istio-csr icon indicating copy to clipboard operation
istio-csr copied to clipboard

Published 20 hours ago verified publisher icon cert-manager

updating ConfigMap data doesn't stop

Open ceastman-r7 opened this issue 2 years ago • 6 comments

helm chart version:v0.4.2 for istio-csr

The log entry updating ConfigMap data just keeps repeating for all the namespaces in the cluster.

2022-06-13T16:23:06.577141Z info klog "msg"="-----------------------------------------------------------------"
2022-06-13T16:23:06.577166Z info klog "msg"="Using root CAs from file: /var/run/secrets/istio-csr/ca.crt"
2022-06-13T16:23:06.577171Z info klog "msg"="-----------------------------------------------------------------"
2022-06-13T16:23:06.610615Z info klog tls-provider/root-ca-watcher "msg"="loading root CAs bundle" "file"="/var/run/secrets/istio-csr/ca.crt" 2022-06-13T16:23:06.610651Z info klog manager "msg"="Starting server" "addr"={"IP":"::","Port":9402,"Zone":""} "kind"="metrics" "path"="/metrics" 2022-06-13T16:23:06.610664Z info klog tls-provider/root-ca-watcher "msg"="updating root CAs from file" "file"="/var/run/secrets/istio-csr/ca.crt" 2022-06-13T16:23:06.610760Z info klog manager "msg"="Starting server" "addr"={"IP":"::","Port":6060,"Zone":""} "kind"="health probe" 2022-06-13T16:23:06.610813Z info klog attempting to acquire leader lease istio-system/istio-csr... 2022-06-13T16:23:06.639640Z info klog successfully acquired lease istio-system/istio-csr 2022-06-13T16:23:06.640303Z info klog manager/events "msg"="Normal" "message"="cert-manager-istio-csr-7bf86d579f-5xg8f_b59ef618-0e58-4001-9b52-b8489467929d became leader" "object"={"kind":"ConfigMap","namespace":"is tio-system","name":"istio-csr","uid":"3f358c3a-79ea-47b4-a4a2-96b886847ad6","apiVersion":"v1","resourceVersion":"5297621"} "reason"="LeaderElection" 2022-06-13T16:23:06.640366Z info klog manager/events "msg"="Normal" "message"="cert-manager-istio-csr-7bf86d579f-5xg8f_b59ef618-0e58-4001-9b52-b8489467929d became leader" "object"={"kind":"Lease","namespace":"istio- system","name":"istio-csr","uid":"aa2672a4-54b5-4dfb-856a-4e58ae2e8b76","apiVersion":"coordination.k8s.io/v1","resourceVersion":"5297622"} "reason"="LeaderElection" 2022-06-13T16:23:06.640380Z info klog manager/controller/configmap "msg"="Starting EventSource" "reconciler group"="" "reconciler kind"="ConfigMap" "source"="kind source: *v1.PartialObjectMetadata" 2022-06-13T16:23:06.640411Z info klog manager/controller/configmap "msg"="Starting EventSource" "reconciler group"="" "reconciler kind"="ConfigMap" "source"="kind source: *v1.Namespace" 2022-06-13T16:23:06.640456Z info klog manager/controller/configmap "msg"="Starting EventSource" "reconciler group"="" "reconciler kind"="ConfigMap" "source"="channel source: 0xc000eb0b40" 2022-06-13T16:23:06.640484Z info klog manager/controller/configmap "msg"="Starting Controller" "reconciler group"="" "reconciler kind"="ConfigMap" 2022-06-13T16:23:06.741832Z info klog manager/controller/configmap "msg"="Starting workers" "reconciler group"="" "reconciler kind"="ConfigMap" "worker count"=1 2022-06-13T16:23:06.843105Z info klog controller/configmap "msg"="updating ConfigMap data" "configmap"="istio-ca-root-cert" "namespace"="platform-delivery" 2022-06-13T16:23:06.857005Z info klog controller/configmap "msg"="updating ConfigMap data" "configmap"="istio-ca-root-cert" "namespace"="istio-addons-ingress" 2022-06-13T16:23:06.870137Z info klog controller/configmap "msg"="updating ConfigMap data" "configmap"="istio-ca-root-cert" "namespace"="cert-manager" 2022-06-13T16:23:06.884143Z info klog controller/configmap "msg"="creating configmap with root CA data" "configmap"="istio-ca-root-cert" "namespace"="kube-public" 2022-06-13T16:23:06.897590Z info klog controller/configmap "msg"="updating ConfigMap data" "configmap"="istio-ca-root-cert" "namespace"="calico-system" 2022-06-13T16:23:06.909220Z info klog controller/configmap updating ConfigMap data"istio-ca-root-cert" "namespace"="gatekeeper-system" 2022-06-13T16:23:06.918472Z info klog controller/configmap "msg"="updating ConfigMap data" "configmap"="istio-ca-root-cert" "namespace"="istio-ingress" 2022-06-13T16:23:06.928778Z info klog controller/configmap "msg"="updating ConfigMap data" "configmap"="istio-ca-root-cert" "namespace"="istio-system"

ceastman-r7 avatar Jun 13 '22 16:06 ceastman-r7

Hi @ceastman-r7, do you mean it is repeated once for each namespace, or is continuously logged for every namespace over and over again?

If the latter, then this suggests that some other entity (like istiod) is also attempting to write to these ConfigMaps which will thrash both controllers.

JoshVanL avatar Jun 13 '22 17:06 JoshVanL

continuously logging.

Oh could istiod be trying to reset it back to the self signed certificate?

ceastman-r7 avatar Jun 13 '22 17:06 ceastman-r7

Yes, sounds like to me istiod might be missing this configuration

https://github.com/cert-manager/istio-csr/blob/4200304ed29471f4bde2c499da7e60614e69efeb/hack/istio-config-1.13.4.yaml#L20

JoshVanL avatar Jun 13 '22 17:06 JoshVanL

yeah i havent switched the istio config yet. thank you.

ceastman-r7 avatar Jun 13 '22 17:06 ceastman-r7

Do you have a values.yaml override file that can be used with helm instead of an istiooperating yaml to accomplish: https://github.com/cert-manager/istio-csr/blob/main/docs/istio-config-getting-started.yaml

ceastman-r7 avatar Jun 13 '22 18:06 ceastman-r7

This thread should be of help 🙂

https://github.com/cert-manager/istio-csr/issues/113

JoshVanL avatar Jun 13 '22 19:06 JoshVanL