Skip to content

docs(hail): troubleshoot dev deploy "Unauthorized" failures#182

Open
violetbrina wants to merge 3 commits into
mainfrom
docs/hail-dev-deploy-unauthorized
Open

docs(hail): troubleshoot dev deploy "Unauthorized" failures#182
violetbrina wants to merge 3 commits into
mainfrom
docs/hail-dev-deploy-unauthorized

Conversation

@violetbrina

Copy link
Copy Markdown
Contributor

What

Adds a Troubleshooting: dev deploy fails with Unauthorized subsection to the Developer deploy section of hail.md.

Why

Dev deploys can fail with:

error: You must be logged in to the server (Unauthorized)

This surfaces first in the create_test_database_server_config job (the earliest step to run kubectl) and recurs in later kubectl steps such as create_ssl_config_hail_root (error: failed to create secret Unauthorized). The failing step is a red herring — the real cause is that GKE has invalidated the legacy admin-token service-account token in the developer's namespace, so every kubectl call in the deploy gets a 401. Re-running doesn't help because default_ns's kubectl apply won't regenerate an existing secret's token.

Contents of the new section

  • The exact errors and which jobs they appear in
  • Root cause (legacy SA-token invalidation via LegacyServiceAccountTokenCleanUp)
  • Read-only local diagnosis steps (kubectl auth whoami --token=... against the stored token)
  • The fix: delete + recreate the admin-token secret so the token controller mints a fresh token

Verified end-to-end against a live namespace: the diagnosis reproduces the 401, and the fix restores system:serviceaccount:<ns>:admin auth.

🤖 Generated with Claude Code

violetbrina and others added 3 commits July 13, 2026 16:05
Add a troubleshooting subsection to the Developer deploy section explaining
that a 401 "You must be logged in to the server (Unauthorized)" in dev deploy
jobs (first seen in create_test_database_server_config, recurring in
create_ssl_config_hail_root) is caused by GKE invalidating the legacy
admin-token service-account token. Includes local read-only diagnosis steps
and the fix (delete + recreate the admin-token secret).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Collapse the duplicated error blocks, merge the root-cause explanation
into a single paragraph, and drop the redundant read-only diagnostic
checks so the section leads straight to the confirm-and-fix steps.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
MD040 requires fenced code blocks to declare a language.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant