-
Notifications
You must be signed in to change notification settings - Fork 91
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Secrets "v4-0-config-system-router-certs" not found for cluster-authentication operator #95
Comments
I see this in CI too: $ curl -s https://storage.googleapis.com/origin-ci-test/pr-logs/pull/openshift_installer/1432/pull-ci-openshift-installer-master-e2e-aws/4532/artifacts/e2e-aws/pods/openshift-authentication-operator_openshift-authentication-operator-6548bcfb48-b2scr_operator.log.gz | gunzip | grep '^E'
E0319 14:58:50.103266 1 controller.go:130] {🐼 🐼} failed with: Operation cannot be fulfilled on authentications.operator.openshift.io "cluster": the object has been modified; please apply your changes to the latest version and try again
E0319 14:58:50.501338 1 controller.go:130] {🐼 🐼} failed with: secrets "v4-0-config-system-router-certs" not found
... In my case, it eventually surfaced as: $ curl -s https://storage.googleapis.com/origin-ci-test/pr-logs/pull/openshift_installer/1432/pull-ci-openshift-installer-master-e2e-a
ws/4532/artifacts/e2e-aws/pods/openshift-console_console-7f655c4974-mrq4p_console_previous.log.gz | gunzip | tail -n1
2019/03/19 15:21:39 auth: error contacting auth provider (retrying in 10s): discovery through endpoint https://172.30.0.1:443/.well-known/oauth-authorization-server failed: 404 Not Found and triggered:
|
@enj pointed out that the certs come from ingress, and in my case the ingress operator started very late: $ curl -s https://storage.googleapis.com/origin-ci-test/pr-logs/pull/openshift_installer/1432/pull-ci-openshift-installer-master-e2e-aws/4532/artifacts/e2e-aws/pods/openshift-ingress-operator_ingress-operator-66cc97d7bf-cfggf_ingress-operator.log.gz | gunzip | head -n1
2019-03-19T15:22:32.161Z INFO operator log/log.go:26 started zapr logger and had the certs out very quickly after that: $ curl -s https://storage.googleapis.com/origin-ci-test/pr-logs/pull/openshift_installer/1432/pull-ci-openshift-installer-master-e2e-aws/4532/artifacts/e2e-aws/pods/openshift-ingress-operator_ingress-operator-66cc97d7bf-cfggf_ingress-operator.log.gz | gunzip | grep 'Published router certificates'
2019-03-19T15:22:33.866Z DEBUG operator.init.kubebuilder.manager.events recorder/recorder.go:53 Normal {"object": {"kind":"Secret","namespace":"openshift-config-managed","name":"router-certs","uid":"d1c7abcb-4a5a-11e9-8b3b-126e53c8f1fa","apiVersion":"v1","resourceVersion":"26640"}, "reason": "PublishedRouterCertificates", "message": "Published router certificates"} So not a console or auth issue. /close |
@wking: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
The issue has something to do with delays for some resources during CVO roll-out. GitHub doesn't support inline SVGs, so this isn't interactive, but: Here's the SVG for folks who want to view it locally: The slow objects: $ grep 'width="[0-9][0-9][0-9][0-9]' cvo.svg
<rect x="0.053627" y="292" width="1506.327718" height="4" fill="blue"><title>servicemonitor openshift-kube-scheduler-operator/kube-scheduler-operator 301/308 (0:25:06.327718)</title></rect>
<rect x="0.053747" y="296" width="1507.264621" height="4" fill="blue"><title>servicemonitor openshift-controller-manager-operator/openshift-controller-manager-operator 307/308 (0:25:07.264621)</title></rect>
<rect x="0.055222" y="316" width="1507.238081" height="4" fill="blue"><title>servicemonitor openshift-kube-apiserver-operator/kube-apiserver-operator 295/308 (0:25:07.238081)</title></rect>
<rect x="0.061379" y="320" width="1507.756473" height="4" fill="blue"><title>servicemonitor openshift-kube-controller-manager-operator/kube-controller-manager-operator 298/308 (0:25:07.756473)</title></rect>
<rect x="0.064809" y="388" width="1507.62846" height="4" fill="blue"><title>servicemonitor openshift-apiserver-operator/openshift-apiserver-operator 304/308 (0:25:07.628460)</title></rect>
<rect x="0.983909" y="504" width="1508.813288" height="4" fill="blue"><title>rolebinding openshift-cluster-storage-operator/cluster-storage-operator 229/308 (0:25:08.813288)</title></rect>
<rect x="6.329864" y="812" width="1503.218897" height="4" fill="blue"><title>rolebinding openshift-ingress-operator/ingress-operator 189/308 (0:25:03.218897)</title></rect>
<rect x="26.910242" y="936" width="1481.558137" height="4" fill="blue"><title>servicemonitor openshift-image-registry/image-registry 286/308 (0:24:41.558137)</title></rect>
<rect x="27.116099" y="964" width="1480.551961" height="4" fill="blue"><title>servicemonitor openshift-service-catalog-apiserver-operator/openshift-service-catalog-apiserver-operator 289/308 (0:24:40.551961)</title></rect>
<rect x="27.265212" y="972" width="1480.078164" height="4" fill="blue"><title>servicemonitor openshift-service-catalog-controller-manager-operator/openshift-service-catalog-controller-manager-operator 292/308 (0:24:40.078164)</title></rect>
<rect x="27.887874" y="1012" width="1501.151953" height="4" fill="blue"><title>clusteroperator authentication 154/308 (0:25:01.151953)</title></rect>
<rect x="29.428165" y="1084" width="1609.796623" height="4" fill="blue"><title>clusteroperator monitoring 199/308 (0:26:49.796623)</title></rect> Logs for the ingress rolebinding: $ curl -s https://storage.googleapis.com/origin-ci-test/pr-logs/pull/openshift_installer/1432/pull-ci-openshift-installer-master-e2e-aws/4532/artifacts/e2e-aws/pods/openshift-cluster-version_cluster-version-operator-7759674cb6-5lf6m_cluster-version-operator.log.gz | gunzip | grep 'rolebinding "openshift-ingress-operator/ingress-operator"'
I0319 14:57:15.055171 1 sync_worker.go:462] Running sync for rolebinding "openshift-ingress-operator/ingress-operator" (189 of 308)
E0319 14:57:15.204004 1 task.go:58] error running apply for rolebinding "openshift-ingress-operator/ingress-operator" (189 of 308): rolebindings.rbac.authorization.k8s.io "ingress-operator" is forbidden: the server could not find the requested resource (get rolebindingrestrictions.authorization.openshift.io)
...
E0319 14:57:22.503107 1 task.go:58] error running apply for rolebinding "openshift-ingress-operator/ingress-operator" (189 of 308): rolebindings.rbac.authorization.k8s.io "ingress-operator" is forbidden: the server could not find the requested resource (get rolebindingrestrictions.authorization.openshift.io)
I0319 15:21:45.157019 1 task_graph.go:566] Result of work: [Could not update rolebinding "openshift-cluster-storage-operator/cluster-storage-operator" (229 of 308): the server has forbidden updates to this resource...
...
I0319 15:22:16.937922 1 sync_worker.go:462] Running sync for rolebinding "openshift-ingress-operator/ingress-operator" (189 of 308)
I0319 15:22:18.274068 1 sync_worker.go:475] Done syncing for rolebinding "openshift-ingress-operator/ingress-operator" (189 of 308)
... @enj has some idea what's going on with those, although this is all beyond me ;). |
Not able to start the auth service because of
"v4-0-config-system-router-certs" not found
error.The text was updated successfully, but these errors were encountered: