--- apiVersion: v1 items: - apiVersion: v1 data: install-config: | additionalTrustBundlePolicy: Proxyonly apiVersion: v1 baseDomain: openstack.lab bootstrapInPlace: installationDisk: /dev/disk/by-path/pci-0000:00:05.0 compute: - architecture: amd64 hyperthreading: Enabled name: worker platform: {} replicas: 0 controlPlane: architecture: amd64 hyperthreading: Enabled name: master platform: {} replicas: 1 metadata: creationTimestamp: null name: sno networking: clusterNetwork: - cidr: 10.128.0.0/16 hostPrefix: 23 machineNetwork: - cidr: 192.168.32.0/24 networkType: OVNKubernetes serviceNetwork: - 172.30.0.0/16 platform: none: {} publish: External pullSecret: "" sshKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHokZSxsS9TCiBTdZls5Vr6X8XeFdYQGG0BMgLJjDdRcZ46yPRSOUFZciGmOghZOS9DQe7gN24aVS1cMJo/TLUV/r1m+IpS0ciH/EZxsqKiO10hKnc8+E5uN33ORnKcmtrSfszbuPdvb2ZlS7KXZEPWJdAoGwamQXTVcsXP/Ps5OpQAA4hmZmvuJwK/z/3cLK6lmDWQWfcXTYQEUMlf1ASTUXAgaIIb4cbzpvKw3C7nrd0u3U1lnqVui0bSLt5X4qB8xSlzmX1QcvB+/ZVeCvhjKp23Jz6T272fZqcuEtfAB6YZYZJP+L/BiWWxMo610Eull5tF5/XMSF7ZncZUGGh kind: ConfigMap metadata: annotations: kubernetes.io/description: The install-config content used to create the cluster. The cluster configuration may have evolved since installation, so check cluster configuration resources directly if you are interested in the current cluster state. creationTimestamp: "2026-03-19T11:53:52Z" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:install-config: {} f:metadata: f:annotations: .: {} f:kubernetes.io/description: {} manager: cluster-etcd-operator operation: Update time: "2026-03-19T11:53:52Z" name: cluster-config-v1 namespace: openshift-etcd resourceVersion: "4510" uid: 5aae9370-61db-4c17-9461-00afdd60050a - apiVersion: v1 data: metrics-ca-bundle.crt: | -----BEGIN CERTIFICATE----- MIIDUzCCAjugAwIBAgIIUzVT1YspssswDQYJKoZIhvcNAQELBQAwNzE1MDMGA1UE Awwsb3BlbnNoaWZ0LWV0Y2RfZXRjZC1tZXRyaWMtc2lnbmVyQDE3NzM5MjA3MTkw HhcNMjYwMzE5MTE0NTE4WhcNMzEwMzE4MTE0NTE5WjA3MTUwMwYDVQQDDCxvcGVu c2hpZnQtZXRjZF9ldGNkLW1ldHJpYy1zaWduZXJAMTc3MzkyMDcxOTCCASIwDQYJ KoZIhvcNAQEBBQADggEPADCCAQoCggEBANZqeV2nyfLpNXaBwdv1ROIPZG0F7DZI +j3d86CFDg5gErmJfY1C1FTp0y2XT8n8DpsTFFqspcTJ8S2onhpT+rjYJLtzHC2p dq0Aslvd3v8az9UJmvBywpR6ZAuFKnKThJ2zg+5akCKcoq47qjwaLio8Is2iOpAl oeWl2kSVUBKHtDjzLjNd/FVEcPzm+y/b6DJgYAU7tv9m0411p4qeZ78ZID4JAwrn f66pFfSa4+PKK/K/WnrEZKLZWdXEqSHwKryO5xTevva3HZszS/KHA6BGoWvQtqho XGleBcENazYi1V8xD0X2rHUQQpVgVxHstxxKWCOPdR/lnRJMQBALT00CAwEAAaNj MGEwDgYDVR0PAQH/BAQDAgKkMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFKhp cOxzLGIjNgLb5hxAiNGR8vgDMB8GA1UdIwQYMBaAFKhpcOxzLGIjNgLb5hxAiNGR 8vgDMA0GCSqGSIb3DQEBCwUAA4IBAQAs6dSIpTY3Kx07EVITu8xW/yNOxB9Jwwlk bG7qVNZ6mjUcOnRSYeNzGQE/aWKN+CYQyvrUdjs6n2nyneGMHBlLa/iMe4Ne17Fe 1nheJcWQy0n+RYBpHw66hnf+lpBmk0NaBOedxQnOVK8zG4RrXALW+kIY/e/BCbff qysavfhBvYLMKOymP5EEIm53JlXprDqkikvmWPXtyXXDOGdOUOxZ6SqSEkdysRu9 GQYCz4zRsIpjEXbQeb1V99UFNmvTSaBU5k0n6Jmywya6/jDXN9CULj8pGWfTwTEl 0Hs1GofsRTVUTLaQcA79DVJX6Z9TwTGo/dfuti4bdP3vbu/gMaiP -----END CERTIFICATE----- server-ca-bundle.crt: | -----BEGIN CERTIFICATE----- MIIDRTCCAi2gAwIBAgIIBqCGbsF4M/kwDQYJKoZIhvcNAQELBQAwMDEuMCwGA1UE Awwlb3BlbnNoaWZ0LWV0Y2RfZXRjZC1zaWduZXJAMTc3MzkyMDcxODAeFw0yNjAz MTkxMTQ1MThaFw0zMTAzMTgxMTQ1MTlaMDAxLjAsBgNVBAMMJW9wZW5zaGlmdC1l dGNkX2V0Y2Qtc2lnbmVyQDE3NzM5MjA3MTgwggEiMA0GCSqGSIb3DQEBAQUAA4IB DwAwggEKAoIBAQDIZm3yAO5GUPXr41PMQAGZkYjOv/QvUvkAzypUK0Qwk8SnCcFx UlppyE164BLteLWlxAlUB8lejs63ksC6WKImliocxuniOUn9UBf4C8gXQRgE7JCu Fli+fHiN8mmxOnGgi31FVjHI7VboGFG7GkPBq4ncC2uEjCQRh6XKJAqSzYcQU4aO TiEIRkyMNoMBUR/oxPXwf5gdXFfhRBreh6h5uuifSURYhVczUrqJN3cegco50yQ1 dCJanfPQB0MdnpjgVs7/he4lVDPjIpDuwzv2SmuUQRwUqYl2ToU9kIzaOwf4t9kU ZR4XOca6J3uPFTETsrBb8IE9EDhtPZ+0+97lAgMBAAGjYzBhMA4GA1UdDwEB/wQE AwICpDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTjG3uDUI/znAz6TJhbAU6N cC7whzAfBgNVHSMEGDAWgBTjG3uDUI/znAz6TJhbAU6NcC7whzANBgkqhkiG9w0B AQsFAAOCAQEAvsdo/iPsBHxpx+sOKofz2h+KnmAb8J45gZBa3yw6jVoWxxTvP7TI hJIRKovwHHt9AxXPvc1gZW889zx+va1b9g87nrSLZkKx5KtQnS8k3KkxD199FFNo lKleF++mxvouc12aFxzDrVg0wu0GRqkMjh9HVYkezGxU2dShy+RUoqLi3K7Cxju7 ooI3YiL0Zt2+n3BmIcTAKBYqx6LLJ06ehpGo4jcM7o2l6KfniVJQFe2eQxlPE55j rfyEzmkEMN8h6vsWFzdTbFyyXxfvus7p6Sz/kv+13xlqyhyXww4Vk8GWODKAEst4 y1hJjapIy2zZg99OJR7HCeb33/oW7Ej0cQ== -----END CERTIFICATE----- kind: ConfigMap metadata: annotations: openshift.io/ceo-bundle-rollout-revision: "0" openshift.io/owning-component: Etcd creationTimestamp: "2026-03-19T11:47:24Z" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:metrics-ca-bundle.crt: {} f:server-ca-bundle.crt: {} f:metadata: f:annotations: .: {} f:openshift.io/ceo-bundle-rollout-revision: {} f:openshift.io/owning-component: {} manager: cluster-bootstrap operation: Update time: "2026-03-19T11:47:24Z" name: etcd-all-bundles namespace: openshift-etcd resourceVersion: "580" uid: 93ea8ccc-6c6b-4e95-a967-60cc49a7cff9 - apiVersion: v1 data: metrics-ca-bundle.crt: | -----BEGIN CERTIFICATE----- MIIDUzCCAjugAwIBAgIIUzVT1YspssswDQYJKoZIhvcNAQELBQAwNzE1MDMGA1UE Awwsb3BlbnNoaWZ0LWV0Y2RfZXRjZC1tZXRyaWMtc2lnbmVyQDE3NzM5MjA3MTkw HhcNMjYwMzE5MTE0NTE4WhcNMzEwMzE4MTE0NTE5WjA3MTUwMwYDVQQDDCxvcGVu c2hpZnQtZXRjZF9ldGNkLW1ldHJpYy1zaWduZXJAMTc3MzkyMDcxOTCCASIwDQYJ KoZIhvcNAQEBBQADggEPADCCAQoCggEBANZqeV2nyfLpNXaBwdv1ROIPZG0F7DZI +j3d86CFDg5gErmJfY1C1FTp0y2XT8n8DpsTFFqspcTJ8S2onhpT+rjYJLtzHC2p dq0Aslvd3v8az9UJmvBywpR6ZAuFKnKThJ2zg+5akCKcoq47qjwaLio8Is2iOpAl oeWl2kSVUBKHtDjzLjNd/FVEcPzm+y/b6DJgYAU7tv9m0411p4qeZ78ZID4JAwrn f66pFfSa4+PKK/K/WnrEZKLZWdXEqSHwKryO5xTevva3HZszS/KHA6BGoWvQtqho XGleBcENazYi1V8xD0X2rHUQQpVgVxHstxxKWCOPdR/lnRJMQBALT00CAwEAAaNj MGEwDgYDVR0PAQH/BAQDAgKkMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFKhp cOxzLGIjNgLb5hxAiNGR8vgDMB8GA1UdIwQYMBaAFKhpcOxzLGIjNgLb5hxAiNGR 8vgDMA0GCSqGSIb3DQEBCwUAA4IBAQAs6dSIpTY3Kx07EVITu8xW/yNOxB9Jwwlk bG7qVNZ6mjUcOnRSYeNzGQE/aWKN+CYQyvrUdjs6n2nyneGMHBlLa/iMe4Ne17Fe 1nheJcWQy0n+RYBpHw66hnf+lpBmk0NaBOedxQnOVK8zG4RrXALW+kIY/e/BCbff qysavfhBvYLMKOymP5EEIm53JlXprDqkikvmWPXtyXXDOGdOUOxZ6SqSEkdysRu9 GQYCz4zRsIpjEXbQeb1V99UFNmvTSaBU5k0n6Jmywya6/jDXN9CULj8pGWfTwTEl 0Hs1GofsRTVUTLaQcA79DVJX6Z9TwTGo/dfuti4bdP3vbu/gMaiP -----END CERTIFICATE----- server-ca-bundle.crt: | -----BEGIN CERTIFICATE----- MIIDRTCCAi2gAwIBAgIIBqCGbsF4M/kwDQYJKoZIhvcNAQELBQAwMDEuMCwGA1UE Awwlb3BlbnNoaWZ0LWV0Y2RfZXRjZC1zaWduZXJAMTc3MzkyMDcxODAeFw0yNjAz MTkxMTQ1MThaFw0zMTAzMTgxMTQ1MTlaMDAxLjAsBgNVBAMMJW9wZW5zaGlmdC1l dGNkX2V0Y2Qtc2lnbmVyQDE3NzM5MjA3MTgwggEiMA0GCSqGSIb3DQEBAQUAA4IB DwAwggEKAoIBAQDIZm3yAO5GUPXr41PMQAGZkYjOv/QvUvkAzypUK0Qwk8SnCcFx UlppyE164BLteLWlxAlUB8lejs63ksC6WKImliocxuniOUn9UBf4C8gXQRgE7JCu Fli+fHiN8mmxOnGgi31FVjHI7VboGFG7GkPBq4ncC2uEjCQRh6XKJAqSzYcQU4aO TiEIRkyMNoMBUR/oxPXwf5gdXFfhRBreh6h5uuifSURYhVczUrqJN3cegco50yQ1 dCJanfPQB0MdnpjgVs7/he4lVDPjIpDuwzv2SmuUQRwUqYl2ToU9kIzaOwf4t9kU ZR4XOca6J3uPFTETsrBb8IE9EDhtPZ+0+97lAgMBAAGjYzBhMA4GA1UdDwEB/wQE AwICpDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTjG3uDUI/znAz6TJhbAU6N cC7whzAfBgNVHSMEGDAWgBTjG3uDUI/znAz6TJhbAU6NcC7whzANBgkqhkiG9w0B AQsFAAOCAQEAvsdo/iPsBHxpx+sOKofz2h+KnmAb8J45gZBa3yw6jVoWxxTvP7TI hJIRKovwHHt9AxXPvc1gZW889zx+va1b9g87nrSLZkKx5KtQnS8k3KkxD199FFNo lKleF++mxvouc12aFxzDrVg0wu0GRqkMjh9HVYkezGxU2dShy+RUoqLi3K7Cxju7 ooI3YiL0Zt2+n3BmIcTAKBYqx6LLJ06ehpGo4jcM7o2l6KfniVJQFe2eQxlPE55j rfyEzmkEMN8h6vsWFzdTbFyyXxfvus7p6Sz/kv+13xlqyhyXww4Vk8GWODKAEst4 y1hJjapIy2zZg99OJR7HCeb33/oW7Ej0cQ== -----END CERTIFICATE----- kind: ConfigMap metadata: annotations: openshift.io/ceo-bundle-rollout-revision: "0" openshift.io/owning-component: Etcd creationTimestamp: "2026-03-19T11:54:04Z" labels: operator.openshift.io/controller-instance-name: etcd-RevisionController managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:metrics-ca-bundle.crt: {} f:server-ca-bundle.crt: {} f:metadata: f:annotations: .: {} f:openshift.io/ceo-bundle-rollout-revision: {} f:openshift.io/owning-component: {} f:labels: .: {} f:operator.openshift.io/controller-instance-name: {} f:ownerReferences: .: {} k:{"uid":"b87b8a49-eaba-4aef-91c4-288d56041db5"}: {} manager: cluster-etcd-operator operation: Update time: "2026-03-19T11:54:04Z" name: etcd-all-bundles-1 namespace: openshift-etcd ownerReferences: - apiVersion: v1 kind: ConfigMap name: revision-status-1 uid: b87b8a49-eaba-4aef-91c4-288d56041db5 resourceVersion: "5514" uid: f475cd62-a705-47aa-a4ef-2b3b6f7fb4b2 - apiVersion: v1 data: metrics-ca-bundle.crt: | -----BEGIN CERTIFICATE----- MIIDUzCCAjugAwIBAgIIUzVT1YspssswDQYJKoZIhvcNAQELBQAwNzE1MDMGA1UE Awwsb3BlbnNoaWZ0LWV0Y2RfZXRjZC1tZXRyaWMtc2lnbmVyQDE3NzM5MjA3MTkw HhcNMjYwMzE5MTE0NTE4WhcNMzEwMzE4MTE0NTE5WjA3MTUwMwYDVQQDDCxvcGVu c2hpZnQtZXRjZF9ldGNkLW1ldHJpYy1zaWduZXJAMTc3MzkyMDcxOTCCASIwDQYJ KoZIhvcNAQEBBQADggEPADCCAQoCggEBANZqeV2nyfLpNXaBwdv1ROIPZG0F7DZI +j3d86CFDg5gErmJfY1C1FTp0y2XT8n8DpsTFFqspcTJ8S2onhpT+rjYJLtzHC2p dq0Aslvd3v8az9UJmvBywpR6ZAuFKnKThJ2zg+5akCKcoq47qjwaLio8Is2iOpAl oeWl2kSVUBKHtDjzLjNd/FVEcPzm+y/b6DJgYAU7tv9m0411p4qeZ78ZID4JAwrn f66pFfSa4+PKK/K/WnrEZKLZWdXEqSHwKryO5xTevva3HZszS/KHA6BGoWvQtqho XGleBcENazYi1V8xD0X2rHUQQpVgVxHstxxKWCOPdR/lnRJMQBALT00CAwEAAaNj MGEwDgYDVR0PAQH/BAQDAgKkMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFKhp cOxzLGIjNgLb5hxAiNGR8vgDMB8GA1UdIwQYMBaAFKhpcOxzLGIjNgLb5hxAiNGR 8vgDMA0GCSqGSIb3DQEBCwUAA4IBAQAs6dSIpTY3Kx07EVITu8xW/yNOxB9Jwwlk bG7qVNZ6mjUcOnRSYeNzGQE/aWKN+CYQyvrUdjs6n2nyneGMHBlLa/iMe4Ne17Fe 1nheJcWQy0n+RYBpHw66hnf+lpBmk0NaBOedxQnOVK8zG4RrXALW+kIY/e/BCbff qysavfhBvYLMKOymP5EEIm53JlXprDqkikvmWPXtyXXDOGdOUOxZ6SqSEkdysRu9 GQYCz4zRsIpjEXbQeb1V99UFNmvTSaBU5k0n6Jmywya6/jDXN9CULj8pGWfTwTEl 0Hs1GofsRTVUTLaQcA79DVJX6Z9TwTGo/dfuti4bdP3vbu/gMaiP -----END CERTIFICATE----- server-ca-bundle.crt: | -----BEGIN CERTIFICATE----- MIIDRTCCAi2gAwIBAgIIBqCGbsF4M/kwDQYJKoZIhvcNAQELBQAwMDEuMCwGA1UE Awwlb3BlbnNoaWZ0LWV0Y2RfZXRjZC1zaWduZXJAMTc3MzkyMDcxODAeFw0yNjAz MTkxMTQ1MThaFw0zMTAzMTgxMTQ1MTlaMDAxLjAsBgNVBAMMJW9wZW5zaGlmdC1l dGNkX2V0Y2Qtc2lnbmVyQDE3NzM5MjA3MTgwggEiMA0GCSqGSIb3DQEBAQUAA4IB DwAwggEKAoIBAQDIZm3yAO5GUPXr41PMQAGZkYjOv/QvUvkAzypUK0Qwk8SnCcFx UlppyE164BLteLWlxAlUB8lejs63ksC6WKImliocxuniOUn9UBf4C8gXQRgE7JCu Fli+fHiN8mmxOnGgi31FVjHI7VboGFG7GkPBq4ncC2uEjCQRh6XKJAqSzYcQU4aO TiEIRkyMNoMBUR/oxPXwf5gdXFfhRBreh6h5uuifSURYhVczUrqJN3cegco50yQ1 dCJanfPQB0MdnpjgVs7/he4lVDPjIpDuwzv2SmuUQRwUqYl2ToU9kIzaOwf4t9kU ZR4XOca6J3uPFTETsrBb8IE9EDhtPZ+0+97lAgMBAAGjYzBhMA4GA1UdDwEB/wQE AwICpDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTjG3uDUI/znAz6TJhbAU6N cC7whzAfBgNVHSMEGDAWgBTjG3uDUI/znAz6TJhbAU6NcC7whzANBgkqhkiG9w0B AQsFAAOCAQEAvsdo/iPsBHxpx+sOKofz2h+KnmAb8J45gZBa3yw6jVoWxxTvP7TI hJIRKovwHHt9AxXPvc1gZW889zx+va1b9g87nrSLZkKx5KtQnS8k3KkxD199FFNo lKleF++mxvouc12aFxzDrVg0wu0GRqkMjh9HVYkezGxU2dShy+RUoqLi3K7Cxju7 ooI3YiL0Zt2+n3BmIcTAKBYqx6LLJ06ehpGo4jcM7o2l6KfniVJQFe2eQxlPE55j rfyEzmkEMN8h6vsWFzdTbFyyXxfvus7p6Sz/kv+13xlqyhyXww4Vk8GWODKAEst4 y1hJjapIy2zZg99OJR7HCeb33/oW7Ej0cQ== -----END CERTIFICATE----- kind: ConfigMap metadata: annotations: openshift.io/ceo-bundle-rollout-revision: "0" openshift.io/owning-component: Etcd creationTimestamp: "2026-03-19T12:01:54Z" labels: operator.openshift.io/controller-instance-name: etcd-RevisionController managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:metrics-ca-bundle.crt: {} f:server-ca-bundle.crt: {} f:metadata: f:annotations: .: {} f:openshift.io/ceo-bundle-rollout-revision: {} f:openshift.io/owning-component: {} f:labels: .: {} f:operator.openshift.io/controller-instance-name: {} f:ownerReferences: .: {} k:{"uid":"572bb0ba-657d-4eb6-8f6c-9c2ff0bd96fc"}: {} manager: cluster-etcd-operator operation: Update time: "2026-03-19T12:01:54Z" name: etcd-all-bundles-2 namespace: openshift-etcd ownerReferences: - apiVersion: v1 kind: ConfigMap name: revision-status-2 uid: 572bb0ba-657d-4eb6-8f6c-9c2ff0bd96fc resourceVersion: "11725" uid: 0f5d74ad-a4d0-4ce1-bc67-c016c181c1c0 - apiVersion: v1 data: ca-bundle.crt: | -----BEGIN CERTIFICATE----- MIIDRTCCAi2gAwIBAgIIBqCGbsF4M/kwDQYJKoZIhvcNAQELBQAwMDEuMCwGA1UE Awwlb3BlbnNoaWZ0LWV0Y2RfZXRjZC1zaWduZXJAMTc3MzkyMDcxODAeFw0yNjAz MTkxMTQ1MThaFw0zMTAzMTgxMTQ1MTlaMDAxLjAsBgNVBAMMJW9wZW5zaGlmdC1l dGNkX2V0Y2Qtc2lnbmVyQDE3NzM5MjA3MTgwggEiMA0GCSqGSIb3DQEBAQUAA4IB DwAwggEKAoIBAQDIZm3yAO5GUPXr41PMQAGZkYjOv/QvUvkAzypUK0Qwk8SnCcFx UlppyE164BLteLWlxAlUB8lejs63ksC6WKImliocxuniOUn9UBf4C8gXQRgE7JCu Fli+fHiN8mmxOnGgi31FVjHI7VboGFG7GkPBq4ncC2uEjCQRh6XKJAqSzYcQU4aO TiEIRkyMNoMBUR/oxPXwf5gdXFfhRBreh6h5uuifSURYhVczUrqJN3cegco50yQ1 dCJanfPQB0MdnpjgVs7/he4lVDPjIpDuwzv2SmuUQRwUqYl2ToU9kIzaOwf4t9kU ZR4XOca6J3uPFTETsrBb8IE9EDhtPZ+0+97lAgMBAAGjYzBhMA4GA1UdDwEB/wQE AwICpDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTjG3uDUI/znAz6TJhbAU6N cC7whzAfBgNVHSMEGDAWgBTjG3uDUI/znAz6TJhbAU6NcC7whzANBgkqhkiG9w0B AQsFAAOCAQEAvsdo/iPsBHxpx+sOKofz2h+KnmAb8J45gZBa3yw6jVoWxxTvP7TI hJIRKovwHHt9AxXPvc1gZW889zx+va1b9g87nrSLZkKx5KtQnS8k3KkxD199FFNo lKleF++mxvouc12aFxzDrVg0wu0GRqkMjh9HVYkezGxU2dShy+RUoqLi3K7Cxju7 ooI3YiL0Zt2+n3BmIcTAKBYqx6LLJ06ehpGo4jcM7o2l6KfniVJQFe2eQxlPE55j rfyEzmkEMN8h6vsWFzdTbFyyXxfvus7p6Sz/kv+13xlqyhyXww4Vk8GWODKAEst4 y1hJjapIy2zZg99OJR7HCeb33/oW7Ej0cQ== -----END CERTIFICATE----- kind: ConfigMap metadata: annotations: openshift.io/description: Generated by cluster-etcd-operator for etcd and is used to authenticate clients and peers of etcd. openshift.io/owning-component: etcd creationTimestamp: "2026-03-19T11:47:25Z" labels: auth.openshift.io/managed-certificate-type: ca-bundle managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:ca-bundle.crt: {} f:metadata: f:annotations: .: {} f:openshift.io/description: {} f:openshift.io/owning-component: {} f:labels: .: {} f:auth.openshift.io/managed-certificate-type: {} manager: cluster-bootstrap operation: Update time: "2026-03-19T11:47:25Z" name: etcd-ca-bundle namespace: openshift-etcd resourceVersion: "582" uid: 0c8eea63-e30a-4ae6-a67e-eabbeb0ad63d - apiVersion: v1 data: 91eb892c5ee87610: 192.168.32.10 kind: ConfigMap metadata: creationTimestamp: "2026-03-19T11:47:35Z" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: {} manager: cluster-bootstrap operation: Update time: "2026-03-19T11:47:35Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: f:91eb892c5ee87610: {} manager: cluster-etcd-operator operation: Update time: "2026-03-19T12:01:47Z" name: etcd-endpoints namespace: openshift-etcd resourceVersion: "11675" uid: c6710ad0-11b2-416a-9dce-40386b8beb90 - apiVersion: v1 data: MTkyLjE2OC4zMi4xMA: 192.168.32.10 kind: ConfigMap metadata: creationTimestamp: "2026-03-19T11:54:04Z" labels: operator.openshift.io/controller-instance-name: etcd-RevisionController managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:MTkyLjE2OC4zMi4xMA: {} f:metadata: f:labels: .: {} f:operator.openshift.io/controller-instance-name: {} f:ownerReferences: .: {} k:{"uid":"b87b8a49-eaba-4aef-91c4-288d56041db5"}: {} manager: cluster-etcd-operator operation: Update time: "2026-03-19T11:54:04Z" name: etcd-endpoints-1 namespace: openshift-etcd ownerReferences: - apiVersion: v1 kind: ConfigMap name: revision-status-1 uid: b87b8a49-eaba-4aef-91c4-288d56041db5 resourceVersion: "5453" uid: 6f1ee071-edc3-4444-8f80-225da32c2928 - apiVersion: v1 data: 91eb892c5ee87610: 192.168.32.10 kind: ConfigMap metadata: creationTimestamp: "2026-03-19T12:01:53Z" labels: operator.openshift.io/controller-instance-name: etcd-RevisionController managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:91eb892c5ee87610: {} f:metadata: f:labels: .: {} f:operator.openshift.io/controller-instance-name: {} f:ownerReferences: .: {} k:{"uid":"572bb0ba-657d-4eb6-8f6c-9c2ff0bd96fc"}: {} manager: cluster-etcd-operator operation: Update time: "2026-03-19T12:01:53Z" name: etcd-endpoints-2 namespace: openshift-etcd ownerReferences: - apiVersion: v1 kind: ConfigMap name: revision-status-2 uid: 572bb0ba-657d-4eb6-8f6c-9c2ff0bd96fc resourceVersion: "11710" uid: c5b28df0-f4dd-4438-9b4a-0453e37314aa - apiVersion: v1 data: ca-bundle.crt: | -----BEGIN CERTIFICATE----- MIIDUzCCAjugAwIBAgIIUzVT1YspssswDQYJKoZIhvcNAQELBQAwNzE1MDMGA1UE Awwsb3BlbnNoaWZ0LWV0Y2RfZXRjZC1tZXRyaWMtc2lnbmVyQDE3NzM5MjA3MTkw HhcNMjYwMzE5MTE0NTE4WhcNMzEwMzE4MTE0NTE5WjA3MTUwMwYDVQQDDCxvcGVu c2hpZnQtZXRjZF9ldGNkLW1ldHJpYy1zaWduZXJAMTc3MzkyMDcxOTCCASIwDQYJ KoZIhvcNAQEBBQADggEPADCCAQoCggEBANZqeV2nyfLpNXaBwdv1ROIPZG0F7DZI +j3d86CFDg5gErmJfY1C1FTp0y2XT8n8DpsTFFqspcTJ8S2onhpT+rjYJLtzHC2p dq0Aslvd3v8az9UJmvBywpR6ZAuFKnKThJ2zg+5akCKcoq47qjwaLio8Is2iOpAl oeWl2kSVUBKHtDjzLjNd/FVEcPzm+y/b6DJgYAU7tv9m0411p4qeZ78ZID4JAwrn f66pFfSa4+PKK/K/WnrEZKLZWdXEqSHwKryO5xTevva3HZszS/KHA6BGoWvQtqho XGleBcENazYi1V8xD0X2rHUQQpVgVxHstxxKWCOPdR/lnRJMQBALT00CAwEAAaNj MGEwDgYDVR0PAQH/BAQDAgKkMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFKhp cOxzLGIjNgLb5hxAiNGR8vgDMB8GA1UdIwQYMBaAFKhpcOxzLGIjNgLb5hxAiNGR 8vgDMA0GCSqGSIb3DQEBCwUAA4IBAQAs6dSIpTY3Kx07EVITu8xW/yNOxB9Jwwlk bG7qVNZ6mjUcOnRSYeNzGQE/aWKN+CYQyvrUdjs6n2nyneGMHBlLa/iMe4Ne17Fe 1nheJcWQy0n+RYBpHw66hnf+lpBmk0NaBOedxQnOVK8zG4RrXALW+kIY/e/BCbff qysavfhBvYLMKOymP5EEIm53JlXprDqkikvmWPXtyXXDOGdOUOxZ6SqSEkdysRu9 GQYCz4zRsIpjEXbQeb1V99UFNmvTSaBU5k0n6Jmywya6/jDXN9CULj8pGWfTwTEl 0Hs1GofsRTVUTLaQcA79DVJX6Z9TwTGo/dfuti4bdP3vbu/gMaiP -----END CERTIFICATE----- kind: ConfigMap metadata: annotations: openshift.io/description: Generated by cluster-etcd-operator for etcd and is used to authenticate Prometheus ServiceMonitors reaching etcd. openshift.io/owning-component: etcd creationTimestamp: "2026-03-19T11:47:27Z" labels: auth.openshift.io/managed-certificate-type: ca-bundle managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:ca-bundle.crt: {} f:metadata: f:annotations: .: {} f:openshift.io/description: {} f:openshift.io/owning-component: {} f:labels: .: {} f:auth.openshift.io/managed-certificate-type: {} manager: cluster-bootstrap operation: Update time: "2026-03-19T11:47:27Z" name: etcd-metrics-ca-bundle namespace: openshift-etcd resourceVersion: "591" uid: 0d2091ce-ac44-47c0-ae2f-cf14ba976a90 - apiVersion: v1 data: forceRedeploymentReason: "" pod.yaml: "apiVersion: v1\nkind: Pod\nmetadata:\n name: etcd\n namespace: openshift-etcd\n \ annotations:\n kubectl.kubernetes.io/default-container: etcd\n target.workload.openshift.io/management: '{\"effect\": \"PreferredDuringScheduling\"}'\n labels:\n app: etcd\n k8s-app: etcd\n etcd: \"true\"\n revision: \"REVISION\"\nspec:\n initContainers:\n \ - name: setup\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:e29dc9f042f2d0471171a0611070886cb2f7c57338ab7f112613417bcd33b278\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n \ echo -n \"Fixing etcd log permissions.\"\n mkdir -p /var/log/etcd \ && chmod 0600 /var/log/etcd\n echo -n \"Fixing etcd auto backup permissions.\"\n \ mkdir -p /var/lib/etcd-auto-backup && chmod 0600 /var/lib/etcd-auto-backup\n \ securityContext:\n privileged: true\n resources:\n requests:\n \ memory: 50Mi\n cpu: 5m\n volumeMounts:\n - mountPath: /var/log/etcd\n name: log-dir\n - name: etcd-ensure-env-vars\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:e29dc9f042f2d0471171a0611070886cb2f7c57338ab7f112613417bcd33b278\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n \ set -euo pipefail\n\n : \"${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST?not set}\"\n : \"${NODE_NODE_ENVVAR_NAME_ETCD_NAME?not set}\"\n : \"${NODE_NODE_ENVVAR_NAME_IP?not set}\"\n\n # check for ipv4 addresses as well as ipv6 addresses with extra square brackets\n if [[ \"${NODE_NODE_ENVVAR_NAME_IP}\" != \"${NODE_IP}\" && \"${NODE_NODE_ENVVAR_NAME_IP}\" != \"[${NODE_IP}]\" ]]; then\n # echo the error message to stderr\n echo \"Expected node IP to be ${NODE_IP} got ${NODE_NODE_ENVVAR_NAME_IP}\" >&2\n exit 1\n fi\n\n # check for ipv4 addresses as well as ipv6 addresses with extra square brackets\n if [[ \"${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}\" != \"${NODE_IP}\" && \"${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}\" != \"[${NODE_IP}]\" ]]; then\n # echo the error message to stderr\n echo \"Expected etcd url host to be ${NODE_IP} got ${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}\" >&2\n exit 1\n fi\n\n resources:\n requests:\n \ memory: 60Mi\n cpu: 10m\n securityContext:\n privileged: true\n env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_API\"\n value: \"3\"\n - name: \"ETCDCTL_CACERT\"\n \ value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n \ value: \"true\"\n - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n \ value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n \ value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n \ value: \"5s\"\n - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:e29dc9f042f2d0471171a0611070886cb2f7c57338ab7f112613417bcd33b278\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n \ - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n \ - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n \ value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n \ value: \"192.168.32.10\"\n - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n - name: NODE_IP\n valueFrom:\n fieldRef:\n \ fieldPath: status.podIP\n - name: etcd-resources-copy\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:e29dc9f042f2d0471171a0611070886cb2f7c57338ab7f112613417bcd33b278\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n \ set -euo pipefail\n\n rm -f $(grep -l '^### Created by cluster-etcd-operator' /usr/local/bin/*)\n cp -p /etc/kubernetes/static-pod-certs/configmaps/etcd-scripts/*.sh /usr/local/bin\n\n resources:\n requests:\n memory: 60Mi\n \ cpu: 10m\n securityContext:\n privileged: true\n volumeMounts:\n \ - mountPath: /etc/kubernetes/static-pod-resources\n name: resource-dir\n \ - mountPath: /etc/kubernetes/static-pod-certs\n name: cert-dir\n \ - mountPath: /usr/local/bin\n name: usr-local-bin\n containers:\n \ # The etcdctl container should always be first. It is intended to be used\n \ # to open a remote shell via `oc rsh` that is ready to run `etcdctl`.\n - name: etcdctl\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:e29dc9f042f2d0471171a0611070886cb2f7c57338ab7f112613417bcd33b278\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - \"/bin/bash\"\n - \"-c\"\n - \"trap TERM INT; sleep infinity & wait\"\n resources:\n requests:\n memory: 60Mi\n \ cpu: 10m\n volumeMounts:\n - mountPath: /etc/kubernetes/manifests\n \ name: static-pod-dir\n - mountPath: /etc/kubernetes/static-pod-resources\n \ name: resource-dir\n - mountPath: /etc/kubernetes/static-pod-certs\n \ name: cert-dir\n - mountPath: /var/lib/etcd/\n name: data-dir\n \ env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_API\"\n value: \"3\"\n - name: \"ETCDCTL_CACERT\"\n \ value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n \ value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n value: \"true\"\n \ - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n value: \"5s\"\n \ - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n \ value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:e29dc9f042f2d0471171a0611070886cb2f7c57338ab7f112613417bcd33b278\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n \ value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n value: \"192.168.32.10\"\n \ - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n - name: \"ETCD_STATIC_POD_VERSION\"\n value: \"REVISION\"\n\n - name: etcd\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:e29dc9f042f2d0471171a0611070886cb2f7c57338ab7f112613417bcd33b278\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n set -euo pipefail\n\n etcdctl member list || true\n\n # this has a non-zero return code if the command is non-zero. If you use an export first, it doesn't and you\n # will succeed when you should fail.\n ETCD_INITIAL_CLUSTER=$(discover-etcd-initial-cluster \\\n --cacert=/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt \\\n --cert=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt \\\n --key=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key \\\n --endpoints=${ALL_ETCD_ENDPOINTS} \\\n --data-dir=/var/lib/etcd \\\n --target-peer-url-host=${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST} \\\n --target-name=NODE_NAME)\n export ETCD_INITIAL_CLUSTER\n\n \ # we cannot use the \"normal\" port conflict initcontainer because when we upgrade, the existing static pod will never yield,\n # so we do the detection in etcd container itself.\n echo -n \"Waiting for ports 2379, 2380 and 9978 to be released.\"\n time while [ -n \"$(ss -Htan '( sport = 2379 or sport = 2380 or sport = 9978 )')\" ]; do\n echo -n \".\"\n \ sleep 1\n done\n\n export ETCD_NAME=${NODE_NODE_ENVVAR_NAME_ETCD_NAME}\n \ env | grep ETCD | grep -v NODE\n\n set -x\n # See https://etcd.io/docs/v3.4.0/tuning/ for why we use ionice\n exec nice -n -19 ionice -c2 -n0 etcd \\\n --logger=zap \\\n --log-level=info \\\n --experimental-initial-corrupt-check=true \\\n --snapshot-count=10000 \\\n --initial-advertise-peer-urls=https://${NODE_NODE_ENVVAR_NAME_IP}:2380 \\\n --cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.crt \\\n --key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.key \\\n --trusted-ca-file=/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt \\\n --client-cert-auth=true \\\n --peer-cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt \\\n --peer-key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key \\\n --peer-trusted-ca-file=/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt \\\n --peer-client-cert-auth=true \\\n --advertise-client-urls=https://${NODE_NODE_ENVVAR_NAME_IP}:2379 \\\n --listen-client-urls=https://0.0.0.0:2379,unixs://${NODE_NODE_ENVVAR_NAME_IP}:0 \\\n --listen-peer-urls=https://0.0.0.0:2380 \\\n --metrics=extensive \\\n --listen-metrics-urls=https://0.0.0.0:9978 || mv /etc/kubernetes/etcd-backup-dir/etcd-member.yaml /etc/kubernetes/manifests\n ports:\n - containerPort: 2379\n name: etcd\n protocol: TCP\n - containerPort: 2380\n name: etcd-peer\n \ protocol: TCP\n - containerPort: 9978\n name: etcd-metrics\n protocol: TCP\n env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_API\"\n value: \"3\"\n - name: \"ETCDCTL_CACERT\"\n \ value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n \ value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n value: \"true\"\n \ - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n value: \"5s\"\n \ - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n \ value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:e29dc9f042f2d0471171a0611070886cb2f7c57338ab7f112613417bcd33b278\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n \ value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n value: \"192.168.32.10\"\n \ - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n - name: \"ETCD_STATIC_POD_VERSION\"\n value: \"REVISION\"\n resources:\n requests:\n \ memory: 600Mi\n cpu: 300m\n readinessProbe:\n httpGet:\n \ port: 9980\n path: readyz\n scheme: HTTPS\n timeoutSeconds: 30\n failureThreshold: 5\n periodSeconds: 5\n successThreshold: 1\n livenessProbe:\n httpGet:\n path: healthz\n port: 9980\n scheme: HTTPS\n timeoutSeconds: 30\n periodSeconds: 5\n successThreshold: 1\n failureThreshold: 5\n startupProbe:\n \ httpGet:\n port: 9980\n path: readyz\n scheme: HTTPS\n \ initialDelaySeconds: 10\n timeoutSeconds: 1\n periodSeconds: 10\n successThreshold: 1\n failureThreshold: 18\n securityContext:\n \ privileged: true\n volumeMounts:\n - mountPath: /etc/kubernetes/manifests\n \ name: static-pod-dir\n - mountPath: /etc/kubernetes/static-pod-resources\n \ name: resource-dir\n - mountPath: /etc/kubernetes/static-pod-certs\n \ name: cert-dir\n - mountPath: /var/lib/etcd/\n name: data-dir\n\n \ - name: etcd-metrics\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:e29dc9f042f2d0471171a0611070886cb2f7c57338ab7f112613417bcd33b278\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n set -euo pipefail\n\n export ETCD_NAME=${NODE_NODE_ENVVAR_NAME_ETCD_NAME}\n\n \ exec nice -n -18 etcd grpc-proxy start \\\n --endpoints https://${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}:9978 \\\n --metrics-addr https://0.0.0.0:9979 \\\n --listen-addr 127.0.0.1:9977 \\\n --advertise-client-url \"\" \\\n --key /etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key \\\n --key-file /etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-metrics-NODE_NAME.key \\\n --cert /etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt \\\n --cert-file /etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-metrics-NODE_NAME.crt \\\n --cacert /etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt \\\n --trusted-ca-file /etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/metrics-ca-bundle.crt \\\n --listen-cipher-suites TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 \\\n --tls-min-version $(ETCD_TLS_MIN_VERSION)\n ports:\n - containerPort: 9979\n name: proxy-metrics\n protocol: TCP\n env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \n \ - name: \"ETCDCTL_API\"\n value: \"3\"\n \n - name: \"ETCDCTL_CACERT\"\n \ value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ \n - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ \n - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ \n - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ \n - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ \n - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n \n \ - name: \"ETCD_ELECTION_TIMEOUT\"\n value: \"2500\"\n \n - name: \"ETCD_ENABLE_PPROF\"\n value: \"true\"\n \n - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n \ value: \"1\"\n \n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n \ value: \"200ms\"\n \n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n \ value: \"5s\"\n \n - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n \n - name: \"ETCD_IMAGE\"\n value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:e29dc9f042f2d0471171a0611070886cb2f7c57338ab7f112613417bcd33b278\"\n \ \n - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n \ \n - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n \ \n - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n \n \ - name: \"ETCD_TLS_MIN_VERSION\"\n value: \"TLS1.2\"\n \n - name: \"NODE_master_0_ETCD_NAME\"\n value: \"master-0\"\n \n - name: \"NODE_master_0_ETCD_URL_HOST\"\n \ value: \"192.168.32.10\"\n \n - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n - name: \"ETCD_STATIC_POD_VERSION\"\n value: \"REVISION\"\n \ resources:\n requests:\n memory: 200Mi\n cpu: 40m\n securityContext:\n \ privileged: true\n volumeMounts:\n - mountPath: /etc/kubernetes/static-pod-resources\n \ name: resource-dir\n - mountPath: /etc/kubernetes/static-pod-certs\n \ name: cert-dir\n - mountPath: /var/lib/etcd/\n name: data-dir\n \ - name: etcd-readyz\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:d5a971d5889f167cfe61a64c366424b87c17a6dc141ffcc43406cdcbb50cae2a\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n set -euo pipefail\n \n exec nice -n -18 cluster-etcd-operator readyz \\\n --target=https://localhost:2379 \\\n --listen-port=9980 \\\n --serving-cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.crt \\\n --serving-key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.key \\\n --client-cert-file=$(ETCDCTL_CERT) \\\n --client-key-file=$(ETCDCTL_KEY) \\\n --client-cacert-file=$(ETCDCTL_CACERT) \\\n --listen-cipher-suites TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 \\\n --listen-tls-min-version=$(ETCD_TLS_MIN_VERSION)\n securityContext:\n \ privileged: true\n ports:\n - containerPort: 9980\n name: readyz\n \ protocol: TCP\n resources:\n requests:\n memory: 50Mi\n \ cpu: 10m\n env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n - name: \"ETCDCTL_API\"\n value: \"3\"\n \ - name: \"ETCDCTL_CACERT\"\n value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n \ value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n value: \"true\"\n \ - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n value: \"5s\"\n \ - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n \ value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:e29dc9f042f2d0471171a0611070886cb2f7c57338ab7f112613417bcd33b278\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n \ value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n value: \"192.168.32.10\"\n \ - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n volumeMounts:\n \ - mountPath: /var/log/etcd/\n name: log-dir\n - mountPath: /etc/kubernetes/static-pod-certs\n name: cert-dir\n - name: etcd-rev\n \ image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:d5a971d5889f167cfe61a64c366424b87c17a6dc141ffcc43406cdcbb50cae2a\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n set -euo pipefail\n \n cluster-etcd-operator rev \\\n --endpoints=$(ALL_ETCD_ENDPOINTS) \\\n --client-cert-file=$(ETCDCTL_CERT) \\\n --client-key-file=$(ETCDCTL_KEY) \\\n --client-cacert-file=$(ETCDCTL_CACERT)\n securityContext:\n \ privileged: true\n resources:\n requests:\n memory: 50Mi\n \ cpu: 10m\n env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n - name: \"ETCDCTL_API\"\n value: \"3\"\n \ - name: \"ETCDCTL_CACERT\"\n value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n \ value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n value: \"true\"\n \ - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n value: \"5s\"\n \ - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n \ value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:e29dc9f042f2d0471171a0611070886cb2f7c57338ab7f112613417bcd33b278\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n \ value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n value: \"192.168.32.10\"\n \ - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n volumeMounts:\n \ - mountPath: /var/lib/etcd\n name: data-dir\n - mountPath: /etc/kubernetes/static-pod-certs\n \ name: cert-dir\n hostNetwork: true\n priority: 2000001000\n priorityClassName: system-node-critical\n tolerations:\n - operator: \"Exists\"\n volumes:\n \ - hostPath:\n path: /etc/kubernetes/manifests\n name: static-pod-dir\n \ - hostPath:\n path: /etc/kubernetes/static-pod-resources/etcd-pod-REVISION\n \ name: resource-dir\n - hostPath:\n path: /etc/kubernetes/static-pod-resources/etcd-certs\n \ name: cert-dir\n - hostPath:\n path: /var/lib/etcd\n type: \"\"\n name: data-dir\n - hostPath:\n path: /usr/local/bin\n \ name: usr-local-bin\n - hostPath:\n path: /var/log/etcd\n name: log-dir\n - hostPath:\n path: /etc/kubernetes\n name: config-dir\n \ - hostPath:\n path: /var/lib/etcd-auto-backup\n name: etcd-auto-backup-dir\n" version: 4.18.0-202602261953.p2.gb7e21f5.assembly.stream.el9-b7e21f5 kind: ConfigMap metadata: creationTimestamp: "2026-03-19T11:54:01Z" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:forceRedeploymentReason: {} f:pod.yaml: {} f:version: {} manager: cluster-etcd-operator operation: Update time: "2026-03-19T11:54:01Z" name: etcd-pod namespace: openshift-etcd resourceVersion: "5173" uid: e066e5df-4c7b-44d8-94ef-e83eb0a3e3f9 - apiVersion: v1 data: forceRedeploymentReason: "" pod.yaml: "apiVersion: v1\nkind: Pod\nmetadata:\n name: etcd\n namespace: openshift-etcd\n \ annotations:\n kubectl.kubernetes.io/default-container: etcd\n target.workload.openshift.io/management: '{\"effect\": \"PreferredDuringScheduling\"}'\n labels:\n app: etcd\n k8s-app: etcd\n etcd: \"true\"\n revision: \"REVISION\"\nspec:\n initContainers:\n \ - name: setup\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:e29dc9f042f2d0471171a0611070886cb2f7c57338ab7f112613417bcd33b278\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n \ echo -n \"Fixing etcd log permissions.\"\n mkdir -p /var/log/etcd \ && chmod 0600 /var/log/etcd\n echo -n \"Fixing etcd auto backup permissions.\"\n \ mkdir -p /var/lib/etcd-auto-backup && chmod 0600 /var/lib/etcd-auto-backup\n \ securityContext:\n privileged: true\n resources:\n requests:\n \ memory: 50Mi\n cpu: 5m\n volumeMounts:\n - mountPath: /var/log/etcd\n name: log-dir\n - name: etcd-ensure-env-vars\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:e29dc9f042f2d0471171a0611070886cb2f7c57338ab7f112613417bcd33b278\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n \ set -euo pipefail\n\n : \"${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST?not set}\"\n : \"${NODE_NODE_ENVVAR_NAME_ETCD_NAME?not set}\"\n : \"${NODE_NODE_ENVVAR_NAME_IP?not set}\"\n\n # check for ipv4 addresses as well as ipv6 addresses with extra square brackets\n if [[ \"${NODE_NODE_ENVVAR_NAME_IP}\" != \"${NODE_IP}\" && \"${NODE_NODE_ENVVAR_NAME_IP}\" != \"[${NODE_IP}]\" ]]; then\n # echo the error message to stderr\n echo \"Expected node IP to be ${NODE_IP} got ${NODE_NODE_ENVVAR_NAME_IP}\" >&2\n exit 1\n fi\n\n # check for ipv4 addresses as well as ipv6 addresses with extra square brackets\n if [[ \"${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}\" != \"${NODE_IP}\" && \"${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}\" != \"[${NODE_IP}]\" ]]; then\n # echo the error message to stderr\n echo \"Expected etcd url host to be ${NODE_IP} got ${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}\" >&2\n exit 1\n fi\n\n resources:\n requests:\n \ memory: 60Mi\n cpu: 10m\n securityContext:\n privileged: true\n env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_API\"\n value: \"3\"\n - name: \"ETCDCTL_CACERT\"\n \ value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n \ value: \"true\"\n - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n \ value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n \ value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n \ value: \"5s\"\n - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:e29dc9f042f2d0471171a0611070886cb2f7c57338ab7f112613417bcd33b278\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n \ - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n \ - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n \ value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n \ value: \"192.168.32.10\"\n - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n - name: NODE_IP\n valueFrom:\n fieldRef:\n \ fieldPath: status.podIP\n - name: etcd-resources-copy\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:e29dc9f042f2d0471171a0611070886cb2f7c57338ab7f112613417bcd33b278\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n \ set -euo pipefail\n\n rm -f $(grep -l '^### Created by cluster-etcd-operator' /usr/local/bin/*)\n cp -p /etc/kubernetes/static-pod-certs/configmaps/etcd-scripts/*.sh /usr/local/bin\n\n resources:\n requests:\n memory: 60Mi\n \ cpu: 10m\n securityContext:\n privileged: true\n volumeMounts:\n \ - mountPath: /etc/kubernetes/static-pod-resources\n name: resource-dir\n \ - mountPath: /etc/kubernetes/static-pod-certs\n name: cert-dir\n \ - mountPath: /usr/local/bin\n name: usr-local-bin\n containers:\n \ # The etcdctl container should always be first. It is intended to be used\n \ # to open a remote shell via `oc rsh` that is ready to run `etcdctl`.\n - name: etcdctl\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:e29dc9f042f2d0471171a0611070886cb2f7c57338ab7f112613417bcd33b278\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - \"/bin/bash\"\n - \"-c\"\n - \"trap TERM INT; sleep infinity & wait\"\n resources:\n requests:\n memory: 60Mi\n \ cpu: 10m\n volumeMounts:\n - mountPath: /etc/kubernetes/manifests\n \ name: static-pod-dir\n - mountPath: /etc/kubernetes/static-pod-resources\n \ name: resource-dir\n - mountPath: /etc/kubernetes/static-pod-certs\n \ name: cert-dir\n - mountPath: /var/lib/etcd/\n name: data-dir\n \ env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_API\"\n value: \"3\"\n - name: \"ETCDCTL_CACERT\"\n \ value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n \ value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n value: \"true\"\n \ - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n value: \"5s\"\n \ - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n \ value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:e29dc9f042f2d0471171a0611070886cb2f7c57338ab7f112613417bcd33b278\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n \ value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n value: \"192.168.32.10\"\n \ - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n - name: \"ETCD_STATIC_POD_VERSION\"\n value: \"REVISION\"\n\n - name: etcd\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:e29dc9f042f2d0471171a0611070886cb2f7c57338ab7f112613417bcd33b278\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n set -euo pipefail\n\n etcdctl member list || true\n\n # this has a non-zero return code if the command is non-zero. If you use an export first, it doesn't and you\n # will succeed when you should fail.\n ETCD_INITIAL_CLUSTER=$(discover-etcd-initial-cluster \\\n --cacert=/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt \\\n --cert=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt \\\n --key=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key \\\n --endpoints=${ALL_ETCD_ENDPOINTS} \\\n --data-dir=/var/lib/etcd \\\n --target-peer-url-host=${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST} \\\n --target-name=NODE_NAME)\n export ETCD_INITIAL_CLUSTER\n\n \ # we cannot use the \"normal\" port conflict initcontainer because when we upgrade, the existing static pod will never yield,\n # so we do the detection in etcd container itself.\n echo -n \"Waiting for ports 2379, 2380 and 9978 to be released.\"\n time while [ -n \"$(ss -Htan '( sport = 2379 or sport = 2380 or sport = 9978 )')\" ]; do\n echo -n \".\"\n \ sleep 1\n done\n\n export ETCD_NAME=${NODE_NODE_ENVVAR_NAME_ETCD_NAME}\n \ env | grep ETCD | grep -v NODE\n\n set -x\n # See https://etcd.io/docs/v3.4.0/tuning/ for why we use ionice\n exec nice -n -19 ionice -c2 -n0 etcd \\\n --logger=zap \\\n --log-level=info \\\n --experimental-initial-corrupt-check=true \\\n --snapshot-count=10000 \\\n --initial-advertise-peer-urls=https://${NODE_NODE_ENVVAR_NAME_IP}:2380 \\\n --cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.crt \\\n --key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.key \\\n --trusted-ca-file=/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt \\\n --client-cert-auth=true \\\n --peer-cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt \\\n --peer-key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key \\\n --peer-trusted-ca-file=/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt \\\n --peer-client-cert-auth=true \\\n --advertise-client-urls=https://${NODE_NODE_ENVVAR_NAME_IP}:2379 \\\n --listen-client-urls=https://0.0.0.0:2379,unixs://${NODE_NODE_ENVVAR_NAME_IP}:0 \\\n --listen-peer-urls=https://0.0.0.0:2380 \\\n --metrics=extensive \\\n --listen-metrics-urls=https://0.0.0.0:9978 || mv /etc/kubernetes/etcd-backup-dir/etcd-member.yaml /etc/kubernetes/manifests\n ports:\n - containerPort: 2379\n name: etcd\n protocol: TCP\n - containerPort: 2380\n name: etcd-peer\n \ protocol: TCP\n - containerPort: 9978\n name: etcd-metrics\n protocol: TCP\n env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_API\"\n value: \"3\"\n - name: \"ETCDCTL_CACERT\"\n \ value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n \ value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n value: \"true\"\n \ - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n value: \"5s\"\n \ - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n \ value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:e29dc9f042f2d0471171a0611070886cb2f7c57338ab7f112613417bcd33b278\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n \ value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n value: \"192.168.32.10\"\n \ - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n - name: \"ETCD_STATIC_POD_VERSION\"\n value: \"REVISION\"\n resources:\n requests:\n \ memory: 600Mi\n cpu: 300m\n readinessProbe:\n httpGet:\n \ port: 9980\n path: readyz\n scheme: HTTPS\n timeoutSeconds: 30\n failureThreshold: 5\n periodSeconds: 5\n successThreshold: 1\n livenessProbe:\n httpGet:\n path: healthz\n port: 9980\n scheme: HTTPS\n timeoutSeconds: 30\n periodSeconds: 5\n successThreshold: 1\n failureThreshold: 5\n startupProbe:\n \ httpGet:\n port: 9980\n path: readyz\n scheme: HTTPS\n \ initialDelaySeconds: 10\n timeoutSeconds: 1\n periodSeconds: 10\n successThreshold: 1\n failureThreshold: 18\n securityContext:\n \ privileged: true\n volumeMounts:\n - mountPath: /etc/kubernetes/manifests\n \ name: static-pod-dir\n - mountPath: /etc/kubernetes/static-pod-resources\n \ name: resource-dir\n - mountPath: /etc/kubernetes/static-pod-certs\n \ name: cert-dir\n - mountPath: /var/lib/etcd/\n name: data-dir\n\n \ - name: etcd-metrics\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:e29dc9f042f2d0471171a0611070886cb2f7c57338ab7f112613417bcd33b278\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n set -euo pipefail\n\n export ETCD_NAME=${NODE_NODE_ENVVAR_NAME_ETCD_NAME}\n\n \ exec nice -n -18 etcd grpc-proxy start \\\n --endpoints https://${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}:9978 \\\n --metrics-addr https://0.0.0.0:9979 \\\n --listen-addr 127.0.0.1:9977 \\\n --advertise-client-url \"\" \\\n --key /etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key \\\n --key-file /etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-metrics-NODE_NAME.key \\\n --cert /etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt \\\n --cert-file /etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-metrics-NODE_NAME.crt \\\n --cacert /etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt \\\n --trusted-ca-file /etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/metrics-ca-bundle.crt \\\n --listen-cipher-suites TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 \\\n --tls-min-version $(ETCD_TLS_MIN_VERSION)\n ports:\n - containerPort: 9979\n name: proxy-metrics\n protocol: TCP\n env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \n \ - name: \"ETCDCTL_API\"\n value: \"3\"\n \n - name: \"ETCDCTL_CACERT\"\n \ value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ \n - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ \n - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ \n - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ \n - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ \n - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n \n \ - name: \"ETCD_ELECTION_TIMEOUT\"\n value: \"2500\"\n \n - name: \"ETCD_ENABLE_PPROF\"\n value: \"true\"\n \n - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n \ value: \"1\"\n \n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n \ value: \"200ms\"\n \n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n \ value: \"5s\"\n \n - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n \n - name: \"ETCD_IMAGE\"\n value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:e29dc9f042f2d0471171a0611070886cb2f7c57338ab7f112613417bcd33b278\"\n \ \n - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n \ \n - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n \ \n - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n \n \ - name: \"ETCD_TLS_MIN_VERSION\"\n value: \"TLS1.2\"\n \n - name: \"NODE_master_0_ETCD_NAME\"\n value: \"master-0\"\n \n - name: \"NODE_master_0_ETCD_URL_HOST\"\n \ value: \"192.168.32.10\"\n \n - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n - name: \"ETCD_STATIC_POD_VERSION\"\n value: \"REVISION\"\n \ resources:\n requests:\n memory: 200Mi\n cpu: 40m\n securityContext:\n \ privileged: true\n volumeMounts:\n - mountPath: /etc/kubernetes/static-pod-resources\n \ name: resource-dir\n - mountPath: /etc/kubernetes/static-pod-certs\n \ name: cert-dir\n - mountPath: /var/lib/etcd/\n name: data-dir\n \ - name: etcd-readyz\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:d5a971d5889f167cfe61a64c366424b87c17a6dc141ffcc43406cdcbb50cae2a\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n set -euo pipefail\n \n exec nice -n -18 cluster-etcd-operator readyz \\\n --target=https://localhost:2379 \\\n --listen-port=9980 \\\n --serving-cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.crt \\\n --serving-key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.key \\\n --client-cert-file=$(ETCDCTL_CERT) \\\n --client-key-file=$(ETCDCTL_KEY) \\\n --client-cacert-file=$(ETCDCTL_CACERT) \\\n --listen-cipher-suites TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 \\\n --listen-tls-min-version=$(ETCD_TLS_MIN_VERSION)\n securityContext:\n \ privileged: true\n ports:\n - containerPort: 9980\n name: readyz\n \ protocol: TCP\n resources:\n requests:\n memory: 50Mi\n \ cpu: 10m\n env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n - name: \"ETCDCTL_API\"\n value: \"3\"\n \ - name: \"ETCDCTL_CACERT\"\n value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n \ value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n value: \"true\"\n \ - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n value: \"5s\"\n \ - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n \ value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:e29dc9f042f2d0471171a0611070886cb2f7c57338ab7f112613417bcd33b278\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n \ value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n value: \"192.168.32.10\"\n \ - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n volumeMounts:\n \ - mountPath: /var/log/etcd/\n name: log-dir\n - mountPath: /etc/kubernetes/static-pod-certs\n name: cert-dir\n - name: etcd-rev\n \ image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:d5a971d5889f167cfe61a64c366424b87c17a6dc141ffcc43406cdcbb50cae2a\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n set -euo pipefail\n \n cluster-etcd-operator rev \\\n --endpoints=$(ALL_ETCD_ENDPOINTS) \\\n --client-cert-file=$(ETCDCTL_CERT) \\\n --client-key-file=$(ETCDCTL_KEY) \\\n --client-cacert-file=$(ETCDCTL_CACERT)\n securityContext:\n \ privileged: true\n resources:\n requests:\n memory: 50Mi\n \ cpu: 10m\n env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n - name: \"ETCDCTL_API\"\n value: \"3\"\n \ - name: \"ETCDCTL_CACERT\"\n value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n \ value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n value: \"true\"\n \ - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n value: \"5s\"\n \ - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n \ value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:e29dc9f042f2d0471171a0611070886cb2f7c57338ab7f112613417bcd33b278\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n \ value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n value: \"192.168.32.10\"\n \ - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n volumeMounts:\n \ - mountPath: /var/lib/etcd\n name: data-dir\n - mountPath: /etc/kubernetes/static-pod-certs\n \ name: cert-dir\n hostNetwork: true\n priority: 2000001000\n priorityClassName: system-node-critical\n tolerations:\n - operator: \"Exists\"\n volumes:\n \ - hostPath:\n path: /etc/kubernetes/manifests\n name: static-pod-dir\n \ - hostPath:\n path: /etc/kubernetes/static-pod-resources/etcd-pod-REVISION\n \ name: resource-dir\n - hostPath:\n path: /etc/kubernetes/static-pod-resources/etcd-certs\n \ name: cert-dir\n - hostPath:\n path: /var/lib/etcd\n type: \"\"\n name: data-dir\n - hostPath:\n path: /usr/local/bin\n \ name: usr-local-bin\n - hostPath:\n path: /var/log/etcd\n name: log-dir\n - hostPath:\n path: /etc/kubernetes\n name: config-dir\n \ - hostPath:\n path: /var/lib/etcd-auto-backup\n name: etcd-auto-backup-dir\n" version: 4.18.0-202602261953.p2.gb7e21f5.assembly.stream.el9-b7e21f5 kind: ConfigMap metadata: creationTimestamp: "2026-03-19T11:54:03Z" labels: operator.openshift.io/controller-instance-name: etcd-RevisionController managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:forceRedeploymentReason: {} f:pod.yaml: {} f:version: {} f:metadata: f:labels: .: {} f:operator.openshift.io/controller-instance-name: {} f:ownerReferences: .: {} k:{"uid":"b87b8a49-eaba-4aef-91c4-288d56041db5"}: {} manager: cluster-etcd-operator operation: Update time: "2026-03-19T11:54:03Z" name: etcd-pod-1 namespace: openshift-etcd ownerReferences: - apiVersion: v1 kind: ConfigMap name: revision-status-1 uid: b87b8a49-eaba-4aef-91c4-288d56041db5 resourceVersion: "5334" uid: 3c5ecbd4-47d8-4158-ab92-4106ef5ee355 - apiVersion: v1 data: forceRedeploymentReason: "" pod.yaml: "apiVersion: v1\nkind: Pod\nmetadata:\n name: etcd\n namespace: openshift-etcd\n \ annotations:\n kubectl.kubernetes.io/default-container: etcd\n target.workload.openshift.io/management: '{\"effect\": \"PreferredDuringScheduling\"}'\n labels:\n app: etcd\n k8s-app: etcd\n etcd: \"true\"\n revision: \"REVISION\"\nspec:\n initContainers:\n \ - name: setup\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:e29dc9f042f2d0471171a0611070886cb2f7c57338ab7f112613417bcd33b278\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n \ echo -n \"Fixing etcd log permissions.\"\n mkdir -p /var/log/etcd \ && chmod 0600 /var/log/etcd\n echo -n \"Fixing etcd auto backup permissions.\"\n \ mkdir -p /var/lib/etcd-auto-backup && chmod 0600 /var/lib/etcd-auto-backup\n \ securityContext:\n privileged: true\n resources:\n requests:\n \ memory: 50Mi\n cpu: 5m\n volumeMounts:\n - mountPath: /var/log/etcd\n name: log-dir\n - name: etcd-ensure-env-vars\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:e29dc9f042f2d0471171a0611070886cb2f7c57338ab7f112613417bcd33b278\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n \ set -euo pipefail\n\n : \"${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST?not set}\"\n : \"${NODE_NODE_ENVVAR_NAME_ETCD_NAME?not set}\"\n : \"${NODE_NODE_ENVVAR_NAME_IP?not set}\"\n\n # check for ipv4 addresses as well as ipv6 addresses with extra square brackets\n if [[ \"${NODE_NODE_ENVVAR_NAME_IP}\" != \"${NODE_IP}\" && \"${NODE_NODE_ENVVAR_NAME_IP}\" != \"[${NODE_IP}]\" ]]; then\n # echo the error message to stderr\n echo \"Expected node IP to be ${NODE_IP} got ${NODE_NODE_ENVVAR_NAME_IP}\" >&2\n exit 1\n fi\n\n # check for ipv4 addresses as well as ipv6 addresses with extra square brackets\n if [[ \"${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}\" != \"${NODE_IP}\" && \"${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}\" != \"[${NODE_IP}]\" ]]; then\n # echo the error message to stderr\n echo \"Expected etcd url host to be ${NODE_IP} got ${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}\" >&2\n exit 1\n fi\n\n resources:\n requests:\n \ memory: 60Mi\n cpu: 10m\n securityContext:\n privileged: true\n env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_API\"\n value: \"3\"\n - name: \"ETCDCTL_CACERT\"\n \ value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n \ value: \"true\"\n - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n \ value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n \ value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n \ value: \"5s\"\n - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:e29dc9f042f2d0471171a0611070886cb2f7c57338ab7f112613417bcd33b278\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n \ - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n \ - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n \ value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n \ value: \"192.168.32.10\"\n - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n - name: NODE_IP\n valueFrom:\n fieldRef:\n \ fieldPath: status.podIP\n - name: etcd-resources-copy\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:e29dc9f042f2d0471171a0611070886cb2f7c57338ab7f112613417bcd33b278\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n \ set -euo pipefail\n\n rm -f $(grep -l '^### Created by cluster-etcd-operator' /usr/local/bin/*)\n cp -p /etc/kubernetes/static-pod-certs/configmaps/etcd-scripts/*.sh /usr/local/bin\n\n resources:\n requests:\n memory: 60Mi\n \ cpu: 10m\n securityContext:\n privileged: true\n volumeMounts:\n \ - mountPath: /etc/kubernetes/static-pod-resources\n name: resource-dir\n \ - mountPath: /etc/kubernetes/static-pod-certs\n name: cert-dir\n \ - mountPath: /usr/local/bin\n name: usr-local-bin\n containers:\n \ # The etcdctl container should always be first. It is intended to be used\n \ # to open a remote shell via `oc rsh` that is ready to run `etcdctl`.\n - name: etcdctl\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:e29dc9f042f2d0471171a0611070886cb2f7c57338ab7f112613417bcd33b278\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - \"/bin/bash\"\n - \"-c\"\n - \"trap TERM INT; sleep infinity & wait\"\n resources:\n requests:\n memory: 60Mi\n \ cpu: 10m\n volumeMounts:\n - mountPath: /etc/kubernetes/manifests\n \ name: static-pod-dir\n - mountPath: /etc/kubernetes/static-pod-resources\n \ name: resource-dir\n - mountPath: /etc/kubernetes/static-pod-certs\n \ name: cert-dir\n - mountPath: /var/lib/etcd/\n name: data-dir\n \ env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_API\"\n value: \"3\"\n - name: \"ETCDCTL_CACERT\"\n \ value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n \ value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n value: \"true\"\n \ - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n value: \"5s\"\n \ - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n \ value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:e29dc9f042f2d0471171a0611070886cb2f7c57338ab7f112613417bcd33b278\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n \ value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n value: \"192.168.32.10\"\n \ - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n - name: \"ETCD_STATIC_POD_VERSION\"\n value: \"REVISION\"\n\n - name: etcd\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:e29dc9f042f2d0471171a0611070886cb2f7c57338ab7f112613417bcd33b278\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n set -euo pipefail\n\n etcdctl member list || true\n\n # this has a non-zero return code if the command is non-zero. If you use an export first, it doesn't and you\n # will succeed when you should fail.\n ETCD_INITIAL_CLUSTER=$(discover-etcd-initial-cluster \\\n --cacert=/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt \\\n --cert=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt \\\n --key=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key \\\n --endpoints=${ALL_ETCD_ENDPOINTS} \\\n --data-dir=/var/lib/etcd \\\n --target-peer-url-host=${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST} \\\n --target-name=NODE_NAME)\n export ETCD_INITIAL_CLUSTER\n\n \ # we cannot use the \"normal\" port conflict initcontainer because when we upgrade, the existing static pod will never yield,\n # so we do the detection in etcd container itself.\n echo -n \"Waiting for ports 2379, 2380 and 9978 to be released.\"\n time while [ -n \"$(ss -Htan '( sport = 2379 or sport = 2380 or sport = 9978 )')\" ]; do\n echo -n \".\"\n \ sleep 1\n done\n\n export ETCD_NAME=${NODE_NODE_ENVVAR_NAME_ETCD_NAME}\n \ env | grep ETCD | grep -v NODE\n\n set -x\n # See https://etcd.io/docs/v3.4.0/tuning/ for why we use ionice\n exec nice -n -19 ionice -c2 -n0 etcd \\\n --logger=zap \\\n --log-level=info \\\n --experimental-initial-corrupt-check=true \\\n --snapshot-count=10000 \\\n --initial-advertise-peer-urls=https://${NODE_NODE_ENVVAR_NAME_IP}:2380 \\\n --cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.crt \\\n --key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.key \\\n --trusted-ca-file=/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt \\\n --client-cert-auth=true \\\n --peer-cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt \\\n --peer-key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key \\\n --peer-trusted-ca-file=/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt \\\n --peer-client-cert-auth=true \\\n --advertise-client-urls=https://${NODE_NODE_ENVVAR_NAME_IP}:2379 \\\n --listen-client-urls=https://0.0.0.0:2379,unixs://${NODE_NODE_ENVVAR_NAME_IP}:0 \\\n --listen-peer-urls=https://0.0.0.0:2380 \\\n --metrics=extensive \\\n --listen-metrics-urls=https://0.0.0.0:9978 || mv /etc/kubernetes/etcd-backup-dir/etcd-member.yaml /etc/kubernetes/manifests\n ports:\n - containerPort: 2379\n name: etcd\n protocol: TCP\n - containerPort: 2380\n name: etcd-peer\n \ protocol: TCP\n - containerPort: 9978\n name: etcd-metrics\n protocol: TCP\n env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_API\"\n value: \"3\"\n - name: \"ETCDCTL_CACERT\"\n \ value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n \ value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n value: \"true\"\n \ - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n value: \"5s\"\n \ - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n \ value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:e29dc9f042f2d0471171a0611070886cb2f7c57338ab7f112613417bcd33b278\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n \ value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n value: \"192.168.32.10\"\n \ - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n - name: \"ETCD_STATIC_POD_VERSION\"\n value: \"REVISION\"\n resources:\n requests:\n \ memory: 600Mi\n cpu: 300m\n readinessProbe:\n httpGet:\n \ port: 9980\n path: readyz\n scheme: HTTPS\n timeoutSeconds: 30\n failureThreshold: 5\n periodSeconds: 5\n successThreshold: 1\n livenessProbe:\n httpGet:\n path: healthz\n port: 9980\n scheme: HTTPS\n timeoutSeconds: 30\n periodSeconds: 5\n successThreshold: 1\n failureThreshold: 5\n startupProbe:\n \ httpGet:\n port: 9980\n path: readyz\n scheme: HTTPS\n \ initialDelaySeconds: 10\n timeoutSeconds: 1\n periodSeconds: 10\n successThreshold: 1\n failureThreshold: 18\n securityContext:\n \ privileged: true\n volumeMounts:\n - mountPath: /etc/kubernetes/manifests\n \ name: static-pod-dir\n - mountPath: /etc/kubernetes/static-pod-resources\n \ name: resource-dir\n - mountPath: /etc/kubernetes/static-pod-certs\n \ name: cert-dir\n - mountPath: /var/lib/etcd/\n name: data-dir\n\n \ - name: etcd-metrics\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:e29dc9f042f2d0471171a0611070886cb2f7c57338ab7f112613417bcd33b278\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n set -euo pipefail\n\n export ETCD_NAME=${NODE_NODE_ENVVAR_NAME_ETCD_NAME}\n\n \ exec nice -n -18 etcd grpc-proxy start \\\n --endpoints https://${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}:9978 \\\n --metrics-addr https://0.0.0.0:9979 \\\n --listen-addr 127.0.0.1:9977 \\\n --advertise-client-url \"\" \\\n --key /etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key \\\n --key-file /etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-metrics-NODE_NAME.key \\\n --cert /etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt \\\n --cert-file /etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-metrics-NODE_NAME.crt \\\n --cacert /etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt \\\n --trusted-ca-file /etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/metrics-ca-bundle.crt \\\n --listen-cipher-suites TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 \\\n --tls-min-version $(ETCD_TLS_MIN_VERSION)\n ports:\n - containerPort: 9979\n name: proxy-metrics\n protocol: TCP\n env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \n \ - name: \"ETCDCTL_API\"\n value: \"3\"\n \n - name: \"ETCDCTL_CACERT\"\n \ value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ \n - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ \n - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ \n - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ \n - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ \n - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n \n \ - name: \"ETCD_ELECTION_TIMEOUT\"\n value: \"2500\"\n \n - name: \"ETCD_ENABLE_PPROF\"\n value: \"true\"\n \n - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n \ value: \"1\"\n \n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n \ value: \"200ms\"\n \n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n \ value: \"5s\"\n \n - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n \n - name: \"ETCD_IMAGE\"\n value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:e29dc9f042f2d0471171a0611070886cb2f7c57338ab7f112613417bcd33b278\"\n \ \n - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n \ \n - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n \ \n - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n \n \ - name: \"ETCD_TLS_MIN_VERSION\"\n value: \"TLS1.2\"\n \n - name: \"NODE_master_0_ETCD_NAME\"\n value: \"master-0\"\n \n - name: \"NODE_master_0_ETCD_URL_HOST\"\n \ value: \"192.168.32.10\"\n \n - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n - name: \"ETCD_STATIC_POD_VERSION\"\n value: \"REVISION\"\n \ resources:\n requests:\n memory: 200Mi\n cpu: 40m\n securityContext:\n \ privileged: true\n volumeMounts:\n - mountPath: /etc/kubernetes/static-pod-resources\n \ name: resource-dir\n - mountPath: /etc/kubernetes/static-pod-certs\n \ name: cert-dir\n - mountPath: /var/lib/etcd/\n name: data-dir\n \ - name: etcd-readyz\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:d5a971d5889f167cfe61a64c366424b87c17a6dc141ffcc43406cdcbb50cae2a\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n set -euo pipefail\n \n exec nice -n -18 cluster-etcd-operator readyz \\\n --target=https://localhost:2379 \\\n --listen-port=9980 \\\n --serving-cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.crt \\\n --serving-key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.key \\\n --client-cert-file=$(ETCDCTL_CERT) \\\n --client-key-file=$(ETCDCTL_KEY) \\\n --client-cacert-file=$(ETCDCTL_CACERT) \\\n --listen-cipher-suites TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 \\\n --listen-tls-min-version=$(ETCD_TLS_MIN_VERSION)\n securityContext:\n \ privileged: true\n ports:\n - containerPort: 9980\n name: readyz\n \ protocol: TCP\n resources:\n requests:\n memory: 50Mi\n \ cpu: 10m\n env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n - name: \"ETCDCTL_API\"\n value: \"3\"\n \ - name: \"ETCDCTL_CACERT\"\n value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n \ value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n value: \"true\"\n \ - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n value: \"5s\"\n \ - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n \ value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:e29dc9f042f2d0471171a0611070886cb2f7c57338ab7f112613417bcd33b278\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n \ value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n value: \"192.168.32.10\"\n \ - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n volumeMounts:\n \ - mountPath: /var/log/etcd/\n name: log-dir\n - mountPath: /etc/kubernetes/static-pod-certs\n name: cert-dir\n - name: etcd-rev\n \ image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:d5a971d5889f167cfe61a64c366424b87c17a6dc141ffcc43406cdcbb50cae2a\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n set -euo pipefail\n \n cluster-etcd-operator rev \\\n --endpoints=$(ALL_ETCD_ENDPOINTS) \\\n --client-cert-file=$(ETCDCTL_CERT) \\\n --client-key-file=$(ETCDCTL_KEY) \\\n --client-cacert-file=$(ETCDCTL_CACERT)\n securityContext:\n \ privileged: true\n resources:\n requests:\n memory: 50Mi\n \ cpu: 10m\n env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n - name: \"ETCDCTL_API\"\n value: \"3\"\n \ - name: \"ETCDCTL_CACERT\"\n value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n \ value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n value: \"true\"\n \ - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n value: \"5s\"\n \ - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n \ value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:e29dc9f042f2d0471171a0611070886cb2f7c57338ab7f112613417bcd33b278\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n \ value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n value: \"192.168.32.10\"\n \ - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n volumeMounts:\n \ - mountPath: /var/lib/etcd\n name: data-dir\n - mountPath: /etc/kubernetes/static-pod-certs\n \ name: cert-dir\n hostNetwork: true\n priority: 2000001000\n priorityClassName: system-node-critical\n tolerations:\n - operator: \"Exists\"\n volumes:\n \ - hostPath:\n path: /etc/kubernetes/manifests\n name: static-pod-dir\n \ - hostPath:\n path: /etc/kubernetes/static-pod-resources/etcd-pod-REVISION\n \ name: resource-dir\n - hostPath:\n path: /etc/kubernetes/static-pod-resources/etcd-certs\n \ name: cert-dir\n - hostPath:\n path: /var/lib/etcd\n type: \"\"\n name: data-dir\n - hostPath:\n path: /usr/local/bin\n \ name: usr-local-bin\n - hostPath:\n path: /var/log/etcd\n name: log-dir\n - hostPath:\n path: /etc/kubernetes\n name: config-dir\n \ - hostPath:\n path: /var/lib/etcd-auto-backup\n name: etcd-auto-backup-dir\n" version: 4.18.0-202602261953.p2.gb7e21f5.assembly.stream.el9-b7e21f5 kind: ConfigMap metadata: creationTimestamp: "2026-03-19T12:01:51Z" labels: operator.openshift.io/controller-instance-name: etcd-RevisionController managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:forceRedeploymentReason: {} f:pod.yaml: {} f:version: {} f:metadata: f:labels: .: {} f:operator.openshift.io/controller-instance-name: {} f:ownerReferences: .: {} k:{"uid":"572bb0ba-657d-4eb6-8f6c-9c2ff0bd96fc"}: {} manager: cluster-etcd-operator operation: Update time: "2026-03-19T12:01:51Z" name: etcd-pod-2 namespace: openshift-etcd ownerReferences: - apiVersion: v1 kind: ConfigMap name: revision-status-2 uid: 572bb0ba-657d-4eb6-8f6c-9c2ff0bd96fc resourceVersion: "11700" uid: 1612bd0b-7e02-4ed9-a392-43918c778404 - apiVersion: v1 data: cluster-backup.sh: | #!/usr/bin/env bash ### Created by cluster-etcd-operator. DO NOT edit. set -o errexit set -o pipefail set -o errtrace # example # cluster-backup.sh $path-to-snapshot if [[ $EUID -ne 0 ]]; then echo "This script must be run as root" exit 1 fi function usage { echo 'Path to backup dir required: ./cluster-backup.sh [--force] ' exit 1 } IS_DIRTY="" if [ "$1" == "--force" ]; then IS_DIRTY="__POSSIBLY_DIRTY__" shift fi # If the first argument is missing, or it is an existing file, then print usage and exit if [ -z "$1" ] || [ -f "$1" ]; then usage fi if [ ! -d "$1" ]; then mkdir -p "$1" fi function check_if_operator_is_progressing { local operator="$1" if [ ! -f "${KUBECONFIG}" ]; then echo "Valid kubeconfig is not found in kube-apiserver-certs. Exiting!" exit 1 fi progressing=$(oc get co "${operator}" -o jsonpath='{.status.conditions[?(@.type=="Progressing")].status}') || true if [ "$progressing" == "" ]; then echo "Could not find the status of the $operator. Check if the API server is running. Pass the --force flag to skip checks." exit 1 elif [ "$progressing" != "False" ]; then echo "Currently the $operator operator is progressing. A reliable backup requires that a rollout is not in progress. Aborting!" exit 1 fi } # backup latest static pod resources function backup_latest_kube_static_resources { local backup_tar_file="$1" local backup_resource_list=("kube-apiserver" "kube-controller-manager" "kube-scheduler" "etcd") local latest_resource_dirs=() for resource in "${backup_resource_list[@]}"; do if [ ! -f "/etc/kubernetes/manifests/${resource}-pod.yaml" ]; then echo "error finding manifests for the ${resource} pod. please check if it is running." exit 1 fi local latest_resource latest_resource=$(grep -o -m 1 "/etc/kubernetes/static-pod-resources/${resource}-pod-[0-9]*" "/etc/kubernetes/manifests/${resource}-pod.yaml") || true if [ -z "${latest_resource}" ]; then echo "error finding static-pod-resources for the ${resource} pod. please check if it is running." exit 1 fi if [ "${IS_DIRTY}" == "" ]; then check_if_operator_is_progressing "${resource}" fi echo "found latest ${resource}: ${latest_resource}" latest_resource_dirs+=("${latest_resource#${CONFIG_FILE_DIR}/}") done # tar latest resources with the path relative to CONFIG_FILE_DIR tar -cpzf "$backup_tar_file" -C "${CONFIG_FILE_DIR}" "${latest_resource_dirs[@]}" chmod 600 "$backup_tar_file" } function source_required_dependency { local src_path="$1" if [ ! -f "${src_path}" ]; then echo "required dependencies not found, please ensure this script is run on a node with a functional etcd static pod" exit 1 fi # shellcheck disable=SC1090 source "${src_path}" } BACKUP_DIR="$1" DATESTRING=$(date "+%F_%H%M%S") BACKUP_TAR_FILE=${BACKUP_DIR}/static_kuberesources_${DATESTRING}${IS_DIRTY}.tar.gz SNAPSHOT_FILE="${BACKUP_DIR}/snapshot_${DATESTRING}${IS_DIRTY}.db" trap 'rm -f ${BACKUP_TAR_FILE} ${SNAPSHOT_FILE}' ERR source_required_dependency /etc/kubernetes/static-pod-resources/etcd-certs/configmaps/etcd-scripts/etcd.env source_required_dependency /etc/kubernetes/static-pod-resources/etcd-certs/configmaps/etcd-scripts/etcd-common-tools # replacing the value of variables sourced form etcd.env to use the local node folders if the script is not running into the cluster-backup pod if [ ! -f "${ETCDCTL_CACERT}" ]; then echo "Certificate ${ETCDCTL_CACERT} is missing. Checking in different directory" export ETCDCTL_CACERT=$(echo ${ETCDCTL_CACERT} | sed -e "s|static-pod-certs|static-pod-resources/etcd-certs|") export ETCDCTL_CERT=$(echo ${ETCDCTL_CERT} | sed -e "s|static-pod-certs|static-pod-resources/etcd-certs|") export ETCDCTL_KEY=$(echo ${ETCDCTL_KEY} | sed -e "s|static-pod-certs|static-pod-resources/etcd-certs|") if [ ! -f "${ETCDCTL_CACERT}" ]; then echo "Certificate ${ETCDCTL_CACERT} is also missing in the second directory. Exiting!" exit 1 else echo "Certificate ${ETCDCTL_CACERT} found!" fi fi backup_latest_kube_static_resources "${BACKUP_TAR_FILE}" # Download etcdctl and get the etcd snapshot dl_etcdctl # snapshot save will continue to stay in etcdctl ETCDCTL_ENDPOINTS="https://${NODE_NODE_ENVVAR_NAME_IP}:2379" etcdctl snapshot save "${SNAPSHOT_FILE}" # Check the integrity of the snapshot check_snapshot_status "${SNAPSHOT_FILE}" snapshot_failed=$? # If check_snapshot_status returned 1 it failed, so exit with code 1 if [[ $snapshot_failed -eq 1 ]]; then echo "snapshot failed with exit code ${snapshot_failed}" exit 1 fi echo "snapshot db and kube resources are successfully saved to ${BACKUP_DIR}" cluster-restore.sh: |+ #!/usr/bin/env bash ### Created by cluster-etcd-operator. DO NOT edit. set -o errexit set -o pipefail set -o errtrace # example # ./cluster-restore.sh $path-to-backup # ETCD_ETCDCTL_RESTORE - when set this script will use `etcdctl snapshot restore` instead of a restore pod yaml, # which can be used when restoring a single member (e.g. on single node OCP). # Syncing very big snapshots (>8GiB) from the leader might also be expensive, this aids in # keeping the amount of data pulled to a minimum. This option will neither rev-bump nor mark-compact. if [[ $EUID -ne 0 ]]; then echo "This script must be run as root" exit 1 fi function source_required_dependency { local src_path="$1" if [ ! -f "${src_path}" ]; then echo "required dependencies not found, please ensure this script is run on a node with a functional etcd static pod" exit 1 fi # shellcheck disable=SC1090 source "${src_path}" } source_required_dependency /etc/kubernetes/static-pod-resources/etcd-certs/configmaps/etcd-scripts/etcd.env source_required_dependency /etc/kubernetes/static-pod-resources/etcd-certs/configmaps/etcd-scripts/etcd-common-tools function usage() { echo 'Path to the directory containing backup files is required: ./cluster-restore.sh ' echo 'The backup directory is expected to be contain two files:' echo ' 1. etcd snapshot' echo ' 2. A copy of the Static POD resources at the time of backup' exit 1 } # If the argument is not passed, or if it is not a directory, print usage and exit. if [ "$1" == "" ] || [ ! -d "$1" ]; then usage fi function restore_static_pods() { local backup_file="$1" shift local static_pods=("$@") for pod_file_name in "${static_pods[@]}"; do backup_pod_path=$(tar -tvf "${backup_file}" "*${pod_file_name}" | awk '{ print $6 }') || true if [ -z "${backup_pod_path}" ]; then echo "${pod_file_name} does not exist in ${backup_file}" exit 1 fi echo "starting ${pod_file_name}" tar -xvf "${backup_file}" --strip-components=2 -C "${MANIFEST_DIR}"/ "${backup_pod_path}" done } BACKUP_DIR="$1" # shellcheck disable=SC2012 BACKUP_FILE=$(ls -vd "${BACKUP_DIR}"/static_kuberesources*.tar.gz | tail -1) || true # shellcheck disable=SC2012 SNAPSHOT_FILE=$(ls -vd "${BACKUP_DIR}"/snapshot*.db | tail -1) || true ETCD_STATIC_POD_LIST=("etcd-pod.yaml") ETCD_STATIC_POD_CONTAINERS=("etcd" "etcdctl" "etcd-metrics" "etcd-readyz" "etcd-rev" "etcd-backup-server") if [ ! -f "${SNAPSHOT_FILE}" ]; then echo "etcd snapshot ${SNAPSHOT_FILE} does not exist" exit 1 fi # Download etcdctl and check the snapshot status dl_etcdctl check_snapshot_status "${SNAPSHOT_FILE}" ETCD_CLIENT="${ETCD_ETCDCTL_BIN+etcdctl}" if [ -n "${ETCD_ETCDUTL_BIN}" ]; then ETCD_CLIENT="${ETCD_ETCDUTL_BIN}" fi # always move etcd pod and wait for all containers to exit mv_static_pods "${ETCD_STATIC_POD_LIST[@]}" wait_for_containers_to_stop "${ETCD_STATIC_POD_CONTAINERS[@]}" if [ ! -d "${ETCD_DATA_DIR_BACKUP}" ]; then mkdir -p "${ETCD_DATA_DIR_BACKUP}" fi # backup old data-dir if [ -d "${ETCD_DATA_DIR}/member" ]; then if [ -d "${ETCD_DATA_DIR_BACKUP}/member" ]; then echo "removing previous backup ${ETCD_DATA_DIR_BACKUP}/member" rm -rf "${ETCD_DATA_DIR_BACKUP}"/member fi echo "Moving etcd data-dir ${ETCD_DATA_DIR}/member to ${ETCD_DATA_DIR_BACKUP}" mv "${ETCD_DATA_DIR}"/member "${ETCD_DATA_DIR_BACKUP}"/ fi if [ -z "${ETCD_ETCDCTL_RESTORE}" ]; then # Restore static pod resources tar -C "${CONFIG_FILE_DIR}" -xzf "${BACKUP_FILE}" static-pod-resources # Copy snapshot to backupdir cp -p "${SNAPSHOT_FILE}" "${ETCD_DATA_DIR_BACKUP}"/snapshot.db # Move the revision.json when it exists [ ! -f "${ETCD_REV_JSON}" ] || mv -f "${ETCD_REV_JSON}" "${ETCD_DATA_DIR_BACKUP}"/revision.json # removing any fio perf files left behind that could be deleted without problems rm -f "${ETCD_DATA_DIR}"/etcd_perf* # ensure the folder is really empty, otherwise the restore pod will crash loop if [ -n "$(ls -A "${ETCD_DATA_DIR}")" ]; then echo "folder ${ETCD_DATA_DIR} is not empty, please review and remove all files in it" exit 1 fi echo "starting restore-etcd static pod" cp -p "${RESTORE_ETCD_POD_YAML}" "${MANIFEST_DIR}/etcd-pod.yaml" else echo "removing etcd data dir..." rm -rf "${ETCD_DATA_DIR}" mkdir -p "${ETCD_DATA_DIR}" echo "starting snapshot restore through etcdctl..." # We are never going to rev-bump here to ensure we don't cause a revision split between the # remainder of the running cluster and this restore member. Imagine your non-restore quorum members run at rev 100, # we would attempt to rev bump this with snapshot at rev 120, now this member is 20 revisions ahead and RAFT is confused. if ! ${ETCD_CLIENT} snapshot restore "${SNAPSHOT_FILE}" --data-dir="${ETCD_DATA_DIR}"; then echo "Snapshot restore failed. Aborting!" exit 1 fi # start the original etcd static pod again through the new snapshot echo "restoring old etcd pod to start etcd again" mv "${MANIFEST_STOPPED_DIR}/etcd-pod.yaml" "${MANIFEST_DIR}/etcd-pod.yaml" fi disable-etcd.sh: | #!/usr/bin/env bash ### Created by cluster-etcd-operator. DO NOT edit. set -o errexit set -o pipefail set -o errtrace # disable-etcd.sh # This script will move the etcd static pod into the home/core/assets/manifests-stopped folder and wait for all containers to exit. if [[ $EUID -ne 0 ]]; then echo "This script must be run as root" exit 1 fi function source_required_dependency { local src_path="$1" if [ ! -f "${src_path}" ]; then echo "required dependencies not found, please ensure this script is run on a node with a functional etcd static pod" exit 1 fi # shellcheck disable=SC1090 source "${src_path}" } source_required_dependency /etc/kubernetes/static-pod-resources/etcd-certs/configmaps/etcd-scripts/etcd.env source_required_dependency /etc/kubernetes/static-pod-resources/etcd-certs/configmaps/etcd-scripts/etcd-common-tools ETCD_STATIC_POD_LIST=("etcd-pod.yaml") ETCD_STATIC_POD_CONTAINERS=("etcd" "etcdctl" "etcd-metrics" "etcd-readyz" "etcd-rev" "etcd-backup-server") # always move etcd pod and wait for all containers to exit mv_static_pods "${ETCD_STATIC_POD_LIST[@]}" wait_for_containers_to_stop "${ETCD_STATIC_POD_CONTAINERS[@]}" etcd-common-tools: | # Common environment variables ASSET_DIR="/home/core/assets" CONFIG_FILE_DIR="/etc/kubernetes" MANIFEST_DIR="${CONFIG_FILE_DIR}/manifests" ETCD_DATA_DIR="/var/lib/etcd" ETCD_DATA_DIR_BACKUP="/var/lib/etcd-backup" ETCD_REV_JSON="${ETCD_DATA_DIR}/revision.json" MANIFEST_STOPPED_DIR="${ASSET_DIR}/manifests-stopped" RESTORE_ETCD_POD_YAML="${CONFIG_FILE_DIR}/static-pod-resources/etcd-certs/configmaps/restore-etcd-pod/pod.yaml" QUORUM_RESTORE_ETCD_POD_YAML="${CONFIG_FILE_DIR}/static-pod-resources/etcd-certs/configmaps/restore-etcd-pod/quorum-restore-pod.yaml" ETCDCTL_BIN_DIR="${CONFIG_FILE_DIR}/static-pod-resources/bin" PATH=${PATH}:${ETCDCTL_BIN_DIR} export KUBECONFIG="/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/localhost.kubeconfig" export ETCD_ETCDCTL_BIN="etcdctl" # download etcdctl from download release image function dl_etcdctl { # Avoid caching the binary when podman exists, the etcd image is always available locally and we need a way to update etcdctl. # When we're running from an etcd image there's no podman and we can continue without a download. if ([ -n "$(command -v podman)" ]); then local etcdimg=${ETCD_IMAGE} local etcdctr=$(podman create --authfile=/var/lib/kubelet/config.json ${etcdimg}) local etcdmnt=$(podman mount "${etcdctr}") [ ! -d ${ETCDCTL_BIN_DIR} ] && mkdir -p ${ETCDCTL_BIN_DIR} cp ${etcdmnt}/bin/etcdctl ${ETCDCTL_BIN_DIR}/ if [ -f "${etcdmnt}/bin/etcdutl" ]; then cp ${etcdmnt}/bin/etcdutl ${ETCDCTL_BIN_DIR}/ export ETCD_ETCDUTL_BIN=etcdutl fi if ! [ -x "$(command -v jq)" ]; then cp ${etcdmnt}/bin/jq ${ETCDCTL_BIN_DIR}/ fi umount "${etcdmnt}" podman rm "${etcdctr}" etcdctl version return fi if ([ -x "$(command -v etcdctl)" ]); then echo "etcdctl is already installed" if [ -x "$(command -v etcdutl)" ]; then echo "etcdutl is already installed" export ETCD_ETCDUTL_BIN=etcdutl fi return fi echo "Could neither pull etcdctl nor find it locally in cache. Aborting!" exit 1 } function check_snapshot_status() { local snap_file="$1" ETCD_CLIENT="${ETCD_ETCDCTL_BIN}" if [ -n "${ETCD_ETCDUTL_BIN}" ]; then ETCD_CLIENT="${ETCD_ETCDUTL_BIN}" fi if ! ${ETCD_CLIENT} snapshot status "${snap_file}" -w json; then echo "Backup integrity verification failed. Backup appears corrupted. Aborting!" return 1 fi } function wait_for_containers_to_stop() { local containers=("$@") for container_name in "${containers[@]}"; do echo "Waiting for container ${container_name} to stop" while [[ -n $(crictl ps --label io.kubernetes.container.name="${container_name}" -q) ]]; do echo -n "." sleep 1 done echo "complete" done } function mv_static_pods() { local containers=("$@") # Move manifests and stop static pods if [ ! -d "$MANIFEST_STOPPED_DIR" ]; then mkdir -p "$MANIFEST_STOPPED_DIR" fi for POD_FILE_NAME in "${containers[@]}"; do echo "...stopping ${POD_FILE_NAME}" [ ! -f "${MANIFEST_DIR}/${POD_FILE_NAME}" ] && continue mv "${MANIFEST_DIR}/${POD_FILE_NAME}" "${MANIFEST_STOPPED_DIR}" done } etcd.env: | export ALL_ETCD_ENDPOINTS="https://192.168.32.10:2379" export ETCDCTL_API="3" export ETCDCTL_CACERT="/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt" export ETCDCTL_CERT="/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt" export ETCDCTL_ENDPOINTS="https://192.168.32.10:2379" export ETCDCTL_KEY="/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key" export ETCD_CIPHER_SUITES="TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" export ETCD_DATA_DIR="/var/lib/etcd" export ETCD_ELECTION_TIMEOUT="2500" export ETCD_ENABLE_PPROF="true" export ETCD_EXPERIMENTAL_MAX_LEARNERS="1" export ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION="200ms" export ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL="5s" export ETCD_HEARTBEAT_INTERVAL="500" export ETCD_IMAGE="quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:e29dc9f042f2d0471171a0611070886cb2f7c57338ab7f112613417bcd33b278" export ETCD_INITIAL_CLUSTER_STATE="existing" export ETCD_QUOTA_BACKEND_BYTES="8589934592" export ETCD_SOCKET_REUSE_ADDRESS="true" export ETCD_TLS_MIN_VERSION="TLS1.2" export NODE_master_0_ETCD_NAME="master-0" export NODE_master_0_ETCD_URL_HOST="192.168.32.10" export NODE_master_0_IP="192.168.32.10" quorum-restore.sh: | #!/usr/bin/env bash ### Created by cluster-etcd-operator. DO NOT edit. set -o errexit set -o pipefail set -o errtrace # ./quorum-restore.sh # This script attempts to restore quorum by spawning a revision-bumped etcd without membership information. if [[ $EUID -ne 0 ]]; then echo "This script must be run as root" exit 1 fi function source_required_dependency { local src_path="$1" if [ ! -f "${src_path}" ]; then echo "required dependencies not found, please ensure this script is run on a node with a functional etcd static pod" exit 1 fi # shellcheck disable=SC1090 source "${src_path}" } source_required_dependency /etc/kubernetes/static-pod-resources/etcd-certs/configmaps/etcd-scripts/etcd.env source_required_dependency /etc/kubernetes/static-pod-resources/etcd-certs/configmaps/etcd-scripts/etcd-common-tools ETCD_STATIC_POD_LIST=("etcd-pod.yaml") ETCD_STATIC_POD_CONTAINERS=("etcd" "etcdctl" "etcd-metrics" "etcd-readyz" "etcd-rev" "etcd-backup-server") # always move etcd pod and wait for all containers to exit mv_static_pods "${ETCD_STATIC_POD_LIST[@]}" wait_for_containers_to_stop "${ETCD_STATIC_POD_CONTAINERS[@]}" echo "starting restore-etcd static pod" cp "${QUORUM_RESTORE_ETCD_POD_YAML}" "${MANIFEST_DIR}/etcd-pod.yaml" kind: ConfigMap metadata: creationTimestamp: "2026-03-19T11:54:01Z" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:cluster-backup.sh: {} f:cluster-restore.sh: {} f:disable-etcd.sh: {} f:etcd-common-tools: {} f:etcd.env: {} f:quorum-restore.sh: {} manager: cluster-etcd-operator operation: Update time: "2026-03-19T11:54:01Z" name: etcd-scripts namespace: openshift-etcd resourceVersion: "5177" uid: fac62b77-30ee-45b9-ad30-efefa39038db - apiVersion: v1 data: ca.crt: | -----BEGIN CERTIFICATE----- MIIDMjCCAhqgAwIBAgIIFkYjm8/NNXMwDQYJKoZIhvcNAQELBQAwNzESMBAGA1UE CxMJb3BlbnNoaWZ0MSEwHwYDVQQDExhrdWJlLWFwaXNlcnZlci1sYi1zaWduZXIw HhcNMjYwMzE5MTEzNjI3WhcNMzYwMzE2MTEzNjI3WjA3MRIwEAYDVQQLEwlvcGVu c2hpZnQxITAfBgNVBAMTGGt1YmUtYXBpc2VydmVyLWxiLXNpZ25lcjCCASIwDQYJ KoZIhvcNAQEBBQADggEPADCCAQoCggEBAJn1fSatzjmFYZVi/HxI+VoJ8FjPf2FG OSD0yYdzEZFrsnowcSH+NWVQdx9VZmVMV+73t6tbKkRuYiwfrvYMbDxPAlZMLRGO C6/kOyHh/TyK/kM8E21YEJmdIMoFl0Bb7mP9arCZPo8CtFWtNi1sLJPaN7RXvK31 k5a90SuuzhNkvchFmlvRmim8xD0Ri5GXzjcFAELSZ0E7N0OYu+PYZBG4pA6B4DKB 59uhXvmvxdMAC/474m17LJZRyH2CH43NOrqLZH27WtxG8kkARsj6ASfUxsoYGG0D hWdndc+tKt6hJWKrzbMC7YOmjp2u1i6xg6nw06naei3reArqhsx1IosCAwEAAaNC MEAwDgYDVR0PAQH/BAQDAgKkMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFBAS iM0AP6VjJEltwAzMpb4FFoLwMA0GCSqGSIb3DQEBCwUAA4IBAQAGEDFb4gzgecCK 7xBb/LHjlA8FzBdyHLOAsX0egXa2vnZyCVO0f4DOwYMHuugFE4QTU5sJd3iI0cfn 8vTSXtw+kH7Zi46MKfqFqgQMvb13Vr1dzH7uyv3MliKr8Zvy92X2IS9p2Rl+NTpU h0n216I7yd4OlTjKcFps3DvLQc2p4zdRavr66/rfUO3ciSl1sn5RIDsunR88I1t9 rnYNIIq08KxGT8qRW8bcROqtZoTcOexN0XTX3GsyAdTfe/crczF1E6PHEFHSksE2 cWLWCeoDxJvpnR3NGvRwAzY6zJX59AkGdVdJoyAWqHbvkU9Jhr5lFwMM2IjFIhyi /dTml0Zk -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIDQDCCAiigAwIBAgIIQKWDbE5pLJUwDQYJKoZIhvcNAQELBQAwPjESMBAGA1UE CxMJb3BlbnNoaWZ0MSgwJgYDVQQDEx9rdWJlLWFwaXNlcnZlci1sb2NhbGhvc3Qt c2lnbmVyMB4XDTI2MDMxOTExMzYyN1oXDTM2MDMxNjExMzYyN1owPjESMBAGA1UE CxMJb3BlbnNoaWZ0MSgwJgYDVQQDEx9rdWJlLWFwaXNlcnZlci1sb2NhbGhvc3Qt c2lnbmVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArCCr2QkJS55E TiNuSozvPCGclk9aKjIX+JVfZlFHhtxmY6FR+tGBn76jPKmr7/0D0H7c83DW6NVY 4Mv88gyNEGSB1Th4LattqiyAjsU1lKaGHwx2IdRf+/GdNIcMXdSMDnYgFxMa5no9 OXTJN50+v7LQvlLkxFk/3u01hMrvfeVR9Yc9oQVpdOrhT5NxWezpQAsuBQhHsq4y EXNnfeEDvP4Cd234FoMtC+lh36W1n8xGrnj+s56mYOXm4TPDPjGqk5zOUPVpBG/7 pr4hcGQrDkhLaiU20ZuYDBcUgT7MSf+kLXTHePDrF3rHMzSrugo8xFRa3PcyDjM+ uGPL/mpJBQIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAqQwDwYDVR0TAQH/BAUwAwEB /zAdBgNVHQ4EFgQUMRzhBcAXTZoCQq7jI+9JL9PqpUgwDQYJKoZIhvcNAQELBQAD ggEBABQVZd7jN96DQBvARitTo4/w1LstAzJdaSSzfwDA2JCoQf6t4pHvkrZbVbbp OU3GBYBvjnrK2v48Ff/ggh1b0AhUHFefwVo+i3LkuopJlZkeuFkq7arKXIKxbgEo BoDtHmbj1qpEl8L4cyUEC0ublB+yeG09r9e1fE8sFKQ3JIDijqYhJ9wvT/pm83EG qvcGAnqDxsYYI1+F8h9z0qlxJYYVnVkXBSoruchAZ9dLvmMxMKgc+FpA+yZq2dXf wajGksxuqkirCCviso30ikiAW0AuiURr4wEAGs1DbqvP/f+NLx3ugn8tDEXbGZJB tBjNwwRL5xZRLgyzibkXAgNCHX0= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIDSzCCAjOgAwIBAgIHT7vE1pmTtTANBgkqhkiG9w0BAQsFADBEMRIwEAYDVQQL EwlvcGVuc2hpZnQxLjAsBgNVBAMTJWt1YmUtYXBpc2VydmVyLXNlcnZpY2UtbmV0 d29yay1zaWduZXIwHhcNMjYwMzE5MTEzNjI4WhcNMzYwMzE2MTEzNjI4WjBEMRIw EAYDVQQLEwlvcGVuc2hpZnQxLjAsBgNVBAMTJWt1YmUtYXBpc2VydmVyLXNlcnZp Y2UtbmV0d29yay1zaWduZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB AQDBayDwzg6cENSStmtjhld1wTg9/Af8wCbJx/JK5SNTiR/lRye3Kazmkz27qTSg jQZyf3Hxw6sssM6T9mPS+3XIHMrLgRC28yNjGKdY3CPgRm/1Dk2jgzJrMquLsIGX Tiz9ffpVXFC+k1xlYaWpS6SVpWDKVZgTjD74zAoBtSPGLe2AmPM5nBYaOEOdPGah 5pTp3iag3BJjUXX2SX6kARIMWIGz17LVXOfC5Gt6InyL1iDfGHZxYngFhJohbIIL AffZdBTvDr5UpUUU7lPlcC1dflg/vaCeOyKg1rNkzyDhfFwfx8jepgyjFTv3S25e m2kZpIV/mvdi43X5fd7ZkeULAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwICpDAPBgNV HRMBAf8EBTADAQH/MB0GA1UdDgQWBBSboNv+u6m7VyqoXM3xZVUttu9dHjANBgkq hkiG9w0BAQsFAAOCAQEAdbtxGPZdKQoYUYPg1ADIF5CQIDmQe5THm1WNmMNKJj01 nN2ftCWGwTllLrcF+tD6TEE96XlW34/11fjk8aVAj3dwfp6Aa6BUz/PuyHwH/mLl 6Tkvock01KV6sDFqD8eAcCdVXxcwxK+p1V0Oa4nnvF0Cd4FJ8I1eZzm44ep551b6 ry1IBKkI670IXjYBX2ciT82dly2MIxOG4G8DCjtgKQpNVicdR2gS1Hco9kVSUJ3g 52PIYewH847R2ND2pCnArg574algyRA+VKC1ZxBJ/OfETTBUjKW1N5jnBf9qpo6S 9ffVpRlAlMd53J2ACiIVyaAir6+AuRfPJWW8nnyHlw== -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIDlzCCAn+gAwIBAgIIUStpypaHyTswDQYJKoZIhvcNAQELBQAwWTFXMFUGA1UE AwxOb3BlbnNoaWZ0LWt1YmUtYXBpc2VydmVyLW9wZXJhdG9yX2xvY2FsaG9zdC1y ZWNvdmVyeS1zZXJ2aW5nLXNpZ25lckAxNzczOTIxMjIzMB4XDTI2MDMxOTExNTM0 MloXDTM2MDMxNjExNTM0M1owWTFXMFUGA1UEAwxOb3BlbnNoaWZ0LWt1YmUtYXBp c2VydmVyLW9wZXJhdG9yX2xvY2FsaG9zdC1yZWNvdmVyeS1zZXJ2aW5nLXNpZ25l ckAxNzczOTIxMjIzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2aXP 0S2LockOBBgcp+966vGeTqgLeijOKAZr1imUc+4JQTSuBWH4Jp7qqBlYoYWrobKC IFFcRpozUJOjAreVFv14zgHDPw15V9O0SrIz9Gb6sh6lQMelTlrBsaTI+5c1Qhid lGVgJfwMnG9u0BV3+UUVKEvtz7kANJrPLulr/Z1zdmn2Rqo7pKiw3+UpiPgVInEC OAju2oxPX26BOLXXpWjgGZnsxBavsNJxw/qCF+ILAxIRHge6Qkif0KMeCpU3xvQ3 DNG9ZoE8OncAQX1grioPxoT/g9b9NNi7zykeFxIo4N0FdbB8KC+tco98KTcleW+9 A1/+rPvOlA2B/sV8hQIDAQABo2MwYTAOBgNVHQ8BAf8EBAMCAqQwDwYDVR0TAQH/ BAUwAwEB/zAdBgNVHQ4EFgQUzSja0RmJ6Ef+hwOt8Re2xA7ihIgwHwYDVR0jBBgw FoAUzSja0RmJ6Ef+hwOt8Re2xA7ihIgwDQYJKoZIhvcNAQELBQADggEBADeHCuzJ wQOVTfJyzFcQYKpD41fg0fo6knLhTMkDjds7HWKUd3NTRkJ9RWxQociAzxGw1x6Q tpgBXb4Nl0zJKwhEjQ/7e8/8Cn9hR6ZttjOkueF4Chmt3v41MZJ5/zysEp4xTNRY xBVa4KuCfF4pdVUmr+FhnaQbuwOFhGCtqVlGXI3Ye1MntEe/24uP1s45PfzK5UnY K58IPwELmh1pUdQgX4VGidnTf9tonxLpCqnmq9kBLM+BvXw04tpImhsGGSiFt3y6 A2NN5WqYTlgTTpNWPOgUnaagb0TH2Y/0La45PxErncQ/tdZUlmJ+JkSBBWt4/RDy z1VamiSXUZnVyBA= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIDZzCCAk+gAwIBAgIIW4Z/+V14w68wDQYJKoZIhvcNAQELBQAwJjEkMCIGA1UE AwwbaW5ncmVzcy1vcGVyYXRvckAxNzczOTIxMjgyMB4XDTI2MDMxOTExNTQ0MloX DTI4MDMxODExNTQ0M1owIzEhMB8GA1UEAwwYKi5hcHBzLnNuby5vcGVuc3RhY2su bGFiMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyHFtFd5egW/f8imN 8Sxzr6koIsntSHgfmgHZMePVFMsAGLXQSZtCmbMAm2sW9vGEtDAcCzhoyzVzf38H 1ncXWSTDdjqZFhaji/ZQfVWjOcce+zpSroG07Ze/juqxjfts73CzahR9EOx3RYyw 8N46K2oFe3oGZ6sWeLU+Pj/i46LdSAJEj3WGKM/WipTTsZZ2gcF1YhlX9cgUx47R IZQIVBOGkBNPjx14bKdJ5qbMqT3tiZCP/bLW5qptCTdZAY0/I8nzYHpCLzcOxhBO xEwqZVatCt6fabc3hyTmi0OObsBUZTJMsO8C/p1aE+gyZTP2mdRL2huwBcJ2H3eC bpde7wIDAQABo4GbMIGYMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEF BQcDATAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBSsi66gVMyB21XmaCJ6uu6ASy/v jDAfBgNVHSMEGDAWgBRxlKbE4oN5QatYvJR+XmwIIMTDuTAjBgNVHREEHDAaghgq LmFwcHMuc25vLm9wZW5zdGFjay5sYWIwDQYJKoZIhvcNAQELBQADggEBAFHnUpfj 3afQtWCjQaaL738C/RRjw0mEZtOsi73vYvc8Fo8euWCfA9GspSL2AH8BWzcXzghi ye5Kv0aI0xLnRjcM+QSzFspxAyDuQjhFHOZhOhFFYvlTlyyq1DDOzWkXhhw6Z8+B lYTvxHeqSsvLNmNvgc56yi7Rc8k7ZUp1vbZ4xJfzMa3SeulIjw5BmczVZk1tC1f8 aTh1bYWrp9PJPrvEhI3T7x7UkGUY412ZUot+t7MtusxDFzCZWkTmb3E+XeLxpzHJ nn1hd+dX+ZP2WxTIs/qOr8bOi3RB72jHDOH/5cMvEVZSE9MvoI4BG9oj6mbFPUD8 AyOv4RYYSZaOnA8= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIDDDCCAfSgAwIBAgIBATANBgkqhkiG9w0BAQsFADAmMSQwIgYDVQQDDBtpbmdy ZXNzLW9wZXJhdG9yQDE3NzM5MjEyODIwHhcNMjYwMzE5MTE1NDQxWhcNMjgwMzE4 MTE1NDQyWjAmMSQwIgYDVQQDDBtpbmdyZXNzLW9wZXJhdG9yQDE3NzM5MjEyODIw ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCqhh/yJ9U2OOPxZQ2oB4r5 axpA5KCF3JWLab2iPNETiFZfxI5u2majlz0VKnGWkhR+X0LL8+/7waI909WsPLas 4zSxYoxust1wOnmexnJvpsXCtdWnyR+mT7o8qxx8LMLowSKN4l4Ihush/mKjlS8h hoqK6Et3BVLWqXuN55l7qgjr6fLvCZGgcWLd75uo5f+qhfMooyXk13NjLcYHfURz U2rTs2IG4h5bLkElcgcrHvYBUoqSAKewdPH1gU32gwpLxBuv9wmPNMX1LiATQWkY QEbMmGRDklfiTi8NRdt/J8mfYhxw6hWthP22JQEjohxBnhnkEt6uNePD1Cjd8EwB AgMBAAGjRTBDMA4GA1UdDwEB/wQEAwICpDASBgNVHRMBAf8ECDAGAQH/AgEAMB0G A1UdDgQWBBRxlKbE4oN5QatYvJR+XmwIIMTDuTANBgkqhkiG9w0BAQsFAAOCAQEA p0g9xfyNVOaqbbgM+E0kBDqWXq/em2nGxRFdJkJhe2uQxmLcyA9OnAITVUxFaI4l 6N9xcDWMtdcRif50fzoUncgcOGfPzVoS+MWStCHTCsJxaevXICDdOnu9Dg253yZm g5d4ISRfvcJczY4bZ07aaRLlbIY/kkw/9i40ur/zK8r7DvzlNcf9LJxzMywSYgcL 2Y8YUGff1f9jZDJFkiQ33riwyTCAadWuaOCoT742d8YYJbeOLlbsxyz4VhvxGF5z Ccwo8VWXJIc1Iz0Z89T6ymYvrERvsj1YEP/fDCVbdsiz8yWkLORIMY6A0rgNWK2l 0y4sMz1s0NgmxU6/K8fM8Q== -----END CERTIFICATE----- kind: ConfigMap metadata: annotations: kubernetes.io/description: Contains a CA bundle that can be used to verify the kube-apiserver when using internal endpoints such as the internal service IP or kubernetes.default.svc. No other usage is guaranteed across distributions of Kubernetes clusters. creationTimestamp: "2026-03-19T11:47:11Z" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:ca.crt: {} f:metadata: f:annotations: .: {} f:kubernetes.io/description: {} manager: kube-controller-manager operation: Update time: "2026-03-19T12:07:32Z" name: kube-root-ca.crt namespace: openshift-etcd resourceVersion: "12283" uid: a4167a41-cbeb-46df-a8ec-0bbdf05796ff - apiVersion: v1 data: service-ca.crt: | -----BEGIN CERTIFICATE----- MIIDUTCCAjmgAwIBAgIIDGNTbao6z9MwDQYJKoZIhvcNAQELBQAwNjE0MDIGA1UE Awwrb3BlbnNoaWZ0LXNlcnZpY2Utc2VydmluZy1zaWduZXJAMTc3MzkyMTI0MDAe Fw0yNjAzMTkxMTUzNTlaFw0yODA1MTcxMTU0MDBaMDYxNDAyBgNVBAMMK29wZW5z aGlmdC1zZXJ2aWNlLXNlcnZpbmctc2lnbmVyQDE3NzM5MjEyNDAwggEiMA0GCSqG SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCwZC3fEAAK18xtFYtw1iVCK8HpWyIO0BMF WrkIQ66zHUQADAA9NT+0IEoMGB7W4RsIj4pmNsU0RCcFterzHYKzG4RtiC6/Kd6m hzICCNnK3Du0y1PrEce9rFyT/PCgMq//iGpTtqbN1BOuwXFQjhrjmPuLj3UAnhoc f47kUC4sEfsbbHCAucZq7t6jMqEP3FkdKswsPnR9Szl9qf1bC2s5oYQIGTKxu1GZ PmTCcTz93geOQchd6demZj66KdrlDy7UE8ocU7anh4vu0Lyx+zhQTUjzhn18U6EJ TlBn6o7rRyypZSNv6tjdIdO7uo83PgJz3W/OZckkYvf8cpFKdlRPAgMBAAGjYzBh MA4GA1UdDwEB/wQEAwICpDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSvToAY KQM4IyAfkrPYvKZ0OXkRiDAfBgNVHSMEGDAWgBSvToAYKQM4IyAfkrPYvKZ0OXkR iDANBgkqhkiG9w0BAQsFAAOCAQEArr9+9I6onBdjROqU+JVbjen1PNfcExgdS68M QmN9SIbq72JnBCh3auCRvYPy3pt7mjzFIo7RfwBn1EGYZ//d/LjtyokNJV0UrHx3 NT3/QJMy6+pOA4RU6QvikDgv3xrs/7vA3CrqFg0xvFE5QGvjLswivmcWnnDyoSs4 Lyzbdnu+2yNF85nQSzUbWTpavYdheMT2FZDPWvMOZPlbaPurqREVlBp4XGrSwtBU QDFaXD3u9DIc3GrBJ7priSG9jMJvz4ZINuq+7xaqjoxWAcvDsbjy4Cx3yTqTVFrB 7UpzCrwiemGJxLDXJrpAO5If23byRmK+2rVn/LpUWA3d/jedNA== -----END CERTIFICATE----- kind: ConfigMap metadata: annotations: service.beta.openshift.io/inject-cabundle: "true" creationTimestamp: "2026-03-19T11:47:11Z" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: {} f:metadata: f:annotations: .: {} f:service.beta.openshift.io/inject-cabundle: {} manager: kube-controller-manager operation: Update time: "2026-03-19T11:47:11Z" - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: f:service-ca.crt: {} manager: service-ca-operator operation: Update time: "2026-03-19T11:54:08Z" name: openshift-service-ca.crt namespace: openshift-etcd resourceVersion: "5727" uid: 47dd2c56-18c0-436c-b28b-e2ffc8d17e44 - apiVersion: v1 data: forceRedeploymentReason: "" pod.yaml: "apiVersion: v1\nkind: Pod\nmetadata:\n name: etcd\n namespace: openshift-etcd\n \ labels:\n app: etcd\n k8s-app: etcd\n etcd: \"true\"\n revision: \"REVISION\"\nspec:\n containers:\n - name: etcd\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:e29dc9f042f2d0471171a0611070886cb2f7c57338ab7f112613417bcd33b278\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n set -euo pipefail\n \n export ETCD_NAME=${NODE_NODE_ENVVAR_NAME_ETCD_NAME}\n \ export ETCD_INITIAL_CLUSTER=\"${ETCD_NAME}=https://${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}:2380\"\n \ env | grep ETCD | grep -v NODE\n export ETCD_NODE_PEER_URL=https://${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}:2380\n \ export REV_JSON=\"/var/lib/etcd-backup/revision.json\"\n export SNAPSHOT_FILE=\"/var/lib/etcd-backup/snapshot.db\"\n\n # checking if data directory is empty, if not etcdctl restore will fail \n if [ -n \"$(ls -A \"/var/lib/etcd\")\" ]; then\n echo \"please delete the contents of the /var/lib/etcd directory before restoring, running the restore script will do this for you\"\n exit 1\n fi\n \n ETCD_ETCDCTL_BIN=\"etcdctl\"\n \ if [ -x \"$(command -v etcdutl)\" ]; then\n echo \"found etcdutl, using that instead of etcdctl for local operations\"\n ETCD_ETCDCTL_BIN=\"etcdutl\"\n \ fi \n\n # check if we have backup file to be restored\n \ # if the file exist, check if it has not changed size in last 5 seconds\n \ if [ ! -f \"${SNAPSHOT_FILE}\" ]; then\n echo \"please make a copy of the snapshot db file, then move that copy to ${SNAPSHOT_FILE}\"\n \ exit 1\n else\n filesize=$(stat --format=%s \"${SNAPSHOT_FILE}\")\n \ sleep 5\n newfilesize=$(stat --format=%s \"${SNAPSHOT_FILE}\")\n \ if [ \"$filesize\" != \"$newfilesize\" ]; then\n echo \"file size has changed since last 5 seconds, retry sometime after copying is complete\"\n \ exit 1\n fi\n fi\n \n SNAPSHOT_REV=$(etcdutl snapshot status -wjson \"$SNAPSHOT_FILE\" | jq -r \".revision\")\n echo \"snapshot is at revision ${SNAPSHOT_REV}\"\n \n if [ -n \"$(ls -A \"${REV_JSON}\")\" ]; then\n # this will bump by the amount of the last known live revision + 20% slack.\n # Note: the bump amount is an addition to the current revision stored in the snapshot.\n # We're avoiding to do any math with SNAPSHOT_REV, uint64 has plenty of space to double revisions\n # and we're assuming that full disaster restores are a very rare occurrence anyway.\n BUMP_REV=$(jq -r \"(.maxRaftIndex*1.2|floor)\" \"${REV_JSON}\")\n echo \"bumping revisions by ${BUMP_REV}\"\n else\n \ # we can't take SNAPSHOT_REV as an indicator here, because the snapshot might be much older\n # than any currently live served revision. \n \ # 1bn would be an etcd running at 1000 writes/s for about eleven days.\n echo \"no revision.json found, assuming a 1bn revision bump\"\n \ BUMP_REV=1000000000\n fi\n \n UUID=$(uuidgen)\n \ echo \"restoring to a single node cluster\"\n ${ETCD_ETCDCTL_BIN} snapshot restore \"${SNAPSHOT_FILE}\" \\\n --name $ETCD_NAME \\\n --initial-cluster=$ETCD_INITIAL_CLUSTER \\\n --initial-cluster-token \"openshift-etcd-${UUID}\" \\\n --initial-advertise-peer-urls $ETCD_NODE_PEER_URL \\\n --data-dir=\"/var/lib/etcd/restore-${UUID}\" \\\n --mark-compacted \\\n --bump-revision \"${BUMP_REV}\"\n\n \ mv /var/lib/etcd/restore-${UUID}/* /var/lib/etcd/\n # copy the revision.json back in case a second restore needs to be run afterwards\n if [ -n \"$(ls -A \"${REV_JSON}\")\" ]; then\n cp ${REV_JSON} /var/lib/etcd/\n \ fi\n\n rmdir /var/lib/etcd/restore-${UUID}\n rm /var/lib/etcd-backup/snapshot.db\n\n \ set -x\n exec etcd \\\n --logger=zap \\\n --log-level=info \\\n --initial-advertise-peer-urls=https://${NODE_NODE_ENVVAR_NAME_IP}:2380 \\\n --cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.crt \\\n --key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.key \\\n --trusted-ca-file=/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt \\\n --client-cert-auth=true \\\n --peer-cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt \\\n --peer-key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key \\\n --peer-trusted-ca-file=/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt \\\n --peer-client-cert-auth=true \\\n --advertise-client-urls=https://${NODE_NODE_ENVVAR_NAME_IP}:2379 \\\n --listen-client-urls=https://0.0.0.0:2379 \\\n --listen-peer-urls=https://0.0.0.0:2380 \\\n --metrics=extensive \\\n --listen-metrics-urls=https://0.0.0.0:9978\n \ env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_API\"\n value: \"3\"\n - name: \"ETCDCTL_CACERT\"\n \ value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n \ value: \"true\"\n - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n \ value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n \ value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n \ value: \"5s\"\n - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:e29dc9f042f2d0471171a0611070886cb2f7c57338ab7f112613417bcd33b278\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n \ - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n \ - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n \ value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n \ value: \"192.168.32.10\"\n - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n - name: \"ETCD_STATIC_POD_REV\"\n value: \"REVISION\"\n \ resources:\n requests:\n memory: 600Mi\n cpu: 300m\n \ readinessProbe:\n tcpSocket:\n port: 2380\n failureThreshold: 3\n initialDelaySeconds: 3\n periodSeconds: 5\n successThreshold: 1\n timeoutSeconds: 5\n securityContext:\n privileged: true\n volumeMounts:\n \ - mountPath: /etc/kubernetes/manifests\n name: static-pod-dir\n \ - mountPath: /etc/kubernetes/static-pod-certs\n name: cert-dir\n \ - mountPath: /var/lib/etcd/\n name: data-dir\n - mountPath: /var/lib/etcd-backup/\n name: backup-dir\n - name: etcd-readyz\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:d5a971d5889f167cfe61a64c366424b87c17a6dc141ffcc43406cdcbb50cae2a\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n set -euo pipefail\n \n exec nice -n -18 cluster-etcd-operator readyz \\\n --target=https://localhost:2379 \\\n --listen-port=9980 \\\n --serving-cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.crt \\\n --serving-key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.key \\\n --client-cert-file=$(ETCDCTL_CERT) \\\n --client-key-file=$(ETCDCTL_KEY) \\\n --client-cacert-file=$(ETCDCTL_CACERT) \\\n --listen-cipher-suites=$(ETCD_CIPHER_SUITES)\n \ securityContext:\n privileged: true\n ports:\n - containerPort: 9980\n name: readyz\n protocol: TCP\n resources:\n requests:\n \ memory: 50Mi\n cpu: 10m\n env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n \ value: \"https://192.168.32.10:2379\"\n - name: \"ETCDCTL_API\"\n \ value: \"3\"\n - name: \"ETCDCTL_CACERT\"\n value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n \ value: \"true\"\n - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n \ value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n \ value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n \ value: \"5s\"\n - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:e29dc9f042f2d0471171a0611070886cb2f7c57338ab7f112613417bcd33b278\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n \ - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n \ - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n \ value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n \ value: \"192.168.32.10\"\n - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n volumeMounts:\n - mountPath: /etc/kubernetes/static-pod-certs\n \ name: cert-dir\n hostNetwork: true\n priorityClassName: system-node-critical\n \ tolerations:\n - operator: \"Exists\"\n volumes:\n - hostPath:\n path: /etc/kubernetes/manifests\n name: static-pod-dir\n - hostPath:\n path: /etc/kubernetes/static-pod-resources/etcd-certs\n name: cert-dir\n - hostPath:\n path: /var/lib/etcd\n type: \"\"\n name: data-dir\n \ - hostPath:\n path: /var/lib/etcd-backup\n type: \"\"\n name: backup-dir\n" quorum-restore-pod.yaml: "apiVersion: v1\nkind: Pod\nmetadata:\n name: etcd\n \ namespace: openshift-etcd\n labels:\n app: etcd\n k8s-app: etcd\n etcd: \"true\"\n revision: \"REVISION\"\nspec:\n containers:\n - name: etcd\n \ image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:e29dc9f042f2d0471171a0611070886cb2f7c57338ab7f112613417bcd33b278\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n set -euo pipefail\n \n export REV_JSON=\"/var/lib/etcd/revision.json\"\n \ \n if [ -n \"$(ls -A \"${REV_JSON}\")\" ]; then\n # this will bump by the amount of 20% of the last known live revision. \n \ BUMP_REV=$(jq -r \"(.maxRaftIndex*0.2|floor)\" \"${REV_JSON}\")\n \ echo \"bumping revisions by ${BUMP_REV}\"\n else\n # 1bn would be an etcd running at 1000 writes/s for about eleven days.\n echo \"no revision.json found, assuming a 1bn revision bump\"\n BUMP_REV=1000000000\n \ fi\n \n set -x\n exec etcd \\\n --logger=zap \\\n --log-level=info \\\n --force-new-cluster \\\n --force-new-cluster-bump-amount=\"${BUMP_REV}\" \\\n --name=\"${NODE_NODE_ENVVAR_NAME_ETCD_NAME}\" \\\n --initial-cluster=\"${NODE_NODE_ENVVAR_NAME_ETCD_NAME}=https://${NODE_NODE_ENVVAR_NAME_ETCD_URL_HOST}:2380\" \\\n --initial-advertise-peer-urls=https://${NODE_NODE_ENVVAR_NAME_IP}:2380 \\\n --cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.crt \\\n --key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.key \\\n --trusted-ca-file=/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt \\\n --client-cert-auth=true \\\n --peer-cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt \\\n --peer-key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key \\\n --peer-trusted-ca-file=/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt \\\n --peer-client-cert-auth=true \\\n --advertise-client-urls=https://${NODE_NODE_ENVVAR_NAME_IP}:2379 \\\n --listen-client-urls=https://0.0.0.0:2379 \\\n --listen-peer-urls=https://0.0.0.0:2380 \\\n --metrics=extensive \\\n --listen-metrics-urls=https://0.0.0.0:9978\n \ env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_API\"\n value: \"3\"\n - name: \"ETCDCTL_CACERT\"\n \ value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n \ value: \"true\"\n - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n \ value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n \ value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n \ value: \"5s\"\n - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:e29dc9f042f2d0471171a0611070886cb2f7c57338ab7f112613417bcd33b278\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n \ - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n \ - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n \ value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n \ value: \"192.168.32.10\"\n - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n - name: \"ETCD_STATIC_POD_REV\"\n value: \"REVISION\"\n \ resources:\n requests:\n memory: 600Mi\n cpu: 300m\n \ readinessProbe:\n tcpSocket:\n port: 2380\n failureThreshold: 3\n initialDelaySeconds: 3\n periodSeconds: 5\n successThreshold: 1\n timeoutSeconds: 5\n securityContext:\n privileged: true\n volumeMounts:\n \ - mountPath: /etc/kubernetes/manifests\n name: static-pod-dir\n \ - mountPath: /etc/kubernetes/static-pod-certs\n name: cert-dir\n \ - mountPath: /var/lib/etcd/\n name: data-dir\n - mountPath: /var/lib/etcd-backup/\n name: backup-dir\n - name: etcd-readyz\n image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:d5a971d5889f167cfe61a64c366424b87c17a6dc141ffcc43406cdcbb50cae2a\n \ imagePullPolicy: IfNotPresent\n terminationMessagePolicy: FallbackToLogsOnError\n \ command:\n - /bin/sh\n - -c\n - |\n #!/bin/sh\n set -euo pipefail\n \n exec nice -n -18 cluster-etcd-operator readyz \\\n --target=https://localhost:2379 \\\n --listen-port=9980 \\\n --serving-cert-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.crt \\\n --serving-key-file=/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-serving-NODE_NAME.key \\\n --client-cert-file=$(ETCDCTL_CERT) \\\n --client-key-file=$(ETCDCTL_KEY) \\\n --client-cacert-file=$(ETCDCTL_CACERT) \\\n --listen-cipher-suites=$(ETCD_CIPHER_SUITES)\n \ securityContext:\n privileged: true\n ports:\n - containerPort: 9980\n name: readyz\n protocol: TCP\n resources:\n requests:\n \ memory: 50Mi\n cpu: 10m\n env:\n - name: \"ALL_ETCD_ENDPOINTS\"\n \ value: \"https://192.168.32.10:2379\"\n - name: \"ETCDCTL_API\"\n \ value: \"3\"\n - name: \"ETCDCTL_CACERT\"\n value: \"/etc/kubernetes/static-pod-certs/configmaps/etcd-all-bundles/server-ca-bundle.crt\"\n \ - name: \"ETCDCTL_CERT\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.crt\"\n \ - name: \"ETCDCTL_ENDPOINTS\"\n value: \"https://192.168.32.10:2379\"\n \ - name: \"ETCDCTL_KEY\"\n value: \"/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs/etcd-peer-NODE_NAME.key\"\n \ - name: \"ETCD_CIPHER_SUITES\"\n value: \"TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n \ - name: \"ETCD_DATA_DIR\"\n value: \"/var/lib/etcd\"\n - name: \"ETCD_ELECTION_TIMEOUT\"\n value: \"2500\"\n - name: \"ETCD_ENABLE_PPROF\"\n \ value: \"true\"\n - name: \"ETCD_EXPERIMENTAL_MAX_LEARNERS\"\n \ value: \"1\"\n - name: \"ETCD_EXPERIMENTAL_WARNING_APPLY_DURATION\"\n \ value: \"200ms\"\n - name: \"ETCD_EXPERIMENTAL_WATCH_PROGRESS_NOTIFY_INTERVAL\"\n \ value: \"5s\"\n - name: \"ETCD_HEARTBEAT_INTERVAL\"\n value: \"500\"\n - name: \"ETCD_IMAGE\"\n value: \"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:e29dc9f042f2d0471171a0611070886cb2f7c57338ab7f112613417bcd33b278\"\n \ - name: \"ETCD_INITIAL_CLUSTER_STATE\"\n value: \"existing\"\n \ - name: \"ETCD_QUOTA_BACKEND_BYTES\"\n value: \"8589934592\"\n \ - name: \"ETCD_SOCKET_REUSE_ADDRESS\"\n value: \"true\"\n - name: \"ETCD_TLS_MIN_VERSION\"\n value: \"TLS1.2\"\n - name: \"NODE_master_0_ETCD_NAME\"\n \ value: \"master-0\"\n - name: \"NODE_master_0_ETCD_URL_HOST\"\n \ value: \"192.168.32.10\"\n - name: \"NODE_master_0_IP\"\n value: \"192.168.32.10\"\n volumeMounts:\n - mountPath: /etc/kubernetes/static-pod-certs\n \ name: cert-dir\n hostNetwork: true\n priorityClassName: system-node-critical\n \ tolerations:\n - operator: \"Exists\"\n volumes:\n - hostPath:\n path: /etc/kubernetes/manifests\n name: static-pod-dir\n - hostPath:\n path: /etc/kubernetes/static-pod-resources/etcd-certs\n name: cert-dir\n - hostPath:\n path: /var/lib/etcd\n type: \"\"\n name: data-dir\n \ - hostPath:\n path: /var/lib/etcd-backup\n type: \"\"\n name: backup-dir\n" version: 4.18.0-202602261953.p2.gb7e21f5.assembly.stream.el9-b7e21f5 kind: ConfigMap metadata: creationTimestamp: "2026-03-19T11:54:03Z" managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:forceRedeploymentReason: {} f:pod.yaml: {} f:quorum-restore-pod.yaml: {} f:version: {} manager: cluster-etcd-operator operation: Update time: "2026-03-19T11:54:03Z" name: restore-etcd-pod namespace: openshift-etcd resourceVersion: "5317" uid: 6fc4c3a6-f48d-4fd9-b902-249cda1d8c36 - apiVersion: v1 data: reason: configmap "etcd-pod-0" not found revision: "1" kind: ConfigMap metadata: annotations: operator.openshift.io/revision-ready: "true" creationTimestamp: "2026-03-19T11:54:02Z" labels: operator.openshift.io/controller-instance-name: etcd-RevisionController managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:reason: {} f:revision: {} f:metadata: f:annotations: .: {} f:operator.openshift.io/revision-ready: {} f:labels: .: {} f:operator.openshift.io/controller-instance-name: {} manager: cluster-etcd-operator operation: Update time: "2026-03-19T11:54:07Z" name: revision-status-1 namespace: openshift-etcd resourceVersion: "5653" uid: b87b8a49-eaba-4aef-91c4-288d56041db5 - apiVersion: v1 data: reason: required configmap/etcd-endpoints has changed revision: "2" kind: ConfigMap metadata: annotations: operator.openshift.io/revision-ready: "true" creationTimestamp: "2026-03-19T12:01:49Z" labels: operator.openshift.io/controller-instance-name: etcd-RevisionController managedFields: - apiVersion: v1 fieldsType: FieldsV1 fieldsV1: f:data: .: {} f:reason: {} f:revision: {} f:metadata: f:annotations: .: {} f:operator.openshift.io/revision-ready: {} f:labels: .: {} f:operator.openshift.io/controller-instance-name: {} manager: cluster-etcd-operator operation: Update time: "2026-03-19T12:01:56Z" name: revision-status-2 namespace: openshift-etcd resourceVersion: "11744" uid: 572bb0ba-657d-4eb6-8f6c-9c2ff0bd96fc kind: ConfigMapList metadata: resourceVersion: "76684"