Agent injector CrashLoopBackOff when replicas>1 : TLS handshake error - no certificate available #388
Comments
|
Hi @masterphenix, sorry to hear you're running into trouble with multiple replicas! Those chart values look good to me, though with them I haven't been able to reproduce your issue yet. I wonder if the liveness and readiness timeouts are just too low for your system? It looks like the chart doesn't have those as configurable options yet, so if you can adjust them manually that might shed some light on what the problem is. You may also want to set |
|
Hello @tvoran , thank you for having a look at this. I have tried changing liveness/readiness, and you were right, it started working. As a definitive solution, I have added a startupProbe to give the pods enough time to elect leader and generate certificates. |
|
That's great to hear! Would you mind sharing what you changed/added to get it working? That will better inform how to go about adding support for this to the chart. |
|
Sure, here is the startupProbe I added: startupProbe:
failureThreshold: 12
httpGet:
path: /health/ready
port: 8080
scheme: HTTPS
initialDelaySeconds: 5
periodSeconds: 5
successThreshold: 1
timeoutSeconds: 5Since I am using Flux, and deploying the injector with the vault helm chart, I used a kustomize postRenderer in the HelmRelease to add the probe: postRenderers:
# Instruct helm-controller to use built-in "kustomize" post renderer.
- kustomize:
patchesJson6902:
- target:
group: apps
version: v1
kind: Deployment
name: vault-agent-injector
patch:
- op: add
path: /spec/template/spec/containers/0/startupProbe
value: { "failureThreshold": 12, "initialDelaySeconds": 5, "periodSeconds": 5, "timeoutSeconds": 5, "successThreshold": 1, "httpGet": {"path":"/health/ready", "port": 8080, "scheme": "HTTPS"} } |
|
+1 to say we have just ran into this as well and changing replica to 1 fixed for us. |
|
The same config (with regards to probe etc) in other environment for us works fine so we are wondering if it is a race condition thing? |
|
Yeah I suspect it just takes the injector's leader election a little too long on some systems to establish a leader and generate the certificates for communicating with the k8s API, and so the pod is killed by the liveness probe. |
|
I get below even with 1 replica. FYI I'm using external Vault address. |
|
Hi @ajiteb that looks like a different issue, so you may want to start by reviewing the connectivity requirements: https://developer.hashicorp.com/vault/docs/platform/k8s/injector/examples#before-using-the-vault-agent-injector |
|
@tvoran thanks for your reply. Yes, at least pod doesn't go into CrashLoopBackOff but it stays in running state. Anyways I'm not able to understand the reason for these logs. I'm on EKS 1.23 with vault version 1.12.1. |
|
I have exactly same problem on few OpenShift cluster (not all of them) where I can deploy Vault injector with only 1 replica. Secret for leader elector is always empty. Newest chart and newest images. OpenShift 4.8.35 Logs: |
|
@tvoran Hi, I think it's same issue. Thanks! |
|
@tvoran we have faced the exact same issue and the hot fix was making the replica count 1. However, this definitely indicates this to be a bug and I believe should be fixed. |
Describe the bug
I have deployed the vault-agent-injector using Helm, with auto-TLS and 2 replicas, and both pods go into CrashLoopBackOff. Logs show the following errors:
A describe on the pods shows both liveness and readiness failing:
Also, the vault-injector-certs secret is of type "Opaque" and shows no data, which doesn't seem right.
To Reproduce
Steps to reproduce the behavior:
Application deployment:
Expected behavior
Pods should start the same way as they do when replicas=1
Environment
Additional context
This is what the vault-k8s-leader configMap looks like:
The text was updated successfully, but these errors were encountered: