Hub and spoke connection issues
Procedure to debug issue in the hub and spoke connections. Backup & Restore service uses connection CR to setup hub and spoke connection.
You might encounter an error when you attempt setup connections between clusters.
Bootstrap token in init secret is not correct or expired: Unauthorized
- Problem statement
- Connection setup fails with the following message in the connection CR:
apiVersion: application.isf.ibm.com/v1 kind: Connection metadata: name: <connection-name> namespace: <connection-namespace> spec: remoteCluster: apiEndpoint: <cluster api endpoint> connectionOperatorNamespace: <connection-namespace> heartBeatInterval: 10m initSecretName: <init-secret-name> status: conditions: - lastTransitionTime: '2023-06-15T02:31:01Z' message: 'Bootstrap token in init secret is not correct or expired: Unauthorized' reason: CreateBootstrapSecret status: 'False' type: BootstrapSecretAvaliable connectionFromRemoteClusterHealth: message: '' messageCode: '' messageType: '' connectionState: Failed connectionToRemoteClusterHealth: message: '' messageCode: '' messageType: ''
- Cause
- The bootstrap token in the
initsecret is not correct or expired.
- Resolution
-
- Get the bootstrap token
again.
oc create token isf-application-operator-cluster-bootstrap -n <connection-namespace> - Replace the token in
initsecret:oc edit secret <init-secret-name> -n <connection-namespace>
- Get the bootstrap token
again.
CA certificate of peer cluster is not correct
- Problem statement
- The CA certificate of peer cluster is not correct error occurs in connection CR.
- Cause
- The CAcert in the configmap
kube-root-ca.crtin namespacekube-publicof the remote cluster is not correct.
- Resolution
- In the remote cluster, place the right CAcert in the configmap
kube-root-ca.crtand namespacekube-public. Connection pkg also provides a customized configmap.