Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Upgrade-crds pod is erroring when attempting to validate crd apis #1634

Open
Mo0rBy opened this issue Sep 8, 2024 · 6 comments
Open

Upgrade-crds pod is erroring when attempting to validate crd apis #1634

Mo0rBy opened this issue Sep 8, 2024 · 6 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed.

Comments

@Mo0rBy
Copy link

Mo0rBy commented Sep 8, 2024

What steps did you take and what happened:
Tried to install secrets-store-csi-driver Helm chart.
1st pod I see being deployed is secrets-store-csi-driver-upgrade-crds-zkdc2 with a crds-upgrade container.
The crds-upgrade container instantly fails with the following error:

crds-upgrade error validating "crds/secrets-store.csi.x-k8s.io_secretproviderclasses.yaml": error validating data: failed to download openapi: Get "https://172.20.0.1:443/openapi/v2?timeout=32s": dial tcp 172.20.0.1:443: connect: connection refused; if you choose to ignore these errors, turn validation off with --validate=false
crds-upgrade error validating "crds/secrets-store.csi.x-k8s.io_secretproviderclasspodstatuses.yaml": error validating data: failed to download openapi: Get "https://172.20.0.1:443/openapi/v2?timeout=32s": dial tcp 172.20.0.1:443: connect: connection refused; if you choose to ignore these errors, turn validation off with --validate=false
Stream closed EOF for cluster-addons/secrets-store-csi-driver-upgrade-crds-tzshc (crds-upgrade)

What did you expect to happen:
I expect the installation to happen with no issues (mainly for the crds-upgrade pod to be able to pull the relevant data and continue its process).

Anything else you would like to add:
I'm not actually sure where this crds-upgrade pod is coming from, as the Helm chart does not show any Deployment or even a Pod yaml for it, but I'm sure it's for this installation as it refreshes whenever I try to re-install and the error message fits.

Which provider are you using:
AWS, but this is installing the base package, not AWS's additional package to interact with Secrets Manager

Environment:

  • Secrets Store CSI Driver version: (use the image tag): registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.11.1
  • Kubernetes version: (use kubectl version): v1.30.3-eks-2f46c53
@Mo0rBy Mo0rBy added the kind/bug Categorizes issue or PR as related to a bug. label Sep 8, 2024
@Mo0rBy
Copy link
Author

Mo0rBy commented Sep 8, 2024

Done some more looking and found that this pod is being created by a Job and the correct image tag for this container is registry.k8s.io/csi-secrets-store/driver-crds:v1.4.5, NOT what I put in the original post.

I upgraded from 1.4.4 to 1.4.5 to try and see of that would fix this, so I get the same behaviour with image tag 1.4.4

@Mo0rBy
Copy link
Author

Mo0rBy commented Sep 8, 2024

I have found a similar issue, but unfortunately it went stale and so there is no documented solution within the thread.

I have the ClusterRole described in that thread:
Screenshot 2024-09-08 at 13 53 41

@Mo0rBy
Copy link
Author

Mo0rBy commented Sep 11, 2024

I've just done a quick check with kubectl api-resources and we already have the CRD's available from the previous versions installation:

❯ kubectl api-resources | rg secrets-store
secretproviderclasses                            secrets-store.csi.x-k8s.io/v1            true         SecretProviderClass
secretproviderclasspodstatuses                   secrets-store.csi.x-k8s.io/v1            true         SecretProviderClassPodStatus

@Mo0rBy
Copy link
Author

Mo0rBy commented Sep 11, 2024

I've used a temporary solution of disabling the Helm install hook, so my installation does not wait for the install hook to pass first.

This means I have the failing Job + Pod for upgrade-crds still, but I dont care because I have all the actual secrets-store-csi-river DaemonSet pods so I have what I need.

Will leave this issue open as the crds-upgrade pod should still be working.

@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Dec 10, 2024
@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle rotten
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Jan 9, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kind/bug Categorizes issue or PR as related to a bug. lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed.
Projects
None yet
Development

No branches or pull requests

3 participants