
[BUG] init yurtcoordinator failed: fail to write CA assets into secret when initializing yurtcoordinator: create secret client yurt-coordinator-ca-certs fail #2127

Open
twosson opened this issue Aug 17, 2024 · 8 comments
Labels: kind/bug

Comments


twosson commented Aug 17, 2024

What happened:
Installing yurt-manager fails with:
deleg.go:144] setup "msg"="unable to setup controllers" "error"="init yurtcoordinator failed: fail to write CA assets into secret when initializing yurtcoordinator: create secret client yurt-coordinator-ca-certs fail: secrets is forbidden: User "system:serviceaccount:kube-system:yurt-manager" cannot create resource "secrets" in API group "" in the namespace "kube-system""

What you expected to happen:

How to reproduce it (as minimally and precisely as possible):
helm upgrade --install yurt-manager -n kube-system openyurt/yurt-manager

Anything else we need to know?:

Environment:

  • OpenYurt version: helm 1.5
  • Kubernetes version (use kubectl version): 1.31
  • OS (e.g: cat /etc/os-release): ubuntu22.04
  • Kernel (e.g. uname -a): Linux k8s-master001 5.15.0-118-generic #128-Ubuntu SMP Fri Jul 5 09:28:59 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
  • Install tools:
  • Others:


/kind bug

@twosson twosson added the kind/bug label Aug 17, 2024

@rambohe-ch (Member) commented:

@twosson Thanks for raising this issue. It seems that the create-secrets RBAC right is missing for the yurt-coordinator-ca-certs controller.

@rambohe-ch (Member) commented:

@twosson Sorry, I have checked the code of the yurt-coordinator-ca-certs controller: it uses the yurt-coordinator-cert-controller serviceaccount instead of yurt-manager.

kubeClient, err := client.NewForConfig(yurtClient.GetConfigByControllerNameOrDie(mgr, names.YurtCoordinatorCertController))

Moreover, the create-secrets RBAC settings are configured for the yurt-coordinator-cert-controller serviceaccount as follows:

So would you like to check the yurt-manager component version that you have used?

YunWZ commented Oct 11, 2024

The same problem for me, as the yurt-manager log shows:

deleg.go:144] setup "msg"="unable to setup controllers" "error"="init yurtcoordinator failed: fail to write CA assets into secret when initializing yurtcoordinator: create secret client yurt-coordinator-ca-certs fail: secrets is forbidden: User \"system:serviceaccount:kube-system:yurt-manager\" cannot create resource \"secrets\" in API group \"\" in the namespace \"kube-system\""

yurt-manager uses the serviceaccount yurt-manager instead of yurt-manager-yurt-coordinator-cert-controller.

@luc99hen (Member) commented:

As mentioned before, please post the yurt-manager component version that you used. It's unusual that yurt-manager uses the serviceaccount yurt-manager instead of yurt-manager-yurt-coordinator-cert-controller.
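The two facts the maintainers keep asking about in this thread can be checked directly against the cluster: which ServiceAccount the yurt-manager pod actually runs as, and whether that account may create Secrets in kube-system. The script below is an added example, not OpenYurt code. It parses the forbidden message quoted in the issue (embedded as a constructed sample), prints the `kubectl auth can-i` check that reproduces the API server's decision, and generates the narrowest Role/RoleBinding that would cover the denied verb for the denied ServiceAccount. The deployment name `yurt-manager` used in the first command is an assumption taken from the pod name in the log; the field names of the RBAC message are the ones the Kubernetes authorizer emits.

```shell
#!/bin/sh
# Added example, not OpenYurt project code. Turns a Kubernetes RBAC
# "forbidden" message into the checks and the minimal grant a reviewer
# would want to see before widening any ServiceAccount's rights.

# Constructed sample: the denial quoted in this issue.
SAMPLE_LOG='secrets is forbidden: User "system:serviceaccount:kube-system:yurt-manager" cannot create resource "secrets" in API group "" in the namespace "kube-system"'

# rbac_field LINE FIELD -> prints one of: user | verb | resource | group | namespace
rbac_field() {
  case $2 in
    user)      printf '%s\n' "$1" | sed -n 's/.*User "\([^"]*\)".*/\1/p' ;;
    verb)      printf '%s\n' "$1" | sed -n 's/.*cannot \([a-z]*\) resource.*/\1/p' ;;
    resource)  printf '%s\n' "$1" | sed -n 's/.*resource "\([^"]*\)".*/\1/p' ;;
    group)     printf '%s\n' "$1" | sed -n 's/.*API group "\([^"]*\)".*/\1/p' ;;
    namespace) printf '%s\n' "$1" | sed -n 's/.*namespace "\([^"]*\)".*/\1/p' ;;
    *)         return 1 ;;
  esac
}

# Which ServiceAccount does the pod actually run as? The deployment name
# "yurt-manager" is an assumption derived from the pod name in the log.
pod_sa_cmd() {
  printf "kubectl -n %s get deploy yurt-manager -o jsonpath='{.spec.template.spec.serviceAccountName}'\n" \
    "$(rbac_field "$1" namespace)"
}

# Ask the API server, impersonating the denied account, whether the denied
# verb is allowed. "yes"/"no" here reflects the real RBAC evaluation.
can_i_cmd() {
  printf 'kubectl auth can-i %s %s --namespace %s --as %s\n' \
    "$(rbac_field "$1" verb)" "$(rbac_field "$1" resource)" \
    "$(rbac_field "$1" namespace)" "$(rbac_field "$1" user)"
}

# Narrowest grant covering the denial: one verb, one resource, one namespace,
# bound to the one ServiceAccount. RBAC cannot restrict "create" by
# resourceNames, so a create grant still covers every Secret in the namespace.
role_manifest() {
  user=$(rbac_field "$1" user); verb=$(rbac_field "$1" verb)
  res=$(rbac_field "$1" resource); grp=$(rbac_field "$1" group)
  ns=$(rbac_field "$1" namespace)
  sa=${user#system:serviceaccount:}
  sa_ns=${sa%%:*}; sa_name=${sa#*:}
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ${sa_name}-${res}-${verb}
  namespace: ${ns}
rules:
- apiGroups: ["${grp}"]
  resources: ["${res}"]
  verbs: ["${verb}"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${sa_name}-${res}-${verb}
  namespace: ${ns}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ${sa_name}-${res}-${verb}
subjects:
- kind: ServiceAccount
  name: ${sa_name}
  namespace: ${sa_ns}
EOF
}

printf '# 1. confirm the ServiceAccount the pod uses:\n%s\n' "$(pod_sa_cmd "$SAMPLE_LOG")"
printf '# 2. check the permission as the API server evaluates it:\n%s\n' "$(can_i_cmd "$SAMPLE_LOG")"
printf '# 3. minimal Role/RoleBinding, only if the grant really is missing:\n'
role_manifest "$SAMPLE_LOG"
```

If step 1 prints `yurt-manager` while the controller code expects a dedicated `yurt-coordinator-cert-controller` account, the deployed image does not match the RBAC manifests, which is the direction the maintainers take in this thread; binding a create-secrets right to the general yurt-manager account instead would resolve the error but widens that account's privilege over every Secret in kube-system.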

YunWZ commented Oct 11, 2024

I installed OpenYurt with helm: helm upgrade --install yurt-manager -n kube-system openyurt/yurt-manager.
In the yurt-manager pod spec, the image defined is openyurt/yurt-manager:v1.4.0.

YunWZ commented Oct 11, 2024

Also, I have tried installing version 1.5.0: helm upgrade --install yurt-manager -n kube-system openyurt/yurt-manager --version 1.5.0
The yurt-manager image is still openyurt/yurt-manager:v1.4.0 (Image ID: docker.io/openyurt/yurt-manager@sha256:12d4d9eb734164c7a3ece4aee9c59dce47ca91d786fbe8d34463b6872c88d2a0).

The yurt-manager log looks like this (kubectl -n kube-system logs yurt-manager-867d5f8989-q6vpt):

I1011 11:52:26.834723       1 yurtappset_controller.go:81] yurtappset-controller add controller apps.openyurt.io/v1alpha1, Resource=yurtappsets
I1011 11:52:26.835401       1 daemon_pod_updater_controller.go:104] daemonupdater-controller add controller apps/v1, Kind=DaemonSet
I1011 11:52:26.835518       1 node_lifecycle_controller.go:464] Starting node controller
I1011 11:52:26.838433       1 yurtcoordinatorcert_controller.go:416] yurt-coordinator-cert-controller: secret(kube-system/yurt-coordinator-ca-certs) is not found, create new CA
E1011 11:52:27.105626       1 deleg.go:144] setup "msg"="unable to setup controllers" "error"="init yurtcoordinator failed: fail to write CA assets into secret when initializing yurtcoordinator: create secret client yurt-coordinator-ca-certs fail: secrets is forbidden: User \"system:serviceaccount:kube-system:yurt-manager\" cannot create resource \"secrets\" in API group \"\" in the namespace \"kube-system\""

luc99hen (Member) commented Oct 11, 2024

Thanks for your reply. It seems that the online helm repo is not updated. @rambohe-ch

Please try using openyurt/yurt-manager:v1.5.0 @YunWZ

@rambohe-ch (Member) commented:

@YunWZ By the way, the OpenYurt charts have been moved to https://github.com/openyurtio/charts after version v1.5.0. Please have a try.


4 participants