Description
Recreating issue #6482, which was closed due to inactivity. This is a confirmed bug. We just lost our whole cluster created with kops and we can't rotate credentials using the method described at https://github.com/kubernetes/kops/blob/master/docs/rotate-secrets.md - so we have a complete Kubernetes cluster down right now, and the problem described in this issue prevents us from bringing the cluster back online following the official docs. Hence, reopening a valid and important ticket.
- What kops version are you running? The command kops version, will display
this information.
$ kops version
Version 1.11.0, has also been confirmed with 1.15.0 and 1.16.0.
- What Kubernetes version are you running? kubectl version will print the
version if a cluster is running or provide the Kubernetes version specified as
a kops flag.
Irrelevant.
- What cloud provider are you using?
AWS
- What commands did you run? What is the simplest way to reproduce this issue?
$ kops delete secret keypair kube-controller-manager
I0219 15:22:22.716650 15341 certificate.go:106] Ignoring unexpected PEM block: "RSA PRIVATE KEY"
error deleting secret: error deleting certificate: error loading certificate "s3:////pki/private/kube-controller-manager/.key": could not parse certificate
- What happened after the commands executed?
They failed.
- What did you expect to happen?
I expect them to remove the kube-controller-manager keypair, according to your documentation https://github.com/kubernetes/kops/blob/master/docs/rotate-secrets.md
- Please provide your cluster manifest. Execute
kops get --name my.example.com -o yaml to display your cluster manifest.
You may want to remove your cluster name and other sensitive information.
Irrelevant to this issue.
- Please run the commands with most verbose logging by adding the -v 10 flag.
Paste the logs into this report, or in a gist and provide the gist link here.
$ kops delete secret keypair kube-controller-manager -v10
I0219 15:23:35.129669 15348 factory.go:68] state store s3:///
I0219 15:23:35.409810 15348 s3context.go:194] found bucket in region "eu-central-1"
I0219 15:23:35.409867 15348 s3fs.go:220] Reading file "s3:////config"
I0219 15:23:36.054560 15348 s3fs.go:257] Listing objects in S3 bucket "" with prefix "/pki/private/kube-controller-manager/"
I0219 15:23:36.095834 15348 s3fs.go:285] Listed files in s3:////pki/private/kube-controller-manager: [s3:////pki/private/kube-controller-manager/.key s3:////pki/private/kube-controller-manager/keyset.yaml]
I0219 15:23:36.096162 15348 s3fs.go:220] Reading file "s3:////pki/private/kube-controller-manager/.key"
I0219 15:23:36.170662 15348 certificate.go:106] Ignoring unexpected PEM block: "RSA PRIVATE KEY"
error deleting secret: error deleting certificate: error loading certificate "s3:////pki/private/kube-controller-manager/.key": could not parse certificate
- Anything else do we need to know?
Please don't let your bots close this issue and take it seriously.
This was already reported in #5318
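
The failure in the log above, as an added example that is not part of the original report and is not kops code: a certificate-only PEM loader, modelled on the two log messages, fails on a file that holds an RSA private key, while a check of the PEM block type identifies the object correctly. The function names and the in-memory sample key are constructed for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// loadCertificate mimics a certificate-only loader: non-CERTIFICATE blocks are skipped.
func loadCertificate(data []byte) (*x509.Certificate, error) {
	for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
		if block.Type == "CERTIFICATE" {
			return x509.ParseCertificate(block.Bytes)
		}
		fmt.Printf("Ignoring unexpected PEM block: %q\n", block.Type)
	}
	return nil, errors.New("could not parse certificate")
}

// classifyPEM reports what a stored object holds so it can be routed to the right parser.
func classifyPEM(data []byte) string {
	block, _ := pem.Decode(data)
	switch {
	case block == nil:
		return "not-pem"
	case block.Type == "CERTIFICATE":
		return "certificate"
	case block.Type == "RSA PRIVATE KEY", block.Type == "EC PRIVATE KEY", block.Type == "PRIVATE KEY":
		return "private-key"
	}
	return "unknown"
}

// samplePrivateKeyPEM builds a constructed, throwaway key file in memory.
func samplePrivateKeyPEM() []byte {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
}

func main() {
	data := samplePrivateKeyPEM()
	_, err := loadCertificate(data)
	fmt.Println("certificate-only loader:", err, "| object is:", classifyPEM(data))
}
```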