Log: /mnt/jenkins/workspace/cloud-pxc-operator_PR-2467/e2e-tests/logs/tls-issue-cert-manager-8-0.log Warning: version difference between client (1.36) and server (1.33) exceeds the supported minor version skew of +/-1 Warning: version difference between client (1.36) and server (1.33) exceeds the supported minor version skew of +/-1 No resources found + kubectl patch pxc -n sh --type=merge -p '{"metadata":{"finalizers":[]}}' error: resource(s) were provided, but no name was specified No resources found No resources found No resources found error: resource(s) were provided, but no name was specified error: resource(s) were provided, but no name was specified error: resource(s) were provided, but no name was specified error: resource(s) were provided, but no name was specified error: resource(s) were provided, but no name was specified error: resource(s) were provided, but no name was specified ----------------------------------------------------------------------------------- cleaned up all old namespaces ----------------------------------------------------------------------------------- ----------------------------------------------------------------------------------- cleaned up old namespaces pxc-operator ----------------------------------------------------------------------------------- Error from server (NotFound): namespaces "pxc-operator" not found waiting for namespace/pxc-operator to be deletederror: resource(s) were provided, but no name was specified Error from server (NotFound): namespaces "pxc-operator" not found ----------------------------------------------------------------------------------- create namespace pxc-operator ----------------------------------------------------------------------------------- namespace/pxc-operator created Context "gke_cloud-dev-112233_us-central1-a_jen-pxc-2467-3dc7f023-16-cluster1" modified. ----------------------------------------------------------------------------------- start PXC operator ----------------------------------------------------------------------------------- customresourcedefinition.apiextensions.k8s.io/perconaxtradbclusterbackups.pxc.percona.com serverside-applied customresourcedefinition.apiextensions.k8s.io/perconaxtradbclusterrestores.pxc.percona.com serverside-applied customresourcedefinition.apiextensions.k8s.io/perconaxtradbclusters.pxc.percona.com serverside-applied clusterrole.rbac.authorization.k8s.io/percona-xtradb-cluster-operator unchanged serviceaccount/percona-xtradb-cluster-operator created clusterrolebinding.rbac.authorization.k8s.io/service-account-percona-xtradb-cluster-operator unchanged deployment.apps/percona-xtradb-cluster-operator created service/percona-xtradb-cluster-operator created pod/percona-xtradb-cluster-operator-9d9fbdb5-jgh82 condition met E0516 21:27:40.937589 23824 reflector.go:227] "Failed to watch" err="Get \"https://34.28.179.30/api/v1/namespaces/pxc-operator/pods?allowWatchBookmarks=true&fieldSelector=metadata.name%3Dpercona-xtradb-cluster-operator-9d9fbdb5-jgh82&resourceVersion=1778966860577059000&timeoutSeconds=434&watch=true\": context canceled" reflector="k8s.io/client-go/tools/watch/informerwatcher.go:162" type="*unstructured.Unstructured" pod/percona-xtradb-cluster-operator-9d9fbdb5-jgh82 condition met E0516 21:27:46.777853 24840 reflector.go:227] "Failed to watch" err="Get \"https://34.28.179.30/api/v1/namespaces/pxc-operator/pods?allowWatchBookmarks=true&fieldSelector=metadata.name%3Dpercona-xtradb-cluster-operator-9d9fbdb5-jgh82&resourceVersion=1778966864703582000&timeoutSeconds=428&watch=true\": context canceled" reflector="k8s.io/client-go/tools/watch/informerwatcher.go:162" type="*unstructured.Unstructured" waiting for pod/percona-xtradb-cluster-operator-9d9fbdb5-jgh82 to become Ready.Ok error: resource(s) were provided, but no name was specified error: resource(s) were provided, but no name was specified error: resource(s) were provided, but no name was specified error: resource(s) were provided, but no name was specified error: resource(s) were provided, but no name was specified error: resource(s) were provided, but no name was specified ----------------------------------------------------------------------------------- cleaned up all old namespaces ----------------------------------------------------------------------------------- ----------------------------------------------------------------------------------- cleaned up old namespaces tls-issue-cert-manager-26795 ----------------------------------------------------------------------------------- Error from server (NotFound): namespaces "tls-issue-cert-manager-26795" not found waiting for namespace/tls-issue-cert-manager-26795 to be deletederror: resource(s) were provided, but no name was specified Error from server (NotFound): namespaces "tls-issue-cert-manager-26795" not found ----------------------------------------------------------------------------------- create namespace tls-issue-cert-manager-26795 ----------------------------------------------------------------------------------- namespace/tls-issue-cert-manager-26795 created Context "gke_cloud-dev-112233_us-central1-a_jen-pxc-2467-3dc7f023-16-cluster1" modified. ----------------------------------------------------------------------------------- create secrets for cloud storages ----------------------------------------------------------------------------------- secret/minio-secret created secret/aws-s3-secret created secret/do-spaces-secret created secret/gcp-cs-secret created secret/azure-secret created ----------------------------------------------------------------------------------- deploy cert manager ----------------------------------------------------------------------------------- namespace/cert-manager created namespace/cert-manager labeled namespace/cert-manager configured customresourcedefinition.apiextensions.k8s.io/challenges.acme.cert-manager.io created customresourcedefinition.apiextensions.k8s.io/orders.acme.cert-manager.io created customresourcedefinition.apiextensions.k8s.io/certificaterequests.cert-manager.io created customresourcedefinition.apiextensions.k8s.io/certificates.cert-manager.io created customresourcedefinition.apiextensions.k8s.io/clusterissuers.cert-manager.io created customresourcedefinition.apiextensions.k8s.io/issuers.cert-manager.io created serviceaccount/cert-manager-cainjector created serviceaccount/cert-manager created serviceaccount/cert-manager-webhook created clusterrole.rbac.authorization.k8s.io/cert-manager-cainjector created clusterrole.rbac.authorization.k8s.io/cert-manager-controller-issuers created clusterrole.rbac.authorization.k8s.io/cert-manager-controller-clusterissuers created clusterrole.rbac.authorization.k8s.io/cert-manager-controller-certificates created clusterrole.rbac.authorization.k8s.io/cert-manager-controller-orders created clusterrole.rbac.authorization.k8s.io/cert-manager-controller-challenges created clusterrole.rbac.authorization.k8s.io/cert-manager-controller-ingress-shim created clusterrole.rbac.authorization.k8s.io/cert-manager-cluster-view created clusterrole.rbac.authorization.k8s.io/cert-manager-view created clusterrole.rbac.authorization.k8s.io/cert-manager-edit created clusterrole.rbac.authorization.k8s.io/cert-manager-controller-approve:cert-manager-io created clusterrole.rbac.authorization.k8s.io/cert-manager-controller-certificatesigningrequests created clusterrole.rbac.authorization.k8s.io/cert-manager-webhook:subjectaccessreviews created clusterrolebinding.rbac.authorization.k8s.io/cert-manager-cainjector created clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-issuers created clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-clusterissuers created clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-certificates created clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-orders created clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-challenges created clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-ingress-shim created clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-approve:cert-manager-io created clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-certificatesigningrequests created clusterrolebinding.rbac.authorization.k8s.io/cert-manager-webhook:subjectaccessreviews created role.rbac.authorization.k8s.io/cert-manager-cainjector:leaderelection created role.rbac.authorization.k8s.io/cert-manager:leaderelection created role.rbac.authorization.k8s.io/cert-manager-tokenrequest created role.rbac.authorization.k8s.io/cert-manager-webhook:dynamic-serving created rolebinding.rbac.authorization.k8s.io/cert-manager-cainjector:leaderelection created rolebinding.rbac.authorization.k8s.io/cert-manager:leaderelection created rolebinding.rbac.authorization.k8s.io/cert-manager-tokenrequest created rolebinding.rbac.authorization.k8s.io/cert-manager-webhook:dynamic-serving created service/cert-manager-cainjector created service/cert-manager created service/cert-manager-webhook created deployment.apps/cert-manager-cainjector created deployment.apps/cert-manager created deployment.apps/cert-manager-webhook created mutatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook created validatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook created Warning: resource namespaces/cert-manager is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically. ----------------------------------------------------------------------------------- wait for cert-manager to be ready ----------------------------------------------------------------------------------- deployment.apps/cert-manager condition met E0516 21:29:43.177854 8576 reflector.go:227] "Failed to watch" err="Get \"https://34.28.179.30/apis/apps/v1/namespaces/cert-manager/deployments?allowWatchBookmarks=true&fieldSelector=metadata.name%3Dcert-manager&resourceVersion=1778966979205852000&timeoutSeconds=316&watch=true\": context canceled" reflector="k8s.io/client-go/tools/watch/informerwatcher.go:162" type="*unstructured.Unstructured" deployment.apps/cert-manager-cainjector condition met E0516 21:29:45.597009 8956 reflector.go:227] "Failed to watch" err="Get \"https://34.28.179.30/apis/apps/v1/namespaces/cert-manager/deployments?allowWatchBookmarks=true&fieldSelector=metadata.name%3Dcert-manager-cainjector&resourceVersion=1778966984205891000&timeoutSeconds=392&watch=true\": context canceled" reflector="k8s.io/client-go/tools/watch/informerwatcher.go:162" type="*unstructured.Unstructured" deployment.apps/cert-manager-webhook condition met E0516 21:29:47.752851 9279 reflector.go:227] "Failed to watch" err="Get \"https://34.28.179.30/apis/apps/v1/namespaces/cert-manager/deployments?allowWatchBookmarks=true&fieldSelector=metadata.name%3Dcert-manager-webhook&resourceVersion=1778966984205891000&timeoutSeconds=426&watch=true\": context canceled" reflector="k8s.io/client-go/tools/watch/informerwatcher.go:162" type="*unstructured.Unstructured" issuer.cert-manager.io/cert-manager-readiness-check created issuer.cert-manager.io "cert-manager-readiness-check" deleted from tls-issue-cert-manager-26795 namespace ----------------------------------------------------------------------------------- create pxc cluster ----------------------------------------------------------------------------------- secret/my-cluster-secrets created deployment.apps/pxc-client created perconaxtradbcluster.pxc.percona.com/some-name-tls-issue created ----------------------------------------------------------------------------------- wait for cluster to be ready ----------------------------------------------------------------------------------- ----------------------------------------------------------------------------------- wait for running cluster ----------------------------------------------------------------------------------- Error from server (NotFound): pods "some-name-tls-issue-haproxy-0" not found waiting for pod/some-name-tls-issue-haproxy-0 to become Ready..........................................................................Ok ----------------------------------------------------------------------------------- wait for running cluster ----------------------------------------------------------------------------------- pod/some-name-tls-issue-pxc-0 condition met E0516 21:33:38.729321 9005 reflector.go:227] "Failed to watch" err="Get \"https://34.28.179.30/api/v1/namespaces/tls-issue-cert-manager-26795/pods?allowWatchBookmarks=true&fieldSelector=metadata.name%3Dsome-name-tls-issue-pxc-0&resourceVersion=1778967218216879017&timeoutSeconds=459&watch=true\": context canceled" reflector="k8s.io/client-go/tools/watch/informerwatcher.go:162" type="*unstructured.Unstructured" waiting for pod/some-name-tls-issue-pxc-0 to become Ready.Ok pod/some-name-tls-issue-pxc-1 condition met waiting for pod/some-name-tls-issue-pxc-1 to become Ready.Ok pod/some-name-tls-issue-pxc-2 condition met waiting for pod/some-name-tls-issue-pxc-2 to become Ready.Ok ----------------------------------------------------------------------------------- wait cluster consistency ----------------------------------------------------------------------------------- waiting for pxc/some-name-tls-issue to be ready ----------------------------------------------------------------------------------- check if certificates issued with certmanager ----------------------------------------------------------------------------------- ----------------------------------------------------------------------------------- check if CA issuer created ----------------------------------------------------------------------------------- ----------------------------------------------------------------------------------- compare issuer/some-name-tls-issue-pxc-ca-issuer- ----------------------------------------------------------------------------------- [2026-05-16T21:36:33+0000] compare_kubectl: issuer/some-name-tls-issue-pxc-ca-issuer OK ----------------------------------------------------------------------------------- check if issuer created ----------------------------------------------------------------------------------- ----------------------------------------------------------------------------------- compare issuer/some-name-tls-issue-pxc-issuer- ----------------------------------------------------------------------------------- [2026-05-16T21:36:35+0000] compare_kubectl: issuer/some-name-tls-issue-pxc-issuer OK ----------------------------------------------------------------------------------- check if certificate issued ----------------------------------------------------------------------------------- ----------------------------------------------------------------------------------- compare certificate/some-name-tls-issue-ssl- ----------------------------------------------------------------------------------- [2026-05-16T21:36:37+0000] compare_kubectl: certificate/some-name-tls-issue-ssl OK ----------------------------------------------------------------------------------- check ssl-internal certificate using PXC ----------------------------------------------------------------------------------- mysql: [Warning] Using a password on the command line interface can be insecure. ----------------------------------------------------------------------------------- check ssl-internal certificate using HAProxy ----------------------------------------------------------------------------------- mysql: [Warning] Using a password on the command line interface can be insecure. ----------------------------------------------------------------------------------- trigger CA rotation and verify leaf cert re-issuance ----------------------------------------------------------------------------------- ----------------------------------------------------------------------------------- set rotationPolicy=Always on CA certificate ----------------------------------------------------------------------------------- certificate.cert-manager.io/some-name-tls-issue-ca-cert patched ----------------------------------------------------------------------------------- capture current CA fingerprint ----------------------------------------------------------------------------------- old CA: SHA256 Fingerprint=6A:8A:57:6F:ED:8B:FC:8D:5A:FF:F3:9B:01:47:BE:00:86:17:5A:8B:BF:E9:16:5E:15:E5:4D:D5:DD:39:3B:CB ----------------------------------------------------------------------------------- trigger CA renewal via status condition patch ----------------------------------------------------------------------------------- certificate.cert-manager.io/some-name-tls-issue-ca-cert replaced ----------------------------------------------------------------------------------- wait for cert-manager to issue new CA ----------------------------------------------------------------------------------- new CA: SHA256 Fingerprint=6F:87:A5:3F:F9:59:BA:07:46:9D:F2:18:55:6B:2D:BF:D0:C8:D0:3F:2A:7C:39:46:77:B2:7A:EB:F2:73:13:B0 ----------------------------------------------------------------------------------- trigger operator reconcile to detect CA mismatch ----------------------------------------------------------------------------------- perconaxtradbcluster.pxc.percona.com/some-name-tls-issue annotated ----------------------------------------------------------------------------------- wait for operator to re-issue leaf certs with new CA ----------------------------------------------------------------------------------- ----------------------------------------------------------------------------------- verify leaf secrets have new CA ----------------------------------------------------------------------------------- leaf certs re-issued with new CA ----------------------------------------------------------------------------------- restart all PXC and HAProxy pods to pick up new certs simultaneously ----------------------------------------------------------------------------------- pod "some-name-tls-issue-haproxy-0" force deleted from tls-issue-cert-manager-26795 namespace pod "some-name-tls-issue-haproxy-1" force deleted from tls-issue-cert-manager-26795 namespace pod "some-name-tls-issue-pxc-0" force deleted from tls-issue-cert-manager-26795 namespace pod "some-name-tls-issue-pxc-1" force deleted from tls-issue-cert-manager-26795 namespace pod "some-name-tls-issue-pxc-2" force deleted from tls-issue-cert-manager-26795 namespace Warning: Immediate deletion does not wait for confirmation that the running resource has been terminated. The resource may continue to run on the cluster indefinitely. ----------------------------------------------------------------------------------- wait for cluster to recover after full restart ----------------------------------------------------------------------------------- ----------------------------------------------------------------------------------- wait cluster consistency ----------------------------------------------------------------------------------- waiting for pxc/some-name-tls-issue to be ready.................................................. ----------------------------------------------------------------------------------- check ssl-internal certificate using PXC after CA rotation ----------------------------------------------------------------------------------- mysql: [Warning] Using a password on the command line interface can be insecure. ----------------------------------------------------------------------------------- check ssl-internal certificate using HAProxy after CA rotation ----------------------------------------------------------------------------------- mysql: [Warning] Using a password on the command line interface can be insecure. ----------------------------------------------------------------------------------- destroy cluster/operator and all other resources ----------------------------------------------------------------------------------- + kubectl patch pxc -n tls-issue-cert-manager-26795 some-name-tls-issue --type=merge -p '{"metadata":{"finalizers":[]}}' perconaxtradbcluster.pxc.percona.com/some-name-tls-issue patched perconaxtradbcluster.pxc.percona.com "some-name-tls-issue" deleted from tls-issue-cert-manager-26795 namespace No resources found No resources found validatingwebhookconfiguration.admissionregistration.k8s.io "percona-xtradbcluster-webhook" deleted namespace "cert-manager" deleted customresourcedefinition.apiextensions.k8s.io "challenges.acme.cert-manager.io" deleted customresourcedefinition.apiextensions.k8s.io "orders.acme.cert-manager.io" deleted customresourcedefinition.apiextensions.k8s.io "certificaterequests.cert-manager.io" deleted customresourcedefinition.apiextensions.k8s.io "certificates.cert-manager.io" deleted customresourcedefinition.apiextensions.k8s.io "clusterissuers.cert-manager.io" deleted customresourcedefinition.apiextensions.k8s.io "issuers.cert-manager.io" deleted serviceaccount "cert-manager-cainjector" deleted from cert-manager namespace serviceaccount "cert-manager" deleted from cert-manager namespace serviceaccount "cert-manager-webhook" deleted from cert-manager namespace clusterrole.rbac.authorization.k8s.io "cert-manager-cainjector" deleted clusterrole.rbac.authorization.k8s.io "cert-manager-controller-issuers" deleted clusterrole.rbac.authorization.k8s.io "cert-manager-controller-clusterissuers" deleted clusterrole.rbac.authorization.k8s.io "cert-manager-controller-certificates" deleted clusterrole.rbac.authorization.k8s.io "cert-manager-controller-orders" deleted clusterrole.rbac.authorization.k8s.io "cert-manager-controller-challenges" deleted clusterrole.rbac.authorization.k8s.io "cert-manager-controller-ingress-shim" deleted clusterrole.rbac.authorization.k8s.io "cert-manager-cluster-view" deleted clusterrole.rbac.authorization.k8s.io "cert-manager-view" deleted clusterrole.rbac.authorization.k8s.io "cert-manager-edit" deleted clusterrole.rbac.authorization.k8s.io "cert-manager-controller-approve:cert-manager-io" deleted clusterrole.rbac.authorization.k8s.io "cert-manager-controller-certificatesigningrequests" deleted clusterrole.rbac.authorization.k8s.io "cert-manager-webhook:subjectaccessreviews" deleted clusterrolebinding.rbac.authorization.k8s.io "cert-manager-cainjector" deleted clusterrolebinding.rbac.authorization.k8s.io "cert-manager-controller-issuers" deleted clusterrolebinding.rbac.authorization.k8s.io "cert-manager-controller-clusterissuers" deleted clusterrolebinding.rbac.authorization.k8s.io "cert-manager-controller-certificates" deleted clusterrolebinding.rbac.authorization.k8s.io "cert-manager-controller-orders" deleted clusterrolebinding.rbac.authorization.k8s.io "cert-manager-controller-challenges" deleted clusterrolebinding.rbac.authorization.k8s.io "cert-manager-controller-ingress-shim" deleted clusterrolebinding.rbac.authorization.k8s.io "cert-manager-controller-approve:cert-manager-io" deleted clusterrolebinding.rbac.authorization.k8s.io "cert-manager-controller-certificatesigningrequests" deleted clusterrolebinding.rbac.authorization.k8s.io "cert-manager-webhook:subjectaccessreviews" deleted role.rbac.authorization.k8s.io "cert-manager-cainjector:leaderelection" deleted from kube-system namespace role.rbac.authorization.k8s.io "cert-manager:leaderelection" deleted from kube-system namespace role.rbac.authorization.k8s.io "cert-manager-tokenrequest" deleted from cert-manager namespace role.rbac.authorization.k8s.io "cert-manager-webhook:dynamic-serving" deleted from cert-manager namespace rolebinding.rbac.authorization.k8s.io "cert-manager-cainjector:leaderelection" deleted from kube-system namespace rolebinding.rbac.authorization.k8s.io "cert-manager:leaderelection" deleted from kube-system namespace rolebinding.rbac.authorization.k8s.io "cert-manager-tokenrequest" deleted from cert-manager namespace rolebinding.rbac.authorization.k8s.io "cert-manager-webhook:dynamic-serving" deleted from cert-manager namespace service "cert-manager-cainjector" deleted from cert-manager namespace service "cert-manager" deleted from cert-manager namespace service "cert-manager-webhook" deleted from cert-manager namespace deployment.apps "cert-manager-cainjector" deleted from cert-manager namespace deployment.apps "cert-manager" deleted from cert-manager namespace deployment.apps "cert-manager-webhook" deleted from cert-manager namespace mutatingwebhookconfiguration.admissionregistration.k8s.io "cert-manager-webhook" deleted validatingwebhookconfiguration.admissionregistration.k8s.io "cert-manager-webhook" deleted ----------------------------------------------------------------------------------- test passed -----------------------------------------------------------------------------------