Closed elanv closed 3 years ago
Can you provide more information about certificate expiration issue? Like how long did you see it expires and what's the behavior after in your test?
A potential fix is to refresh certificate at certain interval but let's make sure we are solving the problem in a correct way.
Sorry to interrupt in between. Yes it is expired after every 30 days.
https://flink-operator-webhook-service.importer.svc:443/mutate-flinkoperator-k8s-io-v1beta1-flinkcluster?timeout=30s: x509: certificate has expired or is not yet valid
And I believe it is due to openssl default expiration is set to 30 days.
i referred to here
I couldn't create new FlinkCluster CR or update already created CR because default or validate webhook doesn't work when the certificate expires.
One of the way to update the webhook certificate: kubectl get job cert-job -n flink-operator-system -oyaml > cert-job.yaml kubectl delete job cert-job -n flink-operator-system kubectl apply -f cert-job.yaml (delete the controller-id labels in the cert-job.yaml if needed)
One of the way to change the default expires days(30): https://github.com/GoogleCloudPlatform/flink-on-k8s-operator/blob/4f421e7e7b289973b2e50b123c62436abb2c0109/helm-chart/flink-operator/templates/generate-cert.yaml#L38
| openssl x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial -out ${tmpdir}/server-cert.pem
> change to:
| openssl x509 -days 3650 -req -CA ca.crt -CAkey ca.key -CAcreateserial -out ${tmpdir}/server-cert.pem
+1 to make the expire days longer.
For those who don't use Helm Chart to install the operator, we solved this by deleting the webhook-server-cert
secret:
$ kubectl delete secret webhook-server-cert -n flink-operator-system
And running a re-deploy:
$ make deploy
We've tried to run just the make webhook-cert
, but the following error happens when deploying a job:
x509: certificate signed by unknown authority
Currently, cert-manager is not supported, so if the certificate expires, you need to manually update the webhook certificate. It would be helpful if a guide for updating the certificate was presented.