failed to mount volume for mtls cert for target allocator #3563

Open
travisghansen opened this issue Dec 20, 2024 · 3 comments
Labels: bug, needs triage

Comments

@travisghansen

Component(s)

collector, target allocator

What happened?

Description

When mtls support is enabled in the operator, deployments that do not have target allocator enabled are failing because the secret does not exist:

MountVolume.SetUp failed for volume "default-ta-client-cert" : secret "default-ta-client-cert" not found

The secret isn't being created (presumably) because target allocator isn't enabled on the CR but the deployment is still requiring the mount.

Steps to Reproduce

Enable mtls for TA. Deploy a collector without TA enabled.

Expected Result

No mtls secrets are created, no secrets are required to start the collector.

Actual Result

TLS secrets are not created (as expected when TA is disabled), secret is required by the collector pod to start.

Kubernetes Version

1.31

Operator version

ghcr.io/open-telemetry/opentelemetry-operator/opentelemetry-operator:0.114.1

Collector version

otel/opentelemetry-collector-k8s:0.114.0

Environment information

No response

Log output

No response

Additional context

open-telemetry/opentelemetry-helm-charts#1469

travisghansen added the bug and needs triage labels Dec 20, 2024
@mtthwcmpbll

mtthwcmpbll commented Jan 7, 2025

I've run into this too. I have a Collector resource deployed that explicitly sets:

spec:
  targetAllocator:
    enabled: false

The Collector's pod fails to initialize because the expected secret volume mount doesn't exist, and describing the OtelCollector resource I see the following:

spec:
  targetAllocator:
    allocationStrategy: consistent-hashing
    filterStrategy: relabel-config
    observability:
      metrics: {}
    prometheusCR:
      scrapeInterval: 30s
    resources: {}

I've tried explicitly enabling the targetAllocator and disabling the prometheusCR or setting the labels to something that shouldn't match anything to get around this, but this doesn't help for collectors that don't have any prometheus configuration at all (as it fails to validate).

@supergillis

Running into the same issue too. All is good when the target allocator is enabled, but when it's disabled it adds a volume mount for the *-ta-client-cert secret which does not exist.

@supergillis

supergillis commented Jan 9, 2025

After redeployment of my collector this issue does not occur anymore. Perhaps this is a reconciliation issue in the operator? This is the order in which I enabled the operator.targetallocator.mtls flag.

  1. First the operator was deployed without the operator.targetallocator.mtls feature flag;
  2. Then the OpenTelemetryCollector instance was created and deployed successfully;
  3. Then the operator.targetallocator.mtls was enabled on the operator.
  4. Now the OpenTelemetryCollector was restarted but it seems the *-ta-client-cert secret was not updated.
  5. After recreation of the OpenTelemetryCollector the secret is now up-to-date.
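
A triage check for the failure reported in this thread, as an added example that is not part of the issue or the operator's code: it reports every required secret volume whose secret is missing and flags names ending in `-ta-client-cert`. The pod names, the namespace and both sample listings are constructed; real input would come from `kubectl get pods -o json` and the names returned by `kubectl get secrets`.

```python
import json

TA_CERT_SUFFIX = "-ta-client-cert"  # secret name suffix taken from the error in this issue

# Constructed sample, shaped like `kubectl get pods -o json` output (trimmed).
SAMPLE_PODS = json.loads("""
{"items": [
  {"metadata": {"namespace": "observability", "name": "default-collector-0"},
   "spec": {"volumes": [
     {"name": "otc-internal", "configMap": {"name": "default-collector"}},
     {"name": "default-ta-client-cert", "secret": {"secretName": "default-ta-client-cert"}}]}},
  {"metadata": {"namespace": "observability", "name": "gateway-collector-0"},
   "spec": {"volumes": [
     {"name": "gateway-ta-client-cert", "secret": {"secretName": "gateway-ta-client-cert"}},
     {"name": "extra", "secret": {"secretName": "maybe-there", "optional": true}}]}}
]}
""")

# Constructed sample: (namespace, name) pairs of the secrets that exist.
SAMPLE_SECRETS = {("observability", "gateway-ta-client-cert")}


def missing_secret_mounts(pods, existing_secrets):
    """Return one finding per required secret volume whose secret is absent."""
    findings = []
    for pod in pods.get("items", []):
        ns = pod["metadata"].get("namespace", "default")
        for vol in pod.get("spec", {}).get("volumes") or []:
            secret = vol.get("secret")
            if not secret or secret.get("optional", False):
                continue  # not a secret volume, or the mount does not block pod start
            name = secret.get("secretName") or ""
            if (ns, name) not in existing_secrets:
                findings.append({
                    "namespace": ns,
                    "pod": pod["metadata"]["name"],
                    "volume": vol["name"],
                    "secret": name,
                    "ta_client_cert": name.endswith(TA_CERT_SUFFIX),
                })
    return findings


if __name__ == "__main__":
    for finding in missing_secret_mounts(SAMPLE_PODS, SAMPLE_SECRETS):
        print(finding)
```

A finding with `ta_client_cert` set on a collector whose CR has the target allocator disabled matches the symptom described in this issue.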
