failed to generate zone-proxy token with ingress,egress #10216

Open
Icarus9913 opened this issue May 13, 2024 · 4 comments
Labels
kind/bug: A bug
triage/accepted: The issue was reviewed and is complete enough to start working on it

Comments

@Icarus9913
Contributor

What happened?

Version: v2.7.1
Deploy mode: universal

What happened

Following the official docs "Set up the zone control planes" step by step, I can't generate the zone-token with ingress && egress.

I have 1 global-cp-k8s and am trying to add 1 zone-universal. With step 1 I started up a zone-universal-cp as well. Then I tried to generate a zone-token with ingress and egress, and it returned an error.

Context

root@icarus-zone-universal:/tmp# kumactl generate zone-token --valid-for 720h --zone=zone-universal --scope egress --scope ingress > /tmp/zone-token
Error: Signing Key not found (there is no signing key with KID 1. GlobalSecret of name "zone-token-signing-key-1" is not found. If signing key was rotated, regenerate the token)
root@icarus-zone-universal:/tmp# 
root@icarus-zone-universal:/tmp# kumactl get global-secrets
NAME                              AGE
admin-user-token                  2m
envoy-admin-ca                    2m
inter-cp-ca                       2m
user-token-signing-key-1          2m
zone-token-signing-public-key-1   2m

Additional

With the above error, I gave up running the Ingress and switched to using the standard dataplane. I generated the dataplane-zone-token successfully. The following commands run well:

kumactl generate dataplane-token --name demo-dataplane --mesh default --valid-for 720h > ./dp-zone-token
kuma-dp run --cp-address https://127.0.0.1:5678 --dataplane-file ./dp-outbound.yaml --dataplane-token-file ./dp-zone-token

Icarus9913 added the labels kind/bug (A bug) and triage/pending (This issue will be looked at on the next triage meeting) on May 13, 2024

@Icarus9913
Contributor Author

100% reproducible

jakubdyszkiewicz added the label triage/accepted and removed the label triage/pending on May 13, 2024

@jakubdyszkiewicz
Contributor

Triage: improve docs and error in kumactl

@Icarus9913
Contributor Author

> Triage: improve docs and error in kumactl

I suppose it might be a bug? We only have the zone-token-signing-public-key-1 global-secret in the universal environment, and the kuma-system needs a zone-token-signing-key-1 global-secret to generate the zone-token.

@lahabana
Contributor

> Triage: improve docs and error in kumactl

@jakubdyszkiewicz this is not very complete. Can we maybe expand a little on how docs would need to improve? Is this a user error and @Icarus9913 should do something differently?
