etcd is unreachable, please check your endpoints #12877
Comments
|
You purge your entire etcd and re-deploy it should work fine. @DougTrajano |
I deleted all the resources related to my minio-etcd and re-deploy it again, but it stays in the same issue. :/ |
AFAICS @DougTrajano etcd is not taking any writes we are trying to create a key on it and that's failing - you need to first check if etcd is taking writes or at least how much time it takes to write a key into etcd. It looks like it's beyond 30secs - since that is the deadline we have for our individual etcd API calls. |
I'll check that |
|
Hey buddy, sorry for the late answer, I did some tests and changes in my deployment manifest. helm charts
apiVersion: helm.fluxcd.io/v1
kind: HelmRelease
metadata:
name: minio
namespace: minio
spec:
helmVersion: v3
chart:
repository: https://charts.bitnami.com/bitnami
name: minio
version: 7.1.6
values:
global:
minio:
existingSecret: minio-secret
existingSecret: minio-secret
mode: distributed
persistence:
enabled: false
serviceAccount:
name: minio-svc-account
annotations:
eks.amazonaws.com/role-arn: <AWS-ARN>
gateway:
sse:
enabled: false
enabled: true
type: s3
auth:
s3:
useIAMRole: true
containerPort: 9000
extraEnv:
- name: MINIO_IDENTITY_OPENID_CONFIG_URL
value: <KEYCLOAK-INTERNAL-URL>/realms/<KEYCLOAK-REALM>/.well-known/openid-configuration
- name: MINIO_IDENTITY_OPENID_REDIRECT_URI
value: <KEYCLOAK-INTERNAL-URL>/minio/oauth_callback
- name: MINIO_IDENTITY_OPENID_CLAIM_NAME
value: minio_policies
- name: MINIO_IDENTITY_OPENID_CLIENT_ID
value: minio
- name: MINIO_IDENTITY_OPENID_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: minio-auth-secret
key: client_secret
- name: MINIO_IDENTITY_OPENID_VENDOR
value: keycloak
- name: MINIO_IDENTITY_OPENID_KEYCLOAK_REALM
value: <KEYCLOAK-REALM>
- name: MINIO_IDENTITY_OPENID_KEYCLOAK_ADMIN_URL
value: <KEYCLOAK-EXTERNAL-URL>
- name: MINIO_IDENTITY_OPENID_SCOPES
value: openid,email,minio_policies,profile
- name: MINIO_ETCD_ENDPOINTS
value: http://minio-etcd.minio.svc.cluster.local:2379
- name: MINIO_HTTP_TRACE
value: /dev/stdout
---
apiVersion: helm.fluxcd.io/v1
kind: HelmRelease
metadata:
name: etcd
namespace: minio
spec:
helmVersion: v3
chart:
repository: https://charts.bitnami.com/bitnami
name: etcd
version: 6.3.3
values:
image:
registry: <MY-REGISTRY>
repository: bitnami/etcd
tag: 3.5.0-debian-10-r42
auth:
rbac:
enabled: false
rootPassword: root
allowNoneAuthentication: true
commonLabels:
app: minio-etcd
version: 3.5.0
persistence:
enabled: true
storageClass: efs
accessMode: ReadWriteMany
size: 20Gi
podLabels:
app: minio-etcd
version: 3.5.0Then, I did several troubleshooting steps that I'll describe below. Troubleshooting stepsetcd configs...
auth:
rbac:
enabled: false
rootPassword: root
allowNoneAuthentication: true
...
{
"level": "warn",
"ts": "2021-08-06T17:55:34.117Z",
"logger": "etcd-client",
"caller": "v3/retry_interceptor.go:62",
"msg": "retrying of unary invoker failed",
"target": "etcd-endpoints://0xc00010e380/#initially=[http://minio-etcd.minio:2379]",
"attempt": 0,
"error": "rpc error: code = Unavailable desc = error reading from server: EOF"
}
{
"level": "warn",
"ts": "2021-08-06T17:46:10.232Z",
"logger": "etcd-client",
"caller": "v3/retry_interceptor.go:62",
"msg": "retrying of unary invoker failed",
"target": "etcd-endpoints://0xc000620000/#initially=[http://minio-etcd.minio.svc.cluster.local:2379]",
"attempt": 0,
"error": "rpc error: code = Unavailable desc = error reading from server: read tcp XXX.XX.XXX.XX:XXXXX->XX.XXX.XXX.XX:2379: read: connection reset by peer"
}
{
"level": "warn",
"ts": 999999999,
"logger": "client",
"caller": "v3/retry_interceptor.go:62",
"msg": "retrying of unary invoker failed",
"target": "etcd-endpoints://0xc00031e700/#initially=[127.0.0.1:2379]",
"attempt": 0,
"error": "rpc error: code = DeadlineExceeded desc = latest balancer error: last connection error: connection error: desc = \"transport: Error while dialing dial tcp 127.0.0.1:2379: connect: connection refused\""
}
{
"header": {
"cluster_id": "XX",
"member_id": "XX",
"revision": "4",
"raft_term": "2"
}
}
{
"etcdserver": "3.5.0",
"etcdcluster": "3.5.0"
} |
|
It seems that I can write to etcd using |
Downgrade etcd version (from 3.5.0-debian-10-r42 to 3.3.9-debian-9-r73)
{
"header": {
"cluster_id": "XXX",
"member_id": "XXX",
"revision": "3",
"raft_term": "6"
}
}
{
"header": {
"cluster_id": "XXX",
"member_id": "XXX",
"revision": "3",
"raft_term": "9"
},
"kvs": [
{
"key": "Zm9v",
"create_revision": "2",
"mod_revision": "3",
"version": "2",
"value": "YmFy"
}
],
"count": "1"
}
{
"header": {
"cluster_id": "XXX",
"member_id": "XXX",
"revision": "3",
"raft_term": "8"
},
"kvs": [
{
"key": "Zm9v",
"create_revision": "2",
"mod_revision": "3",
"version": "2",
"value": "YmFy"
}
],
"count": "1"
}Conclusionsetcd has critical changes between the patch versions, someone knows what is a stable version tested within minio? |
etcd v3.3 and v3.4 - I have tested, not sure v3.5 |
|
Hey, @harshavardhana I did some more tests. Actually, the most important test that I did is create a Docker Compose to validate the Bitnami images and application versions. All of these works fine on that. For someone that wants to check the Docker Compose, I added this to a repository on my GitHub. github.com/DougTrajano/docker-compose-examples/minio-sts So, I'm still facing this issue yet, but I think that this is not related to any of the applications, is something in my environment. If you want to close this issue, I'll post here the solution (when I find it) to help in the future. Ps: I used etcd v.3.5 and works fine! :) |
👍🏽 |
|
@harshavardhana we founded the reason. It's the same issue that was described in #13192. When I downgrade minIO to an old version ( As I have Istio (Envoy Proxy) in my Kubernetes Cluster the requests are refusing because the |
Error: Unable to decrypt an encrypted ETCD backend for IAM users and policies: etcd is unreachable
Expected Behavior
I expected to use etcd to store IAM users and policies as I'm using minIO Gateway. My goal is to setup minIO STS (with Keycloak).
Current Behavior
I'm getting an error message that says that etcd is unreachable.
If I make a curl to the etcd pod inside the minIO pod, I can connect with that properly.
Command:
curl http://minio-etcd.minio:2379/versionThe endpoint
http://minio-etcd.minio:2379/isn't available, I don't know if it is the error.Steps to Reproduce (for bugs)
I deployed both minIO and etcd using the bitnami helm charts.
Your Environment
The text was updated successfully, but these errors were encountered: