[1.25/beta] kubernetes-control-plane errors with hook failed: "certificates-relation-changed"
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Kubernetes Control Plane Charm |
Fix Released
|
High
|
George Kraft |
Bug Description
In testrun https:/
```
kubernetes-
calico/4 waiting idle 18.232.60.34 Waiting to retry Calico node configuration
containerd/4 active idle 18.232.60.34 Container runtime available
filebeat/15 active idle 18.232.60.34 Filebeat ready.
ntp/15 active idle 18.232.60.34 123/udp chrony: Ready
telegraf/15 active idle 18.232.60.34 9103/tcp Monitoring kubernetes-
```
In the log we see
```
Traceback (most recent call last):
File "/var/lib/
hookenv.
File "/var/lib/
callback(*args, **kwargs)
File "/var/lib/
app_kv = vault_kv.
File "/var/lib/
cls.
File "/var/lib/
super(
File "/var/lib/
response = self._client.
File "/var/lib/
client.
File "/var/lib/
return method(*args, **kwargs)
File "/var/lib/
return self.login(
File "/var/lib/
return self._adapter.
File "/var/lib/
response = self.post(url, **kwargs)
File "/var/lib/
return self.request(
File "/var/lib/
response = super(JSONAdapter, self).request(
File "/var/lib/
utils.
File "/var/lib/
raise exceptions.
hvac.exceptions
```
We have seen other testruns of the same SKU pass this point.
Crashdumps can be found here:
https:/
tags: | added: cdo-qa foundations-engine |
Changed in charm-kubernetes-master: | |
importance: | Undecided → High |
status: | New → Triaged |
assignee: | nobody → George Kraft (cynerva) |
status: | Triaged → In Progress |
milestone: | none → 1.25+ck1 |
tags: | added: backport-needed |
tags: | removed: backport-needed |
Changed in charm-kubernetes-master: | |
status: | Fix Committed → Fix Released |
We get to this state by /charmhub. io/vault/ actions? channel= 1.7/stable# reissue- certificates
1) deploying cdk 1.25/beta with vault. Relating vault as both the certificate manager and for managing the vault-kv store
2) once vault settles, we unseal it following the steps in the charm documentation
3) run the action "reissue certificates" from vault - https:/
Once vault has been unsealed and certificates are re-issued, sometimes k8s cp will reach this state, I would guess it happens about 30% of the time based on our small sample size