Troubleshooting Key Management Service plug-in

Troubleshoot common Key Management Service plug-in issues.

Install the Kubernetes CLI to run the troubleshooting commands. For more information, see Installing the Kubernetes CLI (kubectl).

Failed to create a secret: API key could not be found

Symptom

Creating a secret by using the CLI or the management console fails with the following error: Error from server (InternalError): Internal error occurred: rpc error: code = Unknown desc = BXNIM0415E:Provided API key could not be found.

Cause

The API key that you provided is not correct.

Solution

  1. Specify the correct API_Key in the /etc/cfc/conf/kmsplugin-config.yaml file.
  2. Restart the KMS plug-in container after you update the file. You can restart the KMS plug-in container by deleting the existing KMS plug-in pod.
    kubectl delete pods k8s_kmsplugin-<master_node_IP_address>
    

Failed to create a secret: the connection is unavailable

Symptom

Creating a secret by using the CLI or the management console fails with the following error: Internal error occurred: rpc error: code = Unavailable desc = grpc: the connection is unavailable.

Cause

The Customer Root Key ID is not correct.

Solution

  1. Correct the CRK_ID in the /etc/cfc/conf/kmsplugin-config.yaml file.
  2. Restart the KMS plug-in container after you update the file. You can restart the KMS plug-in container by deleting the existing KMS plug-in pod.
    kubectl delete pods k8s_kmsplugin-<master_node_IP_address>
    

Failed to create a secret: Request requires valid Instance Header containing a valid UUID

Symptom

Creating a secret by using the CLI or the management console fails with the following error: Internal error occurred: rpc error: code = Unknown desc = Bad Request: Request requires valid Instance Header containing a valid UUID.

Cause

The Key Management Service instance ID is not correct.

Solution

  1. Correct the INSTANCE_ID in the /etc/cfc/conf/kmsplugin-config.yaml file.
  2. Restart the KMS plug-in container after you update the file. You can restart the KMS plug-in container by deleting the existing KMS plug-in pod.
    kubectl delete pods k8s_kmsplugin-<master_node_IP_address>
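
The three fixes above all edit /etc/cfc/conf/kmsplugin-config.yaml, so the following check (an added example, not part of the original documentation) looks for missing or malformed values before you restart the pod; it cannot tell whether a well-formed key or ID is the correct one. It assumes that API_Key, CRK_ID and INSTANCE_ID are top-level "NAME: value" lines and that CRK_ID is a UUID like the key ID in the timeout error URL on this page; the function names are hypothetical.

```sh
#!/bin/sh
# Added example: lint kmsplugin-config.yaml before restarting the KMS plug-in pod.
# Assumption: the three settings are top-level "NAME: value" lines.

# Print the value of top-level key $1 in file $2, without padding or quotes.
cfg_value() {
    sed -n "s/^$1:[[:space:]]*//p" "$2" | head -n 1 |
        sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Succeed if $1 has the 8-4-4-4-12 hexadecimal UUID layout.
is_uuid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$'
}

# Check file $1; print one line per problem and return the number of problems.
check_kms_config() {
    problems=0
    [ -r "$1" ] || { echo "cannot read $1"; return 1; }
    if [ -z "$(cfg_value API_Key "$1")" ]; then
        echo "API_Key is missing or empty"   # the key itself is never printed
        problems=$((problems + 1))
    fi
    for key in CRK_ID INSTANCE_ID; do
        value=$(cfg_value "$key" "$1")
        if ! is_uuid "$value"; then
            echo "$key is not a well-formed UUID"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# With no argument, run on a constructed sample (not a real configuration)
# in which INSTANCE_ID has lost its last group; otherwise check the given file.
if [ $# -eq 0 ]; then
    sample=$(mktemp)
    printf '%s\n' 'API_Key: constructed-example-key' \
        'CRK_ID: 3ecbc3be-3534-41cd-9898-a224134fbb55' \
        'INSTANCE_ID: 0f1e2d3c-4b5a-6978-8796' > "$sample"
    check_kms_config "$sample" || echo "problems found: $?"
    rm -f "$sample"
else
    check_kms_config "$1"
fi
```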
    

Failed to create a secret: Client.Timeout exceeded while awaiting headers

Symptom

Creating a secret by using the CLI or the management console fails with the following error: Error from server (InternalError): Internal error occurred: rpc error: code = Unknown desc = Post https://kms-api.kube-system:28674/api/v2/keys/3ecbc3be-3534-41cd-9898-a224134fbb55?action=wrap: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers).

Cause

The Key Management Service did not respond.

Solution

  1. Log in to the management console.
  2. From the navigation menu, select Workloads > Deployments.
  3. Select key-management-api.
  4. Scroll down to Pods.
  5. Place the cursor over the only row listed under Pods.
  6. Click ... > Remove to remove the pod and to create a new pod.