
The Consul k8s component auth method name in UI is not the same with the one in the 'consul-k8s-control-plane acl-init' command when specify the global.federation.primaryDatacenter value #1309

Closed
mntforever opened this issue Jun 28, 2022 · 4 comments
Labels
type/bug Something isn't working waiting-reply Waiting on the issue creator for a response before taking further action

Comments

@mntforever

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request. Searching for pre-existing feature requests helps us consolidate datapoints for identical requirements into a single place, thank you!
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.

Overview of the Issue

The consul controller and mesh gateway crash when running helm with global.federation.enabled = true and global.federation.primaryDatacenter = "dc1".

  • The component auth name in consul is: dc1-consul-k8s-component-auth-method
  • The component auth name controller/mesh gateway needed is: dc1-consul-k8s-component-auth-method-dc1

In the helm chart template, we can see that:
consul-k8s/charts/consul/templates/controller-deployment.yaml
Screen Shot 2022-06-28 at 13 51 52

consul-k8s/charts/consul/templates/mesh-gateway-deployment.yaml
Screen Shot 2022-06-28 at 13 53 12

Reproduction Steps

  1. Create values.yaml with the following values:
global:
  enabled: true
  domain: consul
  image: "consul:1.12.2"
  imageK8S: hashicorp/consul-k8s-control-plane:0.45.0
  imageEnvoy: envoyproxy/envoy-alpine:v1.22.2
  datacenter: dc1
  federation:
    enabled: true
    createFederationSecret: true
    primaryDatacenter: dc1
  gossipEncryption:
    autoGenerate: true
  tls:
    enabled: true
    verify: true
    enableAutoEncrypt: true
    httpsOnly: false
  acls:
    manageSystemACLs: true
    createReplicationToken: true
server:
  replicas: 1
  bootstrapExpect: 1
connectInject:
  enabled: true
controller:
  enabled: true
  2. Run the command:
helm install dc1 -f values.yaml hashicorp/consul --version "0.45.0" -n consul
  3. View the pods:
NAME                                               READY   STATUS                  RESTARTS          AGE
...
dc1-consul-controller-84d5c44454-455f7             0/1     Init:CrashLoopBackOff   155 (2m58s ago)   17h
...
dc1-consul-mesh-gateway-84b968c499-96cqs           0/2     Init:CrashLoopBackOff   155 (4m13s ago)   17h
...
  4. Check the consul server auth methods

Screen Shot 2022-06-28 at 11 36 21

Logs

2022-06-28T04:29:20.658Z [ERROR] unable to login: error="Unexpected response code: 403 (rpc error making call: ACL not found: auth method "dc1-consul-k8s-component-auth-method-dc1" not found)"
2022-06-28T04:29:21.660Z [ERROR] unable to login: error="Unexpected response code: 403 (rpc error making call: rpc error making call: ACL not found: auth method "dc1-consul-k8s-component-auth-method-dc1" not found)"

Expected behavior

The consul controller and the mesh gateway can be deployed successfully.

Environment details

consul-k8s: v0.45.0

consul: v1.12.2

@mntforever mntforever added the type/bug Something isn't working label Jun 28, 2022
@jmurret
Member

jmurret commented Jun 28, 2022

Hi @mntforever, thank you for reporting this. I think this may just be a matter of the docs not being clear enough that global.federation.primaryDataCenter should only be supplied in datacenters that are not the primary. Can you try removing global.federation.primaryDataCenter from your values and installing? I think this issue will go away.

@jmurret jmurret added the waiting-reply Waiting on the issue creator for a response before taking further action label Jun 28, 2022
@mntforever
Author

> Hi @mntforever, thank you for reporting this. I think this may just be a matter of the docs not being clear enough that global.federation.primaryDataCenter should only be supplied in datacenters that are not the primary. Can you try removing global.federation.primaryDataCenter from your values and installing? I think this issue will go away.

Yeah, it works well now. I think they should have an update on the document. Thank you so much @jmurret

@jmurret
Member

jmurret commented Jul 1, 2022

👍 @mntforever, I opened a PR to update the docs. Thank you for bringing this to our attention.

@btkrausen

This still has not been updated in the docs...
https://developer.hashicorp.com/consul/docs/k8s/helm#v-global-federation-primarydatacenter
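
An added diagnostic sketch for the failure discussed in this thread (not part of the issue and not consul-k8s code): it pulls the auth method name out of the 403 login errors, matches it against the auth methods that actually exist, and flags the values combination the maintainer identified. The function names are hypothetical, and the sample data is constructed from the log line, auth method name and values quoted in the issue.

```python
import re

# Matches the ACL login failure in the init container logs (format as quoted in the issue).
NOT_FOUND = re.compile(r'auth method "([^"]+)" not found')

def requested_auth_methods(log_text):
    """Return the distinct auth method names the components failed to log in with."""
    return sorted(set(NOT_FOUND.findall(log_text)))

def diagnose(log_text, existing_methods, datacenter):
    """Pair each missing auth method with an existing one that differs from it
    only by a trailing "-<datacenter>" suffix (the mismatch in this issue)."""
    suffix = "-" + datacenter
    findings = []
    for name in requested_auth_methods(log_text):
        if name in existing_methods:
            continue  # the method exists, so the 403 has another cause
        base = name[:-len(suffix)] if name.endswith(suffix) else None
        findings.append((name, base if base in existing_methods else None))
    return findings

def primary_sets_primary_datacenter(values):
    """True when federation is enabled and primaryDatacenter names this same
    datacenter, the values combination reported in the issue."""
    g = values.get("global", {})
    fed = g.get("federation", {})
    primary = fed.get("primaryDatacenter")
    return bool(fed.get("enabled") and primary and primary == g.get("datacenter"))

# Constructed sample: first log line from the issue, auth method name from its UI listing.
SAMPLE_LOG = ('2022-06-28T04:29:20.658Z [ERROR] unable to login: error="Unexpected '
              'response code: 403 (rpc error making call: ACL not found: auth method '
              '"dc1-consul-k8s-component-auth-method-dc1" not found)"')
SAMPLE_EXISTING = {"dc1-consul-k8s-component-auth-method"}
SAMPLE_VALUES = {"global": {"datacenter": "dc1",
                            "federation": {"enabled": True, "primaryDatacenter": "dc1"}}}

if __name__ == "__main__":
    for wanted, found in diagnose(SAMPLE_LOG, SAMPLE_EXISTING, "dc1"):
        print(f"requested {wanted!r}; existing method without suffix: {found!r}")
    if primary_sets_primary_datacenter(SAMPLE_VALUES):
        print("global.federation.primaryDatacenter is set in the primary datacenter; remove it")
```

A finding whose second element is not None means the component asked for a suffixed name while only the unsuffixed auth method exists, which is the state shown in the issue's logs and UI listing.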
