Hub and spoke connection issues

Procedure to debug issue in the hub and spoke connections. Backup & Restore service uses connection CR to setup hub and spoke connection.

You might encounter an error when you attempt setup connections between clusters.

Bootstrap token in init secret is not correct or expired: Unauthorized

Problem statement
Connection setup fails with the following message in the connection CR:

apiVersion: application.isf.ibm.com/v1
kind: Connection
metadata:
  name: <connection-name>
  namespace: <connection-namespace>
spec:
  remoteCluster:
    apiEndpoint: <cluster api endpoint>
    connectionOperatorNamespace: <connection-namespace>
    heartBeatInterval: 10m
    initSecretName: <init-secret-name>
status:
  conditions:
    - lastTransitionTime: '2023-06-15T02:31:01Z'
      message: 'Bootstrap token in init secret is not correct or expired: Unauthorized'
      reason: CreateBootstrapSecret
      status: 'False'
      type: BootstrapSecretAvaliable
  connectionFromRemoteClusterHealth:
    message: ''
    messageCode: ''
    messageType: ''
  connectionState: Failed
  connectionToRemoteClusterHealth:
    message: ''
    messageCode: ''
    messageType: ''
Cause
The bootstrap token in the init secret is not correct or expired.
Resolution
  1. Get the bootstrap token again.
    oc create token isf-application-operator-cluster-bootstrap -n <connection-namespace>
  2. Replace the token in init secret:
    oc edit secret <init-secret-name> -n <connection-namespace>

CA certificate of peer cluster is not correct

Problem statement
The CA certificate of peer cluster is not correct error occurs in connection CR.
Cause
The CAcert in the configmap kube-root-ca.crt in namespace kube-public of the remote cluster is not correct.
Resolution
In the remote cluster, place the right CAcert in the configmap kube-root-ca.crt and namespace kube-public. Connection pkg also provides a customized configmap.
If it is not possible to place the right CAcert in configmap kube-root-ca.crt and namespace kube-public, then place the right CAcert in custom-ca.crt and Fusion namespace:

kind: ConfigMap
apiVersion: v1
metadata:
  name: custom-ca.crt
  namespace: <connection-namespace>
data:
  ca.crt: <right CAcert>