Search
Knowledge Base
2025.10
GENERIC
Networking
Storage
Compute
Designate
Orchestration
Self-Hosted
Install
UPGRADE
Monitoring
Add-Ons
Title
Message
Create new category
What is the title of your new category?
Edit page index title
What is the title of the page index?
Edit category
What is the new title of your category?
Edit link
What is the new title and URL of your link?
Vouch-Noauth And Vouch-Keystone Pods Are Not Ready Due To Token Expiry
Summarize Page
Copy Markdown
Open in ChatGPT
Open in Claude
Problem
The Vouch-Noauth and Vouch-Keystone pods are not in a ready state in both Infra and Workload regions. This situation is preventing the environments from being fully operational and has resulted in the upgrade being stalled.
Environment
- Self-Hosted Private Cloud Director Virtualization - v2025.2 to v2025.6
Cause
- Vouch token stored in consul has expired, and it weren't renewed automatically by the
vouch-renew-tokencronjob. - The issue has been reported as a bug, and the Platform Engineering team tracked it under the ID PCD-1468 and the fix has been released in July release.
Diagnostics
vouch-keystoneandvouch-noauthpods become not ready.
Sample Output
​x
$ kubectl get pods --all-namespaces | grep vouch  [INFRA_NS] vouch-keystone-POD 1/2 Running 0 3h[INFRA_NS] vouch-noauth-POD 2/3 Running 0 3h​[WORKLOAD_NS] vouch-keystone-POD 1/2 Running 0 3h[WORKLOAD_NS] vouch-noauth-POD 2/3 Running 0 3h- Perform the cURL Test
Steps:
- Exec in to vouch-keystone pod and get the vault token from keystone.conf
Command
$ kubectl exec -it -n <AFFECTED_NS> <vouch-keystone-POD> -- bash[vouch-keystone-POD>]$ grep vault_token /etc/vouch/vouch-keystone.conf | awk '{ print $2 }'- Run the cURL command after replacing the actual token from above output
Command
$ curl --header "X-Vault-Token: <TOKEN>" "http://decco-vault-active.default.svc.cluster.local:8200/v1/auth/token/lookup-self" -vSample Output
$ curl --header "X-Vault-Token: <TOKEN>" "http://decco-vault-active.default.svc.cluster.local:8200/v1/auth/token/lookup-self" -v​Host decco-vault-active.default.svc.cluster.local:8200 was resolved.......​{"errors":["permission denied"]}​* Connection #0 to host decco-vault-active.default.svc.cluster.local left intactIf the token has expired, the output will indicate "Permission denied." as shown above.
Resolution
- Upgrade to Self-hosted Private Cloud Director July release and above version.
Workaround
- Manually renew the expired token so that vouch pods can communicate with consul.
Steps:
- Get the
CONSUL_HTTP_TOKENfrom Airctl host [The host with airctl state file is present]
Bash
$ grep consulToken ${HOME}/.airctl/state.yaml | cut -d' ' -f2- Exec into
decco-consul-consul-serverpod in default namespace
Command
$ kubectl exec -it decco-consul-consul-server-0 -- sh -n default- Export the COSUL_HTTP_TOKEN from step 1 in
decco-consul-consul-serverpod
Command
[decco-consul-consul-server-0]$ export CONSUL_HTTP_TOKEN="<TOKEN>"The following commands generate a number of outputs that corresponds to the total number of regions present in the environment.
- Retrieve region UUIDs.
Command
[decco-consul-consul-server-0]$ consul kv get -recurse | grep region_uuid- The
<REGION_UUID>serves a crucial role in distinguishing between multiple regions. This unique identifier ensures that each region can be clearly identified and managed effectively within your environment.
Sample Output
region_fqdns/example-infra.platform9.localnet/region_uuid:<REGION_UUID>region_fqdns/example-workload.platform9.localnet/region_uuid:<REGION_UUID>- Retrieve existing tokens
Command
[decco-consul-consul-server-0]$ consul kv get -recurse | grep host_signing_tokenSample Output
customers/<CUSTOMER_ID>/regions/REGION_UUID/services/vouch/vault/host_signing_token:hvs.<TOKEN>- Delete the existing Token for the specified affected region(s).
Command
[decco-consul-consul-server-0]$ consul kv delete customers/<CUSTOMER_ID>/regions/REGION_UUID/services/vouch/vault/host_signing_tokenSample Output
Success! Deleted key: customers/<CUSTOMER_ID>/regions/REGION_UUID/services/vouch/vault/host_signing_tokenExit from the decco-consul-consul-server pod
- Manually run the
vouch-renew-tokenJob
Repeat this step for all affected regions by changing the <AFFECTED_NS>
Command
$ kubectl create job --from=cronjob/vouch-renew-token vouch-renew-token-manual -n <AFFECTED_NS>- Check if the
Vouch-keystone and Vouch-noauthback healthy
Command
$ kubectl get pods --all-namespaces | grep vouch- If these steps prove insufficient to resolve the issue, reach out to the Platform9 Support Team for additional assistance.
Type to search, ESC to discard
Type to search, ESC to discard
Type to search, ESC to discard
Last updated on
Was this page helpful?
Discard Changes
Do you want to discard your current changes and overwrite with the template?
Archive Synced Block
Message
Create new Template
What is this template's title?
Delete Template
Message