• When a user creates a cluster with multiple replicas for the control plane node, the first control plane node is created successfully. However the remaining control plane fails to join the first control plane and cluster creation times out.
• On the second control plane node the /var/log/cloud-init-output.log, file contains errors similar to:

"error execution phase control-plane-join/mark-control-plane: couldn't validate the identity of the API Server: could not find a JWS signature in the cluster-info ConfigMap for token ID"
 

2.0, 2.0.1, 2.1, 2.2

Resolved in TCA 2.3

TKG 1.7 release will have a permanent fix ensuring TTL gets extended automatically until a node successfully joins.

Workaround:

• Based the log message's timestamp, user can see how long the kubeadm join takes, then user need to perform the following:
  
  ssh into tca-bootstrapper vm in cloud native if the cluster timeout is creating TCA cluster 
  or  
  ssh into tca-cp if cluster timeout is during CAAS workflow
• Edit /opt/vmware/k8s-bootstrapper/kbs.conf to add

[AdvancedConf]
CapbkBootstrapTokenTtl = ####

#### is an interger number larger than 15; the unit is in minutes

• Restart bootstrapper service using the following command:
   systemctl restart bootstrapperd

NOTE: Post making the above changes ensure that you recreate the Control Plane Management Cluster.

Additionally in case if we need to Modify the existing Management Cluster without recreation follow the steps as mentioned below:

Step 1: Validate the configuration: 

kubectl get pods capi-kubeadm-bootstrap-controller-manager-######## -n capi-kubeadm-bootstrap-system -o yaml 

spec:
  containers:
  - args:
    - --leader-elect
    - --metrics-bind-addr=localhost:8080
    - --feature-gates=MachinePool=false
    - --bootstrap-token-ttl=90m

Step 2: Modify the existing Management Cluster (Live/Runtime) by updating the "bootstrap-token-ttl" using the following command: 

kubectl edit deployment capi-kubeadm-bootstrap-controller-manager -n capi-kubeadm-bootstrap-system