Gossip encryption key secret name mismatched when set autoGenerate=true with a custom chart name #1186

Closed
mntforever opened this issue Apr 25, 2022 · 2 comments

@mntforever

Overview of the Issue

When I run helm install hashicorp/consul with the name dc1 and global.gossipEncryption.autoGenerate set to true, the job dc1-consul-create-federation-secret can't be completed, because this job needs a secret with the name consul-gossip-encryption-key, but the secret with the name dc1-consul-gossip-encryption-key was created instead.

In the helm chart template, we can see that:

  • consul-k8s/charts/consul/templates/gossip-encryption-autogenerate-job.yaml
...
      containers:
        - name: gossip-encryption-autogen
          image: "{{ .Values.global.imageK8S }}"
          command:
            - "/bin/sh"
            - "-ec"
            - |
              consul-k8s-control-plane gossip-encryption-autogenerate \
                -namespace={{ .Release.Namespace }} \
                -secret-name={{ template "consul.fullname" . }}-gossip-encryption-key \
                -secret-key="key" \
                -log-level={{ .Values.global.logLevel }} \
                -log-json={{ .Values.global.logJSON }}
          resources:
            requests:
              memory: "50Mi"
              cpu: "50m"
            limits:
              memory: "50Mi"
              cpu: "50m"
...
  • consul-k8s/charts/consul/templates/create-federation-secret-job.yaml
...
{{- else if .Values.global.gossipEncryption.autoGenerate }}
- name: gossip-encryption-key
  secret:
    secretName: consul-gossip-encryption-key
    items:
      - key: key
        path: gossip.key
{{- end }}
...

Reproduction Steps

  1. Create values.yaml with the following values:
global:
  enabled: true
  domain: consul
  image: "consul:1.11.5"
  imageK8S: hashicorp/consul-k8s-control-plane:0.41.1
  imageEnvoy: envoyproxy/envoy-alpine:v1.20.2
  datacenter: dc1
  federation:
    enabled: true
    createFederationSecret: true
    primaryDatacenter: dc1
  gossipEncryption:
    autoGenerate: true
  tls:
    enabled: true
    verify: true
    enableAutoEncrypt: true
    httpsOnly: false
  acls:
    manageSystemACLs: true
    createReplicationToken: true
server:
  replicas: 1
  bootstrapExpect: 1
connectInject:
  enabled: true
controller:
  enabled: true
  2. Run the command:
helm install dc1 -f values.yaml hashicorp/consul --version "0.41.1" -n consul
  3. View the secrets:
NAME                                                           TYPE                                  DATA   AGE
...
dc1-consul-gossip-encryption-key                               Opaque                                1      32m
...
  4. View the error:
dc1-consul-create-federation-secret-t4r4s          0/1     Init:0/1    0          12m   <none>

Logs

Warning  FailedMount  113s                kubelet            Unable to attach or mount volumes: unmounted volumes=[gossip-encryption-key], unattached volumes=[kube-api-access-g6nz6 consul-ca-key gossip-encryption-key consul-ca-cert consul-auto-encrypt-ca-cert]: timed out waiting for the condition
Warning  FailedMount  42s (x14 over 13m)  kubelet            MountVolume.SetUp failed for volume "gossip-encryption-key" : secret "consul-gossip-encryption-key" not found

Expected behavior

The consul create federation secret job can be done.

Environment details

consul-k8s: v0.41.1

consul: v1.11.5
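
A pre-install check for the mismatch reported above, added here as an example (it is not part of the original issue or of consul-k8s). It scans rendered manifests, such as the output of helm template, and compares the name the autogenerate job passes to -secret-name with the secretName mounted by volumes called gossip-encryption-key. The RENDERED_DC1 excerpt is constructed from the two templates quoted in the issue, and the function names are hypothetical.

```python
import re

# Constructed excerpt of rendered manifests for release "dc1" (not captured
# output): the two templates quoted in the issue with their expressions filled in.
RENDERED_DC1 = """\
kind: Job
spec:
  template:
    spec:
      containers:
        - name: gossip-encryption-autogen
          command:
            - |
              consul-k8s-control-plane gossip-encryption-autogenerate \\
                -namespace=consul \\
                -secret-name=dc1-consul-gossip-encryption-key
---
kind: Job
metadata:
  name: dc1-consul-create-federation-secret
spec:
  template:
    spec:
      volumes:
        - name: gossip-encryption-key
          secret:
            secretName: consul-gossip-encryption-key
"""

# Name the autogenerate command is told to create.
PRODUCED = re.compile(r"gossip-encryption-autogenerate\b.*?-secret-name=(\S+)", re.S)
# Name a volume called gossip-encryption-key expects to mount.
CONSUMED = re.compile(r"- name: gossip-encryption-key\s+secret:\s+secretName:\s*(\S+)")

def gossip_secret_names(rendered):
    """Return (names the job creates, names volumes mount), one YAML doc at a time."""
    produced, consumed = set(), set()
    for doc in re.split(r"(?m)^---\s*$", rendered):
        produced.update(PRODUCED.findall(doc))
        consumed.update(CONSUMED.findall(doc))
    return produced, consumed

def missing_gossip_secrets(rendered):
    """Secret names that are mounted but never created by the autogenerate job."""
    produced, consumed = gossip_secret_names(rendered)
    return sorted(consumed - produced)

if __name__ == "__main__":
    print(missing_gossip_secrets(RENDERED_DC1))
```

A non-empty result means a pod will wait on a secret that nothing creates, which is the FailedMount condition shown in the logs above.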

@mntforever mntforever added the type/bug Something isn't working label Apr 25, 2022
@mntforever mntforever changed the title from "Gossip encryption key secret name mismat" to "Gossip encryption key secret name mismatched when set autoGenerate=true with a custom chart name" Apr 25, 2022
@kschoche kschoche added waiting-reply Waiting on the issue creator for a response before taking further action and removed waiting-reply Waiting on the issue creator for a response before taking further action labels Apr 28, 2022
@t-eckert
Contributor

Hi @mntforever,

Thank you for bringing this to our attention. I was able to recreate the issue with your description and have opened a pull request with the fix. This issue will be fixed in the 0.44.0 release of Consul on Kubernetes. For now, you can bypass the issue by installing Consul on Kubernetes with the dc1 release name omitted so long as that is acceptable to you.

The command would be

helm install -f values.yaml hashicorp/consul --version "0.41.1" -n consul

@david-yu
Contributor

Fixed by #1196