time=2026-02-12T12:49:40.242Z level=INFO msg="successfully loaded default package from filesystem" id=cert-manager-debian-bookworm-20230311+deb12u1.0-a3413a37a8e09cc2 path=/packages/cert-manager-package-debian.json time=2026-02-12T12:49:40.242Z level=INFO msg="registering webhook endpoints" time=2026-02-12T12:49:40.242Z level=INFO msg="Registering a validating webhook" logger=controller-runtime/builder GVK="trust.cert-manager.io/v1alpha1, Kind=Bundle" path=/validate-trust-cert-manager-io-v1alpha1-bundle time=2026-02-12T12:49:40.243Z level=INFO msg="Registering webhook" path=/validate-trust-cert-manager-io-v1alpha1-bundle logger=controller-runtime/webhook time=2026-02-12T12:49:40.243Z level=INFO msg="Starting metrics server" logger=controller-runtime/metrics time=2026-02-12T12:49:40.243Z level=INFO msg="starting server" name="health probe" addr=[::]:6060 time=2026-02-12T12:49:40.243Z level=INFO msg="Serving metrics server" logger=controller-runtime/metrics bindAddress=0.0.0.0:9402 secure=false time=2026-02-12T12:49:40.243Z level=INFO msg="Starting webhook server" logger=controller-runtime/webhook time=2026-02-12T12:49:40.243Z level=INFO msg="attempting to acquire leader lease cert-manager/trust-manager-leader-election..." time=2026-02-12T12:49:40.243Z level=INFO msg="Updated current TLS certificate" cert=/tls/tls.crt key=/tls/tls.key logger=controller-runtime/certwatcher time=2026-02-12T12:49:40.243Z level=INFO msg="Serving webhook server" logger=controller-runtime/webhook host=0.0.0.0 port=6443 time=2026-02-12T12:49:40.243Z level=INFO msg="Starting certificate poll+watcher" cert=/tls/tls.crt key=/tls/tls.key logger=controller-runtime/certwatcher interval=10s time=2026-02-12T12:49:40.248Z level=INFO msg="successfully acquired lease cert-manager/trust-manager-leader-election" time=2026-02-12T12:49:40.248Z level=DEBUG+3 msg="trust-manager-865b9c84ff-jbhbp_e5832928-c11f-49aa-b7cd-71e7a0c81323 became leader" logger=events type=Normal object="{Kind:Lease Namespace:cert-manager Name:trust-manager-leader-election UID:62fe41a8-0278-4b3d-b5bb-b7c2b34cbb08 APIVersion:coordination.k8s.io/v1 ResourceVersion:1336 FieldPath:}" reason=LeaderElection time=2026-02-12T12:49:40.248Z level=INFO msg="Starting EventSource" controller=bundles source="kind source: *v1.Secret" time=2026-02-12T12:49:40.248Z level=INFO msg="Starting EventSource" controller=bundles source="kind source: *v1.PartialObjectMetadata" time=2026-02-12T12:49:40.248Z level=INFO msg="Starting EventSource" controller=bundles source="kind source: *v1alpha1.Bundle" time=2026-02-12T12:49:40.248Z level=INFO msg="Starting EventSource" controller=bundles source="kind source: *v1.ConfigMap" time=2026-02-12T12:49:40.248Z level=INFO msg="Starting EventSource" controller=bundles source="kind source: *v1.Namespace" time=2026-02-12T12:49:40.349Z level=INFO msg="Starting Controller" controller=bundles time=2026-02-12T12:49:40.349Z level=INFO msg="Starting workers" controller=bundles "worker count"=1 time=2026-02-12T12:51:51.243Z level=DEBUG+3 msg="Successfully synced Bundle to all namespaces" logger=events type=Normal object="{Kind:Bundle Namespace: Name:trusted-ca UID:e89f56f0-1b4c-40c9-9ec7-7e29aa2e9991 APIVersion:trust.cert-manager.io/v1alpha1 ResourceVersion:3310 FieldPath:}" reason=Synced time=2026-02-12T12:52:00.146Z level=DEBUG+3 msg="Successfully synced Bundle to all namespaces" logger=events type=Normal object="{Kind:Bundle Namespace: Name:trusted-ca UID:e89f56f0-1b4c-40c9-9ec7-7e29aa2e9991 APIVersion:trust.cert-manager.io/v1alpha1 ResourceVersion:3363 FieldPath:}" reason=Synced time=2026-02-12T12:52:02.530Z level=DEBUG+3 msg="Successfully synced Bundle to all namespaces" logger=events type=Normal object="{Kind:Bundle Namespace: Name:trusted-ca UID:e89f56f0-1b4c-40c9-9ec7-7e29aa2e9991 APIVersion:trust.cert-manager.io/v1alpha1 ResourceVersion:3363 FieldPath:}" reason=Synced time=2026-02-12T12:52:19.944Z level=DEBUG+3 msg="Successfully synced Bundle to all namespaces" logger=events type=Normal object="{Kind:Bundle Namespace: Name:trusted-ca UID:e89f56f0-1b4c-40c9-9ec7-7e29aa2e9991 APIVersion:trust.cert-manager.io/v1alpha1 ResourceVersion:3363 FieldPath:}" reason=Synced time=2026-02-12T12:52:45.245Z level=DEBUG+3 msg="Successfully synced Bundle to all namespaces" logger=events type=Normal object="{Kind:Bundle Namespace: Name:trusted-ca UID:e89f56f0-1b4c-40c9-9ec7-7e29aa2e9991 APIVersion:trust.cert-manager.io/v1alpha1 ResourceVersion:3363 FieldPath:}" reason=Synced time=2026-02-12T12:52:55.742Z level=DEBUG+3 msg="Successfully synced Bundle to all namespaces" logger=events type=Normal object="{Kind:Bundle Namespace: Name:trusted-ca UID:e89f56f0-1b4c-40c9-9ec7-7e29aa2e9991 APIVersion:trust.cert-manager.io/v1alpha1 ResourceVersion:3363 FieldPath:}" reason=Synced time=2026-02-12T12:53:07.130Z level=DEBUG+3 msg="Successfully synced Bundle to all namespaces" logger=events type=Normal object="{Kind:Bundle Namespace: Name:trusted-ca UID:e89f56f0-1b4c-40c9-9ec7-7e29aa2e9991 APIVersion:trust.cert-manager.io/v1alpha1 ResourceVersion:3363 FieldPath:}" reason=Synced time=2026-02-12T12:53:16.264Z level=DEBUG+3 msg="Successfully synced Bundle to all namespaces" logger=events type=Normal object="{Kind:Bundle Namespace: Name:trusted-ca UID:e89f56f0-1b4c-40c9-9ec7-7e29aa2e9991 APIVersion:trust.cert-manager.io/v1alpha1 ResourceVersion:3363 FieldPath:}" reason=Synced time=2026-02-12T12:53:21.949Z level=DEBUG+3 msg="Successfully synced Bundle to all namespaces" logger=events type=Normal object="{Kind:Bundle Namespace: Name:trusted-ca UID:e89f56f0-1b4c-40c9-9ec7-7e29aa2e9991 APIVersion:trust.cert-manager.io/v1alpha1 ResourceVersion:3363 FieldPath:}" reason=Synced time=2026-02-12T12:53:24.045Z level=DEBUG+3 msg="Successfully synced Bundle to all namespaces" logger=events type=Normal object="{Kind:Bundle Namespace: Name:trusted-ca UID:e89f56f0-1b4c-40c9-9ec7-7e29aa2e9991 APIVersion:trust.cert-manager.io/v1alpha1 ResourceVersion:3363 FieldPath:}" reason=Synced time=2026-02-12T12:55:00.331Z level=DEBUG+3 msg="Successfully synced Bundle to all namespaces" logger=events type=Normal object="{Kind:Bundle Namespace: Name:trusted-ca UID:e89f56f0-1b4c-40c9-9ec7-7e29aa2e9991 APIVersion:trust.cert-manager.io/v1alpha1 ResourceVersion:3363 FieldPath:}" reason=Synced time=2026-02-12T12:55:27.643Z level=DEBUG+3 msg="Successfully synced Bundle to all namespaces" logger=events type=Normal object="{Kind:Bundle Namespace: Name:trusted-ca UID:e89f56f0-1b4c-40c9-9ec7-7e29aa2e9991 APIVersion:trust.cert-manager.io/v1alpha1 ResourceVersion:3363 FieldPath:}" reason=Synced time=2026-02-12T12:55:28.144Z level=DEBUG+3 msg="Successfully synced Bundle to all namespaces" logger=events type=Normal object="{Kind:Bundle Namespace: Name:trusted-ca UID:e89f56f0-1b4c-40c9-9ec7-7e29aa2e9991 APIVersion:trust.cert-manager.io/v1alpha1 ResourceVersion:3363 FieldPath:}" reason=Synced time=2026-02-12T13:03:03.343Z level=DEBUG+3 msg="Successfully synced Bundle to all namespaces" logger=events type=Normal object="{Kind:Bundle Namespace: Name:trusted-ca UID:e89f56f0-1b4c-40c9-9ec7-7e29aa2e9991 APIVersion:trust.cert-manager.io/v1alpha1 ResourceVersion:3363 FieldPath:}" reason=Synced time=2026-02-12T13:03:03.942Z level=DEBUG+3 msg="Successfully synced Bundle to all namespaces" logger=events type=Normal object="{Kind:Bundle Namespace: Name:trusted-ca UID:e89f56f0-1b4c-40c9-9ec7-7e29aa2e9991 APIVersion:trust.cert-manager.io/v1alpha1 ResourceVersion:3363 FieldPath:}" reason=Synced time=2026-02-12T13:06:27.484Z level=ERROR msg="Failed to update lock optimistically: the server was unable to return a response in the time allotted, but may still be processing the request (put leases.coordination.k8s.io trust-manager-leader-election), falling back to slow path" time=2026-02-12T13:08:12.747Z level=ERROR msg="Failed to update lock optimistically: Put \"https://10.96.0.1:443/apis/coordination.k8s.io/v1/namespaces/cert-manager/leases/trust-manager-leader-election?timeout=5s\": context deadline exceeded (Client.Timeout exceeded while awaiting headers), falling back to slow path" time=2026-02-12T13:09:09.130Z level=ERROR msg="Failed to update lock optimistically: Put \"https://10.96.0.1:443/apis/coordination.k8s.io/v1/namespaces/cert-manager/leases/trust-manager-leader-election?timeout=5s\": context deadline exceeded, falling back to slow path" time=2026-02-12T13:10:21.094Z level=ERROR msg="Failed to update lock optimistically: Put \"https://10.96.0.1:443/apis/coordination.k8s.io/v1/namespaces/cert-manager/leases/trust-manager-leader-election?timeout=5s\": net/http: request canceled (Client.Timeout exceeded while awaiting headers), falling back to slow path" time=2026-02-12T13:22:30.345Z level=DEBUG+3 msg="Successfully synced Bundle to all namespaces" logger=events type=Normal object="{Kind:Bundle Namespace: Name:trusted-ca UID:e89f56f0-1b4c-40c9-9ec7-7e29aa2e9991 APIVersion:trust.cert-manager.io/v1alpha1 ResourceVersion:3363 FieldPath:}" reason=Synced time=2026-02-12T13:26:32.306Z level=ERROR msg="Failed to update lock optimistically: Put \"https://10.96.0.1:443/apis/coordination.k8s.io/v1/namespaces/cert-manager/leases/trust-manager-leader-election?timeout=5s\": context deadline exceeded, falling back to slow path" time=2026-02-12T13:30:59.747Z level=ERROR msg="Failed to update lock optimistically: Put \"https://10.96.0.1:443/apis/coordination.k8s.io/v1/namespaces/cert-manager/leases/trust-manager-leader-election?timeout=5s\": net/http: request canceled (Client.Timeout exceeded while awaiting headers), falling back to slow path" time=2026-02-12T13:31:04.747Z level=ERROR msg="error retrieving resource lock cert-manager/trust-manager-leader-election: Get \"https://10.96.0.1:443/apis/coordination.k8s.io/v1/namespaces/cert-manager/leases/trust-manager-leader-election?timeout=5s\": context deadline exceeded" time=2026-02-12T13:31:04.747Z level=INFO msg="failed to renew lease cert-manager/trust-manager-leader-election: context deadline exceeded" Error: leader election lost Usage: trust-manager [flags] App flags: --leader-elect If true, trust-manager will perform leader election between instances to ensure no more than one instance of trust-manager operates at a time (default true) --leader-election-lease-duration duration Lease duration for leader election (default 15s) --leader-election-renew-deadline duration Lease renew deadline for leader election. (default 10s) --metrics-port int Port to expose Prometheus metrics on 0.0.0.0 on path '/metrics'. (default 9402) --readiness-probe-path string HTTP path to expose the readiness probe server. (default "/readyz") --readiness-probe-port int Port to expose the readiness probe. (default 6060) Bundle flags: --default-package-location string Path to a JSON file containing the default certificate package. If set, must be a valid package. --filter-expired-certificates Filter expired certificates from the bundle. --secret-targets-enabled Controls if secret targets are enabled in the Bundle API. --target-namespaces strings Comma-separated list of namespaces to limit both the manager and target caches. --trust-namespace string Namespace to source trust bundles from. (default "cert-manager") Logging flags: --log-format string Log format (text or json) (default "text") -v, --log-level int Log level (1-5). (default 1) Webhook flags: --webhook-certificate-dir string Directory where the Webhook certificate and private key are located. Certificate and private key must be named 'tls.crt' and 'tls.key' respectively. (default "/tls") --webhook-host string Host to serve webhook. (default "0.0.0.0") --webhook-port int Port to serve webhook. (default 6443) TLSConfig flags: --tls-cipher-suites strings Comma-separated list of cipher suites for the webhook server. If omitted, the default Go cipher suites will be used. Preferred values: TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256. Insecure values: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_RC4_128_SHA. --tls-min-version string Minimum TLS version supported. If omitted, the default Go minimum version will be used. Possible values: VersionTLS10,VersionTLS11,VersionTLS12,VersionTLS13 Kubernetes flags: --as string Username to impersonate for the operation. User could be a regular user or a service account in a namespace. --as-group stringArray Group to impersonate for the operation, this flag can be repeated to specify multiple groups. --as-uid string UID to impersonate for the operation. --cache-dir string Default cache directory (default "/home/nonroot/.kube/cache") --certificate-authority string Path to a cert file for the certificate authority --client-certificate string Path to a client certificate file for TLS --client-key string Path to a client key file for TLS --cluster string The name of the kubeconfig cluster to use --context string The name of the kubeconfig context to use --disable-compression If true, opt-out of response compression for all requests to the server --insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure --kubeconfig string Path to the kubeconfig file to use for CLI requests. -n, --namespace string If present, the namespace scope for this CLI request --request-timeout string The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. (default "0") -s, --server string The address and port of the Kubernetes API server --tls-server-name string Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used --token string Bearer token for authentication to the API server --user string The name of the kubeconfig user to use error: leader election lost