openyurtio / openyurt

OpenYurt - Extending your native Kubernetes to edge (project under CNCF)
https://openyurt.io
Apache License 2.0

[BUG] init yurtcoordinator failed: fail to write CA assets into secret when initializing yurtcoordinator: create secret client yurt-coordinator-ca-certs fail #2127

Open twosson opened 3 months ago

twosson commented 3 months ago

What happened: Installing yurt-manager gives an error: deleg.go:144] setup "msg"="unable to setup controllers" "error"="init yurtcoordinator failed: fail to write CA assets into secret when initializing yurtcoordinator: create secret client yurt-coordinator-ca-certs fail: secrets is forbidden: User \"system:serviceaccount:kube-system:yurt-manager\" cannot create resource \"secrets\" in API group \"\" in the namespace \"kube-system\""

What you expected to happen:

How to reproduce it (as minimally and precisely as possible): helm upgrade --install yurt-manager -n kube-system openyurt/yurt-manager

Anything else we need to know?:

Environment:

others

/kind bug

rambohe-ch commented 2 months ago

@twosson Thanks for raising this issue. It seems that the create secret RBAC right is missing for the yurt-coordinator-ca-certs controller.

rambohe-ch commented 2 months ago

@twosson Sorry, I have checked the code of the yurt-coordinator-ca-certs controller, which uses the yurt-coordinator-cert-controller serviceaccount instead of yurt-manager.

https://github.com/openyurtio/openyurt/blob/734da95df42010d13b26625cc118dc59a2343a1f/pkg/yurtmanager/controller/yurtcoordinator/cert/yurt_coordinator_cert_controller.go#L201

Moreover, the create secrets RBAC settings are configured for the yurt-coordinator-cert-controller serviceaccount as follows:

https://github.com/openyurtio/openyurt/blob/734da95df42010d13b26625cc118dc59a2343a1f/charts/yurt-manager/templates/yurt-manager-auto-generated.yaml#L1055

So would you like to check the yurt-manager component version that you have used?

YunWZ commented 1 month ago

> @twosson Sorry, I have checked the code of the yurt-coordinator-ca-certs controller, which uses the yurt-coordinator-cert-controller serviceaccount instead of yurt-manager.
>
> https://github.com/openyurtio/openyurt/blob/734da95df42010d13b26625cc118dc59a2343a1f/pkg/yurtmanager/controller/yurtcoordinator/cert/yurt_coordinator_cert_controller.go#L201
>
> Moreover, the create secrets RBAC settings are configured for the yurt-coordinator-cert-controller serviceaccount as follows:
>
> https://github.com/openyurtio/openyurt/blob/734da95df42010d13b26625cc118dc59a2343a1f/charts/yurt-manager/templates/yurt-manager-auto-generated.yaml#L1055
>
> So would you like to check the yurt-manager component version that you have used?

The same problem for me, as the log of yurt-manager shows:

deleg.go:144] setup "msg"="unable to setup controllers" "error"="init yurtcoordinator failed: fail to write CA assets into secret when initializing yurtcoordinator: create secret client yurt-coordinator-ca-certs fail: secrets is forbidden: User \"system:serviceaccount:kube-system:yurt-manager\" cannot create resource \"secrets\" in API group \"\" in the namespace \"kube-system\""

yurt-manager uses serviceaccount yurt-manager instead of yurt-manager-yurt-coordinator-cert-controller.

luc99hen commented 1 month ago

> > @twosson Sorry, I have checked the code of the yurt-coordinator-ca-certs controller, which uses the yurt-coordinator-cert-controller serviceaccount instead of yurt-manager. https://github.com/openyurtio/openyurt/blob/734da95df42010d13b26625cc118dc59a2343a1f/pkg/yurtmanager/controller/yurtcoordinator/cert/yurt_coordinator_cert_controller.go#L201
> >
> > Moreover, the create secrets RBAC settings are configured for the yurt-coordinator-cert-controller serviceaccount as follows: https://github.com/openyurtio/openyurt/blob/734da95df42010d13b26625cc118dc59a2343a1f/charts/yurt-manager/templates/yurt-manager-auto-generated.yaml#L1055
> >
> > So would you like to check the yurt-manager component version that you have used?
>
> The same problem for me, as the log of yurt-manager shows:
>
> deleg.go:144] setup "msg"="unable to setup controllers" "error"="init yurtcoordinator failed: fail to write CA assets into secret when initializing yurtcoordinator: create secret client yurt-coordinator-ca-certs fail: secrets is forbidden: User \"system:serviceaccount:kube-system:yurt-manager\" cannot create resource \"secrets\" in API group \"\" in the namespace \"kube-system\""
>
> yurt-manager uses serviceaccount yurt-manager instead of yurt-manager-yurt-coordinator-cert-controller.

As mentioned before, please post the yurt-manager component version that you used. It's unusual that yurt-manager uses serviceaccount yurt-manager instead of yurt-manager-yurt-coordinator-cert-controller.
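The disagreement in this thread comes down to two facts about a deployed chart: which ServiceAccount the yurt-manager Deployment's pods actually run as, and whether any (Cluster)RoleBinding naming that account grants `create` on `secrets` in kube-system. The following is an added example, not code from the thread or from the OpenYurt project: it answers both questions offline against a list of parsed manifests such as `helm template` produces. The `MANIFESTS` fixture is constructed for illustration and its object names and rules are assumptions shaped like the problem described above, not the real chart's contents.

```python
# Added example: check which ServiceAccount a Deployment runs as and whether
# RBAC bound to that account permits a given verb on a resource.
# MANIFESTS is a constructed fixture resembling parsed `helm template` output;
# the names and rules are assumptions, not the actual yurt-manager chart.

DEPLOYMENT = "yurt-manager"
NAMESPACE = "kube-system"
CERT_SA = "yurt-manager-yurt-coordinator-cert-controller"  # assumed name

MANIFESTS = [
    {"kind": "ServiceAccount", "metadata": {"name": "yurt-manager", "namespace": NAMESPACE}},
    {"kind": "ServiceAccount", "metadata": {"name": CERT_SA, "namespace": NAMESPACE}},
    {"kind": "Deployment", "metadata": {"name": DEPLOYMENT, "namespace": NAMESPACE},
     "spec": {"template": {"spec": {"serviceAccountName": "yurt-manager",
                                    "containers": [{"name": "yurt-manager",
                                                    "image": "openyurt/yurt-manager:v1.4.0"}]}}}},
    # Assumed: the manager's own account may only read secrets ...
    {"kind": "ClusterRole", "metadata": {"name": "yurt-manager-base"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list", "watch"]}]},
    # ... while the cert controller's account may also create/update them.
    {"kind": "ClusterRole", "metadata": {"name": CERT_SA},
     "rules": [{"apiGroups": [""], "resources": ["secrets"],
                "verbs": ["create", "get", "list", "watch", "update"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "yurt-manager-base"},
     "roleRef": {"kind": "ClusterRole", "name": "yurt-manager-base"},
     "subjects": [{"kind": "ServiceAccount", "name": "yurt-manager", "namespace": NAMESPACE}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": CERT_SA},
     "roleRef": {"kind": "ClusterRole", "name": CERT_SA},
     "subjects": [{"kind": "ServiceAccount", "name": CERT_SA, "namespace": NAMESPACE}]},
]


def deployment_service_account(manifests, name, namespace):
    """Return the ServiceAccount the Deployment's pods run as, or None if not found."""
    for m in manifests:
        meta = m.get("metadata", {})
        if m.get("kind") == "Deployment" and meta.get("name") == name and meta.get("namespace") == namespace:
            pod = m["spec"]["template"]["spec"]
            # An omitted serviceAccountName means the namespace's "default" account.
            return pod.get("serviceAccountName") or pod.get("serviceAccount") or "default"
    return None


def _rule_allows(rule, api_group, resource, verb):
    """RBAC rule match: each field must list the wanted value or the wildcard '*'."""
    def hit(field, want):
        values = rule.get(field, [])
        return "*" in values or want in values
    return hit("apiGroups", api_group) and hit("resources", resource) and hit("verbs", verb)


def _roles_for(manifests, role_kind, role_name, role_namespace):
    """Yield the Role/ClusterRole objects a roleRef points at (Roles must match the namespace)."""
    for m in manifests:
        meta = m.get("metadata", {})
        if m.get("kind") == role_kind and meta.get("name") == role_name:
            if role_kind == "Role" and meta.get("namespace") != role_namespace:
                continue
            yield m


def sa_can(manifests, sa_name, sa_namespace, verb, resource, target_namespace, api_group=""):
    """True if a binding naming the ServiceAccount grants verb on resource in target_namespace."""
    for b in manifests:
        kind = b.get("kind")
        if kind not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        if not any(s.get("kind") == "ServiceAccount" and s.get("name") == sa_name
                   and s.get("namespace") == sa_namespace for s in b.get("subjects", [])):
            continue
        # A RoleBinding only grants inside its own namespace, even when it references a ClusterRole.
        binding_ns = b["metadata"].get("namespace") if kind == "RoleBinding" else None
        if binding_ns is not None and binding_ns != target_namespace:
            continue
        ref = b["roleRef"]
        for role in _roles_for(manifests, ref["kind"], ref["name"], binding_ns):
            if any(_rule_allows(r, api_group, resource, verb) for r in role.get("rules", [])):
                return True
    return False


def diagnose(manifests, deployment, namespace, verb, resource):
    """Return (service_account, allowed): the Deployment's identity and whether it may do verb on resource."""
    sa = deployment_service_account(manifests, deployment, namespace)
    return sa, (sa is not None and sa_can(manifests, sa, namespace, verb, resource, namespace))


if __name__ == "__main__":
    sa, ok = diagnose(MANIFESTS, DEPLOYMENT, NAMESPACE, "create", "secrets")
    print(f"{DEPLOYMENT} runs as {sa}; create secrets in {NAMESPACE}: {'allowed' if ok else 'forbidden'}")
    for cand in ("yurt-manager", CERT_SA):
        print(f"  {cand}: {sa_can(MANIFESTS, cand, NAMESPACE, 'create', 'secrets', NAMESPACE)}")
```

Against this fixture `diagnose` reports that the Deployment runs as `yurt-manager` and that creating secrets is forbidden, while the cert-controller account would be allowed, which is exactly the split the forbidden message in the logs points at. To run it on a real release, load `helm template yurt-manager openyurt/yurt-manager -n kube-system` with `yaml.safe_load_all` and pass the resulting list as `manifests`. In a live cluster the same two facts come from `kubectl -n kube-system get deploy yurt-manager -o jsonpath='{.spec.template.spec.serviceAccountName}'` and `kubectl auth can-i create secrets -n kube-system --as=system:serviceaccount:kube-system:yurt-manager`.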

YunWZ commented 1 month ago


I installed openyurt by helm: helm upgrade --install yurt-manager -n kube-system openyurt/yurt-manager. In the pod of yurt-manager, the spec defines the image as openyurt/yurt-manager:v1.4.0

YunWZ commented 1 month ago

Also, I have tried installing the 1.5.0 version: helm upgrade --install yurt-manager -n kube-system openyurt/yurt-manager --version 1.5.0. The image of yurt-manager is still openyurt/yurt-manager:v1.4.0 (Image ID: docker.io/openyurt/yurt-manager@sha256:12d4d9eb734164c7a3ece4aee9c59dce47ca91d786fbe8d34463b6872c88d2a0).

The log of yurt-manager looks like this (kubectl -n kube-system logs yurt-manager-867d5f8989-q6vpt):

I1011 11:52:26.834723       1 yurtappset_controller.go:81] yurtappset-controller add controller apps.openyurt.io/v1alpha1, Resource=yurtappsets
I1011 11:52:26.835401       1 daemon_pod_updater_controller.go:104] daemonupdater-controller add controller apps/v1, Kind=DaemonSet
I1011 11:52:26.835518       1 node_lifecycle_controller.go:464] Starting node controller
I1011 11:52:26.838433       1 yurtcoordinatorcert_controller.go:416] yurt-coordinator-cert-controller: secret(kube-system/yurt-coordinator-ca-certs) is not found, create new CA
E1011 11:52:27.105626       1 deleg.go:144] setup "msg"="unable to setup controllers" "error"="init yurtcoordinator failed: fail to write CA assets into secret when initializing yurtcoordinator: create secret client yurt-coordinator-ca-certs fail: secrets is forbidden: User \"system:serviceaccount:kube-system:yurt-manager\" cannot create resource \"secrets\" in API group \"\" in the namespace \"kube-system\""

luc99hen commented 1 month ago

> Also, I have tried installing the 1.5.0 version: helm upgrade --install yurt-manager -n kube-system openyurt/yurt-manager --version 1.5.0. The image of yurt-manager is still openyurt/yurt-manager:v1.4.0 (Image ID: docker.io/openyurt/yurt-manager@sha256:12d4d9eb734164c7a3ece4aee9c59dce47ca91d786fbe8d34463b6872c88d2a0).
>
> The log of yurt-manager looks like this (kubectl -n kube-system logs yurt-manager-867d5f8989-q6vpt):
>
> I1011 11:52:26.834723       1 yurtappset_controller.go:81] yurtappset-controller add controller apps.openyurt.io/v1alpha1, Resource=yurtappsets
> I1011 11:52:26.835401       1 daemon_pod_updater_controller.go:104] daemonupdater-controller add controller apps/v1, Kind=DaemonSet
> I1011 11:52:26.835518       1 node_lifecycle_controller.go:464] Starting node controller
> I1011 11:52:26.838433       1 yurtcoordinatorcert_controller.go:416] yurt-coordinator-cert-controller: secret(kube-system/yurt-coordinator-ca-certs) is not found, create new CA
> E1011 11:52:27.105626       1 deleg.go:144] setup "msg"="unable to setup controllers" "error"="init yurtcoordinator failed: fail to write CA assets into secret when initializing yurtcoordinator: create secret client yurt-coordinator-ca-certs fail: secrets is forbidden: User \"system:serviceaccount:kube-system:yurt-manager\" cannot create resource \"secrets\" in API group \"\" in the namespace \"kube-system\""

Thanks for your reply. It seems that the online helm repo is not updated. @rambohe-ch

Please try using openyurt/yurt-manager:v1.5.0 @YunWZ