/etcd-auto-backup\n name: etcd-auto-backup-dir\n" version: 4.18.0-202602170912.p2.gb7e21f5.assembly.stream.el9-b7e21f5 kind: ConfigMap metadata: creationTimestamp: "2026-03-12T14:13:01Z" labels: operator.openshift.io/controller-instance-name: etcd-RevisionController managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:forceRedeploymentReason: {} f:pod.yaml: {} f:version: {} f:metadata: f:labels: .: {} f:operator.openshift.io/controller-instance-name: {} f:ownerReferences: .: {} k:{"uid":"7d2c7f66-09d2-41a3-9bc1-351331f18fb4"}: {} manager: cluster-etcd-operator operation: Update time: "2026-03-12T14:13:01Z" name: etcd-pod-1 namespace: openshift-etcd ownerReferences: - apiVersion: v1 kind: ConfigMap name: revision-status-1 uid: 7d2c7f66-09d2-41a3-9bc1-351331f18fb4 resourceVersion: "7064" uid: dd68cf58-f712-47e2-b049-9f957f46613e - apiVersion: v1 data: forceRedeploymentReason: "" pod.yaml: "apiVersion: v1\nkind: Pod\nmetadata:\n name: etcd\n namespace: openshift-etcd\n \ annotations:\n kubectl.kubernetes.io/default-container: etcd\n target.workload.openshift.io/management: '{\"effect\": \"PreferredDuringScheduling\"}'\n labels:\n app: etcd\n k8s-app: etcd\n etcd: \"true\"\n revision: \"REVISION\"\nspec:\n initContainers:\n \ - name: setup\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n \ echo -n \"Fixing etcd log permissions.\"\n mkdir -p /var/log/etcd \ && chmod 0600 /var/log/etcd\n echo -n \"Fixing etcd auto backup permissions.\"\n \ mkdir -p /var/lib/etcd-auto-backup && chmod 0600 /var/lib/etcd-auto-backup\n \ securityContext:\n privileged: true\n resources:\n requests:\n \ memory: 50Mi\n cpu: 5m\n volumeMounts:\n - mountPath: /var/log/etcd\n name: log-dir\n - name: etcd-ensure-env-vars\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n \ set -euo pipefail\n\n : \"${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST?not set}\"\n : \"${NODE_NODE_ENVVAR_NAME_ETCD_NAME?not set}\"\n : \"${NODE_NODE_ENVVAR_NAME_IP?not set}\"\n\n # check for ipv4 addresses as well as ipv6 addresses with extra square brackets\n if [[ \"${NODE_NODE_ENVVAR_NAME_IP}\" != \"${NODE_IP}\" && \"${NODE_NODE_ENVVAR_NAME_IP}\" != \"[${NODE_IP}]\" ]]; then\n # echo the error message to stderr\n echo \"Expected node IP to be ${NODE_IP} got ${NODE_NODE_ENVVAR_NAME_IP}\" >&2\n exit 1\n fi\n\n # check for ipv4 addresses as well as ipv6 addresses with extra square brackets\n if [[ \"${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}\" != \"${NODE_IP}\" && \"${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}\" != \"[${NODE_IP}]\" ]]; then\n # echo the error message to stderr\n echo \"Expected etcd url host to be ${NODE_IP} got ${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}\" >&2\n exit 1\n fi\n\n resources:\n requests:\n \ memory: 60Mi\n cpu: 10m\n securityContext:\n privileged: true\n env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_API\"\n value: \"3\"\n - name: \"ETCDCTL_CACERT\"\n \ value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n \ value: \"true\"\n - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n \ value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n \ value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n \ value: \"5s\"\n - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n \ - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n \ - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n \ value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n \ value: \"192.168.32.10\"\n - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n - name: NODE_IP\n valueFrom:\n fieldRef:\n \ fieldPath: status.podIP\n - name: etcd-resources-copy\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n \ set -euo pipefail\n\n rm -f $(grep -l '^### Created by cluster-etcd-operator' /usr/local/bin/*)\n cp -p /etc/kubernetes/static-pod-certs/configmaps/etcd-scripts/*.sh /usr/local/bin\n\n resources:\n requests:\n memory: 60Mi\n \ cpu: 10m\n securityContext:\n privileged: true\n volumeMounts:\n \ - mountPath: /etc/kubernetes/static-pod-resources\n name: resource-dir\n \ - mountPath: /etc/kubernetes/static-pod-certs\n name: cert-dir\n \ - mountPath: /usr/local/bin\n name: usr-local-bin\n containers:\n \ # The etcdctl container should always be first. It is intended to be used\n \ # to open a remote shell via `oc rsh` that is ready to run `etcdctl`.\n - name: etcdctl\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - \"/bin/bash\"\n - \"-c\"\n - \"trap TERM INT; sleep infinity & wait\"\n resources:\n requests:\n memory: 60Mi\n \ cpu: 10m\n volumeMounts:\n - mountPath: /etc/kubernetes/manifests\n \ name: static-pod-dir\n - mountPath: /etc/kubernetes/static-pod-resources\n \ name: resource-dir\n - mountPath: /etc/kubernetes/static-pod-certs\n \ name: cert-dir\n - mountPath: /var/lib/etcd/\n name: data-dir\n \ env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_API\"\n value: \"3\"\n - name: \"ETCDCTL_CACERT\"\n \ value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n \ value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n value: \"true\"\n \ - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n value: \"5s\"\n \ - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n \ value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n \ value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n value: \"192.168.32.10\"\n \ - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n - name: \"ETCD_STATIC_POD_VERSION\"\n value: \"REVISION\"\n\n - name: etcd\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n set -euo pipefail\n\n etcdctl member list || true\n\n # this has a non-zero return code if the command is non-zero. If you use an export first, it doesn't and you\n # will succeed when you should fail.\n ETCD_INITIAL_CLUSTER=$(discover-etcd-initial-cluster \\\n --cacert=/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt \\\n --cert=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt \\\n --key=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key \\\n --endpoints=${ALL_ETCD_ENDPOINTS} \\\n --data-dir=/var/lib/etcd \\\n --target-peer-url-host=${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST} \\\n --target-name=NODE_NAME)\n export ETCD_INITIAL_CLUSTER\n\n \ # we cannot use the \"normal\" port conflict initcontainer because when we upgrade, the existing static pod will never yield,\n # so we do the detection in etcd container itself.\n echo -n \"Waiting for ports 2379, 2380 and 9978 to be released.\"\n time while [ -n \"$(ss -Htan '( sport = 2379 or sport = 2380 or sport = 9978 )')\" ]; do\n echo -n \".\"\n \ sleep 1\n done\n\n export ETCD_NAME=${NODE_NODE_ENVVAR_NAME_ETCD_NAME}\n \ env | grep ETCD | grep -v NODE\n\n set -x\n # See https://etcd.io/docs/v3.4.0/tuning/ for why we use ionice\n exec nice -n -19 ionice -c2 -n0 etcd \\\n --logger=zap \\\n --log-level=info \\\n --experimental-initial-corrupt-check=true \\\n --snapshot-count=10000 \\\n --initial-advertise-peer-urls=https://${NODE_NODE_ENVVAR_NAME_IP}:2380 \\\n --cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.crt \\\n --key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.key \\\n --trusted-ca-file=/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt \\\n --client-cert-auth=true \\\n --peer-cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt \\\n --peer-key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key \\\n --peer-trusted-ca-file=/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt \\\n --peer-client-cert-auth=true \\\n --advertise-client-urls=https://${NODE_NODE_ENVVAR_NAME_IP}:2379 \\\n --listen-client-urls=https://0.0.0.0:2379,unixs://${NODE_NODE_ENVVAR_NAME_IP}:0 \\\n --listen-peer-urls=https://0.0.0.0:2380 \\\n --metrics=extensive \\\n --listen-metrics-urls=https://0.0.0.0:9978 || mv /etc/kubernetes/etcd-backup-dir/etcd-member.yaml /etc/kubernetes/manifests\n ports:\n - containerPort: 2379\n name: etcd\n protocol: TCP\n - containerPort: 2380\n name: etcd-peer\n \ protocol: TCP\n - containerPort: 9978\n name: etcd-metrics\n protocol: TCP\n env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_API\"\n value: \"3\"\n - name: \"ETCDCTL_CACERT\"\n \ value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n \ value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n value: \"true\"\n \ - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n value: \"5s\"\n \ - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n \ value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n \ value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n value: \"192.168.32.10\"\n \ - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n - name: \"ETCD_STATIC_POD_VERSION\"\n value: \"REVISION\"\n resources:\n requests:\n \ memory: 600Mi\n cpu: 300m\n readinessProbe:\n httpGet:\n \ port: 9980\n path: readyz\n scheme: HTTPS\n timeoutSeconds: 30\n failureThreshold: 5\n periodSeconds: 5\n successThreshold: 1\n livenessProbe:\n httpGet:\n path: healthz\n port: 9980\n scheme: HTTPS\n timeoutSeconds: 30\n periodSeconds: 5\n successThreshold: 1\n failureThreshold: 5\n startupProbe:\n \ httpGet:\n port: 9980\n path: readyz\n scheme: HTTPS\n \ initialDelaySeconds: 10\n timeoutSeconds: 1\n periodSeconds: 10\n successThreshold: 1\n failureThreshold: 18\n securityContext:\n \ privileged: true\n volumeMounts:\n - mountPath: /etc/kubernetes/manifests\n \ name: static-pod-dir\n - mountPath: /etc/kubernetes/static-pod-resources\n \ name: resource-dir\n - mountPath: /etc/kubernetes/static-pod-certs\n \ name: cert-dir\n - mountPath: /var/lib/etcd/\n name: data-dir\n\n \ - name: etcd-metrics\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n set -euo pipefail\n\n export ETCD_NAME=${NODE_NODE_ENVVAR_NAME_ETCD_NAME}\n\n \ exec nice -n -18 etcd grpc-proxy start \\\n --endpoints https://${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}:9978 \\\n --metrics-addr https://0.0.0.0:9979 \\\n --listen-addr 127.0.0.1:9977 \\\n --advertise-client-url \"\" \\\n --key /etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key \\\n --key-file /etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-metrics-NODE_NAME.key \\\n --cert /etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt \\\n --cert-file /etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-metrics-NODE_NAME.crt \\\n --cacert /etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt \\\n --trusted-ca-file /etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/metrics-ca-bundle.crt \\\n --listen-cipher-suites TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 \\\n --tls-min-version $(ETCD_TLS_MIN_VERSION)\n ports:\n - containerPort: 9979\n name: proxy-metrics\n protocol: TCP\n env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \n \ - name: \"ETCDCTL_API\"\n value: \"3\"\n \n - name: \"ETCDCTL_CACERT\"\n \ value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ \n - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ \n - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ \n - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ \n - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ \n - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n \n \ - name: \"ETCD_ELECTION_TIMEOUT\"\n value: \"2500\"\n \n - name: \"ETCD_ENABLE_PPROF\"\n value: \"true\"\n \n - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n \ value: \"1\"\n \n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n \ value: \"200ms\"\n \n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n \ value: \"5s\"\n \n - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n \n - name: \"ETCD_IMAGE\"\n value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\"\n \ \n - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n \ \n - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n \ \n - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n \n \ - name: \"ETCD_TLS_MIN_VERSION\"\n value: \"TLS1.2\"\n \n - name: \"NODE_master_0_ETCD_NAME\"\n value: \"master-0\"\n \n - name: \"NODE_master_0_ETCD_URL_HOST\"\n \ value: \"192.168.32.10\"\n \n - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n - name: \"ETCD_STATIC_POD_VERSION\"\n value: \"REVISION\"\n \ resources:\n requests:\n memory: 200Mi\n cpu: 40m\n securityContext:\n \ privileged: true\n volumeMounts:\n - mountPath: /etc/kubernetes/static-pod-resources\n \ name: resource-dir\n - mountPath: /etc/kubernetes/static-pod-certs\n \ name: cert-dir\n - mountPath: /var/lib/etcd/\n name: data-dir\n \ - name: etcd-readyz\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:6088910bdc1583b275fab261e3234c0b63b4cc16d01bcea697b6a7f6db13bdf3\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n set -euo pipefail\n \n exec nice -n -18 cluster-etcd-operator readyz \\\n --target=https://localhost:2379 \\\n --listen-port=9980 \\\n --serving-cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.crt \\\n --serving-key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.key \\\n --client-cert-file=$(ETCDCTL_CERT) \\\n --client-key-file=$(ETCDCTL_KEY) \\\n --client-cacert-file=$(ETCDCTL_CACERT) \\\n --listen-cipher-suites TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 \\\n --listen-tls-min-version=$(ETCD_TLS_MIN_VERSION)\n securityContext:\n \ privileged: true\n ports:\n - containerPort: 9980\n name: readyz\n \ protocol: TCP\n resources:\n requests:\n memory: 50Mi\n \ cpu: 10m\n env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n - name: \"ETCDCTL_API\"\n value: \"3\"\n \ - name: \"ETCDCTL_CACERT\"\n value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n \ value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n value: \"true\"\n \ - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n value: \"5s\"\n \ - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n \ value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n \ value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n value: \"192.168.32.10\"\n \ - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n volumeMounts:\n \ - mountPath: /var/log/etcd/\n name: log-dir\n - mountPath: /etc/kubernetes/static-pod-certs\n name: cert-dir\n - name: etcd-rev\n \ image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:6088910bdc1583b275fab261e3234c0b63b4cc16d01bcea697b6a7f6db13bdf3\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n set -euo pipefail\n \n cluster-etcd-operator rev \\\n --endpoints=$(ALL_ETCD_ENDPOINTS) \\\n --client-cert-file=$(ETCDCTL_CERT) \\\n --client-key-file=$(ETCDCTL_KEY) \\\n --client-cacert-file=$(ETCDCTL_CACERT)\n securityContext:\n \ privileged: true\n resources:\n requests:\n memory: 50Mi\n \ cpu: 10m\n env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n - name: \"ETCDCTL_API\"\n value: \"3\"\n \ - name: \"ETCDCTL_CACERT\"\n value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n \ value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n value: \"true\"\n \ - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n value: \"5s\"\n \ - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n \ value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n \ value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n value: \"192.168.32.10\"\n \ - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n volumeMounts:\n \ - mountPath: /var/lib/etcd\n name: data-dir\n - mountPath: /etc/kubernetes/static-pod-certs\n \ name: cert-dir\n hostNetwork: true\n priority: 2000001000\n priorityClassName: system-node-critical\n tolerations:\n - operator: \"Exists\"\n volumes:\n \ - hostPath:\n path: /etc/kubernetes/manifests\n name: static-pod-dir\n \ - hostPath:\n path: /etc/kubernetes/static-pod-resources/etcd-pod-REVISION\n \ name: resource-dir\n - hostPath:\n path: /etc/kubernetes/static-pod-resources/etcd-certs\n \ name: cert-dir\n - hostPath:\n path: /var/lib/etcd\n type: \"\"\n name: data-dir\n - hostPath:\n path: /usr/local/bin\n \ name: usr-local-bin\n - hostPath:\n path: /var/log/etcd\n name: log-dir\n - hostPath:\n path: /etc/kubernetes\n name: config-dir\n \ - hostPath:\n path: /var/lib/etcd-auto-backup\n name: etcd-auto-backup-dir\n" version: 4.18.0-202602170912.p2.gb7e21f5.assembly.stream.el9-b7e21f5 kind: ConfigMap metadata: creationTimestamp: "2026-03-12T14:16:12Z" labels: operator.openshift.io/controller-instance-name: etcd-RevisionController managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:forceRedeploymentReason: {} f:pod.yaml: {} f:version: {} f:metadata: f:labels: .: {} f:operator.openshift.io/controller-instance-name: {} f:ownerReferences: .: {} k:{"uid":"ac330b93-7c0b-4438-8875-ec23ce5f1933"}: {} manager: cluster-etcd-operator operation: Update time: "2026-03-12T14:16:12Z" name: etcd-pod-2 namespace: openshift-etcd ownerReferences: - apiVersion: v1 kind: ConfigMap name: revision-status-2 uid: ac330b93-7c0b-4438-8875-ec23ce5f1933 resourceVersion: "10706" uid: d7050ff8-7254-499f-9427-8a4fde8c735b - apiVersion: v1 data: cluster-backup.sh: | #!/usr/bin/env bash ### Created by cluster-etcd-operator. DO NOT edit. set -o errexit set -o pipefail set -o errtrace # example # cluster-backup.sh $path-to-snapshot if [[ $EUID -ne 0 ]]; then echo "This script must be run as root" exit 1 fi function usage { echo 'Path to backup dir required: ./cluster-backup.sh [--force] ' exit 1 } IS_DIRTY="" if [ "$1" == "--force" ]; then IS_DIRTY="__POSSIBLY_DIRTY__" shift fi # If the first argument is missing, or it is an existing file, then print usage and exit if [ -z "$1" ] || [ -f "$1" ]; then usage fi if [ ! -d "$1" ]; then mkdir -p "$1" fi function check_if_operator_is_progressing { local operator="$1" if [ ! -f "${KUBECONFIG}" ]; then echo "Valid kubeconfig is not found in kube-apiserver-certs. Exiting!" exit 1 fi progressing=$(oc get co "${operator}" -o jsonpath='{.status.conditions[?(@.type=="Progressing")].status}') || true if [ "$progressing" == "" ]; then echo "Could not find the status of the $operator. Check if the API server is running. Pass the --force flag to skip checks." exit 1 elif [ "$progressing" != "False" ]; then echo "Currently the $operator operator is progressing. A reliable backup requires that a rollout is not in progress. Aborting!" exit 1 fi } # backup latest static pod resources function backup_latest_kube_static_resources { local backup_tar_file="$1" local backup_resource_list=("kube-apiserver" "kube-controller-manager" "kube-scheduler" "etcd") local latest_resource_dirs=() for resource in "${backup_resource_list[@]}"; do if [ ! -f "/etc/kubernetes/manifests/${resource}-pod.yaml" ]; then echo "error finding manifests for the ${resource} pod. please check if it is running." exit 1 fi local latest_resource latest_resource=$(grep -o -m 1 "/etc/kubernetes/static-pod-resources/${resource}-pod-[0-9]*" "/etc/kubernetes/manifests/${resource}-pod.yaml") || true if [ -z "${latest_resource}" ]; then echo "error finding static-pod-resources for the ${resource} pod. please check if it is running." exit 1 fi if [ "${IS_DIRTY}" == "" ]; then check_if_operator_is_progressing "${resource}" fi echo "found latest ${resource}: ${latest_resource}" latest_resource_dirs+=("${latest_resource#${CONFIG_FILE_DIR}/}") done # tar latest resources with the path relative to CONFIG_FILE_DIR tar -cpzf "$backup_tar_file" -C "${CONFIG_FILE_DIR}" "${latest_resource_dirs[@]}" chmod 600 "$backup_tar_file" } function source_required_dependency { local src_path="$1" if [ ! -f "${src_path}" ]; then echo "required dependencies not found, please ensure this script is run on a node with a functional etcd static pod" exit 1 fi # shellcheck disable=SC1090 source "${src_path}" } BACKUP_DIR="$1" DATESTRING=$(date "+%F_%H%M%S") BACKUP_TAR_FILE=${BACKUP_DIR}/static_kuberesources_${DATESTRING}${IS_DIRTY}.tar.gz SNAPSHOT_FILE="${BACKUP_DIR}/snapshot_${DATESTRING}${IS_DIRTY}.db" trap 'rm -f ${BACKUP_TAR_FILE} ${SNAPSHOT_FILE}' ERR source_required_dependency /etc/kubernetes/static-pod-resources/etcd-certs/configmaps/etcd-scripts/etcd.env source_required_dependency /etc/kubernetes/static-pod-resources/etcd-certs/configmaps/etcd-scripts/etcd-common-tools # replacing the value of variables sourced form etcd.env to use the local node folders if the script is not running into the cluster-backup pod if [ ! -f "${ETCDCTL_CACERT}" ]; then echo "Certificate ${ETCDCTL_CACERT} is missing. Checking in different directory" export ETCDCTL_CACERT=$(echo ${ETCDCTL_CACERT} | sed -e "s|static-pod-certs|static-pod-resources/etcd-certs|") export ETCDCTL_CERT=$(echo ${ETCDCTL_CERT} | sed -e "s|static-pod-certs|static-pod-resources/etcd-certs|") export ETCDCTL_KEY=$(echo ${ETCDCTL_KEY} | sed -e "s|static-pod-certs|static-pod-resources/etcd-certs|") if [ ! -f "${ETCDCTL_CACERT}" ]; then echo "Certificate ${ETCDCTL_CACERT} is also missing in the second directory. Exiting!" exit 1 else echo "Certificate ${ETCDCTL_CACERT} found!" fi fi backup_latest_kube_static_resources "${BACKUP_TAR_FILE}" # Download etcdctl and get the etcd snapshot dl_etcdctl # snapshot save will continue to stay in etcdctl ETCDCTL_ENDPOINTS="https://${NODE_NODE_ENVVAR_NAME_IP}:2379" etcdctl snapshot save "${SNAPSHOT_FILE}" # Check the integrity of the snapshot check_snapshot_status "${SNAPSHOT_FILE}" snapshot_failed=$? # If check_snapshot_status returned 1 it failed, so exit with code 1 if [[ $snapshot_failed -eq 1 ]]; then echo "snapshot failed with exit code ${snapshot_failed}" exit 1 fi echo "snapshot db and kube resources are successfully saved to ${BACKUP_DIR}" cluster-restore.sh: |+ #!/usr/bin/env bash ### Created by cluster-etcd-operator. DO NOT edit. set -o errexit set -o pipefail set -o errtrace # example # ./cluster-restore.sh $path-to-backup # ETCD_ETCDCTL_RESTORE - when set this script will use `etcdctl snapshot restore` instead of a restore pod yaml, # which can be used when restoring a single member (e.g. on single node OCP). # Syncing very big snapshots (>8GiB) from the leader might also be expensive, this aids in # keeping the amount of data pulled to a minimum. This option will neither rev-bump nor mark-compact. if [[ $EUID -ne 0 ]]; then echo "This script must be run as root" exit 1 fi function source_required_dependency { local src_path="$1" if [ ! -f "${src_path}" ]; then echo "required dependencies not found, please ensure this script is run on a node with a functional etcd static pod" exit 1 fi # shellcheck disable=SC1090 source "${src_path}" } source_required_dependency /etc/kubernetes/static-pod-resources/etcd-certs/configmaps/etcd-scripts/etcd.env source_required_dependency /etc/kubernetes/static-pod-resources/etcd-certs/configmaps/etcd-scripts/etcd-common-tools function usage() { echo 'Path to the directory containing backup files is required: ./cluster-restore.sh ' echo 'The backup directory is expected to be contain two files:' echo ' 1. etcd snapshot' echo ' 2. A copy of the Static POD resources at the time of backup' exit 1 } # If the argument is not passed, or if it is not a directory, print usage and exit. if [ "$1" == "" ] || [ ! -d "$1" ]; then usage fi function restore_static_pods() { local backup_file="$1" shift local static_pods=("$@") for pod_file_name in "${static_pods[@]}"; do backup_pod_path=$(tar -tvf "${backup_file}" "*${pod_file_name}" | awk '{ print $6 }') || true if [ -z "${backup_pod_path}" ]; then echo "${pod_file_name} does not exist in ${backup_file}" exit 1 fi echo "starting ${pod_file_name}" tar -xvf "${backup_file}" --strip-components=2 -C "${MANIFEST_DIR}"/ "${backup_pod_path}" done } BACKUP_DIR="$1" # shellcheck disable=SC2012 BACKUP_FILE=$(ls -vd "${BACKUP_DIR}"/static_kuberesources*.tar.gz | tail -1) || true # shellcheck disable=SC2012 SNAPSHOT_FILE=$(ls -vd "${BACKUP_DIR}"/snapshot*.db | tail -1) || true ETCD_STATIC_POD_LIST=("etcd-pod.yaml") ETCD_STATIC_POD_CONTAINERS=("etcd" "etcdctl" "etcd-metrics" "etcd-readyz" "etcd-rev" "etcd-backup-server") if [ ! -f "${SNAPSHOT_FILE}" ]; then echo "etcd snapshot ${SNAPSHOT_FILE} does not exist" exit 1 fi # Download etcdctl and check the snapshot status dl_etcdctl check_snapshot_status "${SNAPSHOT_FILE}" ETCD_CLIENT="${ETCD_ETCDCTL_BIN+etcdctl}" if [ -n "${ETCD_ETCDUTL_BIN}" ]; then ETCD_CLIENT="${ETCD_ETCDUTL_BIN}" fi # always move etcd pod and wait for all containers to exit mv_static_pods "${ETCD_STATIC_POD_LIST[@]}" wait_for_containers_to_stop "${ETCD_STATIC_POD_CONTAINERS[@]}" if [ ! -d "${ETCD_DATA_DIR_BACKUP}" ]; then mkdir -p "${ETCD_DATA_DIR_BACKUP}" fi # backup old data-dir if [ -d "${ETCD_DATA_DIR}/member" ]; then if [ -d "${ETCD_DATA_DIR_BACKUP}/member" ]; then echo "removing previous backup ${ETCD_DATA_DIR_BACKUP}/member" rm -rf "${ETCD_DATA_DIR_BACKUP}"/member fi echo "Moving etcd data-dir ${ETCD_DATA_DIR}/member to ${ETCD_DATA_DIR_BACKUP}" mv "${ETCD_DATA_DIR}"/member "${ETCD_DATA_DIR_BACKUP}"/ fi if [ -z "${ETCD_ETCDCTL_RESTORE}" ]; then # Restore static pod resources tar -C "${CONFIG_FILE_DIR}" -xzf "${BACKUP_FILE}" static-pod-resources # Copy snapshot to backupdir cp -p "${SNAPSHOT_FILE}" "${ETCD_DATA_DIR_BACKUP}"/snapshot.db # Move the revision.json when it exists [ ! -f "${ETCD_REV_JSON}" ] || mv -f "${ETCD_REV_JSON}" "${ETCD_DATA_DIR_BACKUP}"/revision.json # removing any fio perf files left behind that could be deleted without problems rm -f "${ETCD_DATA_DIR}"/etcd_perf* # ensure the folder is really empty, otherwise the restore pod will crash loop if [ -n "$(ls -A "${ETCD_DATA_DIR}")" ]; then echo "folder ${ETCD_DATA_DIR} is not empty, please review and remove all files in it" exit 1 fi echo "starting restore-etcd static pod" cp -p "${RESTORE_ETCD_POD_YAML}" "${MANIFEST_DIR}/etcd-pod.yaml" else echo "removing etcd data dir..." rm -rf "${ETCD_DATA_DIR}" mkdir -p "${ETCD_DATA_DIR}" echo "starting snapshot restore through etcdctl..." # We are never going to rev-bump here to ensure we don't cause a revision split between the # remainder of the running cluster and this restore member. Imagine your non-restore quorum members run at rev 100, # we would attempt to rev bump this with snapshot at rev 120, now this member is 20 revisions ahead and RAFT is confused. if ! ${ETCD_CLIENT} snapshot restore "${SNAPSHOT_FILE}" --data-dir="${ETCD_DATA_DIR}"; then echo "Snapshot restore failed. Aborting!" exit 1 fi # start the original etcd static pod again through the new snapshot echo "restoring old etcd pod to start etcd again" mv "${MANIFEST_STOPPED_DIR}/etcd-pod.yaml" "${MANIFEST_DIR}/etcd-pod.yaml" fi disable-etcd.sh: | #!/usr/bin/env bash ### Created by cluster-etcd-operator. DO NOT edit. set -o errexit set -o pipefail set -o errtrace # disable-etcd.sh # This script will move the etcd static pod into the home/core/assets/manifests-stopped folder and wait for all containers to exit. if [[ $EUID -ne 0 ]]; then echo "This script must be run as root" exit 1 fi function source_required_dependency { local src_path="$1" if [ ! -f "${src_path}" ]; then echo "required dependencies not found, please ensure this script is run on a node with a functional etcd static pod" exit 1 fi # shellcheck disable=SC1090 source "${src_path}" } source_required_dependency /etc/kubernetes/static-pod-resources/etcd-certs/configmaps/etcd-scripts/etcd.env source_required_dependency /etc/kubernetes/static-pod-resources/etcd-certs/configmaps/etcd-scripts/etcd-common-tools ETCD_STATIC_POD_LIST=("etcd-pod.yaml") ETCD_STATIC_POD_CONTAINERS=("etcd" "etcdctl" "etcd-metrics" "etcd-readyz" "etcd-rev" "etcd-backup-server") # always move etcd pod and wait for all containers to exit mv_static_pods "${ETCD_STATIC_POD_LIST[@]}" wait_for_containers_to_stop "${ETCD_STATIC_POD_CONTAINERS[@]}" etcd-common-tools: | # Common environment variables ASSET_DIR="/home/core/assets" CONFIG_FILE_DIR="/etc/kubernetes" MANIFEST_DIR="${CONFIG_FILE_DIR}/manifests" ETCD_DATA_DIR="/var/lib/etcd" ETCD_DATA_DIR_BACKUP="/var/lib/etcd-backup" ETCD_REV_JSON="${ETCD_DATA_DIR}/revision.json" MANIFEST_STOPPED_DIR="${ASSET_DIR}/manifests-stopped" RESTORE_ETCD_POD_YAML="${CONFIG_FILE_DIR}/static-pod-resources/etcd-certs/configmaps/restore-etcd-pod/pod.yaml" QUORUM_RESTORE_ETCD_POD_YAML="${CONFIG_FILE_DIR}/static-pod-resources/etcd-certs/configmaps/restore-etcd-pod/quorum-restore-pod.yaml" ETCDCTL_BIN_DIR="${CONFIG_FILE_DIR}/static-pod-resources/bin" PATH=${PATH}:${ETCDCTL_BIN_DIR} export KUBECONFIG="/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/localhost.kubeconfig" export ETCD_ETCDCTL_BIN="etcdctl" # download etcdctl from download release image function dl_etcdctl { # Avoid caching the binary when podman exists, the etcd image is always available locally and we need a way to update etcdctl. # When we're running from an etcd image there's no podman and we can continue without a download. if ([ -n "$(command -v podman)" ]); then local etcdimg=${ETCD_IMAGE} local etcdctr=$(podman create --authfile=/var/lib/kubelet/config.json ${etcdimg}) local etcdmnt=$(podman mount "${etcdctr}") [ ! -d ${ETCDCTL_BIN_DIR} ] && mkdir -p ${ETCDCTL_BIN_DIR} cp ${etcdmnt}/bin/etcdctl ${ETCDCTL_BIN_DIR}/ if [ -f "${etcdmnt}/bin/etcdutl" ]; then cp ${etcdmnt}/bin/etcdutl ${ETCDCTL_BIN_DIR}/ export ETCD_ETCDUTL_BIN=etcdutl fi if ! [ -x "$(command -v jq)" ]; then cp ${etcdmnt}/bin/jq ${ETCDCTL_BIN_DIR}/ fi umount "${etcdmnt}" podman rm "${etcdctr}" etcdctl version return fi if ([ -x "$(command -v etcdctl)" ]); then echo "etcdctl is already installed" if [ -x "$(command -v etcdutl)" ]; then echo "etcdutl is already installed" export ETCD_ETCDUTL_BIN=etcdutl fi return fi echo "Could neither pull etcdctl nor find it locally in cache. Aborting!" exit 1 } function check_snapshot_status() { local snap_file="$1" ETCD_CLIENT="${ETCD_ETCDCTL_BIN}" if [ -n "${ETCD_ETCDUTL_BIN}" ]; then ETCD_CLIENT="${ETCD_ETCDUTL_BIN}" fi if ! ${ETCD_CLIENT} snapshot status "${snap_file}" -w json; then echo "Backup integrity verification failed. Backup appears corrupted. Aborting!" return 1 fi } function wait_for_containers_to_stop() { local containers=("$@") for container_name in "${containers[@]}"; do echo "Waiting for container ${container_name} to stop" while [[ -n $(crictl ps --label io.kubernetes.container.name="${container_name}" -q) ]]; do echo -n "." sleep 1 done echo "complete" done } function mv_static_pods() { local containers=("$@") # Move manifests and stop static pods if [ ! -d "$MANIFEST_STOPPED_DIR" ]; then mkdir -p "$MANIFEST_STOPPED_DIR" fi for POD_FILE_NAME in "${containers[@]}"; do echo "...stopping ${POD_FILE_NAME}" [ ! -f "${MANIFEST_DIR}/${POD_FILE_NAME}" ] && continue mv "${MANIFEST_DIR}/${POD_FILE_NAME}" "${MANIFEST_STOPPED_DIR}" done } etcd.env: | export ALL_ETCD_ENDPOINTS="https://192.168.32.10:2379" export ETCDCTL_API="3" export ETCDCTL_CACERT="/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt" export ETCDCTL_CERT="/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt" export ETCDCTL_ENDPOINTS="https://192.168.32.10:2379" export ETCDCTL_KEY="/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key" export ETCD_CIPHER_SUITES="TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" export ETCD_DATA_DIR="/var/lib/etcd" export ETCD_ELECTION_TIMEOUT="2500" export ETCD_ENABLE_PPROF="true" export ETCD_EXPERIMENTAL_MAX_LEARNERS="1" export ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION="200ms" export ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL="5s" export ETCD_HEARTBEAT_INTERVAL="500" export ETCD_IMAGE="quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b" export ETCD_INITIAL_CLUSTER_STATE="existing" export ETCD_QUOTA_BACKEND_BYTES="8589934592" export ETCD_SOCKET_REUSE_ADDRESS="true" export ETCD_TLS_MIN_VERSION="TLS1.2" export NODE_master_0_ETCD_NAME="master-0" export NODE_master_0_ETCD_URL_HOST="192.168.32.10" export NODE_master_0_IP="192.168.32.10" quorum-restore.sh: | #!/usr/bin/env bash ### Created by cluster-etcd-operator. DO NOT edit. set -o errexit set -o pipefail set -o errtrace # ./quorum-restore.sh # This script attempts to restore quorum by spawning a revision-bumped etcd without membership information. if [[ $EUID -ne 0 ]]; then echo "This script must be run as root" exit 1 fi function source_required_dependency { local src_path="$1" if [ ! -f "${src_path}" ]; then echo "required dependencies not found, please ensure this script is run on a node with a functional etcd static pod" exit 1 fi # shellcheck disable=SC1090 source "${src_path}" } source_required_dependency /etc/kubernetes/static-pod-resources/etcd-certs/configmaps/etcd-scripts/etcd.env source_required_dependency /etc/kubernetes/static-pod-resources/etcd-certs/configmaps/etcd-scripts/etcd-common-tools ETCD_STATIC_POD_LIST=("etcd-pod.yaml") ETCD_STATIC_POD_CONTAINERS=("etcd" "etcdctl" "etcd-metrics" "etcd-readyz" "etcd-rev" "etcd-backup-server") # always move etcd pod and wait for all containers to exit mv_static_pods "${ETCD_STATIC_POD_LIST[@]}" wait_for_containers_to_stop "${ETCD_STATIC_POD_CONTAINERS[@]}" echo "starting restore-etcd static pod" cp "${QUORUM_RESTORE_ETCD_POD_YAML}" "${MANIFEST_DIR}/etcd-pod.yaml" kind: ConfigMap metadata: creationTimestamp: "2026-03-12T14:12:58Z" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:cluster-backup.sh: {} f:cluster-restore.sh: {} f:disable-etcd.sh: {} f:etcd-common-tools: {} f:etcd.env: {} f:quorum-restore.sh: {} manager: cluster-etcd-operator operation: Update time: "2026-03-12T14:12:58Z" name: etcd-scripts namespace: openshift-etcd resourceVersion: "6857" uid: 8aa47a18-9a91-4149-90b0-fa8ddabd71e5 - apiVersion: v1 data: ca.crt: | -----BEGIN CERTIFICATE----- MIIDMjCCAhqgAwIBAgIIRMpEhb1rLoAwDQYJKoZIhvcNAQELBQAwNzESMBAGA1UE CxMJb3BlbnNoaWZ0MSEwHwYDVQQDExhrdWJlLWFwaXNlcnZlci1sYi1zaWduZXIw HhcNMjYwMzEyMTM1NTUwWhcNMzYwMzA5MTM1NTUwWjA3MRIwEAYDVQQLEwlvcGVu c2hpZnQxITAfBgNVBAMTGGt1YmUtYXBpc2VydmVyLWxiLXNpZ25lcjCCASIwDQYJ KoZIhvcNAQEBBQADggEPADCCAQoCggEBAN+pBdh6z/KV9Deh0OziFnieBIQVaHUy NwORNss9Hq2+ghM1WDEe11smyV42LoilQ0ueLhVQumT8Q9eGQdDfSisMdx0QGkRo XVr2f6Bjq7h1OhUNi0XdAoaGhlwlZDNXLZHnvT/34Z4TbU9VBXV2aBgsVdJ24Lu5 VEXlq+equYESbf7ywMMXfN3hmqYCNQ10SyvdQXOy5vLPNnaQB8Bk/aywArXaBGft ABFZLt2njnW2nrSyaC+geOQiJ8te2PKd2QAEREDxtagqlZTTNh481WoruXgYSPlR wj2F/0Bcu6CgwgQGjDZ4LwOSEXQKxLilWjYSfSeqMjVYmD2cFJDracECAwEAAaNC MEAwDgYDVR0PAQH/BAQDAgKkMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFAv/ x0isc6eihdud1zLANYuwMG8KMA0GCSqGSIb3DQEBCwUAA4IBAQCnvBCwz3vYwM1m RfRJasPfoJuYxkepdhZV46qTHgcMZefq3aRe3fCvC370a8ywDPReYiveWqpIJCDf 4R+xXn6UMgHWmgJ6p/xM7x5m0IEiS6S2yjAsW5sVeN4UdBmdeWDmKlQqw26YeRMT g+n8O06ko5rFs6c3hi5BfOlUVRZmHSOnqVIUu+j3Tb2eQLVu+ivSgNCEfkGDWX7M xpMp9FSfRIQKjLtrR1b1J8zgShDK4/0Als1uNvg4wU4wQPn5nr4Ky2zP0jBCFt2+ ZFuEW/HhctTUwQv0VDloPMgRl3f7eR+djiKHJkD0RtVh+wVnWwJs2BOYD9ZfSFlJ hVQF315n -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIDQDCCAiigAwIBAgIIRk1BX2nv0SQwDQYJKoZIhvcNAQELBQAwPjESMBAGA1UE CxMJb3BlbnNoaWZ0MSgwJgYDVQQDEx9rdWJlLWFwaXNlcnZlci1sb2NhbGhvc3Qt c2lnbmVyMB4XDTI2MDMxMjEzNTU1MFoXDTM2MDMwOTEzNTU1MFowPjESMBAGA1UE CxMJb3BlbnNoaWZ0MSgwJgYDVQQDEx9rdWJlLWFwaXNlcnZlci1sb2NhbGhvc3Qt c2lnbmVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA24xYHdx2Su9Y UiFQ+AOtgDskzgYxOrS+8RHBOXENN2neC9+7ldEVABUTy7qYQUnp3soqW+OGQor2 sT/IPayxzPhonwNp2ex0R8G4E7HZMEUWZbg0TzSjpSjrjjk3WkqhrBhFhRdQX4Z6 Z+low0KlSz3BqxMGXwnmPwdBYvnT1n7XGoJBW6K0Vh8MhxoNNefOqtE6/X+TGuyf TAXQ5Tgwv4XbEBu8R0Y9U/QCgGbCWTWMc7VY2qwe/K6aE2ZzD7KzQQDYcBSJCol6 dss9nYmzEPLa8r5tF5Ts184v0d8bGLLYZHOgVKSb6DX4tplYoy3qjyTKogHxbOTb 60vfRVJoXwIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAqQwDwYDVR0TAQH/BAUwAwEB /zAdBgNVHQ4EFgQUCpBa3d5/PGLhFZmyBjyzoEb/sFkwDQYJKoZIhvcNAQELBQAD ggEBAEIwQKb8FVcgftDU+IJZRSpUiLgrfn+rGBg+PwMERkx9FHamYPV73WH0O/B1 qVZpKoIfJ8yoKmU90Etz6B5m+vQ508h57Oo5nmJIUxrPSNqPivc56AqQvbhI0WuV WLyu5KLa8dgL5zirSb8PpOEJrXEzhwtX8tyx77Sm9i0LXUcMvy86ig9PJS0F7cLN hMbIIEr53BoWyAUe4NcrogAnhnis8i15302sCPx9Y+1as1IDug/FTAsyFJJWvlA9 vBc5+/+wORPUKHdSAEae1qRfVAKjDkshF9+pypi/7/iqUIVXtifPBYLd84BDnSzC 0LCCrgZFGUoosmwnQvTR2a1GB1c= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIDTDCCAjSgAwIBAgIIZqgyONOxdYIwDQYJKoZIhvcNAQELBQAwRDESMBAGA1UE CxMJb3BlbnNoaWZ0MS4wLAYDVQQDEyVrdWJlLWFwaXNlcnZlci1zZXJ2aWNlLW5l dHdvcmstc2lnbmVyMB4XDTI2MDMxMjEzNTU1MVoXDTM2MDMwOTEzNTU1MVowRDES MBAGA1UECxMJb3BlbnNoaWZ0MS4wLAYDVQQDEyVrdWJlLWFwaXNlcnZlci1zZXJ2 aWNlLW5ldHdvcmstc2lnbmVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC AQEAxw0j0TDjWwK94GfHrmcyCMqyLEE5tsMzMzTgGwnLJ6sJtI7cylMnX62s95Cd VEsq9b7zHXdmEXnx7WKXORlI4weypCuks1DetjyVZ19eTzs6k9FLhposB910c55j AsNOTVNMXGda+n1mdXTDJG1uOhM244dLoLF20FURw4EtT3fHqyo5zC/CBGMp7Tmq 6Q7CadgWTBEKHEunbQZIxxAPdDF1PJ79lOJbQwh7WyD4bYh1uKlKVctwJWTzIkWq sVTXfo3KPzupEXkvot7h+vqdWT0D+LAdbWMTdWORYtzqFqxxkhCFlBAhBmTH2Xvq XJN0mZ6OZV6bv1z57VKzs1KT+wIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAqQwDwYD VR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUZqvU6Gjcz1S5/O/XZg0zms63hq4wDQYJ KoZIhvcNAQELBQADggEBABPiM5azvzot04EKrfm/Cccp0iTlUigTHDME9JoNc2PA RThIXIVlyutBdYfAN3Yv6wwCN2kaJFkdJ7q/yx878+WCOp3/21Wqd5QSLT+OaarB pv9IFcpasjzEQcOHoLcWeylc9obZPPX36zV5s9/bX57Q3GypAZ2jkiLf6rwNiLKI Xz6jd3bczBWwHPGDqBgfi8VVnecgjIBMzBALYuIIWZsnZCygDywjGimSfH9vEMQs d5FQhw0RlFpwuJrV5SLIyEa/uBvfHQEnV9/g1issaXphiosyE69gOBPtitVFCmuk Sn0P7QNZIUvhlC0faYUefu4L9KrbSeG/mSAN2EOarZ0= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIDlzCCAn+gAwIBAgIIPuOji19YodkwDQYJKoZIhvcNAQELBQAwWTFXMFUGA1UE AwxOb3BlbnNoaWZ0LWt1YmUtYXBpc2VydmVyLW9wZXJhdG9yX2xvY2FsaG9zdC1y ZWNvdmVyeS1zZXJ2aW5nLXNpZ25lckAxNzczMzI0NzMzMB4XDTI2MDMxMjE0MTIx MloXDTM2MDMwOTE0MTIxM1owWTFXMFUGA1UEAwxOb3BlbnNoaWZ0LWt1YmUtYXBp c2VydmVyLW9wZXJhdG9yX2xvY2FsaG9zdC1yZWNvdmVyeS1zZXJ2aW5nLXNpZ25l ckAxNzczMzI0NzMzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs/zk dkz8X9UkpBSStHSDossbLdlimJlRjGcWRASxlvEdRykoAY4l6d8LuJxZyEnsspEa 61Ij2Hfsys9JpFCTozakDPfe5EeLPUgYOgWGNoRijxLEzm4aI3nvUDZNtiboldyQ ZKPYj2M3ONUK4nYA9z/B/6RoP+KyZTKpCkJTfbzTLrI12pFbajZX1DKr2numADon g3awEuLkGhKs05GCnM9FvCjMGoCsFI1z09bHWhuWX9VaJ0NsYP+qAIFBAINNFLbU SBJizyb6iLnMPNBK/lIZvnnLDEELTygWfYW1EUA1vFFzzqy3nn35Vy33EfJJkces XxVDqRI/ApQ0j4T8ZwIDAQABo2MwYTAOBgNVHQ8BAf8EBAMCAqQwDwYDVR0TAQH/ BAUwAwEB/zAdBgNVHQ4EFgQUXo8Zlo6hDdp1JjWrbYRdoA7zkcQwHwYDVR0jBBgw FoAUXo8Zlo6hDdp1JjWrbYRdoA7zkcQwDQYJKoZIhvcNAQELBQADggEBADc4BOo5 iaywRMMbJUEGoQ0+J7hQyBVX+shMERTku4pmqnOQXWFIyA9Ct8XH+OEIUhgn6JmE q8bVNTvX+YB3Yao4FkoiyfphMhcV55h9hkEfR8BOJL5TGjMN0nUpTvoMnm5WXVPt OI6XxMWJiirp+CBz52eFWIwOtJYk/jNxIIrvJMRjscEcfKbEjwAxanPMxi0VbCDF rhY5we2UoS970dfHEVlrdYTtKVQl53Bvnie9MtSE9sPNdjjNG/q46lL/ui1dbkwE ABRjyeGV+JvuNxLRc7mk8fV5rpIKT0Qeq0+Zy1wYjo3GjRcploHwUyONpFc61nsX VuorxKEsTA44ElU= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIDZzCCAk+gAwIBAgIIAvpeW5pFpW4wDQYJKoZIhvcNAQELBQAwJjEkMCIGA1UE AwwbaW5ncmVzcy1vcGVyYXRvckAxNzczMzI0NzY4MB4XDTI2MDMxMjE0MTI0OFoX DTI4MDMxMTE0MTI0OVowIzEhMB8GA1UEAwwYKi5hcHBzLnNuby5vcGVuc3RhY2su bGFiMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoyqEK3cdTZcC6VAv M73dcXSwc2DV8nii7D4zEVoKA8moJ8lVCxaRFe1gJXTj2yvO6GespW9BogzbxLFv Tt452rIRHjTCnSmoTRf9wDQ3Bvn9tsj0eSrmQ3C4RXn6z+PokEaGotgZgghFmE0R 2CJ2ppzkb52uww6yVp4M+nt440PH6DXr367SrRx9uLVjCsGyap5iEeLqeRH77TD5 oLiPy3IyE3Mepfluo7n1YblLe/iP7W2I8BaWuTgwgw9NHNeFfd/KbYdcABVPhW0x yBqPMQ+Jt9yaCuT0SE8LztUHzNTSvaf8Z3iPZ8gUQWzcwbn8QvYDjBhyWOeEXtaC chWZmQIDAQABo4GbMIGYMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEF BQcDATAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBTqnMqT9rTAZzZSToWfL9y1Rze2 fDAfBgNVHSMEGDAWgBSSkOsyTYkk6/Mwk23XcvKQF2c+bTAjBgNVHREEHDAaghgq LmFwcHMuc25vLm9wZW5zdGFjay5sYWIwDQYJKoZIhvcNAQELBQADggEBAFT4EoX2 aLvcjCKAT3tj+1FlL93KHUlai+4j33zE5qKw/gYI93Otxk1AJ5R1VF6FlG/qJ8Mh gJ26DcTO3CXqzFkxNJsqBJbDaOIOdLs9nkcgMC8nY7rn1dXZHBv3//clBIs1W2+p GXl01PReP++aYS1JlE4/EKyrLQWRWnMhv9txPyeHaCtGepV8FvmRaoTqsRswa6lB QZNibE2/Zm8vryv/T83XEsY1cN/h0IMrBMVnZDYcVFPLyb3lQnCcrekwBvvCJOEk 5ngscjg5bBVvcAW6Cn8Zd7CiryumryshXqZhLtva6RAtFoPCPiZN0toPkj+TnGPB 66CkeSp23m6OT8U= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIDDDCCAfSgAwIBAgIBATANBgkqhkiG9w0BAQsFADAmMSQwIgYDVQQDDBtpbmdy ZXNzLW9wZXJhdG9yQDE3NzMzMjQ3NjgwHhcNMjYwMzEyMTQxMjQ3WhcNMjgwMzEx MTQxMjQ4WjAmMSQwIgYDVQQDDBtpbmdyZXNzLW9wZXJhdG9yQDE3NzMzMjQ3Njgw ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC5JSZ6RmEayLulSqxTySVL A4k8OXZMK9xSQjntGSDHI9aD8ELHnuHIeg26YSeEJVxSwMuMPnTOhT5Zw0Y0Xm49 5/EVEZxdY/w7KtdiWDM5D6fhwXUiNRRFUbaOXkIIsypl15B/FxNOyPT5imeCkWdI EyYSl3wuqQ2INlUEFTdUoGFOHzg8uO0Ec3z3Kpi0Qr6X6DR1AaddrPg6WvgffzAW 6aGVeZTr2SMGSuDBvyVTLtJXqPEwNhznexGpsRntNo5HLs7lvmi72iDUI/z7XxY3 c+Bb8LCuHIoLYsWblGbKXAwKNVXgBi2t6QiEhAN+7CeLQWfmDLKclQGxVWu8NKdb AgMBAAGjRTBDMA4GA1UdDwEB/wQEAwICpDASBgNVHRMBAf8ECDAGAQH/AgEAMB0G A1UdDgQWBBSSkOsyTYkk6/Mwk23XcvKQF2c+bTANBgkqhkiG9w0BAQsFAAOCAQEA BK0MAZCP901YooTEppJrp9bAGY6Abuv8P9RYXxh4sjcbvDMgGdJpQpcJaZwHtkeO ziNiuK7vROEdBszW1+vAt9kz0bhB6wJ0VwwWbQJLJxXzK44+6eBT4YyFlIUPVYmy cBHfsJTMUffsTiJgirAUdrEO+2jK6HlOsNGvz8KxdIvwB6iGfSbHKJNVHQyVlYWN nOe74SZWyf6c6SduwWR625P2wpUdYSlz047LYMom0YdsK8/BQ9v5RRyoGttaASwj K/QUbmGemMgLH6bk+M74qdtnf47S7M/shuZPwdT6JKI2M63I+fel1ds+dLHt/IdY DfPX2h6jag/EPwr1esUF7w== -----END CERTIFICATE----- kind: ConfigMap metadata: annotations: kubernetes.io/description: Contains a CA bundle that can be used to verify the kube-apiserver when using internal endpoints such as the internal service IP or kubernetes.default.svc. No other usage is guaranteed across distributions of Kubernetes clusters. creationTimestamp: "2026-03-12T14:06:21Z" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:ca.crt: {} f:metadata: f:annotations: .: {} f:kubernetes.io/description: {} manager: kube-controller-manager operation: Update time: "2026-03-12T14:28:17Z" name: kube-root-ca.crt namespace: openshift-etcd resourceVersion: "12360" uid: 5d293727-d5fc-48b6-a349-6afb79ec6810 - apiVersion: v1 data: service-ca.crt: | -----BEGIN CERTIFICATE----- MIIDUTCCAjmgAwIBAgIIAdRjEAEVyAAwDQYJKoZIhvcNAQELBQAwNjE0MDIGA1UE Awwrb3BlbnNoaWZ0LXNlcnZpY2Utc2VydmluZy1zaWduZXJAMTc3MzMyNDc0NjAe Fw0yNjAzMTIxNDEyMjVaFw0yODA1MTAxNDEyMjZaMDYxNDAyBgNVBAMMK29wZW5z aGlmdC1zZXJ2aWNlLXNlcnZpbmctc2lnbmVyQDE3NzMzMjQ3NDYwggEiMA0GCSqG SIb3DQEBAQUAA4IBDwAwggEKAoIBAQD+QWmyoESl3+GGYN7L06iOuvzyBFYvCGMG ERrKmGKNJLpdQ6VB4Mw2IFn43cx6MerA+b+m1vAeKHxKO0g10uFE97C55IBi558H fZEmharrpEbnXeS+9BNTM3BT836x5JfmOh4OTdx5gImgCZhXTR+7Wv6vAinBDmqV 4JNolkufXPNt6o8JS7sM+BGyyyBPlIQOM1ZFxzXzJ2YAW77NMcaphArNrEqHGV1D CkfXHf4EFuFfomiBxe1qnMdyK3bkRXi8JnPqzDr15TCMTlvHCokSA+VkK0GkDW0N 3wPmJEM8Y7WBFuRlIwaPwvSmhJjscOibaySQCHAYVlAoG/kR7kDTAgMBAAGjYzBh MA4GA1UdDwEB/wQEAwICpDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRUfjQ3 Gzgfo0B1KJnTHM9Ekl17lTAfBgNVHSMEGDAWgBRUfjQ3Gzgfo0B1KJnTHM9Ekl17 lTANBgkqhkiG9w0BAQsFAAOCAQEA2OG/DD8KZHLnBxqKQmDmJhqo2T8w3LlCcJBt DjpkqCthHIU9aJHU2JaZ42tnw2uKLyH8jiOlqCIpWZC4lyD76SomHVwMkfS3v5cX OphAI9WwWV14+EmYGBgf8RA029F4H/fldV1cYQxyW6vJyNEtud3wH+/zG5c3sYiR LJ8vnJu5s3YLKEdklB+yE++3Lv5xyQ3/7xStWgoC5eD4WesJkRZEHNQ9zfxCnU4n BsP6yoASe1NtKIur5DQ4BfLbbrA356h2R4UHGYbt/z+85CSHQkfcIDFrvN7VI7Bh 2tpG4G2PTxoTCAsjQaNLRjzI0cIFRyRX8Oxf27vfUTcmFsYweQ== -----END CERTIFICATE----- kind: ConfigMap metadata: annotations: service.beta.openshift.io/inject-cabundle: "true" creationTimestamp: "2026-03-12T14:06:21Z" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: {} f:metadata: f:annotations: .: {} f:service.beta.openshift.io/inject-cabundle: {} manager: kube-controller-manager operation: Update time: "2026-03-12T14:06:21Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: f:service-ca.crt: {} manager: service-ca-operator operation: Update time: "2026-03-12T14:12:34Z" name: openshift-service-ca.crt namespace: openshift-etcd resourceVersion: "5135" uid: 2b07e719-70db-4e62-842e-53535086fbe5 - apiVersion: v1 data: forceRedeploymentReason: "" pod.yaml: "apiVersion: v1\nkind: Pod\nmetadata:\n name: etcd\n namespace: openshift-etcd\n \ labels:\n app: etcd\n k8s-app: etcd\n etcd: \"true\"\n revision: \"REVISION\"\nspec:\n containers:\n - name: etcd\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n set -euo pipefail\n \n export ETCD_NAME=${NODE_NODE_ENVVAR_NAME_ETCD_NAME}\n \ export ETCD_INITIAL_CLUSTER=\"${ETCD_NAME}=https://${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}:2380\"\n \ env | grep ETCD | grep -v NODE\n export ETCD_NODE_PEER_URL=https://${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}:2380\n \ export REV_JSON=\"/var/lib/etcd-backup/revision.json\"\n export SNAPSHOT_FILE=\"/var/lib/etcd-backup/snapshot.db\"\n\n # checking if data directory is empty, if not etcdctl restore will fail \n if [ -n \"$(ls -A \"/var/lib/etcd\")\" ]; then\n echo \"please delete the contents of the /var/lib/etcd directory before restoring, running the restore script will do this for you\"\n exit 1\n fi\n \n ETCD_ETCDCTL_BIN=\"etcdctl\"\n \ if [ -x \"$(command -v etcdutl)\" ]; then\n echo \"found etcdutl, using that instead of etcdctl for local operations\"\n ETCD_ETCDCTL_BIN=\"etcdutl\"\n \ fi \n\n # check if we have backup file to be restored\n \ # if the file exist, check if it has not changed size in last 5 seconds\n \ if [ ! -f \"${SNAPSHOT_FILE}\" ]; then\n echo \"please make a copy of the snapshot db file, then move that copy to ${SNAPSHOT_FILE}\"\n \ exit 1\n else\n filesize=$(stat --format=%s \"${SNAPSHOT_FILE}\")\n \ sleep 5\n newfilesize=$(stat --format=%s \"${SNAPSHOT_FILE}\")\n \ if [ \"$filesize\" != \"$newfilesize\" ]; then\n echo \"file size has changed since last 5 seconds, retry sometime after copying is complete\"\n \ exit 1\n fi\n fi\n \n SNAPSHOT_REV=$(etcdutl snapshot status -wjson \"$SNAPSHOT_FILE\" | jq -r \".revision\")\n echo \"snapshot is at revision ${SNAPSHOT_REV}\"\n \n if [ -n \"$(ls -A \"${REV_JSON}\")\" ]; then\n # this will bump by the amount of the last known live revision + 20% slack.\n # Note: the bump amount is an addition to the current revision stored in the snapshot.\n # We're avoiding to do any math with SNAPSHOT_REV, uint64 has plenty of space to double revisions\n # and we're assuming that full disaster restores are a very rare occurrence anyway.\n BUMP_REV=$(jq -r \"(.maxRaftIndex*1.2|floor)\" \"${REV_JSON}\")\n echo \"bumping revisions by ${BUMP_REV}\"\n else\n \ # we can't take SNAPSHOT_REV as an indicator here, because the snapshot might be much older\n # than any currently live served revision. \n \ # 1bn would be an etcd running at 1000 writes/s for about eleven days.\n echo \"no revision.json found, assuming a 1bn revision bump\"\n \ BUMP_REV=1000000000\n fi\n \n UUID=$(uuidgen)\n \ echo \"restoring to a single node cluster\"\n ${ETCD_ETCDCTL_BIN} snapshot restore \"${SNAPSHOT_FILE}\" \\\n --name $ETCD_NAME \\\n --initial-cluster=$ETCD_INITIAL_CLUSTER \\\n --initial-cluster-token \"openshift-etcd-${UUID}\" \\\n --initial-advertise-peer-urls $ETCD_NODE_PEER_URL \\\n --data-dir=\"/var/lib/etcd/restore-${UUID}\" \\\n --mark-compacted \\\n --bump-revision \"${BUMP_REV}\"\n\n \ mv /var/lib/etcd/restore-${UUID}/* /var/lib/etcd/\n # copy the revision.json back in case a second restore needs to be run afterwards\n if [ -n \"$(ls -A \"${REV_JSON}\")\" ]; then\n cp ${REV_JSON} /var/lib/etcd/\n \ fi\n\n rmdir /var/lib/etcd/restore-${UUID}\n rm /var/lib/etcd-backup/snapshot.db\n\n \ set -x\n exec etcd \\\n --logger=zap \\\n --log-level=info \\\n --initial-advertise-peer-urls=https://${NODE_NODE_ENVVAR_NAME_IP}:2380 \\\n --cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.crt \\\n --key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.key \\\n --trusted-ca-file=/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt \\\n --client-cert-auth=true \\\n --peer-cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt \\\n --peer-key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key \\\n --peer-trusted-ca-file=/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt \\\n --peer-client-cert-auth=true \\\n --advertise-client-urls=https://${NODE_NODE_ENVVAR_NAME_IP}:2379 \\\n --listen-client-urls=https://0.0.0.0:2379 \\\n --listen-peer-urls=https://0.0.0.0:2380 \\\n --metrics=extensive \\\n --listen-metrics-urls=https://0.0.0.0:9978\n \ env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_API\"\n value: \"3\"\n - name: \"ETCDCTL_CACERT\"\n \ value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n \ value: \"true\"\n - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n \ value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n \ value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n \ value: \"5s\"\n - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n \ - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n \ - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n \ value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n \ value: \"192.168.32.10\"\n - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n - name: \"ETCD_STATIC_POD_REV\"\n value: \"REVISION\"\n \ resources:\n requests:\n memory: 600Mi\n cpu: 300m\n \ readinessProbe:\n tcpSocket:\n port: 2380\n failureThreshold: 3\n initialDelaySeconds: 3\n periodSeconds: 5\n successThreshold: 1\n timeoutSeconds: 5\n securityContext:\n privileged: true\n volumeMounts:\n \ - mountPath: /etc/kubernetes/manifests\n name: static-pod-dir\n \ - mountPath: /etc/kubernetes/static-pod-certs\n name: cert-dir\n \ - mountPath: /var/lib/etcd/\n name: data-dir\n - mountPath: /var/lib/etcd-backup/\n name: backup-dir\n - name: etcd-readyz\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:6088910bdc1583b275fab261e3234c0b63b4cc16d01bcea697b6a7f6db13bdf3\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n set -euo pipefail\n \n exec nice -n -18 cluster-etcd-operator readyz \\\n --target=https://localhost:2379 \\\n --listen-port=9980 \\\n --serving-cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.crt \\\n --serving-key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.key \\\n --client-cert-file=$(ETCDCTL_CERT) \\\n --client-key-file=$(ETCDCTL_KEY) \\\n --client-cacert-file=$(ETCDCTL_CACERT) \\\n --listen-cipher-suites=$(ETCD_CIPHER_SUITES)\n \ securityContext:\n privileged: true\n ports:\n - containerPort: 9980\n name: readyz\n protocol: TCP\n resources:\n requests:\n \ memory: 50Mi\n cpu: 10m\n env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n \ value: \"https://192.168.32.10:2379\"\n - name: \"ETCDCTL_API\"\n \ value: \"3\"\n - name: \"ETCDCTL_CACERT\"\n value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n \ value: \"true\"\n - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n \ value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n \ value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n \ value: \"5s\"\n - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n \ - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n \ - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n \ value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n \ value: \"192.168.32.10\"\n - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n volumeMounts:\n - mountPath: /etc/kubernetes/static-pod-certs\n \ name: cert-dir\n hostNetwork: true\n priorityClassName: system-node-critical\n \ tolerations:\n - operator: \"Exists\"\n volumes:\n - hostPath:\n path: /etc/kubernetes/manifests\n name: static-pod-dir\n - hostPath:\n path: /etc/kubernetes/static-pod-resources/etcd-certs\n name: cert-dir\n - hostPath:\n path: /var/lib/etcd\n type: \"\"\n name: data-dir\n \ - hostPath:\n path: /var/lib/etcd-backup\n type: \"\"\n name: backup-dir\n" quorum-restore-pod.yaml: "apiVersion: v1\nkind: Pod\nmetadata:\n name: etcd\n \ namespace: openshift-etcd\n labels:\n app: etcd\n k8s-app: etcd\n etcd: \"true\"\n revision: \"REVISION\"\nspec:\n containers:\n - name: etcd\n \ image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n set -euo pipefail\n \n export REV_JSON=\"/var/lib/etcd/revision.json\"\n \ \n if [ -n \"$(ls -A \"${REV_JSON}\")\" ]; then\n # this will bump by the amount of 20% of the last known live revision. \n \ BUMP_REV=$(jq -r \"(.maxRaftIndex*0.2|floor)\" \"${REV_JSON}\")\n \ echo \"bumping revisions by ${BUMP_REV}\"\n else\n # 1bn would be an etcd running at 1000 writes/s for about eleven days.\n echo \"no revision.json found, assuming a 1bn revision bump\"\n BUMP_REV=1000000000\n \ fi\n \n set -x\n exec etcd \\\n --logger=zap \\\n --log-level=info \\\n --force-new-cluster \\\n --force-new-cluster-bump-amount=\"${BUMP_REV}\" \\\n --name=\"${NODE_NODE_ENVVAR_NAME_ETCD_NAME}\" \\\n --initial-cluster=\"${NODE_NODE_ENVVAR_NAME_ETCD_NAME}=https://${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}:2380\" \\\n --initial-advertise-peer-urls=https://${NODE_NODE_ENVVAR_NAME_IP}:2380 \\\n --cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.crt \\\n --key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.key \\\n --trusted-ca-file=/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt \\\n --client-cert-auth=true \\\n --peer-cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt \\\n --peer-key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key \\\n --peer-trusted-ca-file=/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt \\\n --peer-client-cert-auth=true \\\n --advertise-client-urls=https://${NODE_NODE_ENVVAR_NAME_IP}:2379 \\\n --listen-client-urls=https://0.0.0.0:2379 \\\n --listen-peer-urls=https://0.0.0.0:2380 \\\n --metrics=extensive \\\n --listen-metrics-urls=https://0.0.0.0:9978\n \ env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_API\"\n value: \"3\"\n - name: \"ETCDCTL_CACERT\"\n \ value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n \ value: \"true\"\n - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n \ value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n \ value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n \ value: \"5s\"\n - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n \ - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n \ - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n \ value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n \ value: \"192.168.32.10\"\n - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n - name: \"ETCD_STATIC_POD_REV\"\n value: \"REVISION\"\n \ resources:\n requests:\n memory: 600Mi\n cpu: 300m\n \ readinessProbe:\n tcpSocket:\n port: 2380\n failureThreshold: 3\n initialDelaySeconds: 3\n periodSeconds: 5\n successThreshold: 1\n timeoutSeconds: 5\n securityContext:\n privileged: true\n volumeMounts:\n \ - mountPath: /etc/kubernetes/manifests\n name: static-pod-dir\n \ - mountPath: /etc/kubernetes/static-pod-certs\n name: cert-dir\n \ - mountPath: /var/lib/etcd/\n name: data-dir\n - mountPath: /var/lib/etcd-backup/\n name: backup-dir\n - name: etcd-readyz\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:6088910bdc1583b275fab261e3234c0b63b4cc16d01bcea697b6a7f6db13bdf3\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n set -euo pipefail\n \n exec nice -n -18 cluster-etcd-operator readyz \\\n --target=https://localhost:2379 \\\n --listen-port=9980 \\\n --serving-cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.crt \\\n --serving-key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.key \\\n --client-cert-file=$(ETCDCTL_CERT) \\\n --client-key-file=$(ETCDCTL_KEY) \\\n --client-cacert-file=$(ETCDCTL_CACERT) \\\n --listen-cipher-suites=$(ETCD_CIPHER_SUITES)\n \ securityContext:\n privileged: true\n ports:\n - containerPort: 9980\n name: readyz\n protocol: TCP\n resources:\n requests:\n \ memory: 50Mi\n cpu: 10m\n env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n \ value: \"https://192.168.32.10:2379\"\n - name: \"ETCDCTL_API\"\n \ value: \"3\"\n - name: \"ETCDCTL_CACERT\"\n value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n \ value: \"true\"\n - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n \ value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n \ value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n \ value: \"5s\"\n - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc20748723f55f960cfb6328d1591880bbd1b3452155633996d4f41fc7c5f46b\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n \ - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n \ - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n \ value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n \ value: \"192.168.32.10\"\n - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n volumeMounts:\n - mountPath: /etc/kubernetes/static-pod-certs\n \ name: cert-dir\n hostNetwork: true\n priorityClassName: system-node-critical\n \ tolerations:\n - operator: \"Exists\"\n volumes:\n - hostPath:\n path: /etc/kubernetes/manifests\n name: static-pod-dir\n - hostPath:\n path: /etc/kubernetes/static-pod-resources/etcd-certs\n name: cert-dir\n - hostPath:\n path: /var/lib/etcd\n type: \"\"\n name: data-dir\n \ - hostPath:\n path: /var/lib/etcd-backup\n type: \"\"\n name: backup-dir\n" version: 4.18.0-202602170912.p2.gb7e21f5.assembly.stream.el9-b7e21f5 kind: ConfigMap metadata: creationTimestamp: "2026-03-12T14:13:01Z" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:forceRedeploymentReason: {} f:pod.yaml: {} f:quorum-restore-pod.yaml: {} f:version: {} manager: cluster-etcd-operator operation: Update time: "2026-03-12T14:13:01Z" name: restore-etcd-pod namespace: openshift-etcd resourceVersion: "7042" uid: f1921ad7-3846-4a19-b47e-c97c830b0822 - apiVersion: v1 data: reason: configmap "etcd-pod-0" not found revision: "1" kind: ConfigMap metadata: annotations: operator.openshift.io/revision-ready: "true" creationTimestamp: "2026-03-12T14:12:59Z" labels: operator.openshift.io/controller-instance-name: etcd-RevisionController managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:reason: {} f:revision: {} f:metadata: f:annotations: .: {} f:operator.openshift.io/revision-ready: {} f:labels: .: {} f:operator.openshift.io/controller-instance-name: {} manager: cluster-etcd-operator operation: Update time: "2026-03-12T14:13:05Z" name: revision-status-1 namespace: openshift-etcd resourceVersion: "7496" uid: 7d2c7f66-09d2-41a3-9bc1-351331f18fb4 - apiVersion: v1 data: reason: required configmap/etcd-endpoints has changed revision: "2" kind: ConfigMap metadata: annotations: operator.openshift.io/revision-ready: "true" creationTimestamp: "2026-03-12T14:13:46Z" labels: operator.openshift.io/controller-instance-name: etcd-RevisionController managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:reason: {} f:revision: {} f:metadata: f:annotations: .: {} f:operator.openshift.io/revision-ready: {} f:labels: .: {} f:operator.openshift.io/controller-instance-name: {} manager: cluster-etcd-operator operation: Update time: "2026-03-12T14:16:18Z" name: revision-status-2 namespace: openshift-etcd resourceVersion: "10865" uid: ac330b93-7c0b-4438-8875-ec23ce5f1933 kind: ConfigMapList metadata: resourceVersion: "40702"