Secret generation fails due to Kubectl API connection failure #5

Closed
TheDarkUndoing opened this issue Feb 18, 2024 · 7 comments
@TheDarkUndoing

TheDarkUndoing commented Feb 18, 2024

I'm running this chart as a subchart. The generation of the matrix secret job fails when the internal kubectl command is run. The service accounts and Role/Role-bindings seem fine but still getting this error. Hoping someone has encountered this.

I've tried disabling generation, but the main matrix server pod needs that secrets volume there to init.

Screenshot from 2024-02-17 19-17-54

Transcribed error:

```
couldn't get current server API group list: Get "https://10.43.0.1:443/api?timeout=32s": dial tcp 10.43.0.1:443: connect: connection refused
couldn't get current server API group list: Get "https://10.43.0.1:443/api?timeout=32s": dial tcp 10.43.0.1:443: connect: connection refused
couldn't get current server API group list: Get "https://10.43.0.1:443/api?timeout=32s": dial tcp 10.43.0.1:443: connect: connection refused
couldn't get current server API group list: Get "https://10.43.0.1:443/api?timeout=32s": dial tcp 10.43.0.1:443: connect: connection refused
couldn't get current server API group list: Get "https://10.43.0.1:443/api?timeout=32s": dial tcp 10.43.0.1:443: connect: connection refused
The connection to the server 10.43.0.1:443 was refused - did you specify the right host or port?
error: failed to create secret Post "https://10.43.0.1:443/api/v1/namespaces/default/secrets?fieldManager=kubectl-create&fieldValidation=String": dial tcp 10.43.0.1:443: connect: connection refused
```

@remram44
Owner

That's weird, does your cluster apiserver otherwise work? Can other workloads use in-cluster config successfully?

@remram44
Owner

Is 10.43.0.1:443 the right endpoint to reach the apiserver? Do you perhaps have firewall rules or NetworkPolicies that would prevent reaching it?

@TheDarkUndoing
Author

When I attempt to reach it from the istio-envoy-proxy attached to the pod, I can reach it but get an unauthorized HTTPS response. In the picture above I'm getting blocked at the TCP connection stage. Oh, I am also using Istio btw. No netpols set either.

@TheDarkUndoing
Author

Screenshot from 2024-02-17 20-48-23

Screencast.from.2024-02-17.20-49-56.webm

@remram44
Owner

This is probably an Istio issue. I am not familiar with it so I can't help you, but if pods can't reach the apiserver, this is something you'll have to fix before you can install this chart. It is not a bug in the matrix chart.

A summary web search turned up istio/istio#8696 which sounds related.

@remram44
Owner

Don't hesitate to let me know if I can help or clarify anything about the chart, but I can't help with Istio, sorry.

@TheDarkUndoing
Author

Thank you for the response. It's a homelab project, so I'll debug further when I have time.
