okd-project / okd

The self-managing, auto-upgrading, Kubernetes distribution for everyone
https://okd.io
Apache License 2.0

kube-apiserver failing to bump to new revision on SNI error #1944

Open japhar81 opened 1 month ago

japhar81 commented 1 month ago

Describe the bug

After updating API certificates, the kube-apiserver pod goes into CrashLoopBackOff. It's apparently failing on a CLI parameter for SNI certs:

E0520 14:26:56.563182 15 run.go:74] "command failed" err="invalid argument \"/etc/kubernetes/static-pod-certs/secrets/user-serving-cert-000/tls.crt,/etc/kubernetes/static-pod-certs/secrets/user-serving-cert-000/tls.key:\" for \"--tls-sni-cert-key\" flag: empty names list is not allowed"
I0520 14:26:56.568218 1 main.go:235] Termination finished with exit code 1
I0520 14:26:56.568346 1 main.go:188] Deleting termination lock file "/var/log/kube-apiserver/.terminating"

Version

4.15.0-0.okd-2024-02-23-163410

How reproducible

100% on my cluster, but I'm not sure how it got into this state

japhar81 commented 1 month ago

Quick note: editing /etc/kubernetes/static-pod-resources/kube-apiserver-pod-477/configmaps/config/config.yaml (along with the other revisions of kube-apiserver-pod-*) and populating the empty name:"" value with my API endpoint resolves the issue, but then it reverts. It's unclear where this should be set.
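The failure in the log can be checked for before a rollout with a small validator for `--tls-sni-cert-key` values, following the flag's documented `cert,key[:names]` format. This is an added example, not code from OKD or Kubernetes; `ParseSNICertKey`, `SNIPair` and the hostname `api.example.test` are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// SNIPair is one parsed --tls-sni-cert-key value (hypothetical type).
type SNIPair struct {
	CertFile, KeyFile string
	Names             []string // nil: no explicit names were supplied
}

// ParseSNICertKey validates "cert,key[:name1,name2]". A colon followed by
// nothing is rejected, which is the condition the log above reports.
func ParseSNICertKey(value string) (SNIPair, error) {
	var p SNIPair
	files, names, hasNames := strings.Cut(value, ":")
	if hasNames {
		if strings.TrimSpace(names) == "" {
			return p, errors.New("empty names list is not allowed")
		}
		for _, n := range strings.Split(names, ",") {
			p.Names = append(p.Names, strings.TrimSpace(n))
		}
	}
	parts := strings.Split(strings.TrimSpace(files), ",")
	if len(parts) != 2 {
		return p, errors.New("expected comma separated certificate and key file paths")
	}
	p.CertFile, p.KeyFile = strings.TrimSpace(parts[0]), strings.TrimSpace(parts[1])
	return p, nil
}

func main() {
	const dir = "/etc/kubernetes/static-pod-certs/secrets/user-serving-cert-000/"
	values := []string{
		dir + "tls.crt," + dir + "tls.key:",                 // value from the log above
		dir + "tls.crt," + dir + "tls.key:api.example.test", // constructed: explicit name
		dir + "tls.crt," + dir + "tls.key",                  // constructed: no names suffix
	}
	for _, v := range values {
		p, err := ParseSNICertKey(v)
		fmt.Printf("%s\n  names=%v err=%v\n", v, p.Names, err)
	}
}
```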