[BUG] init yurtcoordinator failed: fail to write CA assets into secret when initializing yurtcoordinator: create secret client yurt-coordinator-ca-certs fail #2127

Open
twosson opened this issue Aug 17, 2024 · 8 comments
Labels: kind/bug


twosson commented Aug 17, 2024

What happened:
Install yurt-manager err:
deleg.go:144] setup "msg"="unable to setup controllers" "error"="init yurtcoordinator failed: fail to write CA assets into secret when initializing yurtcoordinator: create secret client yurt-coordinator-ca-certs fail: secrets is forbidden: User "system:serviceaccount:kube-system:yurt-manager" cannot create resource "secrets" in API group "" in the namespace "kube-system""

What you expected to happen:

How to reproduce it (as minimally and precisely as possible):
helm upgrade --install yurt-manager -n kube-system openyurt/yurt-manager

Anything else we need to know?:

Environment:

  • OpenYurt version: helm 1.5
  • Kubernetes version (use kubectl version): 1.31
  • OS (e.g: cat /etc/os-release): ubuntu22.04
  • Kernel (e.g. uname -a): Linux k8s-master001 5.15.0-118-generic #128-Ubuntu SMP Fri Jul 5 09:28:59 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
  • Install tools:
  • Others:

others

/kind bug

twosson added the kind/bug label Aug 17, 2024

rambohe-ch (Member) commented

@twosson Thanks for raising this issue. It seems that the create-secret RBAC right is missing for the yurt-coordinator-ca-certs controller.

rambohe-ch (Member) commented

@twosson Sorry, I have checked the code of the yurt-coordinator-ca-certs controller: it uses the yurt-coordinator-cert-controller serviceaccount instead of yurt-manager.

kubeClient, err := client.NewForConfig(yurtClient.GetConfigByControllerNameOrDie(mgr, names.YurtCoordinatorCertController))

Moreover, the create-secrets RBAC settings are configured for the yurt-coordinator-cert-controller serviceaccount as follows:

So would you like to check the yurt-manager component version that you have used?


YunWZ commented Oct 11, 2024

> @twosson Sorry, I have checked the code of the yurt-coordinator-ca-certs controller: it uses the yurt-coordinator-cert-controller serviceaccount instead of yurt-manager.
>
> kubeClient, err := client.NewForConfig(yurtClient.GetConfigByControllerNameOrDie(mgr, names.YurtCoordinatorCertController))
>
> Moreover, the create-secrets RBAC settings are configured for the yurt-coordinator-cert-controller serviceaccount as follows:
>
> So would you like to check the yurt-manager component version that you have used?

The same problem for me, as the yurt-manager log shows:

deleg.go:144] setup "msg"="unable to setup controllers" "error"="init yurtcoordinator failed: fail to write CA assets into secret when initializing yurtcoordinator: create secret client yurt-coordinator-ca-certs fail: secrets is forbidden: User \"system:serviceaccount:kube-system:yurt-manager\" cannot create resource \"secrets\" in API group \"\" in the namespace \"kube-system\""

yurt-manager uses the serviceaccount yurt-manager instead of yurt-manager-yurt-coordinator-cert-controller.

luc99hen (Member) commented

> > @twosson Sorry, I have checked the code of the yurt-coordinator-ca-certs controller: it uses the yurt-coordinator-cert-controller serviceaccount instead of yurt-manager.
> >
> > kubeClient, err := client.NewForConfig(yurtClient.GetConfigByControllerNameOrDie(mgr, names.YurtCoordinatorCertController))
> >
> > Moreover, the create-secrets RBAC settings are configured for the yurt-coordinator-cert-controller serviceaccount as follows:
> >
> > So would you like to check the yurt-manager component version that you have used?
>
> The same problem for me, as the yurt-manager log shows:
>
> deleg.go:144] setup "msg"="unable to setup controllers" "error"="init yurtcoordinator failed: fail to write CA assets into secret when initializing yurtcoordinator: create secret client yurt-coordinator-ca-certs fail: secrets is forbidden: User \"system:serviceaccount:kube-system:yurt-manager\" cannot create resource \"secrets\" in API group \"\" in the namespace \"kube-system\""
>
> yurt-manager uses the serviceaccount yurt-manager instead of yurt-manager-yurt-coordinator-cert-controller.

As mentioned before, please post the yurt-manager component version that you used. It's unusual that yurt-manager uses the serviceaccount yurt-manager instead of yurt-manager-yurt-coordinator-cert-controller.

YunWZ commented Oct 11, 2024

I installed OpenYurt by helm: helm upgrade --install yurt-manager -n kube-system openyurt/yurt-manager.
In the yurt-manager pod spec, the image defined is openyurt/yurt-manager:v1.4.0.

YunWZ commented Oct 11, 2024

Also, I have tried installing the 1.5.0 version: helm upgrade --install yurt-manager -n kube-system openyurt/yurt-manager --version 1.5.0
The image of yurt-manager is still openyurt/yurt-manager:v1.4.0 (Image ID: docker.io/openyurt/yurt-manager@sha256:12d4d9eb734164c7a3ece4aee9c59dce47ca91d786fbe8d34463b6872c88d2a0).

The yurt-manager log looks like this (kubectl -n kube-system logs yurt-manager-867d5f8989-q6vpt):

I1011 11:52:26.834723       1 yurtappset_controller.go:81] yurtappset-controller add controller apps.openyurt.io/v1alpha1, Resource=yurtappsets
I1011 11:52:26.835401       1 daemon_pod_updater_controller.go:104] daemonupdater-controller add controller apps/v1, Kind=DaemonSet
I1011 11:52:26.835518       1 node_lifecycle_controller.go:464] Starting node controller
I1011 11:52:26.838433       1 yurtcoordinatorcert_controller.go:416] yurt-coordinator-cert-controller: secret(kube-system/yurt-coordinator-ca-certs) is not found, create new CA
E1011 11:52:27.105626       1 deleg.go:144] setup "msg"="unable to setup controllers" "error"="init yurtcoordinator failed: fail to write CA assets into secret when initializing yurtcoordinator: create secret client yurt-coordinator-ca-certs fail: secrets is forbidden: User \"system:serviceaccount:kube-system:yurt-manager\" cannot create resource \"secrets\" in API group \"\" in the namespace \"kube-system\""
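An added example, not code from this issue or from the OpenYurt code base: it parses the RBAC denial in the log above into subject, verb, resource, API group and namespace, checks whether the denied subject is the serviceaccount the thread says the controller should run as (yurt-manager-yurt-coordinator-cert-controller, taken from the comments above), and derives the impersonation check and the single least-privilege rule that would match the request. The sample lines are the two quoted above, embedded as constructed input.

```python
import re

# Constructed sample: the two relevant klog lines quoted in this issue, with the
# escaped quotes (\") exactly as the yurt-manager log prints them.
SAMPLE_LOG = r'''I1011 11:52:26.838433       1 yurtcoordinatorcert_controller.go:416] yurt-coordinator-cert-controller: secret(kube-system/yurt-coordinator-ca-certs) is not found, create new CA
E1011 11:52:27.105626       1 deleg.go:144] setup "msg"="unable to setup controllers" "error"="init yurtcoordinator failed: fail to write CA assets into secret when initializing yurtcoordinator: create secret client yurt-coordinator-ca-certs fail: secrets is forbidden: User \"system:serviceaccount:kube-system:yurt-manager\" cannot create resource \"secrets\" in API group \"\" in the namespace \"kube-system\""'''

# The apiserver renders every RBAC denial in one fixed shape:
#   <resource> is forbidden: User "<user>" cannot <verb> resource "<resource>"
#   in API group "<group>" [in the namespace "<ns>"]
# Quotes may be backslash-escaped when the message is nested inside another log field.
FORBIDDEN_RE = re.compile(
    r'User \\?"(?P<user>[^"\\]+)\\?" cannot (?P<verb>\w+) resource \\?"(?P<resource>[^"\\]+)\\?"'
    r' in API group \\?"(?P<group>[^"\\]*)\\?"'
    r'(?: in the namespace \\?"(?P<namespace>[^"\\]+)\\?")?'
)

def parse_rbac_denials(log_text):
    """Return one dict (user, verb, resource, group, namespace) per denied request."""
    matches = (FORBIDDEN_RE.search(line) for line in log_text.splitlines())
    return [m.groupdict() for m in matches if m]

def service_account_name(user):
    """'system:serviceaccount:<ns>:<name>' -> (ns, name); None for non-SA subjects."""
    parts = user.split(":")
    if len(parts) == 4 and parts[:2] == ["system", "serviceaccount"]:
        return parts[2], parts[3]
    return None

def runs_as_expected_identity(denial, expected_sa):
    """False when the denied subject is not the SA the controller is supposed to use.
    In that case the fix is the deployed version/identity, not a broader RoleBinding."""
    sa = service_account_name(denial["user"])
    return sa is not None and sa[1] == expected_sa

def can_i_command(denial):
    """kubectl command that reproduces the denial via impersonation (run against a cluster)."""
    cmd = ["kubectl", "auth", "can-i", denial["verb"], denial["resource"], "--as", denial["user"]]
    if denial["namespace"]:
        cmd += ["-n", denial["namespace"]]
    return " ".join(cmd)

def minimal_rule(denial):
    """The single least-privilege RBAC rule that would satisfy exactly this request."""
    return {"apiGroups": [denial["group"]], "resources": [denial["resource"]], "verbs": [denial["verb"]]}

if __name__ == "__main__":
    for d in parse_rbac_denials(SAMPLE_LOG):
        print(d, can_i_command(d), minimal_rule(d))
        # SA name taken from this thread: the cert controller should run as it, not as yurt-manager.
        print("expected identity:", runs_as_expected_identity(d, "yurt-manager-yurt-coordinator-cert-controller"))
```

For the log above the identity check comes back False, which matches the thread's diagnosis: the right response is to deploy the version that runs the controller under its dedicated serviceaccount rather than granting yurt-manager create on secrets.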

luc99hen (Member) commented Oct 11, 2024

> Also, I have tried installing the 1.5.0 version: helm upgrade --install yurt-manager -n kube-system openyurt/yurt-manager --version 1.5.0. The image of yurt-manager is still openyurt/yurt-manager:v1.4.0 (Image ID: docker.io/openyurt/yurt-manager@sha256:12d4d9eb734164c7a3ece4aee9c59dce47ca91d786fbe8d34463b6872c88d2a0).
>
> The yurt-manager log looks like this (kubectl -n kube-system logs yurt-manager-867d5f8989-q6vpt):
>
> I1011 11:52:26.834723       1 yurtappset_controller.go:81] yurtappset-controller add controller apps.openyurt.io/v1alpha1, Resource=yurtappsets
> I1011 11:52:26.835401       1 daemon_pod_updater_controller.go:104] daemonupdater-controller add controller apps/v1, Kind=DaemonSet
> I1011 11:52:26.835518       1 node_lifecycle_controller.go:464] Starting node controller
> I1011 11:52:26.838433       1 yurtcoordinatorcert_controller.go:416] yurt-coordinator-cert-controller: secret(kube-system/yurt-coordinator-ca-certs) is not found, create new CA
> E1011 11:52:27.105626       1 deleg.go:144] setup "msg"="unable to setup controllers" "error"="init yurtcoordinator failed: fail to write CA assets into secret when initializing yurtcoordinator: create secret client yurt-coordinator-ca-certs fail: secrets is forbidden: User \"system:serviceaccount:kube-system:yurt-manager\" cannot create resource \"secrets\" in API group \"\" in the namespace \"kube-system\""

Thanks for your reply. It seems that the online helm repo is not updated. @rambohe-ch

Please try using openyurt/yurt-manager:v1.5.0 @YunWZ

rambohe-ch (Member) commented

@YunWZ By the way, the OpenYurt charts have been moved to https://github.com/openyurtio/charts after version v1.5.0. Please have a try.
