Replacing vault with easyrsa results in "error: You must be logged in to the server (Unauthorized)"
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Kubernetes Control Plane Charm | Fix Released | Medium | George Kraft |
Bug Description
I tried to switch from vault to easyrsa as a certificate provider. This resulted in "error: You must be logged in to the server (Unauthorized)" being returned for each kubectl command and kubernetes-master units stuck in waiting/blocked loop.
### Steps to reproduce:
1) Deploy CDK cluster with vault acting as the certificates provider (fully initialized, "green" model).
2) Remove "vault:
3) Add relations between easyrsa and kubernetes-master, kubernetes-worker and kubeapi-
4) Model doesn't settle, all kubectl commands result in "error: You must be logged in to the server (Unauthorized)"
kube-apiserver logs get filled with error messages:
2022-01-
kubernetes-master juju agents get stuck on:
unit-kubernetes
unit-kubernetes
unit-kubernetes
### Workaround:
Run against each kubernetes-master unit:
$ juju ssh kubernetes-master/0 sudo systemctl restart cdk.master.
After that Juju model turned all green and kubectl started working again with all functionalities being fully restored.
### Versions:
App Version Store Channel Rev
containerd go1.13.8 charmstore stable 200
easyrsa 3.0.1 charmstore stable 441
etcd 3.4.5 charmstore stable 655
flannel 0.11.0 charmstore stable 619
keystone 17.0.1 charmhub stable 539
keystone-
kubeapi-
kubernetes-master 1.23.1 charmstore stable 1106
kubernetes-worker 1.23.1 charmstore stable 838
mysql-innodb-
openstack-
vault 1.5.9 charmhub stable 54
vault-mysql-router 8.0.27 charmhub stable 15
Juju: 2.9.15
OS: Ubuntu 20.04.3 LTS (Focal Fossa)
Kernel: 5.4.0-92-generic
Changed in charm-kubernetes-master:
assignee: nobody → George Kraft (cynerva)
status: Triaged → In Progress
milestone: none → 1.24+ck1
Changed in charm-kubernetes-master:
status: In Progress → Fix Committed
tags: added: backport-needed
tags: removed: backport-needed
Changed in charm-kubernetes-master:
status: Fix Committed → Fix Released
Thanks for the detailed report.
The certs_changed handler[1] needs to be updated to also restart the cdk.master.auth-webhook service.
[1]: https://github.com/charmed-kubernetes/charm-kubernetes-master/blob/2d7eda74e22b1fe67e2ed0ae17556c95da935077/reactive/kubernetes_master.py#L1227-L1230
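A check to run on a control-plane unit after swapping the certificate provider. It is an added example, not part of the bug report or the charm's code, and it flags systemd units that started before a certificate file was last written. The certificate path is a placeholder, and treating an older start time as a sign of stale certificates is an assumption. `cdk.master.auth-webhook` is the service named in the comment above.

```shell
#!/bin/sh
# Added example: flag systemd services that were started before a certificate
# file was last written, i.e. services that may still hold the old material.

# needs_restart CERT_MTIME SERVICE_START
# Both arguments are epoch seconds. Returns 0 (true) when the service started
# before the certificate changed, or when its start time is unknown.
needs_restart() {
    cert_mtime=$1
    svc_start=$2
    case "$svc_start" in
        ''|*[!0-9]*) return 0 ;;   # unparsable start time: treat as stale
    esac
    [ "$svc_start" -lt "$cert_mtime" ]
}

# service_start_epoch UNIT: wall-clock start time of a unit, in epoch seconds.
# Prints nothing when the unit is inactive or the timestamp cannot be parsed.
service_start_epoch() {
    ts=$(systemctl show -p ActiveEnterTimestamp --value "$1" 2>/dev/null)
    [ -n "$ts" ] && date -d "$ts" +%s 2>/dev/null
}

# check_units CERT_FILE UNIT...: print units that predate the certificate.
# Exit status: 0 = all units newer than the cert, 1 = stale unit found,
# 2 = certificate file could not be read.
check_units() {
    cert=$1; shift
    mtime=$(stat -c %Y "$cert") || return 2
    stale=0
    for unit in "$@"; do
        start=$(service_start_epoch "$unit") || start=""
        if needs_restart "$mtime" "$start"; then
            echo "STALE $unit (started ${start:-unknown}, cert written $mtime)"
            stale=1
        fi
    done
    return "$stale"
}

# Runs only when called with arguments. The certificate path is a placeholder:
#   sh check_stale.sh /path/to/server.crt cdk.master.auth-webhook
if [ "$#" -ge 2 ]; then
    check_units "$@"
fi
```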