Log: /mnt/jenkins/workspace/cloud-pxc-operator_PR-2476/e2e-tests/logs/tls-issue-cert-manager-8-0.log Warning: version difference between client (1.36) and server (1.33) exceeds the supported minor version skew of +/-1 Warning: version difference between client (1.36) and server (1.33) exceeds the supported minor version skew of +/-1 No resources found + kubectl patch pxc -n sh --type=merge -p '{"metadata":{"finalizers":[]}}' error: resource(s) were provided, but no name was specified No resources found No resources found No resources found error: resource(s) were provided, but no name was specified error: resource(s) were provided, but no name was specified error: resource(s) were provided, but no name was specified error: resource(s) were provided, but no name was specified error: resource(s) were provided, but no name was specified error: resource(s) were provided, but no name was specified ----------------------------------------------------------------------------------- cleaned up all old namespaces ----------------------------------------------------------------------------------- ----------------------------------------------------------------------------------- cleaned up old namespaces pxc-operator ----------------------------------------------------------------------------------- Error from server (NotFound): namespaces "pxc-operator" not found waiting for namespace/pxc-operator to be deletederror: resource(s) were provided, but no name was specified Error from server (NotFound): namespaces "pxc-operator" not found ----------------------------------------------------------------------------------- create namespace pxc-operator ----------------------------------------------------------------------------------- namespace/pxc-operator created Context "gke_cloud-dev-112233_us-central1-a_jen-pxc-2476-a8b01a39-5-cluster9" modified. ----------------------------------------------------------------------------------- start PXC operator ----------------------------------------------------------------------------------- customresourcedefinition.apiextensions.k8s.io/perconaxtradbclusterbackups.pxc.percona.com serverside-applied customresourcedefinition.apiextensions.k8s.io/perconaxtradbclusterrestores.pxc.percona.com serverside-applied customresourcedefinition.apiextensions.k8s.io/perconaxtradbclusters.pxc.percona.com serverside-applied clusterrole.rbac.authorization.k8s.io/percona-xtradb-cluster-operator unchanged serviceaccount/percona-xtradb-cluster-operator created clusterrolebinding.rbac.authorization.k8s.io/service-account-percona-xtradb-cluster-operator unchanged deployment.apps/percona-xtradb-cluster-operator created service/percona-xtradb-cluster-operator created pod/percona-xtradb-cluster-operator-8548fd5788-zq89r condition met E0516 21:23:00.411864 28953 reflector.go:227] "Failed to watch" err="Get \"https://34.173.106.112/api/v1/namespaces/pxc-operator/pods?allowWatchBookmarks=true&fieldSelector=metadata.name%3Dpercona-xtradb-cluster-operator-8548fd5788-zq89r&resourceVersion=1778966580052482000&timeoutSeconds=561&watch=true\": context canceled" reflector="k8s.io/client-go/tools/watch/informerwatcher.go:162" type="*unstructured.Unstructured" pod/percona-xtradb-cluster-operator-8548fd5788-zq89r condition met E0516 21:23:05.091981 29823 reflector.go:227] "Failed to watch" err="Get \"https://34.173.106.112/api/v1/namespaces/pxc-operator/pods?allowWatchBookmarks=true&fieldSelector=metadata.name%3Dpercona-xtradb-cluster-operator-8548fd5788-zq89r&resourceVersion=1778966584091415000&timeoutSeconds=510&watch=true\": context canceled" reflector="k8s.io/client-go/tools/watch/informerwatcher.go:162" type="*unstructured.Unstructured" waiting for pod/percona-xtradb-cluster-operator-8548fd5788-zq89r to become Ready.Ok error: resource(s) were provided, but no name was specified error: resource(s) were provided, but no name was specified error: resource(s) were provided, but no name was specified error: resource(s) were provided, but no name was specified error: resource(s) were provided, but no name was specified error: resource(s) were provided, but no name was specified ----------------------------------------------------------------------------------- cleaned up all old namespaces ----------------------------------------------------------------------------------- ----------------------------------------------------------------------------------- cleaned up old namespaces tls-issue-cert-manager-317 ----------------------------------------------------------------------------------- Error from server (NotFound): namespaces "tls-issue-cert-manager-317" not found waiting for namespace/tls-issue-cert-manager-317 to be deletederror: resource(s) were provided, but no name was specified Error from server (NotFound): namespaces "tls-issue-cert-manager-317" not found ----------------------------------------------------------------------------------- create namespace tls-issue-cert-manager-317 ----------------------------------------------------------------------------------- namespace/tls-issue-cert-manager-317 created Context "gke_cloud-dev-112233_us-central1-a_jen-pxc-2476-a8b01a39-5-cluster9" modified. ----------------------------------------------------------------------------------- create secrets for cloud storages ----------------------------------------------------------------------------------- secret/minio-secret created secret/aws-s3-secret created secret/do-spaces-secret created secret/gcp-cs-secret created secret/azure-secret created ----------------------------------------------------------------------------------- deploy cert manager ----------------------------------------------------------------------------------- namespace/cert-manager created namespace/cert-manager labeled namespace/cert-manager configured customresourcedefinition.apiextensions.k8s.io/challenges.acme.cert-manager.io created customresourcedefinition.apiextensions.k8s.io/orders.acme.cert-manager.io created customresourcedefinition.apiextensions.k8s.io/certificaterequests.cert-manager.io created customresourcedefinition.apiextensions.k8s.io/certificates.cert-manager.io created customresourcedefinition.apiextensions.k8s.io/clusterissuers.cert-manager.io created customresourcedefinition.apiextensions.k8s.io/issuers.cert-manager.io created serviceaccount/cert-manager-cainjector created serviceaccount/cert-manager created serviceaccount/cert-manager-webhook created clusterrole.rbac.authorization.k8s.io/cert-manager-cainjector created clusterrole.rbac.authorization.k8s.io/cert-manager-controller-issuers created clusterrole.rbac.authorization.k8s.io/cert-manager-controller-clusterissuers created clusterrole.rbac.authorization.k8s.io/cert-manager-controller-certificates created clusterrole.rbac.authorization.k8s.io/cert-manager-controller-orders created clusterrole.rbac.authorization.k8s.io/cert-manager-controller-challenges created clusterrole.rbac.authorization.k8s.io/cert-manager-controller-ingress-shim created clusterrole.rbac.authorization.k8s.io/cert-manager-cluster-view created clusterrole.rbac.authorization.k8s.io/cert-manager-view created clusterrole.rbac.authorization.k8s.io/cert-manager-edit created clusterrole.rbac.authorization.k8s.io/cert-manager-controller-approve:cert-manager-io created clusterrole.rbac.authorization.k8s.io/cert-manager-controller-certificatesigningrequests created clusterrole.rbac.authorization.k8s.io/cert-manager-webhook:subjectaccessreviews created clusterrolebinding.rbac.authorization.k8s.io/cert-manager-cainjector created clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-issuers created clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-clusterissuers created clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-certificates created clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-orders created clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-challenges created clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-ingress-shim created clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-approve:cert-manager-io created clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-certificatesigningrequests created clusterrolebinding.rbac.authorization.k8s.io/cert-manager-webhook:subjectaccessreviews created role.rbac.authorization.k8s.io/cert-manager-cainjector:leaderelection created role.rbac.authorization.k8s.io/cert-manager:leaderelection created role.rbac.authorization.k8s.io/cert-manager-tokenrequest created role.rbac.authorization.k8s.io/cert-manager-webhook:dynamic-serving created rolebinding.rbac.authorization.k8s.io/cert-manager-cainjector:leaderelection created rolebinding.rbac.authorization.k8s.io/cert-manager:leaderelection created rolebinding.rbac.authorization.k8s.io/cert-manager-tokenrequest created rolebinding.rbac.authorization.k8s.io/cert-manager-webhook:dynamic-serving created service/cert-manager-cainjector created service/cert-manager created service/cert-manager-webhook created deployment.apps/cert-manager-cainjector created deployment.apps/cert-manager created deployment.apps/cert-manager-webhook created mutatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook created validatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook created Warning: resource namespaces/cert-manager is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically. ----------------------------------------------------------------------------------- wait for cert-manager to be ready ----------------------------------------------------------------------------------- deployment.apps/cert-manager condition met E0516 21:25:12.659527 16580 reflector.go:227] "Failed to watch" err="Get \"https://34.173.106.112/apis/apps/v1/namespaces/cert-manager/deployments?allowWatchBookmarks=true&fieldSelector=metadata.name%3Dcert-manager&resourceVersion=1778966708841234000&timeoutSeconds=461&watch=true\": context canceled" reflector="k8s.io/client-go/tools/watch/informerwatcher.go:162" type="*unstructured.Unstructured" deployment.apps/cert-manager-cainjector condition met E0516 21:25:14.792790 17013 reflector.go:227] "Failed to watch" err="Get \"https://34.173.106.112/apis/apps/v1/namespaces/cert-manager/deployments?allowWatchBookmarks=true&fieldSelector=metadata.name%3Dcert-manager-cainjector&resourceVersion=1778966712727894000&timeoutSeconds=591&watch=true\": context canceled" reflector="k8s.io/client-go/tools/watch/informerwatcher.go:162" type="*unstructured.Unstructured" deployment.apps/cert-manager-webhook condition met E0516 21:25:16.827535 17317 reflector.go:227] "Failed to watch" err="Get \"https://34.173.106.112/apis/apps/v1/namespaces/cert-manager/deployments?allowWatchBookmarks=true&fieldSelector=metadata.name%3Dcert-manager-webhook&resourceVersion=1778966712727894000&timeoutSeconds=410&watch=true\": context canceled" reflector="k8s.io/client-go/tools/watch/informerwatcher.go:162" type="*unstructured.Unstructured" issuer.cert-manager.io/cert-manager-readiness-check created issuer.cert-manager.io "cert-manager-readiness-check" deleted from tls-issue-cert-manager-317 namespace ----------------------------------------------------------------------------------- create pxc cluster ----------------------------------------------------------------------------------- secret/my-cluster-secrets created deployment.apps/pxc-client created perconaxtradbcluster.pxc.percona.com/some-name-tls-issue created ----------------------------------------------------------------------------------- wait for cluster to be ready ----------------------------------------------------------------------------------- ----------------------------------------------------------------------------------- wait for running cluster ----------------------------------------------------------------------------------- Error from server (NotFound): pods "some-name-tls-issue-haproxy-0" not found waiting for pod/some-name-tls-issue-haproxy-0 to become Ready.................Ok ----------------------------------------------------------------------------------- wait for running cluster ----------------------------------------------------------------------------------- pod/some-name-tls-issue-pxc-0 condition met E0516 21:26:39.031710 29577 reflector.go:227] "Failed to watch" err="Get \"https://34.173.106.112/api/v1/namespaces/tls-issue-cert-manager-317/pods?allowWatchBookmarks=true&fieldSelector=metadata.name%3Dsome-name-tls-issue-pxc-0&resourceVersion=1778966795231711011&timeoutSeconds=429&watch=true\": context canceled" reflector="k8s.io/client-go/tools/watch/informerwatcher.go:162" type="*unstructured.Unstructured" waiting for pod/some-name-tls-issue-pxc-0 to become Ready.Ok pod/some-name-tls-issue-pxc-1 condition met waiting for pod/some-name-tls-issue-pxc-1 to become Ready.Ok pod/some-name-tls-issue-pxc-2 condition met waiting for pod/some-name-tls-issue-pxc-2 to become Ready.Ok ----------------------------------------------------------------------------------- wait cluster consistency ----------------------------------------------------------------------------------- waiting for pxc/some-name-tls-issue to be ready ----------------------------------------------------------------------------------- check if certificates issued with certmanager ----------------------------------------------------------------------------------- ----------------------------------------------------------------------------------- check if CA issuer created ----------------------------------------------------------------------------------- ----------------------------------------------------------------------------------- compare issuer/some-name-tls-issue-pxc-ca-issuer- ----------------------------------------------------------------------------------- [2026-05-16T21:29:35+0000] compare_kubectl: issuer/some-name-tls-issue-pxc-ca-issuer OK ----------------------------------------------------------------------------------- check if issuer created ----------------------------------------------------------------------------------- ----------------------------------------------------------------------------------- compare issuer/some-name-tls-issue-pxc-issuer- ----------------------------------------------------------------------------------- [2026-05-16T21:29:38+0000] compare_kubectl: issuer/some-name-tls-issue-pxc-issuer OK ----------------------------------------------------------------------------------- check if certificate issued ----------------------------------------------------------------------------------- ----------------------------------------------------------------------------------- compare certificate/some-name-tls-issue-ssl- ----------------------------------------------------------------------------------- [2026-05-16T21:29:39+0000] compare_kubectl: certificate/some-name-tls-issue-ssl OK ----------------------------------------------------------------------------------- check ssl-internal certificate using PXC ----------------------------------------------------------------------------------- mysql: [Warning] Using a password on the command line interface can be insecure. ----------------------------------------------------------------------------------- check ssl-internal certificate using HAProxy ----------------------------------------------------------------------------------- mysql: [Warning] Using a password on the command line interface can be insecure. ----------------------------------------------------------------------------------- trigger CA rotation and verify leaf cert re-issuance ----------------------------------------------------------------------------------- ----------------------------------------------------------------------------------- set rotationPolicy=Always on CA certificate ----------------------------------------------------------------------------------- certificate.cert-manager.io/some-name-tls-issue-ca-cert patched ----------------------------------------------------------------------------------- capture current CA fingerprint ----------------------------------------------------------------------------------- old CA: SHA256 Fingerprint=EC:00:23:CE:A5:9D:28:23:70:5F:AE:96:7D:1C:11:2B:C9:87:36:A2:E7:82:4D:12:43:9F:5F:94:7C:FF:94:D9 ----------------------------------------------------------------------------------- trigger CA renewal via status condition patch ----------------------------------------------------------------------------------- certificate.cert-manager.io/some-name-tls-issue-ca-cert replaced ----------------------------------------------------------------------------------- wait for cert-manager to issue new CA ----------------------------------------------------------------------------------- new CA: SHA256 Fingerprint=38:9E:4B:22:A9:8B:53:4B:8D:89:67:54:DA:04:BA:7A:73:6F:25:4E:69:E3:20:82:12:46:FB:18:64:24:79:25 ----------------------------------------------------------------------------------- trigger operator reconcile to detect CA mismatch ----------------------------------------------------------------------------------- perconaxtradbcluster.pxc.percona.com/some-name-tls-issue annotated ----------------------------------------------------------------------------------- wait for operator to re-issue leaf certs with new CA ----------------------------------------------------------------------------------- ----------------------------------------------------------------------------------- verify leaf secrets have new CA ----------------------------------------------------------------------------------- leaf certs re-issued with new CA ----------------------------------------------------------------------------------- restart all PXC and HAProxy pods to pick up new certs simultaneously ----------------------------------------------------------------------------------- pod "some-name-tls-issue-haproxy-0" force deleted from tls-issue-cert-manager-317 namespace pod "some-name-tls-issue-haproxy-1" force deleted from tls-issue-cert-manager-317 namespace pod "some-name-tls-issue-pxc-0" force deleted from tls-issue-cert-manager-317 namespace pod "some-name-tls-issue-pxc-1" force deleted from tls-issue-cert-manager-317 namespace pod "some-name-tls-issue-pxc-2" force deleted from tls-issue-cert-manager-317 namespace Warning: Immediate deletion does not wait for confirmation that the running resource has been terminated. The resource may continue to run on the cluster indefinitely. ----------------------------------------------------------------------------------- wait for cluster to recover after full restart ----------------------------------------------------------------------------------- ----------------------------------------------------------------------------------- wait for running cluster ----------------------------------------------------------------------------------- pod/some-name-tls-issue-haproxy-0 condition met waiting for pod/some-name-tls-issue-haproxy-0 to become Ready.Ok ----------------------------------------------------------------------------------- wait for running cluster ----------------------------------------------------------------------------------- pod/some-name-tls-issue-pxc-0 condition met E0516 21:35:17.465302 371 reflector.go:227] "Failed to watch" err="Get \"https://34.173.106.112/api/v1/namespaces/tls-issue-cert-manager-317/pods?allowWatchBookmarks=true&fieldSelector=metadata.name%3Dsome-name-tls-issue-pxc-0&resourceVersion=1778967313885311011&timeoutSeconds=515&watch=true\": context canceled" reflector="k8s.io/client-go/tools/watch/informerwatcher.go:162" type="*unstructured.Unstructured" waiting for pod/some-name-tls-issue-pxc-0 to become Ready.Ok pod/some-name-tls-issue-pxc-1 condition met waiting for pod/some-name-tls-issue-pxc-1 to become Ready.Ok pod/some-name-tls-issue-pxc-2 condition met waiting for pod/some-name-tls-issue-pxc-2 to become Ready.Ok ----------------------------------------------------------------------------------- wait cluster consistency ----------------------------------------------------------------------------------- waiting for pxc/some-name-tls-issue to be ready ----------------------------------------------------------------------------------- check ssl-internal certificate using PXC after CA rotation ----------------------------------------------------------------------------------- mysql: [Warning] Using a password on the command line interface can be insecure. ----------------------------------------------------------------------------------- check ssl-internal certificate using HAProxy after CA rotation ----------------------------------------------------------------------------------- mysql: [Warning] Using a password on the command line interface can be insecure. ----------------------------------------------------------------------------------- destroy cluster/operator and all other resources ----------------------------------------------------------------------------------- + kubectl patch pxc -n tls-issue-cert-manager-317 some-name-tls-issue --type=merge -p '{"metadata":{"finalizers":[]}}' perconaxtradbcluster.pxc.percona.com/some-name-tls-issue patched perconaxtradbcluster.pxc.percona.com "some-name-tls-issue" deleted from tls-issue-cert-manager-317 namespace No resources found No resources found validatingwebhookconfiguration.admissionregistration.k8s.io "percona-xtradbcluster-webhook" deleted namespace "cert-manager" deleted customresourcedefinition.apiextensions.k8s.io "challenges.acme.cert-manager.io" deleted customresourcedefinition.apiextensions.k8s.io "orders.acme.cert-manager.io" deleted customresourcedefinition.apiextensions.k8s.io "certificaterequests.cert-manager.io" deleted customresourcedefinition.apiextensions.k8s.io "certificates.cert-manager.io" deleted customresourcedefinition.apiextensions.k8s.io "clusterissuers.cert-manager.io" deleted customresourcedefinition.apiextensions.k8s.io "issuers.cert-manager.io" deleted serviceaccount "cert-manager-cainjector" deleted from cert-manager namespace serviceaccount "cert-manager" deleted from cert-manager namespace serviceaccount "cert-manager-webhook" deleted from cert-manager namespace clusterrole.rbac.authorization.k8s.io "cert-manager-cainjector" deleted clusterrole.rbac.authorization.k8s.io "cert-manager-controller-issuers" deleted clusterrole.rbac.authorization.k8s.io "cert-manager-controller-clusterissuers" deleted clusterrole.rbac.authorization.k8s.io "cert-manager-controller-certificates" deleted clusterrole.rbac.authorization.k8s.io "cert-manager-controller-orders" deleted clusterrole.rbac.authorization.k8s.io "cert-manager-controller-challenges" deleted clusterrole.rbac.authorization.k8s.io "cert-manager-controller-ingress-shim" deleted clusterrole.rbac.authorization.k8s.io "cert-manager-cluster-view" deleted clusterrole.rbac.authorization.k8s.io "cert-manager-view" deleted clusterrole.rbac.authorization.k8s.io "cert-manager-edit" deleted clusterrole.rbac.authorization.k8s.io "cert-manager-controller-approve:cert-manager-io" deleted clusterrole.rbac.authorization.k8s.io "cert-manager-controller-certificatesigningrequests" deleted clusterrole.rbac.authorization.k8s.io "cert-manager-webhook:subjectaccessreviews" deleted clusterrolebinding.rbac.authorization.k8s.io "cert-manager-cainjector" deleted clusterrolebinding.rbac.authorization.k8s.io "cert-manager-controller-issuers" deleted clusterrolebinding.rbac.authorization.k8s.io "cert-manager-controller-clusterissuers" deleted clusterrolebinding.rbac.authorization.k8s.io "cert-manager-controller-certificates" deleted clusterrolebinding.rbac.authorization.k8s.io "cert-manager-controller-orders" deleted clusterrolebinding.rbac.authorization.k8s.io "cert-manager-controller-challenges" deleted clusterrolebinding.rbac.authorization.k8s.io "cert-manager-controller-ingress-shim" deleted clusterrolebinding.rbac.authorization.k8s.io "cert-manager-controller-approve:cert-manager-io" deleted clusterrolebinding.rbac.authorization.k8s.io "cert-manager-controller-certificatesigningrequests" deleted clusterrolebinding.rbac.authorization.k8s.io "cert-manager-webhook:subjectaccessreviews" deleted role.rbac.authorization.k8s.io "cert-manager-cainjector:leaderelection" deleted from kube-system namespace role.rbac.authorization.k8s.io "cert-manager:leaderelection" deleted from kube-system namespace role.rbac.authorization.k8s.io "cert-manager-tokenrequest" deleted from cert-manager namespace role.rbac.authorization.k8s.io "cert-manager-webhook:dynamic-serving" deleted from cert-manager namespace rolebinding.rbac.authorization.k8s.io "cert-manager-cainjector:leaderelection" deleted from kube-system namespace rolebinding.rbac.authorization.k8s.io "cert-manager:leaderelection" deleted from kube-system namespace rolebinding.rbac.authorization.k8s.io "cert-manager-tokenrequest" deleted from cert-manager namespace rolebinding.rbac.authorization.k8s.io "cert-manager-webhook:dynamic-serving" deleted from cert-manager namespace service "cert-manager-cainjector" deleted from cert-manager namespace service "cert-manager" deleted from cert-manager namespace service "cert-manager-webhook" deleted from cert-manager namespace deployment.apps "cert-manager-cainjector" deleted from cert-manager namespace deployment.apps "cert-manager" deleted from cert-manager namespace deployment.apps "cert-manager-webhook" deleted from cert-manager namespace mutatingwebhookconfiguration.admissionregistration.k8s.io "cert-manager-webhook" deleted validatingwebhookconfiguration.admissionregistration.k8s.io "cert-manager-webhook" deleted ----------------------------------------------------------------------------------- test passed -----------------------------------------------------------------------------------