New seed bootstrap tokens cannot be created for existing seeds #4687
How to categorize this issue?
/area robustness ops-productivity
/kind bug
/priority 3
What happened:
The client certificate of one of the managedseed clusters has expired and it has not been renewed on purpose.
Then, the parent gardenlet can create a new bootstrap token and let the child seed use it to request a new certificate. According to the code
gardener/pkg/gardenlet/controller/managedseed/managedseed_actuator.go
Lines 687 to 694 in 981aa35
gardenClientConnection.kubeconfigSecret
of the child seeds must not exist. I have deleted it, but then the parent gardenlet is failing to generate the token with error like
This gardener landscape has the SeedAuthorizer enabled and it is indeed rejecting the request with
What you expected to happen:
A new bootstrap token to be successfully generated and gardenlet re-deployed.
How to reproduce it (as minimally and precisely as possible):
Anything else we need to know?:
Environment:
kubectl version