api logs not very precise in regards to cert issues on endpoints #122639

Open
KlavsKlavsen opened this issue Jan 8, 2024 · 8 comments
Labels
help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. kind/bug Categorizes issue or PR as related to a bug. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. triage/accepted Indicates an issue or PR is ready to be actively worked on.

Comments

@KlavsKlavsen

What happened?

Our kube-apiserver just started failing to start. The log from containerd only says:
2023-12-16T07:35:01.426019865+01:00 stderr F }. Err: connection error: desc = "transport: authentication handshake failed: x509: certificate has expired or is not yet valid: current time 2023-12-16T06:35:01Z is after 2023-12-03T03:37:19Z"

We checked the apiserver certs etc., and they were all fine.
We finally checked the etcd endpoint, and that had an old cert.

/sig api-machinery

A repost, for the log issue only, per @neolit123's suggestion in kubernetes/kubeadm#2989 (comment)

What did you expect to happen?

A log message that told me which endpoint had the bad cert, and details about the cert.

How can we reproduce it (as minimally and precisely as possible)?

Renew the API certs and not the etcd certs, then move time forward so the etcd certs have run out, and restart kubelet.

Anything else we need to know?

No response

Kubernetes version

1.26.4

Cloud provider

hetzner.com - physical servers

OS version

ubuntu 22.04

Install tools

Container runtime (CRI) and version (if applicable)

Related plugins (CNI, CSI, ...) and versions (if applicable)

@KlavsKlavsen KlavsKlavsen added the kind/bug Categorizes issue or PR as related to a bug. label Jan 8, 2024
@k8s-ci-robot k8s-ci-robot added sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Jan 8, 2024
@leilajal
Contributor

leilajal commented Jan 9, 2024

/help
/triage accepted

@k8s-ci-robot
Contributor

@leilajal:
This request has been marked as needing help from a contributor.

Guidelines

Please ensure that the issue body includes answers to the following questions:

  • Why are we solving this issue?
  • To address this issue, are there any code changes? If there are code changes, what needs to be done in the code and what places can the assignee treat as reference points?
  • Does this issue have zero to low barrier of entry?
  • How can the assignee reach out to you for help?

For more details on the requirements of such an issue, please see here and ensure that they are met.

If this request no longer meets these requirements, the label can be removed
by commenting with the /remove-help command.

In response to this:

/help
/triage accepted

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Jan 9, 2024
@Affan-7

Affan-7 commented Jan 15, 2024

I would love to work on this.
/assign

@Affan-7

Affan-7 commented Jan 15, 2024

@leilajal

I think I need to update the log message to be more specific. Like etcd certificate has expired or is not yet valid. Am I right?

@KlavsKlavsen
Author

I'd put details for which endpoint "DNS name and/or IP" that's being accessed. Specifically, the IP is important too. It might be a DNS issue (if the DNS name has multiple IPs, for example, it may be only one of them).
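
An added example, not part of the thread and not Kubernetes code: one way a client could attach the endpoint, the resolved IP and the certificate's details to an x509 validation error, as requested above. `describeCertError`, `expiredCertError`, the endpoint name and the IP are assumptions; the certificate is constructed in-process and the two timestamps are those in the issue's log line.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// describeCertError (hypothetical helper) adds endpoint, IP and cert details to a TLS error.
func describeCertError(endpoint, ip string, err error) string {
	var inv x509.CertificateInvalidError
	if errors.As(err, &inv) && inv.Cert != nil {
		return fmt.Sprintf("endpoint=%s ip=%s subject=%q notAfter=%s: %v", endpoint, ip,
			inv.Cert.Subject.CommonName, inv.Cert.NotAfter.UTC().Format(time.RFC3339), err)
	}
	return fmt.Sprintf("endpoint=%s ip=%s: %v", endpoint, ip, err)
}

// expiredCertError verifies a constructed self-signed cert (CN "etcd-server") at time now.
func expiredCertError(notAfter, now time.Time) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "etcd-server"},
		NotBefore: notAfter.AddDate(-1, 0, 0), NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now})
	return err
}

func main() { // endpoint and IP are placeholders; the timestamps come from the issue's log line
	err := expiredCertError(time.Date(2023, 12, 3, 3, 37, 19, 0, time.UTC), time.Date(2023, 12, 16, 6, 35, 1, 0, time.UTC))
	fmt.Println(describeCertError("etcd.example.internal:2379", "192.0.2.10", err))
}
```

Errors that are not certificate validation failures keep their text and still gain the endpoint and IP prefix.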

@Affan-7

Affan-7 commented Jan 18, 2024

Hi @neolit123

I am unable to find the code that is logging this error message. Can you please help me with that?

@neolit123
Member

Try asking in #sig-api-machinery on the k8s Slack.

@Affan-7 Affan-7 removed their assignment Jan 27, 2024
@holgerson97

/assign

6 participants