kumahq / kuma

🐻 The multi-zone service mesh for containers, Kubernetes and VMs. Built with Envoy. CNCF Sandbox Project.
https://kuma.io/install
Apache License 2.0

failed to generate zone-proxy token with ingress,egress #10216

Open Icarus9913 opened 6 months ago

Icarus9913 commented 6 months ago

What happened?

Version: v2.7.1
Deploy mode: universal

What happened

Following the official docs "Set up the zone control planes" step by step, I can't generate the zone-token with ingress && egress.

I have 1 global-cp-k8s and am trying to add 1 zone-universal. With step 1 I started up a zone-universal-cp as well. Then I tried to generate a zone-token with ingress and egress, and it returned an error.

Context

root@icarus-zone-universal:/tmp# kumactl generate zone-token --valid-for 720h --zone=zone-universal --scope egress --scope ingress > /tmp/zone-token
Error: Signing Key not found (there is no signing key with KID 1. GlobalSecret of name "zone-token-signing-key-1" is not found. If signing key was rotated, regenerate the token)
root@icarus-zone-universal:/tmp# 
root@icarus-zone-universal:/tmp# kumactl get global-secrets
NAME                              AGE
admin-user-token                  2m
envoy-admin-ca                    2m
inter-cp-ca                       2m
user-token-signing-key-1          2m
zone-token-signing-public-key-1   2m

Additional

With the above error, I gave up running the Ingress and switched to using the standard dataplane. I generated the dataplane-zone-token successfully. The following commands run well:

kumactl generate dataplane-token --name demo-dataplane --mesh default --valid-for 720h > ./dp-zone-token
kuma-dp run --cp-address https://127.0.0.1:5678 --dataplane-file ./dp-outbound.yaml --dataplane-token-file ./dp-zone-token

Icarus9913 commented 6 months ago

100% reproduce

jakubdyszkiewicz commented 6 months ago

Triage: improve docs and error in kumactl

Icarus9913 commented 6 months ago

Triage: improve docs and error in kumactl

I suppose it might be a bug? Since we only have the zone-token-signing-public-key-1 global-secret in the universal environment, and kuma-system needs a zone-token-signing-key-1 global-secret to generate the zone-token.
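
A pre-flight check for the mismatch described above, as an added example that is not part of the original thread or of Kuma itself: it reads `kumactl get global-secrets` output and reports, per KID, whether the `zone-token-signing-key-<KID>` secret named in the error is present or only its `-public-key-` counterpart. The function names and the second listing are constructed for illustration; treating a public-key-only KID as unable to sign is an assumption drawn from the error message and the secret names.

```shell
#!/bin/sh
# Added example. First listing is the one posted in the issue (zone-universal CP).
ZONE_CP_LISTING='NAME                              AGE
admin-user-token                  2m
envoy-admin-ca                    2m
inter-cp-ca                       2m
user-token-signing-key-1          2m
zone-token-signing-public-key-1   2m'

# Constructed listing (not from the issue): a CP that also holds a signing key.
CONSTRUCTED_LISTING='NAME                              AGE
zone-token-signing-key-1          5m
zone-token-signing-public-key-1   5m
zone-token-signing-public-key-2   1m'

# Reads `kumactl get global-secrets` output on stdin and prints one line per
# zone-token KID: "kid=<n> signing-key-present" or "kid=<n> public-key-only".
classify_zone_token_keys() {
  awk '
    $1 ~ /^zone-token-signing-key-[0-9]+$/ {
      kid = $1; sub(/^zone-token-signing-key-/, "", kid)
      signing[kid] = 1; seen[kid] = 1
    }
    $1 ~ /^zone-token-signing-public-key-[0-9]+$/ {
      kid = $1; sub(/^zone-token-signing-public-key-/, "", kid)
      seen[kid] = 1
    }
    END {
      for (kid in seen)
        print "kid=" kid, ((kid in signing) ? "signing-key-present" : "public-key-only")
    }
  ' | sort
}

# Succeeds only if the listing on stdin holds zone-token-signing-key-<KID>.
has_zone_token_signing_key() {
  classify_zone_token_keys | grep -qx "kid=$1 signing-key-present"
}

# Stand-alone run: classify the listing from the issue.
printf '%s\n' "$ZONE_CP_LISTING" | classify_zone_token_keys
```

Against a live control plane, pipe `kumactl get global-secrets` into `has_zone_token_signing_key 1` before calling `kumactl generate zone-token`.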

lahabana commented 5 months ago

Triage: improve docs and error in kumactl

@jakubdyszkiewicz this is not very complete. Can we maybe expand a little on how docs would need to improve? Is this a user error and @Icarus9913 should do something differently?

github-actions[bot] commented 2 months ago

This issue was inactive for 90 days. It will be reviewed in the next triage meeting and might be closed. If you think this issue is still relevant, please comment on it or attend the next triage meeting.