Closed deadlysyn closed 7 months ago
Thanks for pointing this out! I wired up an hclog -> logr type and it's trying to log this:
[ERROR] handler.leader: Failed to get Node: error="nodes \"kind-control-plane\" is forbidden: User \"system:serviceaccount:vault:vault-agent-injector\" cannot get resource \"nodes\" in API group \"\" at the cluster scope" Node.Name=kind-control-plane
That seems to be coming from the operator-lib's Become logic that we use for determining which injector replica generates TLS: https://github.com/operator-framework/operator-lib/blob/8e41bd5ce4899a67024f070e3d3286d20b2a5668/leader/leader.go#L190
So we're missing a get for nodes in the injector's ClusterRole when using multiple replicas with auto-tls.
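For reference, here is an added illustration (not the vault-helm chart's own RBAC manifest) of the minimal rule the comment above is describing: a ClusterRole granting the injector's service account only the get verb on the cluster-scoped nodes resource, plus the binding that attaches it. The ClusterRole and binding names are placeholders; the service account name and namespace are taken from the error line quoted above.

```yaml
# Added example, not the vault-helm chart's ClusterRole.
# Names marked "placeholder" are assumptions; the service account name and
# namespace come from the error message quoted in the comment above.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: vault-agent-injector-nodes-reader   # placeholder name
rules:
  # The injector's existing permissions (webhook configuration etc.) are
  # omitted here; this is only the rule the leader-election path needs.
  - apiGroups: [""]          # core API group (the empty group in the log line)
    resources: ["nodes"]
    verbs: ["get"]           # least privilege: no list/watch, just get by name
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: vault-agent-injector-nodes-reader   # placeholder name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: vault-agent-injector-nodes-reader
subjects:
  - kind: ServiceAccount
    name: vault-agent-injector               # from the log line
    namespace: vault                         # from the log line
```

Because nodes are cluster-scoped, this has to be a ClusterRole/ClusterRoleBinding rather than a namespaced Role. A cluster admin can confirm the permission is absent before and present after applying it with `kubectl auth can-i get nodes --as=system:serviceaccount:vault:vault-agent-injector`, which answers yes or no without running the injector.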
Describe the bug
Updated to 1.4.0 on EKS 1.29 and several of our pods logged:
appears related to https://github.com/kubernetes-sigs/controller-runtime/issues/2622
To Reproduce
Likely other ways, but for us it was:
kubectl logs -l app.kubernetes.io/name=vault-injector -f
to see stack trace
This appears to be harmless noise, but wanted to report. Health checks pass, pods are ready/running, and injection still works.
Application deployment:
Including full detail here in case useful; don't judge the vault version too harshly, upgrade is in progress :-)
kubectl describe deployment:
kubectl describe replicaset:
Expected behavior
No stack trace in logs.
Environment