"error execution phase control-plane-join/mark-control-plane: couldn't validate the identity of the API Server: could not find a JWS signature in the cluster-info ConfigMap for token ID"
VMware is aware of this issue as reported in TCA 2.1. A workaround is available, as described below, to address the issue.
The TKG 1.7 release will have a permanent fix ensuring the TTL gets extended automatically until a node successfully joins.
Based on the log message's timestamp, the user can see how long the kubeadm join takes, and then needs to perform the following:
1. SSH into the tca-bootstrapper VM in cloud native if the timeout occurs while creating the TCA cluster
or
SSH into tca-cp if the timeout occurs during the CAAS workflow
2. Edit /opt/vmware/k8s-bootstrapper/kbs.conf to add:
[AdvancedConf]
CapbkBootstrapTokenTtl = xx
where xx is an integer larger than 15; the unit is minutes.
3. Restart bootstrapper service using the following command:
systemctl restart bootstrapperd
NOTE: After making the above changes, ensure that you recreate the Control Plane Management Cluster.
Additionally, if you need to modify the existing Management Cluster without recreating it, follow the steps below:
Step 1: Validate the configuration:
kubectl get pods capi-kubeadm-bootstrap-controller-manager-XXXXXXXXXX -n capi-kubeadm-bootstrap-system -o yaml

spec:
  containers:
  - args:
    - --leader-elect
    - --metrics-bind-addr=localhost:8080
    - --feature-gates=MachinePool=false
    - --bootstrap-token-ttl=90m
Step 2: Modify the existing Management Cluster (Live/Runtime) by updating the "bootstrap-token-ttl" using the following command:
kubectl edit deployment capi-kubeadm-bootstrap-controller-manager -n capi-kubeadm-bootstrap-system
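
The Step 1 check can be scripted to confirm that the configured TTL is longer than the join time measured from the logs. This is an added example, not VMware tooling: the function names are hypothetical, the sample YAML is constructed from the Step 1 output, and the duration parser assumes integer h/m/s components.

```shell
#!/bin/sh
# Added example (not VMware tooling): read --bootstrap-token-ttl from YAML and
# compare it with an observed kubeadm join time. Function names are hypothetical.

# Constructed sample modelled on the Step 1 output.
SAMPLE_YAML='spec:
  containers:
  - args:
    - --leader-elect
    - --metrics-bind-addr=localhost:8080
    - --feature-gates=MachinePool=false
    - --bootstrap-token-ttl=90m'

# Convert a duration made of integer h/m/s parts (90m, 1h30m, 15m0s) to minutes.
duration_to_minutes() {
  printf '%s\n' "$1" | awk '{
    s = $0; total = 0
    while (match(s, /^[0-9]+[hms]/)) {
      n = substr(s, 1, RLENGTH - 1) + 0
      u = substr(s, RLENGTH, 1)
      if (u == "h") total += n * 3600
      else if (u == "m") total += n * 60
      else total += n
      s = substr(s, RLENGTH + 1)
    }
    if (s != "" || $0 == "") exit 1   # reject anything not fully parsed
    print int(total / 60)
  }'
}

# Print the configured TTL in minutes from YAML on stdin; fail if the flag is absent.
ttl_minutes() {
  ttl=$(sed -n 's/^[[:space:]]*-[[:space:]]*--bootstrap-token-ttl=\([^[:space:]]*\).*$/\1/p' | head -n 1)
  [ -n "$ttl" ] || return 1
  duration_to_minutes "$ttl"
}

# Succeed only if the TTL exceeds the observed join time ($1, in minutes).
ttl_covers_join() {
  mins=$(ttl_minutes) || return 2
  [ "$mins" -gt "$1" ]
}

# Live use (needs cluster access):
#   kubectl get deployment capi-kubeadm-bootstrap-controller-manager \
#     -n capi-kubeadm-bootstrap-system -o yaml | ttl_covers_join 40
printf '%s\n' "$SAMPLE_YAML" | ttl_minutes
```

A bootstrap token is a join credential for the cluster, so choose the smallest TTL that still passes this check for the slowest join observed.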