kumahq / kuma

🐻 The multi-zone service mesh for containers, Kubernetes and VMs. Built with Envoy. CNCF Sandbox Project.
https://kuma.io/install
Apache License 2.0

failed to generate zone-proxy token with ingress,egress #10216

Open Icarus9913 opened 1 month ago

Icarus9913 commented 1 month ago

What happened?

Version: v2.7.1 Deploy mode: universal

What happened

Following the official docs Set up the zone control planes step by step, I can't generate the zone-token with ingress && egress.

I have 1 global-cp-k8s and am trying to add 1 zone-universal. In step 1 I started up a zone-universal-cp as well. Then I tried to generate a zone-token with ingress and egress, and it returned an error.

Context

root@icarus-zone-universal:/tmp# kumactl generate zone-token --valid-for 720h --zone=zone-universal --scope egress --scope ingress > /tmp/zone-token
Error: Signing Key not found (there is no signing key with KID 1. GlobalSecret of name "zone-token-signing-key-1" is not found. If signing key was rotated, regenerate the token)
root@icarus-zone-universal:/tmp# 
root@icarus-zone-universal:/tmp# kumactl get global-secrets
NAME                              AGE
admin-user-token                  2m
envoy-admin-ca                    2m
inter-cp-ca                       2m
user-token-signing-key-1          2m
zone-token-signing-public-key-1   2m

Additional

Given the above error, I gave up running the Ingress and switched to using the standard dataplane. I generated the dataplane-zone-token successfully. The following commands ran well:

kumactl generate dataplane-token --name demo-dataplane --mesh default --valid-for 720h > ./dp-zone-token
kuma-dp run --cp-address https://127.0.0.1:5678 --dataplane-file ./dp-outbound.yaml --dataplane-token-file ./dp-zone-token
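As an added pre-flight check (example code, not from the kuma project or this issue; it assumes the two secret names seen in the listing above, with only the private `zone-token-signing-key-<KID>` able to sign and `zone-token-signing-public-key-<KID>` able only to verify), this script reads a `kumactl get global-secrets` listing and says whether the control plane it came from can sign a zone token before you run `kumactl generate zone-token`:

```shell
#!/bin/sh
# Added example, not part of the kuma project or this issue: a pre-flight
# check over the output of `kumactl get global-secrets` that tells you whether
# the PRIVATE zone-token signing key for a KID is present before you run
# `kumactl generate zone-token`, instead of hitting "Signing Key not found".
# Assumption: the private key is the global secret "zone-token-signing-key-<KID>"
# and the verify-only public key is "zone-token-signing-public-key-<KID>",
# the two names seen in the issue.

# Constructed sample: the listing from the issue (zone CP, universal mode).
SAMPLE_ZONE_CP_SECRETS='NAME                              AGE
admin-user-token                  2m
envoy-admin-ca                    2m
inter-cp-ca                       2m
user-token-signing-key-1          2m
zone-token-signing-public-key-1   2m'

# Constructed sample: a listing that also holds the private signing key.
SAMPLE_GLOBAL_CP_SECRETS='NAME                              AGE
zone-token-signing-key-1          2m
zone-token-signing-public-key-1   2m'

# has_secret LISTING NAME: 0 if NAME appears as a whole first-column entry.
# Exact match, so "zone-token-signing-key-1" does not match the public key.
has_secret() {
    printf '%s\n' "$1" | awk -v want="$2" \
        '$1 == want { found = 1 } END { exit (found ? 0 : 1) }'
}

# signing_key_status LISTING KID: prints "private" (this control plane can
# sign zone tokens), "public-only" (it can only verify them, which is what
# the zone CP listing above holds) or "none".
signing_key_status() {
    if has_secret "$1" "zone-token-signing-key-$2"; then
        echo private
    elif has_secret "$1" "zone-token-signing-public-key-$2"; then
        echo public-only
    else
        echo none
    fi
}

# Stand-alone demo over the constructed listings; on a live system use
#   signing_key_status "$(kumactl get global-secrets)" 1
for listing in "$SAMPLE_ZONE_CP_SECRETS" "$SAMPLE_GLOBAL_CP_SECRETS"; do
    echo "KID 1 signing key: $(signing_key_status "$listing" 1)"
done
```

A "public-only" result means the listing came from a control plane that can verify zone tokens but not issue them, so the private key is held elsewhere.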

Icarus9913 commented 1 month ago

100% reproducible

jakubdyszkiewicz commented 1 month ago

Triage: improve docs and error in kumactl

Icarus9913 commented 1 month ago

Triage: improve docs and error in kumactl

I suppose it might be a bug, since we only have the zone-token-signing-public-key-1 global-secret in the universal environment, and kuma-system needs a zone-token-signing-key-1 global-secret to generate the zone-token.

lahabana commented 1 month ago

Triage: improve docs and error in kumactl

@jakubdyszkiewicz this is not very complete. Can we maybe expand a little on how docs would need to improve? Is this a user error and @Icarus9913 should do something differently?