New VKS workload cluster deployment fails and is immediately paused

Article ID: 429382

Products

Tanzu Kubernetes Runtime

Issue/Introduction

  • No VMs or machines are deployed for the cluster
  • Errors similar to the one shown below are present in the TKG Controller logs of the Supervisor.
    • Log location - /var/log/pod/svc-tkg-domain-c#_vmware-system-tkg-controller-manager-##########-#####_########-####-####-####-############
    • Pod vmware-system-tkg-controller-manager-##########-##### under namespace svc-tkg-domain-c#
YYYY-MM-DDTHH:MM:SS stderr F E### HH:MM:SS       1 controller.go:347] "Reconciler error" err="reconcile cluster variables failed: failed to get ssh authorized key when assign it to the Cluster Variable 'user'. ssh: this private key is passphrase protected" controller="###########-##########" controllerGroup="cluster.#-###.io" controllerKind="Cluster" Cluster="##-####/####-##########" namespace="##-####" name="####-##########" reconcileID="########-####-####-####-############"


Important: Avoid unpausing clusters that were paused during the deployment. Doing so could lead to further deployment errors and issues within the Supervisor.

Environment

vSphere with Tanzu 8.X

Cause

The cluster deployment failed because the private key, which is used for the user variable, is either incorrectly configured or protected by a password.

Resolution

How to Determine if a Private Key is Password Protected (Encrypted)

Follow these steps to check if a private key is protected by a passphrase:

  1. Save the Key: Retrieve the private key and save it to a local file (e.g., private_key)
  2. Set Permissions: Update the file permissions using the command: chmod 600 ./private_key
  3. Run Check: Execute the following command against the file: ssh-keygen -y -f ./private_key


Interpretation of Results:

  • Encrypted Key: If step 3 prompts you for a passphrase, the key is encrypted.
  • Unencrypted or Invalid Key: If no passphrase prompt appears, the key is either not password protected or there may be issues with its formatting or generation that require investigation.
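
A non-interactive form of the check in steps 1-3, added here as an example (it is not part of the original article or of any VMware tooling): passing -P "" makes ssh-keygen fail on an encrypted key instead of prompting, so the result can be scripted and encrypted keys can be told apart from invalid ones. The function name key_state and the match on the word "passphrase" in ssh-keygen's error text are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify a private key file without an interactive prompt.
# Prints one of: unencrypted | encrypted | invalid | error
# Exit status:   0 unencrypted, 1 encrypted, 2 invalid, 3 error
# Run "chmod 600" on the file first (step 2); ssh-keygen rejects key files
# that are readable by other users, which this function reports as "invalid".
key_state() {
    key_file=$1
    if ! command -v ssh-keygen >/dev/null 2>&1 || [ ! -r "$key_file" ]; then
        echo error
        return 3
    fi
    # -y derives the public key; -P "" supplies an empty passphrase so an
    # encrypted key produces an error rather than a prompt.
    # The derived public key is discarded; only stderr is captured.
    if err=$(ssh-keygen -y -P "" -f "$key_file" 2>&1 >/dev/null); then
        echo unencrypted
        return 0
    fi
    # Assumption: ssh-keygen mentions "passphrase" in its error text when
    # decryption fails; any other failure is treated as a bad key file.
    case $err in
        *[Pp]assphrase*) echo encrypted; return 1 ;;
        *)               echo invalid;   return 2 ;;
    esac
}

# Stand-alone use: sh check_key.sh ./private_key
if [ "$#" -gt 0 ]; then
    key_state "$1"
fi
```

A result of "encrypted" corresponds to the "this private key is passphrase protected" reconcile error shown in the Issue/Introduction section.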

Additional Information

For further troubleshooting, information detailing why a deployment was paused can be reviewed in the TKG Controller logs mentioned in the Issue/Introduction field above.