Problem

kubectl commands cannot be run on the master nodes because the cluster's vault token has expired, and the nodelet phases get stuck at the Gen-Certs phase. Nodelet uses that token in the Gen-Certs phase to obtain certificates from pf9-vault, so once it has expired certificate generation fails and the node keeps running on certificates that have themselves expired. Errors seen include:

  File "<string>", line 1, in <module>
KeyError: 'data'
Certificate is not signed by CA
Error loading file /tmp/authbs-certs.abc/apiserver/
error sending status update to sunpike: rpc error: code = Unknown desc = apiserver storage error: an error on the server "rpc error: code = DeadlineExceeded desc = latest balancer error: all SubConns are in TransientFailure, latest connection error: connection error: desc = \"transport: authentication handshake failed: x509: certificate has expired or is not yet valid\""

In the directory /tmp/authbs-certs.abc/apiserver/ mentioned in the error, the file request.json contained the entry "Permission denied" instead of the certificate information.

To recover from this issue, the vault token has to be regenerated.
Validation

Steps to validate the token expiry:

1. SSH into the DU VM as the root user.

2. Export the required details: the Vault address and the root token that qbert keeps in its database. The root_token value is a highly privileged Vault credential; export it only for the duration of this procedure and unset it afterwards.

export VAULT_TOKEN=$(mysql qbert -Bse "SELECT credential_value FROM qbert_secrets where credential_name='root_token'")
export VAULT_ADDR=http://127.0.0.1:8200

3. Set the affected cluster's UUID and read the token that qbert stores for that cluster:

CLUSTER_UUID=<CLUSTER_UUID>
CLUSTER_VAULT_TOKEN=$(mysql qbert -Bse "SELECT vaultToken FROM clusters WHERE uuid='$CLUSTER_UUID'")

4. Run the command below to see the token's expiry details. The expire_time field is the expiry timestamp and ttl is the lifetime remaining; a token that has already expired cannot be looked up, and the command returns an error instead of the table shown here.

Example:

# /usr/local/bin/vault token lookup $CLUSTER_VAULT_TOKEN
Key                 Value
---                 -----
accessor            [ACCESSOR-ID]
creation_time       [CREATION TIMESTAMP]
creation_ttl        26280h
display_name        token
entity_id           n/a
expire_time         [EXPIRY TIMESTAMP]
explicit_max_ttl    0s
id                  [ID]
issue_time          [ISSUE TIMESTAMP]
meta                <nil>
num_uses            0
orphan              false
path                auth/token/create
policies            [POLICIES]
renewable           true
ttl                 26215h49m50s
type                service

In this sample the token was created with a 26280h (three-year) TTL and still has 26215h49m50s left, so it is valid; [EXPIRY TIMESTAMP] is the date to compare against the current time.

Procedure

The steps to regenerate the vault token are:

Perform steps 1 to 7 as the root user on the DU VM:

1. Retrieve the affected cluster's UUID:

mysql qbert -e "select name,id,uuid,status,lastOk,lastOp,taskStatus,kubeRoleVersion from clusters;"

2. Set CLUSTER_UUID to the UUID found in step 1 and check the cluster's current vault token:

CLUSTER_UUID=<Cluster-UUID>
mysql qbert -e "select name,uuid,vaultToken from clusters where uuid='$CLUSTER_UUID';"

3. Set the following variables to regenerate the token:

OLD_VAULT_TOKEN=$(mysql qbert -Bse "SELECT vaultToken FROM clusters WHERE uuid='$CLUSTER_UUID'")
ROOT_VAULT_TOKEN=$(mysql qbert -Bse "SELECT credential_value FROM qbert_secrets where credential_name='root_token'")

4. Verify the values of the variables $OLD_VAULT_TOKEN and $ROOT_VAULT_TOKEN (for example with echo) before continuing.

5. Generate the new vault token using the below commands:

6. Update the new token in the qbert database:

7. Verify the newly generated token using:

8. Restart the nodeletd phases on each master node or affected node, one at a time.

9. Check that the new token is present in the file /etc/pf9/kube.env on each node.

Additional Information

After the pf9-vault token renewal, if the new token generated on the DU VM is not propagated to the nodes' /etc/pf9/kube.env, apply the following workaround on each affected node:

1. Manually copy the vault token from the DU VM.
2. Replace the token in the node's /etc/pf9/kube.env.
3. Restart the nodeletd phases on the node. They should pick up the new pf9-vault token.
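The script below is an added example and is not part of this article or of Platform9's tooling. It wraps the validation lookup and the regeneration steps above in shell functions: it parses the output of vault token lookup and classifies the cluster token as ok, expiring or expired, mints a replacement token and stores it in qbert, and checks a node's kube.env for the new token. It assumes VAULT_ADDR, VAULT_TOKEN and ROOT_VAULT_TOKEN are exported as in the article, vault is at /usr/local/bin/vault, jq is installed, and mysql qbert works on the DU VM. The create command, its policy argument and the UPDATE on clusters.vaultToken are assumptions, since the article does not reproduce its own step 5 to 7 commands; the ttl threshold and the test data are made up.

```shell
#!/bin/sh
# Added example, not from the Platform9 article. Assumes VAULT_ADDR,
# VAULT_TOKEN and ROOT_VAULT_TOKEN exported as in the article, vault at
# /usr/local/bin/vault, jq installed, and `mysql qbert` usable on the DU VM.

# Convert a Vault duration such as "26215h49m50s" or "0s" to whole hours.
ttl_to_hours() {
  s=$1; h=0; m=0
  case "$s" in *h*) h=${s%%h*}; s=${s#*h};; esac
  case "$s" in *m*) m=${s%%m*};; esac
  echo $(( h + m / 60 ))
}

# Print the remaining "ttl" field from `vault token lookup` output on stdin.
lookup_ttl() {
  awk '$1 == "ttl" { print $2 }'
}

# Classify a token from the exit code and output of `vault token lookup`:
#   expired  - lookup failed (Vault rejects an expired or revoked token)
#   expiring - fewer than $3 hours remain (default 720h = 30 days, made up here)
#   ok       - otherwise
classify_token() {
  rc=$1; out=$2; warn=${3:-720}
  if [ "$rc" -ne 0 ]; then echo expired; return 0; fi
  t=$(printf '%s\n' "$out" | lookup_ttl)
  hours=$(ttl_to_hours "$t")
  if [ "$hours" -lt "$warn" ]; then echo expiring; else echo ok; fi
}

# Validation step: look up the token qbert stores for a cluster.
check_cluster_token() {
  cluster_uuid=$1
  token=$(mysql qbert -Bse "SELECT vaultToken FROM clusters WHERE uuid='$cluster_uuid'")
  out=$(/usr/local/bin/vault token lookup "$token" 2>&1) && rc=0 || rc=$?
  classify_token "$rc" "$out"
}

# Procedure steps 5 to 7. ASSUMPTION: the article's exact commands are not
# shown; this mints the token with `vault token create` under a caller-supplied
# policy name and the 26280h TTL seen in the sample lookup, writes it to the
# same clusters.vaultToken column the article's SELECT reads, and verifies it.
regenerate_cluster_token() {
  cluster_uuid=$1; policy=$2
  new_token=$(VAULT_TOKEN=$ROOT_VAULT_TOKEN /usr/local/bin/vault token create \
      -policy="$policy" -ttl=26280h -format=json | jq -r '.auth.client_token')
  if [ -z "$new_token" ] || [ "$new_token" = null ]; then
    echo "token create failed" >&2; return 1
  fi
  mysql qbert -e "UPDATE clusters SET vaultToken='$new_token' WHERE uuid='$cluster_uuid';"
  /usr/local/bin/vault token lookup "$new_token" >/dev/null || return 1
  echo "$new_token"
}

# Step 9 / workaround check: does a node's kube.env ($1) contain token $2?
token_in_kube_env() {
  grep -qF -- "$2" "$1"
}
```

Usage on the DU VM: check_cluster_token "$CLUSTER_UUID" prints ok, expiring or expired; NEW=$(regenerate_cluster_token "$CLUSTER_UUID" <policy-name>) performs the regeneration; on each node, token_in_kube_env /etc/pf9/kube.env "$NEW" returns non-zero if the token was not propagated and the manual copy workaround is needed. The classification deliberately treats a failed lookup as expired rather than parsing the error text, because Vault does not return the token's metadata once it has expired.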