Coordinate update blocked by ACLs warnings in servers during first installation #3457

Open
defesteban opened this issue Jan 9, 2024 · 0 comments
Labels
type/bug Something isn't working

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request. Searching for pre-existing feature requests helps us consolidate datapoints for identical requirements into a single place, thank you!
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.

Overview of the Issue

During first installation two out of three Consul server pods are filled with the following warning:

2024-01-09T15:22:30.296Z [WARN]  agent: Coordinate update blocked by ACLs: accessorID="anonymous token"

Reproduction Steps

Steps to reproduce this issue:

  1. When running helm install with the following values.yml:
global:
  name: consul
  image: hashicorp/consul:1.17.1
  imageK8S: hashicorp/consul-k8s-control-plane:1.3.1
  tls:
    enabled: true
    httpsOnly: false
  acls:
    manageSystemACLs: true
  imageConsulDataplane: hashicorp/consul-dataplane:1.3.1
server:
  replicas: 3
  storageClass: local-storage
client:
  enabled: true
ui:
  ingress:
    enabled: true
    hosts:
      - host: consul-consul-test.kubernetes.example.com
connectInject:
  enabled: false
  2. Two out of three Consul server pods contain a lot of warnings:
2024-01-09T15:20:47.673Z [WARN]  agent: Node info update blocked by ACLs: node=ab434c1d-6642-6617-5c2f-f244f2bcb1bf accessorID="anonymous token"
2024-01-09T15:21:09.227Z [WARN]  agent: Coordinate update blocked by ACLs: accessorID="anonymous token"

Logs

Defaulted container "consul" out of: consul, locality-init (init)
==> Starting Consul agent...
               Version: '1.17.1'
            Build Date: '2023-12-12 19:55:27 +0000 UTC'
               Node ID: 'ab434c1d-6642-6617-5c2f-f244f2bcb1bf'
             Node name: 'consul-server-1'
            Datacenter: 'dc1' (Segment: '<all>')
                Server: true (Bootstrap: false)
           Client Addr: [0.0.0.0] (HTTP: 8500, HTTPS: 8501, gRPC: -1, gRPC-TLS: 8502, DNS: 8600)
          Cluster Addr: 10.131.60.169 (LAN: 8301, WAN: 8302)
     Gossip Encryption: false
      Auto-Encrypt-TLS: false
           ACL Enabled: true
     Reporting Enabled: false
    ACL Default Policy: deny
             HTTPS TLS: Verify Incoming: false, Verify Outgoing: true, Min Version: TLSv1_2
              gRPC TLS: Verify Incoming: false, Min Version: TLSv1_2
      Internal RPC TLS: Verify Incoming: true, Verify Outgoing: true (Verify Hostname: true), Min Version: TLSv1_2

==> Log data will now stream in as it occurs:

2024-01-09T15:12:58.040Z [WARN]  agent: bootstrap_expect > 0: expecting 3 servers
2024-01-09T15:12:58.440Z [WARN]  agent.auto_config: bootstrap_expect > 0: expecting 3 servers
2024-01-09T15:12:58.633Z [INFO]  agent.server.raft: initial configuration: index=0 servers=[]
2024-01-09T15:12:58.633Z [INFO]  agent.server.raft: entering follower state: follower="Node at 10.131.60.169:8300 [Follower]" leader-address= leader-id=
2024-01-09T15:12:58.635Z [INFO]  agent.server.serf.wan: serf: EventMemberJoin: consul-server-1.dc1 10.131.60.169
2024-01-09T15:12:58.636Z [INFO]  agent.server.serf.lan: serf: EventMemberJoin: consul-server-1 10.131.60.169
2024-01-09T15:12:58.636Z [INFO]  agent.router: Initializing LAN area manager
2024-01-09T15:12:58.636Z [INFO]  agent.server: Adding LAN server: server="consul-server-1 (Addr: tcp/10.131.60.169:8300) (DC: dc1)"
2024-01-09T15:12:58.637Z [INFO]  agent.server: Handled event for server in area: event=member-join server=consul-server-1.dc1 area=wan
2024-01-09T15:12:58.638Z [INFO]  agent.server.autopilot: reconciliation now disabled
2024-01-09T15:12:58.933Z [INFO]  agent.server.cert-manager: initialized server certificate management
2024-01-09T15:12:58.934Z [INFO]  agent: Started DNS server: address=0.0.0.0:8600 network=udp
2024-01-09T15:12:58.934Z [INFO]  agent: Started DNS server: address=0.0.0.0:8600 network=tcp
2024-01-09T15:12:58.935Z [INFO]  agent.http: Registered resource endpoint: endpoint=/mesh/v2beta1/proxyconfiguration/
2024-01-09T15:12:58.935Z [INFO]  agent.http: Registered resource endpoint: endpoint=/auth/v2beta1/workloadidentity/
2024-01-09T15:12:58.935Z [INFO]  agent.http: Registered resource endpoint: endpoint=/auth/v2beta1/trafficpermissions/
2024-01-09T15:12:58.935Z [INFO]  agent.http: Registered resource endpoint: endpoint=/internal/v1/tombstone/
2024-01-09T15:12:58.935Z [INFO]  agent.http: Registered resource endpoint: endpoint=/mesh/v2beta1/destinations/
2024-01-09T15:12:58.935Z [INFO]  agent.http: Registered resource endpoint: endpoint=/mesh/v2beta1/computedexplicitdestinations/
2024-01-09T15:12:58.935Z [INFO]  agent.http: Registered resource endpoint: endpoint=/catalog/v2beta1/service/
2024-01-09T15:12:58.935Z [INFO]  agent.http: Registered resource endpoint: endpoint=/catalog/v2beta1/serviceendpoints/
2024-01-09T15:12:58.935Z [INFO]  agent.http: Registered resource endpoint: endpoint=/demo/v1/album/
2024-01-09T15:12:58.935Z [INFO]  agent.http: Registered resource endpoint: endpoint=/demo/v2/album/
2024-01-09T15:12:58.935Z [INFO]  agent.http: Registered resource endpoint: endpoint=/tenancy/v1alpha1/namespace/
2024-01-09T15:12:58.935Z [INFO]  agent.http: Registered resource endpoint: endpoint=/mesh/v2beta1/destinationpolicy/
2024-01-09T15:12:58.935Z [INFO]  agent.http: Registered resource endpoint: endpoint=/catalog/v2beta1/workload/
2024-01-09T15:12:58.935Z [INFO]  agent.http: Registered resource endpoint: endpoint=/catalog/v2beta1/node/
2024-01-09T15:12:58.935Z [INFO]  agent.http: Registered resource endpoint: endpoint=/catalog/v2beta1/healthstatus/
2024-01-09T15:12:58.935Z [INFO]  agent.http: Registered resource endpoint: endpoint=/auth/v2beta1/computedtrafficpermissions/
2024-01-09T15:12:58.935Z [INFO]  agent.http: Registered resource endpoint: endpoint=/demo/v1/executive/
2024-01-09T15:12:58.935Z [INFO]  agent.http: Registered resource endpoint: endpoint=/mesh/v2beta1/proxystatetemplate/
2024-01-09T15:12:58.935Z [INFO]  agent.http: Registered resource endpoint: endpoint=/mesh/v2beta1/tcproute/
2024-01-09T15:12:58.935Z [INFO]  agent.http: Registered resource endpoint: endpoint=/catalog/v2beta1/failoverpolicy/
2024-01-09T15:12:58.935Z [INFO]  agent.http: Registered resource endpoint: endpoint=/demo/v1/recordlabel/
2024-01-09T15:12:58.935Z [INFO]  agent.http: Registered resource endpoint: endpoint=/demo/v1/artist/
2024-01-09T15:12:58.935Z [INFO]  agent.http: Registered resource endpoint: endpoint=/mesh/v2beta1/computedproxyconfiguration/
2024-01-09T15:12:58.935Z [INFO]  agent.http: Registered resource endpoint: endpoint=/mesh/v2beta1/grpcroute/
2024-01-09T15:12:58.935Z [INFO]  agent.http: Registered resource endpoint: endpoint=/mesh/v2beta1/computedroutes/
2024-01-09T15:12:58.935Z [INFO]  agent.http: Registered resource endpoint: endpoint=/demo/v1/concept/
2024-01-09T15:12:58.935Z [INFO]  agent.http: Registered resource endpoint: endpoint=/demo/v2/artist/
2024-01-09T15:12:58.935Z [INFO]  agent.http: Registered resource endpoint: endpoint=/mesh/v2beta1/httproute/
2024-01-09T15:12:58.935Z [INFO]  agent.http: Registered resource endpoint: endpoint=/catalog/v2beta1/service/
2024-01-09T15:12:58.935Z [INFO]  agent.http: Registered resource endpoint: endpoint=/catalog/v2beta1/serviceendpoints/
2024-01-09T15:12:58.935Z [INFO]  agent.http: Registered resource endpoint: endpoint=/auth/v2beta1/workloadidentity/
2024-01-09T15:12:58.935Z [INFO]  agent.http: Registered resource endpoint: endpoint=/auth/v2beta1/trafficpermissions/
2024-01-09T15:12:58.935Z [INFO]  agent.http: Registered resource endpoint: endpoint=/internal/v1/tombstone/
2024-01-09T15:12:58.935Z [INFO]  agent.http: Registered resource endpoint: endpoint=/mesh/v2beta1/destinations/
2024-01-09T15:12:58.935Z [INFO]  agent.http: Registered resource endpoint: endpoint=/mesh/v2beta1/computedexplicitdestinations/
2024-01-09T15:12:58.935Z [INFO]  agent.http: Registered resource endpoint: endpoint=/demo/v1/album/
2024-01-09T15:12:58.935Z [INFO]  agent.http: Registered resource endpoint: endpoint=/demo/v2/album/
2024-01-09T15:12:58.935Z [INFO]  agent.http: Registered resource endpoint: endpoint=/catalog/v2beta1/healthstatus/
2024-01-09T15:12:58.935Z [INFO]  agent.http: Registered resource endpoint: endpoint=/auth/v2beta1/computedtrafficpermissions/
2024-01-09T15:12:58.935Z [INFO]  agent.http: Registered resource endpoint: endpoint=/tenancy/v1alpha1/namespace/
2024-01-09T15:12:58.935Z [INFO]  agent.http: Registered resource endpoint: endpoint=/mesh/v2beta1/destinationpolicy/
2024-01-09T15:12:58.935Z [INFO]  agent.http: Registered resource endpoint: endpoint=/catalog/v2beta1/workload/
2024-01-09T15:12:58.935Z [INFO]  agent.http: Registered resource endpoint: endpoint=/catalog/v2beta1/node/
2024-01-09T15:12:58.935Z [INFO]  agent.http: Registered resource endpoint: endpoint=/catalog/v2beta1/failoverpolicy/
2024-01-09T15:12:58.935Z [INFO]  agent.http: Registered resource endpoint: endpoint=/demo/v1/executive/
2024-01-09T15:12:58.935Z [INFO]  agent.http: Registered resource endpoint: endpoint=/mesh/v2beta1/proxystatetemplate/
2024-01-09T15:12:58.935Z [INFO]  agent.http: Registered resource endpoint: endpoint=/mesh/v2beta1/tcproute/
2024-01-09T15:12:58.936Z [INFO]  agent.http: Registered resource endpoint: endpoint=/mesh/v2beta1/grpcroute/
2024-01-09T15:12:58.936Z [INFO]  agent.http: Registered resource endpoint: endpoint=/mesh/v2beta1/computedroutes/
2024-01-09T15:12:58.936Z [INFO]  agent.http: Registered resource endpoint: endpoint=/demo/v1/recordlabel/
2024-01-09T15:12:58.936Z [INFO]  agent.http: Registered resource endpoint: endpoint=/demo/v1/artist/
2024-01-09T15:12:58.936Z [INFO]  agent.http: Registered resource endpoint: endpoint=/mesh/v2beta1/computedproxyconfiguration/
2024-01-09T15:12:58.936Z [INFO]  agent.http: Registered resource endpoint: endpoint=/demo/v1/concept/
2024-01-09T15:12:58.936Z [INFO]  agent.http: Registered resource endpoint: endpoint=/demo/v2/artist/
2024-01-09T15:12:58.936Z [INFO]  agent.http: Registered resource endpoint: endpoint=/mesh/v2beta1/httproute/
2024-01-09T15:12:58.936Z [INFO]  agent.http: Registered resource endpoint: endpoint=/mesh/v2beta1/proxyconfiguration/
2024-01-09T15:12:58.936Z [INFO]  agent: Starting server: address=[::]:8500 network=tcp protocol=http
2024-01-09T15:12:58.936Z [INFO]  agent: Starting server: address=[::]:8501 network=tcp protocol=https
2024-01-09T15:12:58.937Z [INFO]  agent: Started gRPC listeners: port_name=grpc_tls address=[::]:8502 network=tcp
2024-01-09T15:12:58.937Z [INFO]  agent: Retry join is supported for the following discovery methods: cluster=LAN discovery_methods="aliyun aws azure digitalocean gce hcp k8s linode mdns os packet scaleway softlayer tencentcloud triton vsphere"
2024-01-09T15:12:58.937Z [INFO]  agent: Joining cluster...: cluster=LAN
2024-01-09T15:12:58.937Z [INFO]  agent: (LAN) joining: lan_addresses=["consul-server.consul-test.svc:8301"]
2024-01-09T15:12:58.938Z [INFO]  agent: started state syncer
2024-01-09T15:12:58.938Z [INFO]  agent: Consul agent running!
2024-01-09T15:12:59.135Z [INFO]  agent.server.serf.lan: serf: EventMemberJoin: consul-server-2 10.129.187.20
2024-01-09T15:12:59.135Z [INFO]  agent.server.serf.lan: serf: EventMemberJoin: consul-server-0 10.131.6.129
2024-01-09T15:12:59.136Z [INFO]  agent.server: Adding LAN server: server="consul-server-2 (Addr: tcp/10.129.187.20:8300) (DC: dc1)"
2024-01-09T15:12:59.333Z [INFO]  agent: (LAN) joined: number_of_nodes=3
2024-01-09T15:12:59.333Z [INFO]  agent: Join cluster completed. Synced with initial agents: cluster=LAN num_agents=3
2024-01-09T15:12:59.439Z [INFO]  agent.server.serf.wan: serf: EventMemberJoin: consul-server-0.dc1 10.131.6.129
2024-01-09T15:12:59.439Z [INFO]  agent.server.serf.wan: serf: EventMemberJoin: consul-server-2.dc1 10.129.187.20
2024-01-09T15:12:59.439Z [INFO]  agent.server: Handled event for server in area: event=member-join server=consul-server-0.dc1 area=wan
2024-01-09T15:12:59.439Z [INFO]  agent.server: Handled event for server in area: event=member-join server=consul-server-2.dc1 area=wan
2024-01-09T15:12:59.537Z [INFO]  agent.server: Found expected number of peers, attempting bootstrap: peers="10.131.60.169:8300,10.129.187.20:8300,10.131.6.129:8300"
2024-01-09T15:12:59.543Z [INFO]  agent.server: Adding LAN server: server="consul-server-0 (Addr: tcp/10.131.6.129:8300) (DC: dc1)"
2024-01-09T15:13:04.693Z [INFO]  agent.server: New leader elected: payload=consul-server-2
2024-01-09T15:13:04.994Z [ERROR] agent.http: Request error: method=POST url=/v1/acl/login?dc=dc1 from=10.131.6.170:39852 error="rpc error making call: ACL not found: auth method \"consul-k8s-component-auth-method\" not found"
2024-01-09T15:13:05.200Z [WARN]  agent.leaf-certs: handling error in Manager.Notify: error="rpc error making call: CA is uninitialized and unable to sign certificates yet: no root certificate" index=1
2024-01-09T15:13:05.200Z [ERROR] agent.server.cert-manager: failed to handle cache update event: error="leaf cert watch returned an error: rpc error making call: CA is uninitialized and unable to sign certificates yet: no root certificate"
2024-01-09T15:13:05.201Z [WARN]  agent.leaf-certs: handling error in Manager.Notify: error="rpc error making call: CA is uninitialized and unable to sign certificates yet: no root certificate" index=1
2024-01-09T15:13:05.294Z [WARN]  agent.leaf-certs: handling error in Manager.Notify: error="rpc error making call: CA is uninitialized and unable to sign certificates yet: no root certificate" index=1
2024-01-09T15:13:05.298Z [WARN]  agent.leaf-certs: handling error in Manager.Notify: error="rpc error making call: CA is uninitialized and unable to sign certificates yet: no root certificate" index=1
2024-01-09T15:13:06.007Z [ERROR] agent.http: Request error: method=POST url=/v1/acl/login?dc=dc1 from=10.131.6.170:39852 error="rpc error making call: ACL not found: auth method \"consul-k8s-component-auth-method\" not found"
2024-01-09T15:13:06.630Z [WARN]  agent: Node info update blocked by ACLs: node=ab434c1d-6642-6617-5c2f-f244f2bcb1bf accessorID="anonymous token"
2024-01-09T15:13:07.035Z [ERROR] agent.http: Request error: method=POST url=/v1/acl/login?dc=dc1 from=10.131.6.170:39852 error="rpc error making call: ACL not found: auth method \"consul-k8s-component-auth-method\" not found"
2024-01-09T15:13:07.794Z [WARN]  agent: Node info update blocked by ACLs: node=ab434c1d-6642-6617-5c2f-f244f2bcb1bf accessorID="anonymous token"
2024-01-09T15:13:08.046Z [ERROR] agent.http: Request error: method=POST url=/v1/acl/login?dc=dc1 from=10.131.6.170:39852 error="rpc error making call: ACL not found: auth method \"consul-k8s-component-auth-method\" not found"
2024-01-09T15:13:08.167Z [INFO]  agent.http: Request cancelled: method=POST url=/v1/acl/login?dc=dc1 from=10.131.6.170:39592 error="rpc error making call: ACL not found: auth method \"consul-k8s-component-auth-method\" not found"
2024-01-09T15:13:09.050Z [ERROR] agent.http: Request error: method=POST url=/v1/acl/login?dc=dc1 from=10.131.6.170:39852 error="rpc error making call: ACL not found: auth method \"consul-k8s-component-auth-method\" not found"
2024-01-09T15:13:10.136Z [ERROR] agent.http: Request error: method=POST url=/v1/acl/login?dc=dc1 from=10.131.6.170:39852 error="rpc error making call: ACL not found: auth method \"consul-k8s-component-auth-method\" not found"
2024-01-09T15:13:11.300Z [ERROR] agent.http: Request error: method=GET url="/v1/acl/token/self?dc=dc1&stale=" from=10.131.6.170:39852 error="token does not exist: ACL not found"
2024-01-09T15:13:22.031Z [INFO]  agent.server.serf.lan: serf: EventMemberJoin: paas-qa-master-1 10.129.187.39
2024-01-09T15:13:23.649Z [INFO]  agent.server.serf.lan: serf: EventMemberJoin: paas-qa-master-2 10.131.6.170
2024-01-09T15:13:23.945Z [INFO]  agent.server.serf.lan: serf: EventMemberJoin: paas-qa-master-3 10.131.60.170
2024-01-09T15:13:28.132Z [WARN]  agent: Coordinate update blocked by ACLs: accessorID="anonymous token"
2024-01-09T15:13:31.150Z [ERROR] agent: Failed to check for updates: error="Get \"https://checkpoint-api.hashicorp.com/v1/check/consul?arch=amd64&os=linux&signature=4650b142-f9c0-34ae-a7de-0a3e9899024e&version=1.17.1\": context deadline exceeded (Client.Timeout exceeded while awaiting headers)"
2024-01-09T15:13:55.892Z [WARN]  agent: Coordinate update blocked by ACLs: accessorID="anonymous token"
2024-01-09T15:14:15.332Z [WARN]  agent: Coordinate update blocked by ACLs: accessorID="anonymous token"
2024-01-09T15:14:28.232Z [WARN]  agent: Node info update blocked by ACLs: node=ab434c1d-6642-6617-5c2f-f244f2bcb1bf accessorID="anonymous token"
2024-01-09T15:14:39.830Z [WARN]  agent: Coordinate update blocked by ACLs: accessorID="anonymous token"
2024-01-09T15:14:56.939Z [WARN]  agent: Coordinate update blocked by ACLs: accessorID="anonymous token"
2024-01-09T15:14:58.638Z [WARN]  agent: [core][Channel #1 SubChannel #24] grpc: addrConn.createTransport failed to connect to {Addr: "dc1-10.129.187.20:8300", ServerName: "consul-server-2", }. Err: connection error: desc = "transport: Error while dialing: dial tcp <nil>->10.129.187.20:8300: operation was canceled"
2024-01-09T15:15:26.261Z [WARN]  agent: Coordinate update blocked by ACLs: accessorID="anonymous token"
2024-01-09T15:15:45.643Z [WARN]  agent: Coordinate update blocked by ACLs: accessorID="anonymous token"
2024-01-09T15:16:01.218Z [WARN]  agent: Node info update blocked by ACLs: node=ab434c1d-6642-6617-5c2f-f244f2bcb1bf accessorID="anonymous token"
2024-01-09T15:16:07.993Z [WARN]  agent: Coordinate update blocked by ACLs: accessorID="anonymous token"
2024-01-09T15:16:24.331Z [WARN]  agent: Coordinate update blocked by ACLs: accessorID="anonymous token"
2024-01-09T15:16:48.732Z [WARN]  agent: Coordinate update blocked by ACLs: accessorID="anonymous token"
2024-01-09T15:17:04.804Z [WARN]  agent: Node info update blocked by ACLs: node=ab434c1d-6642-6617-5c2f-f244f2bcb1bf accessorID="anonymous token"
2024-01-09T15:17:08.354Z [WARN]  agent: Coordinate update blocked by ACLs: accessorID="anonymous token"
2024-01-09T15:17:38.284Z [WARN]  agent: Coordinate update blocked by ACLs: accessorID="anonymous token"
2024-01-09T15:18:05.453Z [WARN]  agent: Coordinate update blocked by ACLs: accessorID="anonymous token"
2024-01-09T15:18:28.541Z [WARN]  agent: Node info update blocked by ACLs: node=ab434c1d-6642-6617-5c2f-f244f2bcb1bf accessorID="anonymous token"
2024-01-09T15:18:35.102Z [WARN]  agent: Coordinate update blocked by ACLs: accessorID="anonymous token"
2024-01-09T15:19:01.265Z [WARN]  agent: Coordinate update blocked by ACLs: accessorID="anonymous token"
2024-01-09T15:19:30.074Z [WARN]  agent: Coordinate update blocked by ACLs: accessorID="anonymous token"
2024-01-09T15:19:35.439Z [WARN]  agent: Node info update blocked by ACLs: node=ab434c1d-6642-6617-5c2f-f244f2bcb1bf accessorID="anonymous token"
2024-01-09T15:19:54.334Z [WARN]  agent: Coordinate update blocked by ACLs: accessorID="anonymous token"
2024-01-09T15:20:21.732Z [WARN]  agent: Coordinate update blocked by ACLs: accessorID="anonymous token"
2024-01-09T15:20:42.155Z [WARN]  agent: Coordinate update blocked by ACLs: accessorID="anonymous token"
2024-01-09T15:20:47.673Z [WARN]  agent: Node info update blocked by ACLs: node=ab434c1d-6642-6617-5c2f-f244f2bcb1bf accessorID="anonymous token"
2024-01-09T15:21:09.227Z [WARN]  agent: Coordinate update blocked by ACLs: accessorID="anonymous token"
2024-01-09T15:21:28.032Z [WARN]  agent: Coordinate update blocked by ACLs: accessorID="anonymous token"
2024-01-09T15:21:51.290Z [WARN]  agent: Coordinate update blocked by ACLs: accessorID="anonymous token"
2024-01-09T15:22:12.608Z [WARN]  agent: Coordinate update blocked by ACLs: accessorID="anonymous token"
2024-01-09T15:22:30.296Z [WARN]  agent: Coordinate update blocked by ACLs: accessorID="anonymous token"
2024-01-09T15:22:36.730Z [WARN]  agent: Node info update blocked by ACLs: node=ab434c1d-6642-6617-5c2f-f244f2bcb1bf accessorID="anonymous token"
2024-01-09T15:22:47.241Z [WARN]  agent: Coordinate update blocked by ACLs: accessorID="anonymous token"
2024-01-09T15:23:15.639Z [WARN]  agent: Coordinate update blocked by ACLs: accessorID="anonymous token"
2024-01-09T15:23:36.917Z [WARN]  agent: Coordinate update blocked by ACLs: accessorID="anonymous token"
2024-01-09T15:24:01.997Z [WARN]  agent: Coordinate update blocked by ACLs: accessorID="anonymous token"
2024-01-09T15:24:10.801Z [WARN]  agent: Node info update blocked by ACLs: node=ab434c1d-6642-6617-5c2f-f244f2bcb1bf accessorID="anonymous token"
2024-01-09T15:24:26.382Z [WARN]  agent: Coordinate update blocked by ACLs: accessorID="anonymous token"
2024-01-09T15:24:51.331Z [WARN]  agent: Coordinate update blocked by ACLs: accessorID="anonymous token"
2024-01-09T15:25:08.277Z [WARN]  agent: Coordinate update blocked by ACLs: accessorID="anonymous token"
2024-01-09T15:25:32.811Z [WARN]  agent: Coordinate update blocked by ACLs: accessorID="anonymous token"
2024-01-09T15:25:52.496Z [WARN]  agent: Coordinate update blocked by ACLs: accessorID="anonymous token"
2024-01-09T15:26:01.893Z [WARN]  agent: Node info update blocked by ACLs: node=ab434c1d-6642-6617-5c2f-f244f2bcb1bf accessorID="anonymous token"
2024-01-09T15:26:13.493Z [WARN]  agent: Coordinate update blocked by ACLs: accessorID="anonymous token"
2024-01-09T15:26:34.160Z [WARN]  agent: Coordinate update blocked by ACLs: accessorID="anonymous token"
2024-01-09T15:26:53.351Z [WARN]  agent: Coordinate update blocked by ACLs: accessorID="anonymous token"
2024-01-09T15:27:15.070Z [WARN]  agent: Coordinate update blocked by ACLs: accessorID="anonymous token"
2024-01-09T15:27:33.160Z [WARN]  agent: Coordinate update blocked by ACLs: accessorID="anonymous token"
2024-01-09T15:27:48.432Z [WARN]  agent: Node info update blocked by ACLs: node=ab434c1d-6642-6617-5c2f-f244f2bcb1bf accessorID="anonymous token"
2024-01-09T15:27:53.901Z [WARN]  agent: Coordinate update blocked by ACLs: accessorID="anonymous token"
2024-01-09T15:28:22.225Z [WARN]  agent: Coordinate update blocked by ACLs: accessorID="anonymous token"
2024-01-09T15:28:40.793Z [WARN]  agent: Coordinate update blocked by ACLs: accessorID="anonymous token"
2024-01-09T15:29:08.967Z [WARN]  agent: Node info update blocked by ACLs: node=ab434c1d-6642-6617-5c2f-f244f2bcb1bf accessorID="anonymous token"
2024-01-09T15:29:10.037Z [WARN]  agent: Coordinate update blocked by ACLs: accessorID="anonymous token"
2024-01-09T15:29:30.435Z [WARN]  agent: Coordinate update blocked by ACLs: accessorID="anonymous token"
2024-01-09T15:29:50.132Z [WARN]  agent: Coordinate update blocked by ACLs: accessorID="anonymous token"
2024-01-09T15:30:15.931Z [WARN]  agent: Coordinate update blocked by ACLs: accessorID="anonymous token"
2024-01-09T15:30:31.257Z [WARN]  agent: Node info update blocked by ACLs: node=ab434c1d-6642-6617-5c2f-f244f2bcb1bf accessorID="anonymous token"
2024-01-09T15:30:41.534Z [WARN]  agent: Coordinate update blocked by ACLs: accessorID="anonymous token"
2024-01-09T15:31:09.931Z [WARN]  agent: Coordinate update blocked by ACLs: accessorID="anonymous token"
2024-01-09T15:31:30.732Z [WARN]  agent: Coordinate update blocked by ACLs: accessorID="anonymous token"
2024-01-09T15:31:48.631Z [WARN]  agent: Coordinate update blocked by ACLs: accessorID="anonymous token"
2024-01-09T15:32:16.529Z [WARN]  agent: Node info update blocked by ACLs: node=ab434c1d-6642-6617-5c2f-f244f2bcb1bf accessorID="anonymous token"
2024-01-09T15:32:17.099Z [WARN]  agent: Coordinate update blocked by ACLs: accessorID="anonymous token"
2024-01-09T15:32:43.336Z [WARN]  agent: Coordinate update blocked by ACLs: accessorID="anonymous token"
2024-01-09T15:33:00.280Z [WARN]  agent: Coordinate update blocked by ACLs: accessorID="anonymous token"

Expected behavior

There should be no warnings.

Environment details

We use consul-k8s version 1.2.2, but the problem is still present with 1.3.1.

Kubernetes version: v1.25.x

Additional Context

I have noticed that Consul contains only one token for Consul servers:

image

I also have logs from the consul-acl-init job on first installation:

2024-01-09T15:12:48.946Z [ERROR] Error resolving IP Address: err="failed to resolve DNS name: consul-server.consul-test.svc: lookup consul-server.consul-test.svc on 172.30.0.10:53: no such host"
2024-01-09T15:12:49.485Z [ERROR] Error resolving IP Address: err="failed to resolve DNS name: consul-server.consul-test.svc: lookup consul-server.consul-test.svc on 172.30.0.10:53: no such host"
2024-01-09T15:12:50.430Z [ERROR] Error resolving IP Address: err="failed to resolve DNS name: consul-server.consul-test.svc: lookup consul-server.consul-test.svc on 172.30.0.10:53: no such host"
2024-01-09T15:12:51.156Z [ERROR] Error resolving IP Address: err="failed to resolve DNS name: consul-server.consul-test.svc: lookup consul-server.consul-test.svc on 172.30.0.10:53: no such host"
2024-01-09T15:12:53.522Z [INFO]  Refreshing server IP addresses: addresses=["{10.131.6.129 }"]
2024-01-09T15:12:53.650Z [INFO]  No bootstrap token found in secrets backend, continuing to ACL bootstrapping: secret=consul-bootstrap-acl-token
2024-01-09T15:12:53.651Z [ERROR] Failure: bootstrapping ACLs - PUT /v1/acl/bootstrap: err="Put \"https://10.131.6.129:8501/v1/acl/bootstrap?dc=dc1\": dial tcp 10.131.6.129:8501: connect: connection refused"
2024-01-09T15:12:53.651Z [INFO]  Retrying in 1s
2024-01-09T15:12:54.652Z [ERROR] Failure: bootstrapping ACLs - PUT /v1/acl/bootstrap: err="Put \"https://10.131.6.129:8501/v1/acl/bootstrap?dc=dc1\": dial tcp 10.131.6.129:8501: connect: connection refused"
2024-01-09T15:12:54.652Z [INFO]  Retrying in 1s
2024-01-09T15:12:55.653Z [ERROR] Failure: bootstrapping ACLs - PUT /v1/acl/bootstrap: err="Put \"https://10.131.6.129:8501/v1/acl/bootstrap?dc=dc1\": dial tcp 10.131.6.129:8501: connect: connection refused"
2024-01-09T15:12:55.653Z [INFO]  Retrying in 1s
2024-01-09T15:12:56.658Z [ERROR] Failure: bootstrapping ACLs - PUT /v1/acl/bootstrap: err="Put \"https://10.131.6.129:8501/v1/acl/bootstrap?dc=dc1\": dial tcp 10.131.6.129:8501: connect: connection refused"
2024-01-09T15:12:56.658Z [INFO]  Retrying in 1s
2024-01-09T15:12:57.659Z [ERROR] Failure: bootstrapping ACLs - PUT /v1/acl/bootstrap: err="Put \"https://10.131.6.129:8501/v1/acl/bootstrap?dc=dc1\": dial tcp 10.131.6.129:8501: connect: connection refused"
2024-01-09T15:12:57.659Z [INFO]  Retrying in 1s
2024-01-09T15:13:09.552Z [INFO]  Success: bootstrapping ACLs - PUT /v1/acl/bootstrap
2024-01-09T15:13:09.565Z [INFO]  Success: writing bootstrap Secret "consul-bootstrap-acl-token"
2024-01-09T15:13:09.565Z [INFO]  Setting Consul server tokens
2024-01-09T15:13:09.614Z [INFO]  Success: creating agent policy - PUT /v1/acl/policy
2024-01-09T15:13:09.651Z [INFO]  Success: creating server token for {10.131.6.129 } - PUT /v1/acl/token
2024-01-09T15:13:09.665Z [INFO]  Success: updating server token for {10.131.6.129 } - PUT /v1/agent/token/agent
2024-01-09T15:13:09.666Z [INFO]  consul-server-connection-manager: trying to connect to a Consul server
2024-01-09T15:13:09.751Z [INFO]  consul-server-connection-manager: discovered Consul servers: addresses=[10.129.187.20:8502, 10.131.60.169:8502, 10.131.6.129:8502]
2024-01-09T15:13:09.751Z [INFO]  consul-server-connection-manager: current prioritized list of known Consul servers: addresses=[10.129.187.20:8502, 10.131.60.169:8502, 10.131.6.129:8502]
2024-01-09T15:13:09.841Z [INFO]  consul-server-connection-manager: connected to Consul server: address=10.129.187.20:8502
2024-01-09T15:13:09.844Z [INFO]  consul-server-connection-manager: updated known Consul servers from watch stream: addresses=[10.131.60.169:8502, 10.131.6.129:8502, 10.129.187.20:8502]
2024-01-09T15:13:09.896Z [INFO]  Success: calling /agent/self to get datacenter
2024-01-09T15:13:09.896Z [INFO]  Current datacenter: datacenter=dc1 primaryDC=dc1
2024-01-09T15:13:09.941Z [INFO]  Success: getting consul-auth-method ServiceAccount
2024-01-09T15:13:10.038Z [INFO]  Success: getting consul-auth-method Secret
2024-01-09T15:13:10.494Z [INFO]  Success: creating auth method consul-k8s-component-auth-method
2024-01-09T15:13:10.593Z [INFO]  Success: creating client-policy policy
2024-01-09T15:13:10.793Z [INFO]  Success: update or create acl role for consul-client-acl-role
2024-01-09T15:13:10.794Z [INFO]  Success: listing binding rules for auth method consul-k8s-component-auth-method
2024-01-09T15:13:10.993Z [INFO]  Success: creating acl binding rule for consul-k8s-component-auth-method
2024-01-09T15:13:11.295Z [INFO]  Success: creating anonymous token policy - PUT /v1/acl/policy
2024-01-09T15:13:11.508Z [INFO]  Success: updating anonymous token with policy
2024-01-09T15:13:11.508Z [INFO]  server-acl-init completed successfully
2024-01-09T15:13:11.508Z [INFO]  consul-server-connection-manager: stopping

and on update:

2023-12-27T11:32:31.434Z [INFO]  Refreshing server IP addresses: addresses=["{10.129.187.10 }", "{10.131.6.191 }", "{10.131.60.177 }"]
2023-12-27T11:32:31.638Z [INFO]  Found bootstrap token in secrets backend: secret=consul-bootstrap-acl-token
2023-12-27T11:32:31.638Z [INFO]  Setting Consul server tokens
2023-12-27T11:32:31.833Z [INFO]  Policy "agent-token" already exists, updating
2023-12-27T11:32:31.846Z [INFO]  Success: creating agent policy - PUT /v1/acl/policy
2023-12-27T11:32:32.039Z [INFO]  Success: creating server token for {10.129.187.10 } - PUT /v1/acl/token
2023-12-27T11:32:32.042Z [INFO]  Success: updating server token for {10.129.187.10 } - PUT /v1/agent/token/agent
2023-12-27T11:32:32.141Z [INFO]  Success: creating server token for {10.131.6.191 } - PUT /v1/acl/token
2023-12-27T11:32:32.159Z [INFO]  Success: updating server token for {10.131.6.191 } - PUT /v1/agent/token/agent
2023-12-27T11:32:32.284Z [INFO]  Success: updating server token for {10.131.60.177 } - PUT /v1/agent/token/agent
2023-12-27T11:32:32.284Z [INFO]  consul-server-connection-manager: trying to connect to a Consul server
2023-12-27T11:32:32.290Z [INFO]  consul-server-connection-manager: discovered Consul servers: addresses=[10.129.187.10:8502, 10.131.6.191:8502, 10.131.60.177:8502]
2023-12-27T11:32:32.290Z [INFO]  consul-server-connection-manager: current prioritized list of known Consul servers: addresses=[10.129.187.10:8502, 10.131.6.191:8502, 10.131.60.177:8502]
2023-12-27T11:32:32.337Z [INFO]  consul-server-connection-manager: connected to Consul server: address=10.129.187.10:8502
2023-12-27T11:32:32.431Z [INFO]  consul-server-connection-manager: updated known Consul servers from watch stream: addresses=[10.131.6.191:8502, 10.131.60.177:8502, 10.129.187.10:8502]
2023-12-27T11:32:32.615Z [INFO]  Success: calling /agent/self to get datacenter
2023-12-27T11:32:32.615Z [INFO]  Current datacenter: datacenter=dc1 primaryDC=dc1
2023-12-27T11:32:32.620Z [INFO]  Success: getting consul-auth-method ServiceAccount
2023-12-27T11:32:32.625Z [INFO]  Success: getting consul-auth-method Secret
2023-12-27T11:32:32.936Z [INFO]  Success: creating auth method consul-k8s-component-auth-method
2023-12-27T11:32:33.032Z [INFO]  Policy "client-policy" already exists, updating
2023-12-27T11:32:33.042Z [INFO]  Success: creating client-policy policy
2023-12-27T11:32:33.234Z [INFO]  Success: update or create acl role for consul-client-acl-role
2023-12-27T11:32:33.238Z [INFO]  Success: listing binding rules for auth method consul-k8s-component-auth-method
2023-12-27T11:32:33.246Z [INFO]  Success: updating acl binding rule for consul-k8s-component-auth-method
2023-12-27T11:32:33.334Z [INFO]  skipping creating anonymous token since it already exists
2023-12-27T11:32:33.334Z [INFO]  server-acl-init completed successfully
2023-12-27T11:32:33.334Z [INFO]  consul-server-connection-manager: stopping

After the update procedure, tokens for all servers appear and the warning disappears.

@defesteban defesteban added the type/bug Something isn't working label Jan 9, 2024
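The logs in this report can be cross-checked mechanically. The following is an added example, not part of the original issue and not consul-k8s code: it compares the servers for which server-acl-init logged `PUT /v1/agent/token/agent` against the servers it later discovered, and matches the result to the pod that logs the anonymous-token warnings. The function names are hypothetical; the log lines are copied from the logs quoted above.

```python
import re

# Lines copied from the server-acl-init logs quoted in this issue.
FIRST_INSTALL_LOG = """\
2024-01-09T15:12:53.522Z [INFO]  Refreshing server IP addresses: addresses=["{10.131.6.129 }"]
2024-01-09T15:13:09.651Z [INFO]  Success: creating server token for {10.131.6.129 } - PUT /v1/acl/token
2024-01-09T15:13:09.665Z [INFO]  Success: updating server token for {10.131.6.129 } - PUT /v1/agent/token/agent
2024-01-09T15:13:09.751Z [INFO]  consul-server-connection-manager: discovered Consul servers: addresses=[10.129.187.20:8502, 10.131.60.169:8502, 10.131.6.129:8502]
"""

UPDATE_LOG = """\
2023-12-27T11:32:31.434Z [INFO]  Refreshing server IP addresses: addresses=["{10.129.187.10 }", "{10.131.6.191 }", "{10.131.60.177 }"]
2023-12-27T11:32:32.042Z [INFO]  Success: updating server token for {10.129.187.10 } - PUT /v1/agent/token/agent
2023-12-27T11:32:32.159Z [INFO]  Success: updating server token for {10.131.6.191 } - PUT /v1/agent/token/agent
2023-12-27T11:32:32.284Z [INFO]  Success: updating server token for {10.131.60.177 } - PUT /v1/agent/token/agent
2023-12-27T11:32:32.290Z [INFO]  consul-server-connection-manager: discovered Consul servers: addresses=[10.129.187.10:8502, 10.131.6.191:8502, 10.131.60.177:8502]
"""

# Banner line and three warnings copied from the consul-server-1 log above.
SERVER_LOG = """\
          Cluster Addr: 10.131.60.169 (LAN: 8301, WAN: 8302)
2024-01-09T15:13:06.630Z [WARN]  agent: Node info update blocked by ACLs: node=ab434c1d-6642-6617-5c2f-f244f2bcb1bf accessorID="anonymous token"
2024-01-09T15:13:28.132Z [WARN]  agent: Coordinate update blocked by ACLs: accessorID="anonymous token"
2024-01-09T15:13:55.892Z [WARN]  agent: Coordinate update blocked by ACLs: accessorID="anonymous token"
"""

RESOLVED_RE = re.compile(r"Refreshing server IP addresses: addresses=\[(.*)\]")
BRACED_IP_RE = re.compile(r"\{(\S+?)\s*\}")
TOKEN_SET_RE = re.compile(
    r"updating server token for \{(\S+?)\s*\} - PUT /v1/agent/token/agent")
DISCOVERED_RE = re.compile(r"discovered Consul servers: addresses=\[([^\]]*)\]")
DENIED_RE = re.compile(
    r'\[WARN\]\s+agent: (.+?) blocked by ACLs: .*accessorID="anonymous token"')
CLUSTER_ADDR_RE = re.compile(r"Cluster Addr:\s+(\S+)")


def parse_acl_init(log):
    """Collect the server addresses seen at each stage of a server-acl-init run."""
    state = {"resolved": set(), "token_set": set(), "discovered": set()}
    for line in log.splitlines():
        m = RESOLVED_RE.search(line)
        if m:
            # Addresses the job resolved before it started issuing tokens.
            state["resolved"] = set(BRACED_IP_RE.findall(m.group(1)))
            continue
        m = TOKEN_SET_RE.search(line)
        if m:
            # The job pushed an agent token to this server.
            state["token_set"].add(m.group(1))
            continue
        m = DISCOVERED_RE.search(line)
        if m:
            # Entries look like "10.131.6.129:8502"; drop the port.
            for addr in m.group(1).split(","):
                if addr.strip():
                    state["discovered"].add(addr.strip().rsplit(":", 1)[0])
    return state


def servers_without_agent_token(log):
    """Servers that were discovered but never received an agent token."""
    state = parse_acl_init(log)
    return sorted(state["discovered"] - state["token_set"])


def anonymous_denials(server_log):
    """Return (cluster address, {operation: count}) for anonymous-token denials."""
    addr, counts = None, {}
    for line in server_log.splitlines():
        m = CLUSTER_ADDR_RE.search(line)
        if m:
            addr = m.group(1)
            continue
        m = DENIED_RE.search(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return addr, counts


def explains_warnings(acl_init_log, server_log):
    """True when the warning pod is one of the servers left without a token."""
    addr, counts = anonymous_denials(server_log)
    return bool(counts) and addr in servers_without_agent_token(acl_init_log)


if __name__ == "__main__":
    print("first install, no token:", servers_without_agent_token(FIRST_INSTALL_LOG))
    print("update, no token:", servers_without_agent_token(UPDATE_LOG))
    print("warning pod:", anonymous_denials(SERVER_LOG))
    print("consistent:", explains_warnings(FIRST_INSTALL_LOG, SERVER_LOG))
```
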