Required Data: Sidecar Injector

Issue

  • I have deployed the sidecar-injector but certificates don’t seem to be injected

Quick check

Check the description of the pod impacted (replace $POD_NAME with the name of the pod to check the injection for, for example cjoc-0):

kubectl get pod $POD_NAME -o yaml

and check the volumes and volumeMounts to validate that the expected volumes are injected. You should see something like the following:

    volumeMounts:
    - mountPath: /etc/ssl/certs/ca-certificates.crt
      name: ca-bundles
      subPath: ca-certificates.crt
    [...]
  volumes:
  - configMap:
      defaultMode: 420
      name: ca-bundles
    name: ca-bundles
    [...]

If that is the case, then it can be assumed that injection is working as expected and what needs troubleshooting is the SSL. Please follow the guide SSL Certificates Troubleshooting.

Required Data for sidecar-injector

This article describes how to collect the minimum required information for sidecar-injector on a CloudBees Core on Core Modern installation so that it can be efficiently troubleshooted.

If the required data is bigger than 20 MB you will not be able to use ZenDesk to upload all the information. In this case, we would like to encourage you to use our upload service in order to attach all the required information.

Environment

Required Data check list

  •  Kubernetes sidecar-injector resources details
  •  Kubernetes Namespace labelled for injection
  •  Kubernetes sidecar-injector pod logs
  •  Kubernetes CloudBees Core resources details
  •  Kubernetes Impacted pod injection details
  •  Support bundle from impacted Instance

Pre-Requisites

To facilitate the retrieval of data, export the following variables:

CB_NAMESPACE=<cloudbees-core-namspace>
SIDECAR_NAMESPACE=<sidecar-namespace>

Replace:

  • by the namespace where CLoudBees Core is deployed
  • <sidecar-namespace> by the namespace where the sidecar-injector is deployed, usually sidecar-injector

Kubernetes sidecar-injector resources details

Resources of the sidecar-injector deployment:

kubectl get deployment,replicaset,cm,pod,svc,ep,mutatingWebhookConfigurations -n $SIDECAR_NAMESPACE -o yaml > sidecar-injector-details.yaml
kubectl get deployment,replicaset,cm,pod,svc,ep,mutatingWebhookConfigurations -n $SIDECAR_NAMESPACE -o yaml > sidecar-injector-details.txt

Kubernetes Namespace labelled for injection

The list of namespaces labelled for injection:

kubectl get namespaces -L sidecar-injector > sidecar-injector-labels.yaml

Kubernetes sidecar-injector pod logs

Get the logs of the sidecar-injector pod:

kubectl logs $(kubectl get pod -n $SIDECAR_NAMESPACE -o jsonpath='{.items[0].metadata.name}') > sidecar-injector-pod.log

Kubernetes CloudBees Core resources details

Details of the CloudBees Core resources:

kubectl get node,sts,pod,svc,ing,ep,cm,pvc,pv -o yaml -n $CB_NAMESPACE > cje2-details.yaml
kubectl get node,sts,pod,svc,ing,ep,cm,pvc,pv -o wide -n $CB_NAMESPACE > cje2-details.txt

Kubernetes Impacted pod injection details

Check the injection inside the pod. For example for Debian / Alpine / Ubuntu, certificates are injected at /etc/ssl/certs/ and /etc/ssl/certs/java/ (replace $POD_NAME with the name of the pod to check the injection for, for example cjoc-0):

kubectl exec -ti $POD_NAME -n $CB_NAMESPACE -- ls -lR /etc/ssl/certs/ > pod-injection.log

Support bundle from impacted Instance

A support bundle from the Instance where the issues are happening.

References

Have more questions?

0 Comments

Please sign in to leave a comment.