when waiting for certificates relation, status messages are unhelpful
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Kubernetes Control Plane Charm |
Fix Released
|
Medium
|
Martin Kalcok | ||
Kubernetes Worker Charm |
Fix Released
|
Medium
|
Martin Kalcok |
Bug Description
== Quick summary:
* Juju 2.7.5 (from 2.7/candidate channel)
* k8s deployed on top of bionic-stein
* Kubernetes channel: 1.17/stable
* All k8s services deployed except vault
* Several minutes later, vault application is also deployed
* Hours later, vault is unsealed
* after the weekend, kubernetes-master machines were removed and bundle redeployed, getting the same status
* "juju status --format yaml": https:/
== Longer explanation
Status showed that kubernetes-master was: Waiting for master components to start.
I tried to remove the relation between vault<-
https:/
I removed the following applications (had to "juju resolve --no-retry" on each -relation-departed, -broken, stop hook, etc.) and redeployed them again (all of them running on 2 nova instances):
* 2x units of kubernetes-master
* 1x easyrsa/0
* 1x openstack-
After redeployment (nova instances were recreated), "juju status" looks the same:
https:/
"journalctl -xe" shows:
Mar 23 09:57:24 juju-f5d4f1-
~# ls /root/cdk/
audit basic_auth.csv known_tokens.csv serviceaccount.key
summary: |
- Fresh k8s deployment, and later Vault deployment + unseal: Waiting for - master components to start + when certificates relation is missing, "Waiting for master components to + start" status message is unclear |
summary: |
when certificates relation is missing, "Waiting for master components to - start" status message is unclear + start" status message is unhelpful |
Changed in charm-kubernetes-master: | |
importance: | Undecided → Medium |
status: | New → Triaged |
summary: |
- when certificates relation is missing, "Waiting for master components to - start" status message is unhelpful + when certificates relation is missing or stalled, "Waiting for master + components to start" status message is unhelpful |
summary: |
- when certificates relation is missing or stalled, "Waiting for master - components to start" status message is unhelpful + when waiting for certificates relation, "Waiting for master components + to start" status message is unhelpful |
Changed in charm-kubernetes-master: | |
assignee: | nobody → Martin Kalcok (martin-kalcok) |
Changed in charm-kubernetes-worker: | |
assignee: | nobody → Martin Kalcok (martin-kalcok) |
tags: |
added: backport-needed removed: review-needed |
Changed in charm-kubernetes-master: | |
status: | Triaged → Fix Committed |
Changed in charm-kubernetes-worker: | |
status: | Triaged → Fix Committed |
Changed in charm-kubernetes-master: | |
milestone: | none → 1.20+ck1 |
Changed in charm-kubernetes-worker: | |
milestone: | none → 1.20+ck1 |
Changed in charm-kubernetes-master: | |
status: | Fix Committed → Fix Released |
Changed in charm-kubernetes-worker: | |
status: | Fix Committed → Fix Released |
I initially escalated to ~field-critical but have now de-escalated it after some help in #k8s irc channel.
Several vault:certificates relations were missing. I followed the shared doc [1] by cynerva, and things started working.
FWIW, both easyrsa: client< ->kubernetes- master: certificates and vault:certifica tes<->kubernete s-master: certificates were missing. I've used the second option, as well as related vault to kubernetes-worker, the LB and etcd.
1. https:/ /ubuntu. com/kubernetes/ docs/using- vault