
istioctl install failure

Open • cy-zheng opened this issue 4 years ago • 1 comment

Hi contributors,

I want to set up a demo Istio using `istioctl install`, but got an error like: `failed to validate the JWT from cluster "Kubernetes": the service account authentication returns an error: [invalid bearer token, square/go-jose: error in cryptographic primitive]`

Could you tell me what the proper reason is? Did I configure something in K8s or Istio wrong?

Istio 1.12.0, Kubernetes 1.19.9

istioctl install output:

```
~/istio-1.12.0# istioctl install --set profile=demo -y
✔ Istio core installed
✔ Istiod installed
✘ Egress gateways encountered an error: failed to wait for resource: resources not ready after 5m0s: timed out waiting for the condition
  Deployment/istio-system/istio-egressgateway (containers with unready status: [istio-proxy])
✘ Ingress gateways encountered an error: failed to wait for resource: resources not ready after 5m0s: timed out waiting for the condition
  Deployment/istio-system/istio-ingressgateway (containers with unready status: [istio-proxy])
- Pruning removed resources
Error: failed to install manifests: errors occurred during operation
```

istiod logs:

```
2021-12-01T13:00:15.203431Z	error	ads	Failed to authenticate client from 192.168.183.46:36214: Authenticator ClientCertAuthenticator: no verified chain is found; Authenticator KubeJWTAuthenticator: failed to validate the JWT from cluster "Kubernetes": the service account authentication returns an error: [invalid bearer token, square/go-jose: error in cryptographic primitive]
2021-12-01T13:00:27.080463Z	warn	serverca	Authentication failed for 192.168.183.46:34262: Authenticator ClientCertAuthenticator at index 0 got error: no verified chain is found. Authenticator KubeJWTAuthenticator at index 1 got error: failed to validate the JWT from cluster "Kubernetes": the service account authentication returns an error: [invalid bearer token, square/go-jose: error in cryptographic primitive].
2021-12-01T13:00:27.870598Z	warn	serverca	Authentication failed for 192.168.6.222:33440: Authenticator ClientCertAuthenticator at index 0 got error: no verified chain is found. Authenticator KubeJWTAuthenticator at index 1 got error: failed to validate the JWT from cluster "Kubernetes": the service account authentication returns an error: [invalid bearer token, square/go-jose: error in cryptographic primitive].
2021-12-01T13:00:31.634439Z	error	ads	Failed to authenticate client from 192.168.6.222:35098: Authenticator ClientCertAuthenticator: no verified chain is found; Authenticator KubeJWTAuthenticator: failed to validate the JWT from cluster "Kubernetes": the service account authentication returns an error: [invalid bearer token, square/go-jose: error in cryptographic primitive]
2021-12-01T13:00:41.660940Z	error	ads	Failed to authenticate client from 192.168.183.46:36286: Authenticator ClientCertAuthenticator: no verified chain is found; Authenticator KubeJWTAuthenticator: failed to validate the JWT from cluster "Kubernetes": the service account authentication returns an error: [invalid bearer token, square/go-jose: error in cryptographic primitive]
2021-12-01T13:00:42.371452Z	error	ads	Failed to authenticate client from 192.168.6.222:35122: Authenticator ClientCertAuthenticator: no verified chain is found; Authenticator KubeJWTAuthenticator: failed to validate the JWT from cluster "Kubernetes": the service account authentication returns an error: [invalid bearer token, square/go-jose: error in cryptographic primitive]
2021-12-01T13:01:10.690570Z	error	ads	Failed to authenticate client from 192.168.183.46:36378: Authenticator ClientCertAuthenticator: no verified chain is found; Authenticator KubeJWTAuthenticator: failed to validate the JWT from cluster "Kubernetes": the service account authentication returns an error: [invalid bearer token, square/go-jose: error in cryptographic primitive]
2021-12-01T13:01:10.718861Z	error	ads	Failed to authenticate client from 192.168.6.222:35192: Authenticator ClientCertAuthenticator: no verified chain is found; Authenticator KubeJWTAuthenticator: failed to validate the JWT from cluster "Kubernetes": the service account authentication returns an error: [invalid bearer token, square/go-jose: error in cryptographic primitive]
2021-12-01T13:01:13.583942Z	info	ads	Push debounce stable[9] 1 for config ServiceEntry/cfs/objectnode-service.cfs.svc.cluster.local: 100.193077ms since last change, 100.192972ms since last push, full=false
2021-12-01T13:01:13.583982Z	info	ads	XDS: Incremental Pushing:2021-12-01T12:59:05Z/5 ConnectedEndpoints:0 Version:2021-12-01T12:59:05Z/5
2021-12-01T13:01:14.485910Z	info	ads	Incremental push, service objectnode-service.cfs.svc.cluster.local has no endpoints
2021-12-01T13:01:14.586483Z	info	ads	Push debounce stable[10] 1 for config ServiceEntry/cfs/objectnode-service.cfs.svc.cluster.local: 100.543662ms since last change, 100.543494ms since last push, full=false
2021-12-01T13:01:14.586521Z	info	ads	XDS: Incremental Pushing:2021-12-01T12:59:05Z/5 ConnectedEndpoints:0 Version:2021-12-01T12:59:05Z/5
```

cy-zheng, Dec 01 '21 13:12

This is likely an issue with your k8s cluster. I recommend trying:

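```bash
# Submit the token read from stdin to the TokenReview API, asking the API
# server to validate it for the "istio-ca" audience.
function token-review() {
    kubectl create --raw /apis/authentication.k8s.io/v1/tokenreviews -f - <<EOF
{"apiVersion":"authentication.k8s.io/v1","kind":"TokenReview","spec":{"audiences":["istio-ca"],"token":"$(cat < /dev/stdin)"}}
EOF
}

# Request a token with the "istio-ca" audience for a service account.
# $1 = namespace (default: default), $2 = service account (default: default)
function token-request() {
  echo '{"kind":"TokenRequest","apiVersion":"authentication.k8s.io/v1","spec":{"audiences":["istio-ca"], "expirationSeconds":2592000}}' | \
    kubectl create --raw "/api/v1/namespaces/${1:-default}/serviceaccounts/${2:-default}/token" -f - | \
    jq -j '.status.token'
}

# Issue a token, then have the API server review it.
token-request | token-review
```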

howardjohn, Dec 01 '21 16:12
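To read the result of the `token-request | token-review` check above, the following added example (not part of the issue thread or of Istio) combines the TokenReview `status` with the token's own header and claims. The function names, the sample token and its `kid` are constructed for illustration; the token is decoded without verifying its signature, for inspection only.

```python
import base64
import json
import time

def b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def decode_unverified(token):
    """Return (header, claims) WITHOUT checking the signature."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    return b64url_json(parts[0]), b64url_json(parts[1])

def diagnose(review, token, audience="istio-ca", now=None):
    """Turn a TokenReview response plus the reviewed token into findings."""
    now = time.time() if now is None else now
    status = review.get("status", {})
    header, claims = decode_unverified(token)
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    findings = []
    if claims.get("exp", float("inf")) <= now:
        findings.append("token expired")
    if audience not in aud:
        findings.append(f"token aud {aud} lacks {audience}")
    if not status.get("authenticated", False):
        err = status.get("error", "no error text")
        if "error in cryptographic primitive" in err:
            # The signature did not verify against the keys the API server trusts.
            findings.append(f"API server could not verify the signature (alg={header.get('alg')}, kid={header.get('kid')})")
        else:
            findings.append(f"rejected: {err}")
    elif audience not in status.get("audiences", []):
        findings.append(f"authenticated, but not for audience {audience}")
    return findings or ["ok"]

def _seg(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample data: a token with a placeholder signature and the rejection text from the logs.
SAMPLE_CLAIMS = {"aud": ["istio-ca"], "sub": "system:serviceaccount:default:default", "exp": 4102444800}
SAMPLE_TOKEN = ".".join([_seg({"alg": "RS256", "kid": "constructed-key-id"}), _seg(SAMPLE_CLAIMS), "c2lnbmF0dXJl"])
SAMPLE_REVIEW = {"status": {"authenticated": False, "error": "[invalid bearer token, square/go-jose: error in cryptographic primitive]"}}

if __name__ == "__main__":
    print(diagnose(SAMPLE_REVIEW, SAMPLE_TOKEN))
```

A healthy cluster returns `authenticated: true` with `istio-ca` in `status.audiences`; the signature finding reproduced here means the failure sits between the token signer and the API server, before Istio is involved.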