We have a handful of bug reports like T176027#4988213 where an existing tool account has been partially set up for use with Kubernetes. The root causes for the provisioning failures are currently unknown, but the "easy" fix is to:
- Remove the $HOME/.kube of the tool
- Stop maintain-kubeusers on tools-k8s-master-01
- Edit /etc/kubernetes/tokenauth to remove any token already issued for the tool
- Start maintain-kubeusers on tools-k8s-master-01
- Monitor logs to see the tool's namespace and credentials created
It would be nice to have an automatic (or even manual, honestly) verification command that would reconcile the issued tokens and created namespaces against the generated config files for each tool. This would involve a lot of filesystem reads across NFS, so we don't want to do it really often, but once a week should be survivable. The implementation could apply some waits between file reads as well to be even more mindful of NFS server load.
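A sketch of the reconciliation check described above, added here as an example and not taken from maintain-kubeusers. It assumes the token file uses the Kubernetes static token file layout (`token,user,uid,"groups"`), that the user and namespace are both named after the tool, and that each tool's kubeconfig carries a `token:` line; the `read_kubeconfig` callable, the function names and all sample data are hypothetical.

```python
import csv, hmac, io, re, time

TOKEN_RE = re.compile(r'^\s*token:\s*"?([^"\s]+)"?\s*$', re.M)

def parse_tokenauth(text):
    """Static token file rows are token,user,uid[,"groups"]; return {user: token}."""
    issued = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 3 and not row[0].startswith("#"):
            issued[row[1].strip()] = row[0].strip()
    return issued

def reconcile(tools, tokenauth_text, namespaces, read_kubeconfig, delay=0.0):
    """Return {tool: [problems]} for tools whose three artifacts disagree."""
    issued = parse_tokenauth(tokenauth_text)
    report = {}
    for tool in tools:
        cfg = read_kubeconfig(tool)   # one NFS read per tool; None if missing
        time.sleep(delay)             # spread the reads to limit NFS load
        problems = []
        if tool not in issued:
            problems.append("no token issued")
        if tool not in namespaces:
            problems.append("no namespace")
        if cfg is None:
            problems.append("no kubeconfig")
        else:
            m = TOKEN_RE.search(cfg)
            cfg_tok = (m.group(1) if m else "").encode()
            if tool in issued and not hmac.compare_digest(cfg_tok, issued[tool].encode()):
                problems.append("kubeconfig token does not match issued token")
        if problems:
            report[tool] = problems   # tool names only; never log token values
    return report

# Constructed sample data (not real tools, groups or tokens).
SAMPLE_TOKENAUTH = 'tokA,tool-a,tool-a,"grp"\ntokB,tool-b,tool-b,"grp"\ntokC,tool-c,tool-c,"grp"\n'
SAMPLE_NAMESPACES = {"tool-a", "tool-c"}
SAMPLE_CONFIGS = {"tool-a": "users:\n- name: tool-a\n  user:\n    token: tokA\n",
                  "tool-b": "users:\n- name: tool-b\n  user:\n    token: stale\n"}

if __name__ == "__main__":
    tools = ["tool-a", "tool-b", "tool-c", "tool-d"]
    found = reconcile(tools, SAMPLE_TOKENAUTH, SAMPLE_NAMESPACES, SAMPLE_CONFIGS.get)
    for tool, problems in found.items():
        print(tool, "; ".join(problems))
```

In a real run, `read_kubeconfig` would open the tool's `$HOME/.kube` config over NFS and `delay` would be set to a non-zero value; the report deliberately contains tool names and problem strings only, so it can be logged without exposing credentials.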