secret-watcher and security-onboarding pods fail to start
During IBM Cloud Pak foundational services installation, the secret-watcher and security-onboarding pods fail to start.
Causes
The identity management (IM) pods are not ready.
To get the status of the secret-watcher and security-onboarding pods, run the following command:
oc get pod -A | grep -e secret-watcher -e security-onboarding
After you run the command, you might get the following output. The STATUS column in the sample output shows that the secret-watcher pod is running successfully and the security-onboarding pod is completed.
NAMESPACE NAME READY STATUS RESTARTS AGE
<your-foundational-services-namespace> secret-watcher-5c79cb8969-7w4nw 1/1 Running 0 19h
<your-foundational-services-namespace> security-onboarding-8kh8l 0/1 Completed 0 20h
In some instances, the STATUS of the pods can also display an error:
NAMESPACE NAME READY STATUS RESTARTS AGE
<your-foundational-services-namespace> secret-watcher-cccd54d9f-vdnn2 0/1 CreateContainerConfigError 0 20m
<your-foundational-services-namespace> security-onboarding-btlhh 0/1 CreateContainerConfigError 0 20m
If you observe the error in the pod's status, you can run the following command to find the cause of the CreateContainerConfigError error. The command displays the list of events for the security-onboarding pod:
oc get event --namespace <your-foundational-services-namespace> --field-selector involvedObject.name=security-onboarding-xxxx
After you run the command, you might get the following event, which indicates that the "icp-serviceid-apikey-secret" secret is missing. Because of the missing secret, the pod shows the CreateContainerConfigError error. It indicates an issue with the iam-onboarding job.
108m Warning Failed pod/security-onboarding-8kh8l Error: secret "icp-serviceid-apikey-secret" not found
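The two checks above can be chained into one triage helper. The following is an added example, not IBM's code: the function names and the example-ns namespace are hypothetical, and the sample text is constructed from the output shown on this page.

```shell
#!/bin/sh
# Added example (not IBM's code): offline-testable triage for the checks above.
# Function names and the example-ns namespace are hypothetical; the sample
# text is constructed from the output shown on this page.

# stdin: `oc get pod -A` output. Prints "namespace pod" for each secret-watcher
# or security-onboarding pod whose STATUS is CreateContainerConfigError.
failing_pods() {
  awk '$2 ~ /^(secret-watcher|security-onboarding)-/ &&
       $4 == "CreateContainerConfigError" { print $1, $2 }'
}

# stdin: `oc get event` output. Prints each distinct secret reported missing.
missing_secrets() {
  sed -n 's/.*secret "\([^"]*\)" not found.*/\1/p' | sort -u
}

# Live mode: chains the two commands from this page for every failing pod.
triage() {
  oc get pod -A | failing_pods | while read -r ns pod; do
    secrets=$(oc get event --namespace "$ns" \
      --field-selector "involvedObject.name=$pod" | missing_secrets)
    echo "$ns/$pod: missing secret(s): ${secrets:-none reported}"
  done
}

SAMPLE_PODS='NAMESPACE NAME READY STATUS RESTARTS AGE
example-ns secret-watcher-5c79cb8969-7w4nw 1/1 Running 0 19h
example-ns secret-watcher-cccd54d9f-vdnn2 0/1 CreateContainerConfigError 0 20m
example-ns security-onboarding-8kh8l 0/1 Completed 0 20h
example-ns security-onboarding-btlhh 0/1 CreateContainerConfigError 0 20m'

SAMPLE_EVENTS='LAST SEEN TYPE REASON OBJECT MESSAGE
110m Normal Scheduled pod/security-onboarding-btlhh Successfully assigned
108m Warning Failed pod/security-onboarding-btlhh Error: secret "icp-serviceid-apikey-secret" not found
3m Warning Failed pod/security-onboarding-btlhh Error: secret "icp-serviceid-apikey-secret" not found'

if [ "${1:-}" = "--live" ]; then
  triage
else
  printf '%s\n' "$SAMPLE_PODS" | failing_pods
  printf '%s\n' "$SAMPLE_EVENTS" | missing_secrets
fi
```

Run it with --live on a host where oc is already logged in to query the cluster; without arguments it only processes the embedded sample text.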
Resolving the problem
Restart the iam-onboarding job to resolve the issue.
- Log in to your boot node by running the oc login command.
- Restart the iam-onboarding job.
  - Get the iam-onboarding job.
    oc get job iam-onboarding
  - If the iam-onboarding job doesn't exist, restart the IM operator.
    oc delete po -l name=ibm-iam-operator
  - If the iam-onboarding job exists, restart the iam-onboarding job.
    oc get job iam-onboarding -o json | jq 'del(.spec.selector)' | jq 'del(.spec.template.metadata.labels)' | kubectl replace --force -f -
- Get the