time=2026-03-20T21:17:45.878Z level=INFO msg="successfully loaded default package from filesystem" id=cert-manager-debian-bookworm-20230311+deb12u1.0-a3413a37a8e09cc2 path=/packages/cert-manager-package-debian.json
time=2026-03-20T21:17:45.878Z level=INFO msg="registering webhook endpoints"
time=2026-03-20T21:17:45.878Z level=INFO msg="Registering a validating webhook" logger=controller-runtime/builder GVK="trust.cert-manager.io/v1alpha1, Kind=Bundle" path=/validate-trust-cert-manager-io-v1alpha1-bundle
time=2026-03-20T21:17:45.878Z level=INFO msg="Registering webhook" path=/validate-trust-cert-manager-io-v1alpha1-bundle logger=controller-runtime/webhook
time=2026-03-20T21:17:45.878Z level=INFO msg="Starting metrics server" logger=controller-runtime/metrics
time=2026-03-20T21:17:45.878Z level=INFO msg="starting server" name="health probe" addr=[::]:6060
time=2026-03-20T21:17:45.878Z level=INFO msg="Serving metrics server" logger=controller-runtime/metrics bindAddress=0.0.0.0:9402 secure=false
time=2026-03-20T21:17:45.878Z level=INFO msg="Starting webhook server" logger=controller-runtime/webhook
time=2026-03-20T21:17:45.879Z level=INFO msg="Attempting to acquire leader lease..." lock=cert-manager/trust-manager-leader-election
time=2026-03-20T21:17:45.879Z level=INFO msg="Updated current TLS certificate" cert=/tls/tls.crt key=/tls/tls.key logger=controller-runtime/certwatcher
time=2026-03-20T21:17:45.879Z level=INFO msg="Serving webhook server" logger=controller-runtime/webhook host=0.0.0.0 port=6443
time=2026-03-20T21:17:45.879Z level=INFO msg="Starting certificate poll+watcher" cert=/tls/tls.crt key=/tls/tls.key logger=controller-runtime/certwatcher interval=10s
time=2026-03-20T21:17:45.885Z level=INFO msg="Successfully acquired lease" lock=cert-manager/trust-manager-leader-election
time=2026-03-20T21:17:45.885Z level=DEBUG+3 msg="trust-manager-5d5c6867f9-27bxf_28f70ea3-8b80-4a59-bb2f-750f22f005e3 became leader" logger=events type=Normal object="{Kind:Lease Namespace:cert-manager Name:trust-manager-leader-election UID:3f06045c-04cf-4d56-8a8b-7e03bc7aaf20 APIVersion:coordination.k8s.io/v1 ResourceVersion:875 FieldPath:}" reason=LeaderElection
time=2026-03-20T21:17:45.885Z level=INFO msg="Starting EventSource" controller=bundles source="kind source: *v1.PartialObjectMetadata"
time=2026-03-20T21:17:45.885Z level=INFO msg="Starting EventSource" controller=bundles source="kind source: *v1.ConfigMap"
time=2026-03-20T21:17:45.885Z level=INFO msg="Starting EventSource" controller=bundles source="kind source: *v1.Namespace"
time=2026-03-20T21:17:45.886Z level=INFO msg="Starting EventSource" controller=bundles source="kind source: *v1.Secret"
time=2026-03-20T21:17:45.886Z level=INFO msg="Starting EventSource" controller=bundles source="kind source: *v1alpha1.Bundle"
time=2026-03-20T21:17:45.955Z level=ERROR msg="Server rejected event (will not retry!)" err="events is forbidden: User \"system:serviceaccount:cert-manager:trust-manager\" cannot create resource \"events\" in API group \"\" in the namespace \"cert-manager\"" event="&Event{ObjectMeta:{trust-manager-leader-election.189ea9505eeb5ec6 cert-manager 0 0001-01-01 00:00:00 +0000 UTC map[] map[] [] [] []},InvolvedObject:ObjectReference{Kind:Lease,Namespace:cert-manager,Name:trust-manager-leader-election,UID:3f06045c-04cf-4d56-8a8b-7e03bc7aaf20,APIVersion:coordination.k8s.io/v1,ResourceVersion:875,FieldPath:,},Reason:LeaderElection,Message:trust-manager-5d5c6867f9-27bxf_28f70ea3-8b80-4a59-bb2f-750f22f005e3 became leader,Source:EventSource{Component:trust-manager-5d5c6867f9-27bxf_28f70ea3-8b80-4a59-bb2f-750f22f005e3,Host:,},FirstTimestamp:2026-03-20 21:17:45.885515462 +0000 UTC m=+0.297326459,LastTimestamp:2026-03-20 21:17:45.885515462 +0000 UTC m=+0.297326459,Count:1,Type:Normal,EventTime:0001-01-01 00:00:00 +0000 UTC,Series:nil,Action:,Related:nil,ReportingController:trust-manager-5d5c6867f9-27bxf_28f70ea3-8b80-4a59-bb2f-750f22f005e3,ReportingInstance:,}"
time=2026-03-20T21:17:47.086Z level=INFO msg="Starting Controller" controller=bundles
time=2026-03-20T21:17:47.086Z level=INFO msg="Starting workers" controller=bundles "worker count"=1
time=2026-03-20T21:20:14.398Z level=DEBUG+3 msg="Successfully synced Bundle to all namespaces" logger=events type=Normal object=nil action=Synced reason=Synced
time=2026-03-20T21:20:32.482Z level=DEBUG+3 msg="Successfully synced Bundle to all namespaces" logger=events type=Normal object=nil action=Synced reason=Synced
time=2026-03-20T21:20:34.879Z level=DEBUG+3 msg="Successfully synced Bundle to all namespaces" logger=events type=Normal object=nil action=Synced reason=Synced
time=2026-03-20T21:21:01.459Z level=DEBUG+3 msg="Successfully synced Bundle to all namespaces" logger=events type=Normal object=nil action=Synced reason=Synced
time=2026-03-20T21:21:17.602Z level=DEBUG+3 msg="Successfully synced Bundle to all namespaces" logger=events type=Normal object=nil action=Synced reason=Synced
time=2026-03-20T21:21:28.284Z level=DEBUG+3 msg="Successfully synced Bundle to all namespaces" logger=events type=Normal object=nil action=Synced reason=Synced
time=2026-03-20T21:21:40.978Z level=DEBUG+3 msg="Successfully synced Bundle to all namespaces" logger=events type=Normal object=nil action=Synced reason=Synced
time=2026-03-20T21:21:50.582Z level=DEBUG+3 msg="Successfully synced Bundle to all namespaces" logger=events type=Normal object=nil action=Synced reason=Synced
time=2026-03-20T21:21:57.078Z level=DEBUG+3 msg="Successfully synced Bundle to all namespaces" logger=events type=Normal object=nil action=Synced reason=Synced
time=2026-03-20T21:21:59.359Z level=DEBUG+3 msg="Successfully synced Bundle to all namespaces" logger=events type=Normal object=nil action=Synced reason=Synced
time=2026-03-20T21:23:34.499Z level=DEBUG+3 msg="Successfully synced Bundle to all namespaces" logger=events type=Normal object=nil action=Synced reason=Synced
time=2026-03-20T21:24:05.660Z level=DEBUG+3 msg="Successfully synced Bundle to all namespaces" logger=events type=Normal object=nil action=Synced reason=Synced
time=2026-03-20T21:24:05.961Z level=DEBUG+3 msg="Successfully synced Bundle to all namespaces" logger=events type=Normal object=nil action=Synced reason=Synced
time=2026-03-20T21:31:12.256Z level=DEBUG+3 msg="Successfully synced Bundle to all namespaces" logger=events type=Normal object=nil action=Synced reason=Synced
time=2026-03-20T21:35:38.556Z level=ERROR msg="Failed to update lease optimistically, falling back to slow path" err="Put \"https://10.96.0.1:443/apis/coordination.k8s.io/v1/namespaces/cert-manager/leases/trust-manager-leader-election?timeout=5s\": net/http: request canceled (Client.Timeout exceeded while awaiting headers)" lock=cert-manager/trust-manager-leader-election
time=2026-03-20T21:35:43.556Z level=ERROR msg="Error retrieving lease lock" err="Get \"https://10.96.0.1:443/apis/coordination.k8s.io/v1/namespaces/cert-manager/leases/trust-manager-leader-election?timeout=5s\": context deadline exceeded" lock=cert-manager/trust-manager-leader-election
time=2026-03-20T21:35:43.556Z level=INFO msg="Failed to renew lease" lock=cert-manager/trust-manager-leader-election err="context deadline exceeded"
Error: leader election lost
time=2026-03-20T21:35:46.652Z level=DEBUG+3 msg="trust-manager-5d5c6867f9-27bxf_28f70ea3-8b80-4a59-bb2f-750f22f005e3 stopped leading" logger=events type=Normal object="{Kind:Lease Namespace:cert-manager Name:trust-manager-leader-election UID:3f06045c-04cf-4d56-8a8b-7e03bc7aaf20 APIVersion:coordination.k8s.io/v1 ResourceVersion:12743 FieldPath:}" reason=LeaderElection
Usage:
  trust-manager [flags]

App flags:
      --leader-elect If true, trust-manager will perform leader election between instances to ensure no more than one instance of trust-manager operates at a time (default true)
      --leader-election-lease-duration duration Lease duration for leader election (default 15s)
      --leader-election-renew-deadline duration Lease renew deadline for leader election. (default 10s)
      --metrics-port int Port to expose Prometheus metrics on 0.0.0.0 on path '/metrics'. (default 9402)
      --readiness-probe-path string HTTP path to expose the readiness probe server. (default "/readyz")
      --readiness-probe-port int Port to expose the readiness probe. (default 6060)

Bundle flags:
      --default-package-location string Path to a JSON file containing the default certificate package. If set, must be a valid package.
      --filter-expired-certificates Filter expired certificates from the bundle.
      --filter-non-ca-certs Filter non-CA certificates, only CAs are used in the resulting Bundle
      --secret-targets-enabled Controls if secret targets are enabled in the Bundle API.
      --target-namespaces strings Comma-separated list of namespaces to limit both the manager and target caches.
      --trust-namespace string Namespace to source trust bundles from. (default "cert-manager")

Logging flags:
      --log-format string Log format (text or json) (default "text")
  -v, --log-level int Log level (1-5). (default 1)

Webhook flags:
      --webhook-certificate-dir string Directory where the Webhook certificate and private key are located. Certificate and private key must be named 'tls.crt' and 'tls.key' respectively. (default "/tls")
      --webhook-host string Host to serve webhook. (default "0.0.0.0")
      --webhook-port int Port to serve webhook. (default 6443)

TLSConfig flags:
      --tls-cipher-suites strings Comma-separated list of cipher suites for the webhook server. If omitted, the default Go cipher suites will be used. Preferred values: TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256. Insecure values: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_RC4_128_SHA.
      --tls-min-version string Minimum TLS version supported. If omitted, the default Go minimum version will be used. Possible values: VersionTLS10,VersionTLS11,VersionTLS12,VersionTLS13

Kubernetes flags:
      --as string Username to impersonate for the operation. User could be a regular user or a service account in a namespace.
      --as-group stringArray Group to impersonate for the operation, this flag can be repeated to specify multiple groups.
      --as-uid string UID to impersonate for the operation.
      --as-user-extra stringArray User extras to impersonate for the operation, this flag can be repeated to specify multiple values for the same key.
      --cache-dir string Default cache directory (default "/home/nonroot/.kube/cache")
      --certificate-authority string Path to a cert file for the certificate authority
      --client-certificate string Path to a client certificate file for TLS
      --client-key string Path to a client key file for TLS
      --cluster string The name of the kubeconfig cluster to use
      --context string The name of the kubeconfig context to use
      --disable-compression If true, opt-out of response compression for all requests to the server
      --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
      --kubeconfig string Path to the kubeconfig file to use for CLI requests.
  -n, --namespace string If present, the namespace scope for this CLI request
      --request-timeout string The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. (default "0")
  -s, --server string The address and port of the Kubernetes API server
      --tls-server-name string Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used
      --token string Bearer token for authentication to the API server
      --user string The name of the kubeconfig user to use

error: leader election lost