Troubleshooting Cassandra credential rotation

Symptom

During multi-region Cassandra credential rotation in Apigee hybrid, after the first region is rotated, rotations in subsequent regions fail and errors are logged in the secret rotation pod logs.

Error message

You see the following in the logs:

failed to run secret rotation: failed to create new users: failed to create new users

Workaround for Known Issue 397693324

Diagnosis

The SecretRotation resource indicates a failure in the Status field:

Status:
  Message:  initiated automated rollback
  State:    error

The secret rotation job pod logs contain the following error:

failed to run secret rotation: failed to create new users: failed to create new users

The create-new-users-job pod logs contain the following error:

Error creating clients with updated password: gocql: unable to create session: unable to discover protocol version: Provided username cassandra and/or password are incorrect

Resolution

Perform the following steps.

  1. In every region except the first, update the default Cassandra user (cassandra) password to the new rotated value in the old Secret.

    apiVersion: v1
    kind: Secret
    metadata:
      name: OLD_SECRET_NAME   # oldSecretRef
      namespace: APIGEE_NAMESPACE
    type: Opaque
    data:
      default.password: NEW_DEFAULT_PASSWORD   # base64-encoded string
      admin.user: OLD_ADMIN_USERNAME   # base64-encoded string
      admin.password: OLD_ADMIN_PASSWORD   # base64-encoded string
      dml.user: OLD_DML_USERNAME   # base64-encoded string
      dml.password: OLD_DML_PASSWORD   # base64-encoded string
      ddl.user: OLD_DDL_USERNAME   # base64-encoded string
      ddl.password: OLD_DDL_PASSWORD   # base64-encoded string
      jmx.user: OLD_JMX_USERNAME   # base64-encoded string
      jmx.password: OLD_JMX_PASSWORD   # base64-encoded string
      jolokia.user: OLD_JOLOKIA_USERNAME   # base64-encoded string
      jolokia.password: OLD_JOLOKIA_PASSWORD   # base64-encoded string

  2. Apply the updated Secret:

    kubectl apply -f OLD_SECRET_FILE

  3. Continue with the normal rotation process and it should succeed.
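
A check to run between steps 2 and 3, added here as an example and not part of the Apigee documentation or tooling: it encodes a value for the Secret's data field without a stray newline and confirms that default.password in the applied old Secret decodes to exactly the rotated password. The helper names and the ROTATED_DEFAULT_PASSWORD variable are assumptions; OLD_SECRET_NAME and APIGEE_NAMESPACE are the placeholders used above.

```shell
#!/bin/sh
# Added example, not Apigee tooling. Helper names are hypothetical.

# Encode a plaintext value for a Secret's data: field.
# printf '%s' adds no trailing newline (echo would), and tr removes the
# line wrapping that GNU base64 applies to long values.
b64_value() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Succeed only if $1 (base64) decodes to exactly $2 (plaintext).
# The appended "x" stops command substitution from silently dropping a
# trailing newline, so a value encoded with echo is reported as a mismatch.
check_secret_value() {
  decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null; printf x)
  [ "${decoded%x}" = "$2" ]
}

# Compare default.password in the live old Secret with the rotated password.
# $1 = Secret name (oldSecretRef), $2 = namespace, $3 = expected plaintext
verify_old_secret() {
  live=$(kubectl get secret "$1" -n "$2" \
    -o jsonpath='{.data.default\.password}')
  check_secret_value "$live" "$3"
}

# Runs only when all three variables are set. ROTATED_DEFAULT_PASSWORD is an
# assumed variable holding the plaintext password set in the first region.
if [ -n "${OLD_SECRET_NAME:-}" ] && [ -n "${APIGEE_NAMESPACE:-}" ] &&
   [ -n "${ROTATED_DEFAULT_PASSWORD:-}" ]; then
  if verify_old_secret "$OLD_SECRET_NAME" "$APIGEE_NAMESPACE" \
       "$ROTATED_DEFAULT_PASSWORD"; then
    echo "default.password matches the rotated value; continue the rotation"
  else
    echo "default.password does not match the rotated value" >&2
    exit 1
  fi
fi
```

Run it against each region other than the first, with the kubectl context pointing at that region's cluster.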

Must gather diagnostic information

If the problem persists even after following the above instructions, gather the following diagnostic information and then contact Google Cloud Customer Care:

  • In addition to the usual data you might be asked to provide, collect the logs from all the secret rotation pods.