OT-CONTAINER-KIT / helm-charts

A repository that will contain Helm charts with best and security practices.
https://ot-container-kit.github.io/helm-charts

redis-operator not reachable webhook #137

Open dntosas opened 9 months ago

dntosas commented 9 months ago

Does this issue reproduce with the latest release? Yes

What operating system and processor architecture are you using (kubectl version)?

kubectl version Output
$ kubectl version

What did you do?

Error from server: conversion webhook for redis.redis.opstreelabs.in/v1beta1, Kind=RedisCluster failed: Post "https://XXX.svc:443/convert?timeout=30s": dial tcp XXX:443: connect: connection refused

Checked that there are healthy endpoints on this service.

What did you expect to see?

What did you see instead?

jwitko commented 9 months ago

It appears that the operator is forcing the service lookup to a hard-coded hostname, as best I can tell. Can't exactly tell where that's happening.

jwitko commented 9 months ago

I see it now, it's in the CRD: https://github.com/OT-CONTAINER-KIT/helm-charts/blob/main/charts/redis-operator/crds/redis-replication.yaml#L7719C1-L7727C25

shubham-cmyk commented 9 months ago

@jwitko

Do you mean CA injection?

jwitko commented 9 months ago

> @jwitko
>
> Do you mean CA injection?

No, the namespace for the webhook service is directly hard-coded into the CRDs. Linked above.

jwitko commented 9 months ago

For example: When I deploy redis-replication CRD I get:

conversion webhook for redis.redis.opstreelabs.in/v1beta1, Kind=RedisReplication failed: Post "https://webhook-service.redis-operator.svc:443/convert?timeout=30s": service "webhook-service" not found

If I remove the following section from the CRD:

  conversion:
    strategy: Webhook
    webhook:
      clientConfig:
        service:
          name: webhook-service
          namespace: redis-operator
          path: /convert
          port: 443
      conversionReviewVersions:
        - v1beta1
        - v1beta2

It works without issue.

praveenperera commented 8 months ago

I'm having the same issue, fixed by downgrading to 0.15.3

Routhinator commented 7 months ago

Confirming that 0.15.3 is the last working version of the chart, but also a note to others: You must delete the CRDs before downgrade for it to be successful.

enigma-kazbek commented 6 months ago

Downgrade works for me:

kubectl delete crd $(kubectl get crd | grep redis.opstreelabs.in | awk '{print $1}')
helm -n redis-operator un redis-operator
helm upgrade --install redis-operator ot-helm/redis-operator -n redis-operator --version 0.15.3
---
apiVersion: redis.redis.opstreelabs.in/v1beta1
kind: Redis
metadata:
  name: redis-standalone
  namespace: bcs-dev
spec:
  kubernetesConfig:
    image: quay.io/opstree/redis:v7.0.5
    imagePullPolicy: IfNotPresent
  storage:
    volumeClaimTemplate:
      spec:
        # storageClassName: standard
        accessModes: ["ReadWriteOnce"]
        resources:
          requests:
            storage: 1Gi
  securityContext:
    runAsUser: 1001

borg286 commented 4 months ago

I fixed this by hard-coding the namespace where I deploy the redis-operator into, so the namespace is "redis-operator". Then the hard-coded URL it uses ends up finding it at the right place.

The issue I'm facing after that is that the pod that is the operator itself doesn't allocate port 9443. Thus I end up getting HTTP error code 503 when trying to hit it.

safehome-jdev commented 2 months ago

> I see it now, it's in the CRD: https://github.com/OT-CONTAINER-KIT/helm-charts/blob/main/charts/redis-operator/crds/redis-replication.yaml#L7719C1-L7727C25

As @jwitko states, the namespace is hard-coded into the CRD, so if you move the operator anywhere besides a namespace of redis-operator, it breaks the deployment. This definitely needs a fix.
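
A pre-install check for the mismatch this thread identifies, as an added example that is not part of the original thread or the chart: it reads a CRD manifest and compares the conversion webhook's Service namespace with the namespace the operator will be installed into. The function names, the trimmed sample CRD and the `my-operators` namespace are constructed for illustration, and the parser assumes the 2-space indentation of the stanza quoted above.

```bash
#!/usr/bin/env bash
# Added example (not from the chart): flag a CRD whose conversion webhook Service
# namespace differs from the namespace the operator is installed into.
# Assumption: block-style YAML with 2-space indentation, one CRD per file.

# Print spec.conversion.webhook.clientConfig.service.namespace from a CRD on stdin.
webhook_service_ns() {
  awk -v q="[\"']" '
    { ind = match($0, /[^ ]/) }                      # column of first non-space, 0 if blank
    ind == 0 { next }
    ind == 1 { in_spec = ($1 == "spec:") }           # track the top-level key we are under
    in_spec && ind == 3 && $1 == "conversion:" { in_conv = 1; next }
    in_conv && ind <= 3 { in_conv = 0; in_svc = 0 }  # left spec.conversion
    in_conv && $1 == "service:" { in_svc = 1; svc_ind = ind; next }
    in_svc && ind <= svc_ind { in_svc = 0 }          # left the service mapping
    in_svc && $1 == "namespace:" { gsub(q, "", $2); print $2; exit }
  '
}

# check_conversion_ns EXPECTED_NS < crd.yaml
# Returns 0 if there is no conversion webhook Service or it is in EXPECTED_NS.
check_conversion_ns() {
  expected_ns=$1
  found_ns=$(webhook_service_ns)
  [ -z "$found_ns" ] && return 0
  if [ "$found_ns" != "$expected_ns" ]; then
    echo "MISMATCH: conversion webhook Service is in '$found_ns', operator namespace is '$expected_ns'"
    return 1
  fi
}

# Constructed, trimmed sample CRD carrying the conversion stanza quoted in this thread.
sample_crd() {
  cat <<'EOF'
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
spec:
  group: redis.redis.opstreelabs.in
  conversion:
    strategy: Webhook
    webhook:
      clientConfig:
        service:
          name: webhook-service
          namespace: redis-operator
          path: /convert
          port: 443
EOF
}

# Demo: installing into a constructed namespace "my-operators" is reported as a mismatch.
sample_crd | check_conversion_ns my-operators || true
```

Against a chart checkout the same check would be run as `check_conversion_ns "$NS" < charts/redis-operator/crds/redis-replication.yaml`, where `$NS` is the intended release namespace.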