External secret error when running `apply.sh` on management cluster
Summary
When running apply.sh on my management cluster I have 2 errors. I suppose, but am not 100% sure, that the main problem is coming from external secrets generation.
Details
When I run:
APPLY_WATCH_TIMEOUT_MIN=30 ./apply.sh environment-values/my-cluster/
I have the following errors:
⢎⡰ Kustomization/capo-cluster-resources - HealthCheckFailed - health check failed after 30.028888228s: timeout waiting for: [HeatStack/sylva-system/heatstack-capo-cluster-resources status: 'InProgress']
⢎⡰ Kustomization/eso-secret-stores - Progressing - Reconciliation in progress
✗ Command timeout exceeded
Timed-out waiting for the following resources to be ready:
IDENTIFIER STATUS REASON MESSAGE
Kustomization/sylva-system/capo-cluster-resources InProgress Kustomization generation is 4, but latest observed generation is 3
╰┄╴HeatStack/sylva-system/heatstack-capo-cluster-resources InProgress HeatStack generation is 5, but latest observed generation is 4
╰┄╴┬┄┄[Conditions]
├┄╴Ready False INTERNAL_ERROR Gateway Timeout
╰┄╴Stalled True INTERNAL_ERROR Gateway Timeout
Kustomization/sylva-system/eso-secret-stores InProgress Running health checks for revision sha1:c8cecca87a0a054141a9a555a264999c4e7de303 with a timeout of 30s
╰┄╴ClusterSecretStore/vault InProgress unable to create client
╰┄╴┬┄┄[Conditions]
╰┄╴Ready False InvalidProviderConfig unable to create client
Looking more closely at the external secret error, I get:
kubectl describe ClusterSecretStore/vault
Name:         vault
Namespace:    
Labels:       kustomize.toolkit.fluxcd.io/name=eso-secret-stores
              kustomize.toolkit.fluxcd.io/namespace=sylva-system
Annotations:  <none>
API Version:  external-secrets.io/v1beta1
Kind:         ClusterSecretStore
Metadata:
  Creation Timestamp:  2024-06-27T11:54:21Z
  Generation:          1
  Resource Version:    371883756
  UID:                 f6959bbf-583f-470e-8d3b-b1cb89a909f1
Spec:
  Provider:
    Vault:
      Auth:
        Kubernetes:
          Mount Path:  kubernetes
          Role:        secret-reader
          Service Account Ref:
            Name:       default
            Namespace:  vault
      Ca Provider:
        Key:        ca.crt
        Name:       ca-key-pair
        Namespace:  cert-manager
        Type:       Secret
      Path:     secret
      Server:   https://vault.vault.svc.cluster.local:8200
      Version:  v2
Status:
  Capabilities:  ReadWrite
  Conditions:
    Last Transition Time:  2024-09-25T11:56:29Z
    Message:               unable to create client
    Reason:                InvalidProviderConfig
    Status:                False
    Type:                  Ready
Events:
  Type     Reason                 Age   From                  Message
  ----     ------                 ----  ----                  -------
  Warning  InvalidProviderConfig  42m   cluster-secret-store  unable to log in to auth method: unable to log in with Kubernetes auth: Put "https://vault.vault.svc.cluster.local:8200/v1/auth/kubernetes/login": tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2024-10-07T10:58:40Z is after 2024-09-25T11:52:41Z
  Warning  InvalidProviderConfig  25m   cluster-secret-store  unable to log in to auth method: unable to log in with Kubernetes auth: Put "https://vault.vault.svc.cluster.local:8200/v1/auth/kubernetes/login": tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2024-10-07T11:15:25Z is after 2024-09-25T11:52:41Z
  Warning  InvalidProviderConfig  9m7s  cluster-secret-store  unable to log in to auth method: unable to log in with Kubernetes auth: Put "https://vault.vault.svc.cluster.local:8200/v1/auth/kubernetes/login": tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2024-10-07T11:32:09Z is after 2024-09-25T11:52:41Z
I don't know what to look at first now. Any idea?
Best regards, Vincent
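The ESO event above is Go's crypto/x509 expiry error: the Vault client inside external-secrets dials https://vault.vault.svc.cluster.local:8200 and validates the serving certificate against the ca.crt from the cert-manager/ca-key-pair secret, and one certificate in that chain has a NotAfter of 2024-09-25T11:52:41Z. The following program is an added example, not code from the issue author or from the Sylva project: it builds a throwaway CA and Vault serving certificate in memory with that expiry (constructed sample PKI, not the cluster's), replays the verification at the timestamp from the event so the same x509 error is reproduced, and separates the expiry case from the other ways that call fails (unknown CA, hostname mismatch), which need a different fix. The helper names ConstructedChain, VerifyAt, IsExpired and NotAfter are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Timeline copied from the ESO event in the issue: the certificate stopped being
// valid on 2024-09-25T11:52:41Z and the failing login ran on 2024-10-07T10:58:40Z.
var (
	certNotAfter = time.Date(2024, 9, 25, 11, 52, 41, 0, time.UTC)
	loginTime    = time.Date(2024, 10, 7, 10, 58, 40, 0, time.UTC)
	vaultHost    = "vault.vault.svc.cluster.local"
)

// newCert generates a P-256 key and issues tmpl for it; with parent == nil the
// certificate is self-signed (the CA case).
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	return der, key, err
}

func pemCert(der []byte) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// parseFirst returns the first certificate of a PEM bundle (what ca.crt holds).
func parseFirst(pemBytes []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, errors.New("no PEM certificate found")
	}
	return x509.ParseCertificate(block.Bytes)
}

// ConstructedChain is sample data standing in for the cluster's PKI: a CA like the
// one in the cert-manager ca-key-pair secret and a Vault serving certificate it
// signed, each expiring at the requested time.
func ConstructedChain(caNotAfter, leafNotAfter time.Time) (serverPEM, caPEM []byte, err error) {
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "sample-ca"},
		NotBefore: caNotAfter.Add(-365 * 24 * time.Hour), NotAfter: caNotAfter,
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, caKey, err := newCert(caTmpl, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: vaultHost},
		DNSNames:  []string{vaultHost},
		NotBefore: leafNotAfter.Add(-90 * 24 * time.Hour), NotAfter: leafNotAfter,
		KeyUsage:  x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, _, err := newCert(leafTmpl, caCert, caKey)
	if err != nil {
		return nil, nil, err
	}
	return pemCert(leafDER), pemCert(caDER), nil
}

// VerifyAt does what the Vault client in ESO does on connect: validate the serving
// certificate against the caProvider CA for the dialed hostname. The clock is a
// parameter so the failure from the event can be replayed deterministically.
func VerifyAt(serverPEM, caPEM []byte, host string, at time.Time) error {
	leaf, err := parseFirst(serverPEM)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caPEM) {
		return errors.New("no usable CA certificate in ca.crt")
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: at})
	return err
}

// IsExpired is true only for the expiry reason seen in the issue, not for an
// unknown CA or a SAN mismatch, which would need a different fix.
func IsExpired(err error) bool {
	var inv x509.CertificateInvalidError
	return errors.As(err, &inv) && inv.Reason == x509.Expired
}

// NotAfter is the value to compare with the "is after ..." timestamp in the event
// to tell whether the serving cert or the CA is the one that ran out.
func NotAfter(pemBytes []byte) (time.Time, error) {
	cert, err := parseFirst(pemBytes)
	if err != nil {
		return time.Time{}, err
	}
	return cert.NotAfter, nil
}

func main() {
	serverPEM, caPEM, err := ConstructedChain(certNotAfter, certNotAfter)
	if err != nil {
		panic(err)
	}
	exp, _ := NotAfter(serverPEM)
	fmt.Println("serving cert NotAfter:", exp.Format(time.RFC3339))
	err = VerifyAt(serverPEM, caPEM, vaultHost, loginTime)
	fmt.Printf("verify at %s: %v (expired=%t)\n", loginTime.Format(time.RFC3339), err, IsExpired(err))
}
```

On the real cluster the two inputs to compare against 2024-09-25T11:52:41Z are the certificate Vault presents on port 8200 (openssl s_client -connect vault.vault.svc.cluster.local:8200 -showcerts from a pod in the cluster) and the ca.crt of the cert-manager/ca-key-pair secret decoded from base64 and piped through openssl x509 -noout -enddate; whichever carries that NotAfter is the one that was not renewed, and the Ready condition's Last Transition Time of 2024-09-25T11:56:29Z, minutes after that expiry, fits that reading. Note that restarting ESO or re-running apply.sh does not help while the chain is expired; the certificate has to be reissued first.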