Cluster install fails due to Vault failure

[tdcox]

Summary

Cluster install terminates prematurely due to a health check error from Vault:

error creating cluster configuring the git auth: creating the git auth config service: wait for vault to be initialized and unsealed: reading vault health: Error making API request.

Steps to reproduce the behavior

jx create cluster gke \
--cluster-name='d21' \
--default-admin-password='xxxxx' \
--environment-git-owner='tdcox' \
--enhanced-apis=true \
--enhanced-scopes=true \
--git-username='tdcox' \
--git-private=false \
--labels='demo=true' \
--machine-type='n1-standard-4' \
--max-num-nodes='3' \
--min-num-nodes='2' \
--no-tiller=true \
--preemptible=true \
--project-id='jx-mar19' \
--prow=true \
--skip-login=true \
--vault=true \
--zone='europe-west1-d'

Expected behavior

Completion of the install script.

Actual behavior

Ingress rules recreated
Vault jx-vault-d21 exposed
System vault created named jx-vault-d21 in namespace jx.
Lets set up a Git user name and API token to be able to perform CI/CD

error creating cluster configuring the git auth: creating the git auth config service: wait for vault to be initialized and unsealed: reading vault health: Error making API request.

URL: GET http://jx-vault-d21.jx.35.195.246.238.nip.io/v1/sys/health?drsecondarycode=299&performancestandbycode=299&sealedcode=299&standbycode=299&uninitcode=299
Code: 503. Raw Message:

<html>
<head><title>503 Service Temporarily Unavailable</title></head>
<body>
<center><h1>503 Service Temporarily Unavailable</h1></center>
<hr><center>nginx/1.15.8</center>
</body>
</html>
error: configuring the git auth: creating the git auth config service: wait for vault to be initialized and unsealed: reading vault health: Error making API request.

URL: GET http://jx-vault-d21.jx.35.195.246.238.nip.io/v1/sys/health?drsecondarycode=299&performancestandbycode=299&sealedcode=299&standbycode=299&uninitcode=299
Code: 503. Raw Message:

<html>
<head><title>503 Service Temporarily Unavailable</title></head>
<body>
<center><h1>503 Service Temporarily Unavailable</h1></center>
<hr><center>nginx/1.15.8</center>
</body>
</html>

D21_logs_2019-03-14.txt

Looks like the vault pod has a repeating error failed to set up mount table

Jx version

The output of jx version is:

NAME               VERSION
jx                 1.3.974
Kubernetes cluster v1.11.7-gke.4
kubectl            v1.13.4
helm client        Client: v2.13.0+g79d0794
git                git version 2.21.0
Operating System   Mac OS X 10.13.6 build 17G4015

Jenkins type

• Classic Jenkins
• Serverless Jenkins

Kubernetes cluster

[tdcox]

This seems to be both a problem with Vault and a race condition of sorts. I have just run this again and got a different partial failure of one of the Vault pods but the install continued.

This time, one of the Vault containers returned a 503 Service Temporarily Available to a health check, then started returning 429 Too Many Requests to subsequent health checks.

The healthcheck schedule is pretty aggressive at 5s.

I am also sometimes seeing the message:

error while evaluating the ingress spec: service "jx/jx-vault-d22" is type "ClusterIP", expected "NodePort" or "LoadBalancer"

[ccojocar]

@tdcox Can you provide some logs from the vault container which runs in the jx-vault-* POD?

How many containers do you see running on each jx-vault POD?

You can also try to remove the cloud resources allocated for vault backend with jx delete vault -r jx-vault-d22 and try again.

[tdcox]

@ccojocar The Vault log is attached above.

One of the Vault Pods only has 2 out of 3 containers healthy because the third is throwing 429 errors.

This cluster instance was deleted last week but the problem has shown up on multiple attempts to install so should be easy to reproduce using the config above.

[tychota]

I face the same issue.

I think readineessProbe is too fast, so it get ratelimited :)

[tychota]

Or this helm/charts#9462 (see comments just after close).

[ccojocar]

@tdcox I think by looking at the logs that the original issue is caused by an invalid ciphertext already stored in the bucket

jx,vault,2019-03-14T13:59:39.948679139Z,fluentd-gcp-v3.2.0-6kg8m,projects/jx-mar19/logs/vault,"2019-03-14T13:59:39.948Z [ERROR] core: failed to read auth table: error=""decryption failed: cipher: message authentication failed""",ERROR

It might be that the data was encrypted with different sealing keys, when you tried multiple types. The bucket name is normally built from the cluster name. Can you also reproduce it with an empty bucket?

You can also run jx delete vault -r <vault-name> to clean up the cloud resources allocated for that vault.

[BenCoffeed]

I'm still receiving a 503 error when running:

NAME               VERSION
jx                 2.0.128
Kubernetes cluster v1.11.8-eks-7c34c0
kubectl            v1.14.1
git                git version 2.21.0
Operating System   Mac OS X 10.14.4 build 18E226 

install command

jx install --provider=$provider \
--ng \
--gitops \
--no-tiller \
--no-default-environments \
--vault --aws-dynamodb-region=$aws_region \
--aws-dynamodb-table=$dynamodb_table \
--aws-kms-region=$aws_region \
--aws-kms-key-id=$aws_kms_kid\
--aws-s3-region=$aws_region  \
--aws-s3-bucket=vault-unseal.$aws_region.$domain \
--aws-access-key-id=$aws_akid \
--aws-secret-access-key=$aws_sak \
--domain $domain

I attempted to delete the bucket, the vault, and the DynamoDB table, recreated the table, and the bucket, and still receiving a 503. I even did:

jx logs vault-operator

{"level":"info","ts":1558020468.6252208,"logger":"controller_vault","msg":"Reconciling Vault","Request.Namespace":"jx","Request.Name":"jx-vault-devqa"}
{"level":"info","ts":1558020498.625383,"logger":"controller_vault","msg":"Reconciling Vault","Request.Namespace":"jx","Request.Name":"jx-vault-devqa"}
{"level":"info","ts":1558020528.6255558,"logger":"controller_vault","msg":"Reconciling Vault","Request.Namespace":"jx","Request.Name":"jx-vault-devqa"}
{"level":"info","ts":1558020558.6257367,"logger":"controller_vault","msg":"Reconciling Vault","Request.Namespace":"jx","Request.Name":"jx-vault-devqa"}
{"level":"info","ts":1558020588.6260183,"logger":"controller_vault","msg":"Reconciling Vault","Request.Namespace":"jx","Request.Name":"jx-vault-devqa"}
{"level":"info","ts":1558020618.6261528,"logger":"controller_vault","msg":"Reconciling Vault","Request.Namespace":"jx","Request.Name":"jx-vault-devqa"}
{"level":"info","ts":1558020648.6262853,"logger":"controller_vault","msg":"Reconciling Vault","Request.Namespace":"jx","Request.Name":"jx-vault-devqa"}
{"level":"info","ts":1558020678.6265512,"logger":"controller_vault","msg":"Reconciling Vault","Request.Namespace":"jx","Request.Name":"jx-vault-devqa"}
{"level":"info","ts":1558020708.6266658,"logger":"controller_vault","msg":"Reconciling Vault","Request.Namespace":"jx","Request.Name":"jx-vault-devqa"}
{"level":"info","ts":1558020738.6268415,"logger":"controller_vault","msg":"Reconciling Vault","Request.Namespace":"jx","Request.Name":"jx-vault-devqa"}
{"level":"info","ts":1558020768.6269846,"logger":"controller_vault","msg":"Reconciling Vault","Request.Namespace":"jx","Request.Name":"jx-vault-devqa"}

jx logs jx-vault-devqa-configurer

time="2019-05-16T15:32:36Z" level=error msg="error checking if vault is sealed: error checking status: Get http://jx-vault-devqa.jx:8200/v1/sys/seal-status: dial tcp 172.20.131.49:8200: i/o timeout, waiting 5s before trying again..."
time="2019-05-16T15:32:41Z" level=info msg="checking if vault is sealed...

kubectl get pods

NAME                                        READY   STATUS             RESTARTS   AGE
jx-vault-devqa-0                            1/3     CrashLoopBackOff   18         23m
jx-vault-devqa-configurer-bd5b747bf-4jtkv   1/1     Running            0          23m
vault-operator-6dc9ffd4c5-vhlc2             1/1     Running            0          54m

kubectl logs jx-vault-devqa-0 -c vault

kubectl logs jx-vault-devqa-0 -c vault
Using eth0 for VAULT_CLUSTER_ADDR: https://10.20.60.71:8201
telemetry.disable_hostname has been set to false. Recommended setting is true for Prometheus to avoid poorly named metrics.
Error parsing Seal configuration: error fetching AWS KMS sealkey information: NotFoundException: Invalid keyId
	status code: 400, request id: <redacted>

I used https://jenkins-x.io/getting-started/aws-terraform-install-gitops/ to build my EKS environment.

[ccojocar]

The original issue was for Google Cloud. It seems to be fixed now.

@BenCoffeed Please could you open another issue for AWS? I am going to close this issue for now. Thanks