time=2026-02-12T11:46:48.869Z level=INFO msg="successfully loaded default package from filesystem" id=cert-manager-debian-bookworm-20230311+deb12u1.0-a3413a37a8e09cc2 path=/packages/cert-manager-package-debian.json
time=2026-02-12T11:46:48.869Z level=INFO msg="registering webhook endpoints"
time=2026-02-12T11:46:48.869Z level=INFO msg="Registering a validating webhook" logger=controller-runtime/builder GVK="trust.cert-manager.io/v1alpha1, Kind=Bundle" path=/validate-trust-cert-manager-io-v1alpha1-bundle
time=2026-02-12T11:46:48.869Z level=INFO msg="Registering webhook" path=/validate-trust-cert-manager-io-v1alpha1-bundle logger=controller-runtime/webhook
time=2026-02-12T11:46:48.870Z level=INFO msg="Starting metrics server" logger=controller-runtime/metrics
time=2026-02-12T11:46:48.870Z level=INFO msg="starting server" name="health probe" addr=[::]:6060
time=2026-02-12T11:46:48.870Z level=INFO msg="Serving metrics server" logger=controller-runtime/metrics bindAddress=0.0.0.0:9402 secure=false
time=2026-02-12T11:46:48.870Z level=INFO msg="Starting webhook server" logger=controller-runtime/webhook
time=2026-02-12T11:46:48.870Z level=INFO msg="attempting to acquire leader lease cert-manager/trust-manager-leader-election..."
time=2026-02-12T11:46:48.870Z level=INFO msg="Updated current TLS certificate" cert=/tls/tls.crt key=/tls/tls.key logger=controller-runtime/certwatcher
time=2026-02-12T11:46:48.870Z level=INFO msg="Serving webhook server" logger=controller-runtime/webhook host=0.0.0.0 port=6443
time=2026-02-12T11:46:48.870Z level=INFO msg="Starting certificate poll+watcher" cert=/tls/tls.crt key=/tls/tls.key logger=controller-runtime/certwatcher interval=10s
time=2026-02-12T11:46:48.993Z level=INFO msg="successfully acquired lease cert-manager/trust-manager-leader-election"
time=2026-02-12T11:46:48.994Z level=DEBUG+3 msg="trust-manager-865b9c84ff-2rjth_ec901c55-8231-4f52-b7e5-368cff8915d9 became leader" logger=events type=Normal object="{Kind:Lease Namespace:cert-manager Name:trust-manager-leader-election UID:fa5c26c7-ccf0-4f9c-a277-c3869324fafa APIVersion:coordination.k8s.io/v1 ResourceVersion:31898 FieldPath:}" reason=LeaderElection
time=2026-02-12T11:46:48.994Z level=INFO msg="Starting EventSource" controller=bundles source="kind source: *v1.ConfigMap"
time=2026-02-12T11:46:48.994Z level=INFO msg="Starting EventSource" controller=bundles source="kind source: *v1alpha1.Bundle"
time=2026-02-12T11:46:48.994Z level=INFO msg="Starting EventSource" controller=bundles source="kind source: *v1.Namespace"
time=2026-02-12T11:46:48.994Z level=INFO msg="Starting EventSource" controller=bundles source="kind source: *v1.Secret"
time=2026-02-12T11:46:48.995Z level=INFO msg="Starting EventSource" controller=bundles source="kind source: *v1.PartialObjectMetadata"
time=2026-02-12T11:46:49.096Z level=INFO msg="Starting Controller" controller=bundles
time=2026-02-12T11:46:49.096Z level=INFO msg="Starting workers" controller=bundles "worker count"=1
time=2026-02-12T11:52:26.683Z level=ERROR msg="Failed to update lock optimistically: Put \"https://10.96.0.1:443/apis/coordination.k8s.io/v1/namespaces/cert-manager/leases/trust-manager-leader-election?timeout=5s\": context deadline exceeded, falling back to slow path"
time=2026-02-12T11:52:31.683Z level=ERROR msg="error retrieving resource lock cert-manager/trust-manager-leader-election: Get \"https://10.96.0.1:443/apis/coordination.k8s.io/v1/namespaces/cert-manager/leases/trust-manager-leader-election?timeout=5s\": context deadline exceeded"
time=2026-02-12T11:52:31.683Z level=INFO msg="failed to renew lease cert-manager/trust-manager-leader-election: context deadline exceeded"
time=2026-02-12T11:52:36.683Z level=ERROR msg="error retrieving resource lock cert-manager/trust-manager-leader-election: Get \"https://10.96.0.1:443/apis/coordination.k8s.io/v1/namespaces/cert-manager/leases/trust-manager-leader-election?timeout=5s\": net/http: request canceled (Client.Timeout exceeded while awaiting headers)"
time=2026-02-12T11:52:36.683Z level=DEBUG+3 msg="trust-manager-865b9c84ff-2rjth_ec901c55-8231-4f52-b7e5-368cff8915d9 stopped leading" logger=events type=Normal object="{Kind:Lease Namespace:cert-manager Name:trust-manager-leader-election UID:fa5c26c7-ccf0-4f9c-a277-c3869324fafa APIVersion:coordination.k8s.io/v1 ResourceVersion:39993 FieldPath:}" reason=LeaderElection
Error: leader election lost
time=2026-02-12T11:52:36.683Z level=INFO msg="Stopping and waiting for non leader election runnables"
time=2026-02-12T11:52:36.683Z level=INFO msg="Stopping and waiting for leader election runnables"
Usage:
  trust-manager [flags]

App flags:
      --leader-elect   If true, trust-manager will perform leader election between instances to ensure no more than one instance of trust-manager operates at a time (default true)
      --leader-election-lease-duration duration   Lease duration for leader election (default 15s)
      --leader-election-renew-deadline duration   Lease renew deadline for leader election. (default 10s)
      --metrics-port int   Port to expose Prometheus metrics on 0.0.0.0 on path '/metrics'. (default 9402)
      --readiness-probe-path string   HTTP path to expose the readiness probe server. (default "/readyz")
      --readiness-probe-port int   Port to expose the readiness probe. (default 6060)

Bundle flags:
      --default-package-location string   Path to a JSON file containing the default certificate package. If set, must be a valid package.
      --filter-expired-certificates   Filter expired certificates from the bundle.
      --secret-targets-enabled   Controls if secret targets are enabled in the Bundle API.
      --target-namespaces strings   Comma-separated list of namespaces to limit both the manager and target caches.
time=2026-02-12T11:52:36.683Z level=INFO msg="Stopping and waiting for caches"
time=2026-02-12T11:52:36.683Z level=INFO msg="Stopping and waiting for webhooks"
time=2026-02-12T11:52:36.683Z level=INFO msg="Stopping and waiting for HTTP servers"
time=2026-02-12T11:52:36.683Z level=INFO msg="Wait completed, proceeding to shutdown the manager"
time=2026-02-12T11:52:36.683Z level=INFO msg="Stopping and waiting for warmup runnables"
time=2026-02-12T11:52:36.683Z level=INFO msg="Shutdown signal received, waiting for all workers to finish" controller=bundles
time=2026-02-12T11:52:36.683Z level=INFO msg="Shutting down webhook server with timeout of 1 minute" logger=controller-runtime/webhook
time=2026-02-12T11:52:36.684Z level=INFO msg="shutting down server" name="health probe" addr=[::]:6060
      --trust-namespace string   Namespace to source trust bundles from. (default "cert-manager")

Logging flags:
      --log-format string   Log format (text or json) (default "text")
  -v, --log-level int   Log level (1-5). (default 1)

Webhook flags:
      --webhook-certificate-dir string   Directory where the Webhook certificate and private key are located. Certificate and private key must be named 'tls.crt' and 'tls.key' respectively. (default "/tls")
      --webhook-host string   Host to serve webhook. (default "0.0.0.0")
      --webhook-port int   Port to serve webhook. (default 6443)

TLSConfig flags:
      --tls-cipher-suites strings   Comma-separated list of cipher suites for the webhook server. If omitted, the default Go cipher suites will be used.
          Preferred values: TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256.
          Insecure values: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_RC4_128_SHA.
      --tls-min-version string   Minimum TLS version supported. If omitted, the default Go minimum version will be used. Possible values: VersionTLS10,VersionTLS11,VersionTLS12,VersionTLS13

Kubernetes flags:
      --as string   Username to impersonate for the operation. User could be a regular user or a service account in a namespace.
      --as-group stringArray   Group to impersonate for the operation, this flag can be repeated to specify multiple groups.
      --as-uid string   UID to impersonate for the operation.
      --cache-dir string   Default cache directory (default "/home/nonroot/.kube/cache")
      --certificate-authority string   Path to a cert file for the certificate authority
      --client-certificate string   Path to a client certificate file for TLS
      --client-key string   Path to a client key file for TLS
      --cluster string   The name of the kubeconfig cluster to use
      --context string   The name of the kubeconfig context to use
      --disable-compression   If true, opt-out of response compression for all requests to the server
      --insecure-skip-tls-verify   If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
      --kubeconfig string   Path to the kubeconfig file to use for CLI requests.
  -n, --namespace string   If present, the namespace scope for this CLI request
      --request-timeout string   The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. (default "0")
  -s, --server string   The address and port of the Kubernetes API server
      --tls-server-name string   Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used
      --token string   Bearer token for authentication to the API server
      --user string   The name of the kubeconfig user to use

error: leader election lost