alauda / captain

A Helm 3 Controller
Apache License 2.0

Post https://captain.captain.svc:443/mutate?timeout=30s: x509: certificate signed by unknown authority #32

Closed aland-zhang closed 4 years ago

aland-zhang commented 4 years ago

kubernetes 1.16.2
captain docker: docker.io/alaudapublic/captain:v0.9.4
cert-manager-cainjector:v0.11.0
captain installed with the chart https://github.com/alauda/captain/tree/master/charts/captain, then kubectl create -f /captain/helmrequest.yaml

apiVersion: app.alauda.io/v1alpha1
kind: HelmRequest
metadata:
  name: mysql
  namespace: default
spec:
  chart: stable/mysql
  namespace: default
  releaseName: mysql
  clusterName: ""
  installToAllClusters: false
  values:
    mysqlRootPassword: root
    mysqlUser: mysql
    mysqlPassword: mysql
    mysqlDatabase: mydb

Show Error from server (InternalError): error when creating "/captain/helmrequest.yaml": Internal error occurred: failed calling webhook "mutate-helmrequest.app.alauda.io": Post https://captain.captain.svc:443/mutate?timeout=30s: x509: certificate signed by unknown authority

apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  creationTimestamp: "2019-11-27T03:32:10Z"
  generation: 23
  name: captain
  resourceVersion: "27431066"
  selfLink: /apis/admissionregistration.k8s.io/v1/validatingwebhookconfigurations/captain
  uid: 127aa15d-a7a4-45f6-a9c9-6461e2915fd8
webhooks:
- admissionReviewVersions:
  - v1beta1
  clientConfig:
    caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURjVENDQWxtZ0F3SUJBZ0lRZWs4bDNSZHlQVk9aK2RUUlFRZ1VtakFOQmdrcWhraUc5dzBCQVFzRkFEQTEKTVJVd0V3WURWUVFLRXd4alpYSjBMVzFoYm1GblpYSXhIREFhQmdOVkJBTVRFMk5oY0hSaGFXNHVZMkZ3ZEdGcApiaTV6ZG1Nd0hoY05NVGt4TVRJNE1UVXlNak14V2hjTk1qQXdNakkyTVRVeU1qTXhXakExTVJVd0V3WURWUVFLCkV3eGpaWEowTFcxaGJtRm5aWEl4SERBYUJnTlZCQU1URTJOaGNIUmhhVzR1WTJGd2RHRnBiaTV6ZG1Nd2dnRWkKTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCRHdBd2dnRUtBb0lCQVFEWThOa2sycXo2bnpFQkhJcTQ5ZDFGTUhJSwp1c0hBbWJGellXTVptM0syd3FreXFRMVptRHhlM1QyVmlYSDVIMm5FQnBwc1FxUW83OVpWMzNTcmxNVkJ3OUFuCm5kZityN3VabW1kSjJFY1VrZy9lU0ZWck0wbkgwQXJOZmN3SnMwd2FBa2pST1FDZjFKQ2NROGkrajJYVFA1ZVMKVkx5TU4wTFZVZ1lZTzhudE41YndJcVdUZXJHUmRWNnIwVUpVNkFieTNpWkNtTEpYZ2lzZHNYY3ZyM2tkbU1TNgpvellMSWY2ZmprckxEbU0wdlNhRkV2Sm9jV0NhWEdqTU1NUWlRajRTM1BPUHN2UjFYMjkyM21pSnl3amdOd2h6CktLSEVwbXRDamdCOWl6Z1VQdGZJVkc3L2xhZXNOMkhJZDJ3M1FabUFSb2h3M2Z0TnhPdHEyMUU2TW1rNUFnTUIKQUFHamZUQjdNQTRHQTFVZER3RUIvd1FFQXdJRm9EQU1CZ05WSFJNQkFmOEVBakFBTUZzR0ExVWRFUVJVTUZLQwpFMk5oY0hSaGFXNHVZMkZ3ZEdGcGJpNXpkbU9DSVdOaGNIUmhhVzR1WTJGd2RHRnBiaTV6ZG1NdVkyeDFjM1JsCmNpNXNiMk5oYklJUFkyRndkR0ZwYmk1allYQjBZV2x1Z2dkallYQjBZV2x1TUEwR0NTcUdTSWIzRFFFQkN3VUEKQTRJQkFRQzJJbG5ybktRdXJJeWNFdmhDb004SlRkU3VOL052OFRLRGhRR3pjSWxZY0Y3SXNtQk5KQ29SOU1mcQprY1MrVlU1S2d6RWZnZVdxZi9vZUEvWUVEbWozb1Z0REdOK0JlQUE1SzBwd0tKWENGbWJ0VHdBcEdtbUc5Z0ttCnZrbU9SM0JkMVhZRUl5QkJLU1RFMHliUWhkaGdEc3NERFl5bVUzVnVnRlZmSi81VXR4Tmd0WVQ5WVVkbkZuUGYKWlQ1ODhkNGdRWVdCUHArQk5xbTU5ZThHcUt3c2FldDRnUzFlamhydjRrcDZzaVprSFYrNE1sM0ZmVzJTTCs3NwpMekgxMVl6SGpGSjgxM0trd3picXRrSU90dFJMN1NGK1NPekpaaHVXZ3RSYzQ3dllhaG5kUDNucWovUUV0VDB1CkpGQm1WenVYbzgza0ZhWFlydFdGeW04UzlUTUcKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
    service:
      name: captain
      namespace: captain
      path: /mutate
      port: 443
  failurePolicy: Fail
  matchPolicy: Exact
  name: validate-helmrequest.app.alauda.io
  namespaceSelector: {}
  objectSelector: {}
  rules:
  - apiGroups:
    - app.alauda.io
    apiVersions:
    - v1alpha1
    operations:
    - CREATE
    - UPDATE
    resources:
    - helmrequests
    scope: '*'
  sideEffects: Unknown
  timeoutSeconds: 30

apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  creationTimestamp: '2019-11-28T15:19:57Z'
  generation: 3
  labels:
    app: captain
  name: captain-serving-cert
  namespace: captain
  resourceVersion: '27430216'
  selfLink: >-
    /apis/cert-manager.io/v1alpha2/namespaces/captain/certificates/captain-serving-cert
  uid: c9db34eb-7955-421b-8111-3d426b136653
spec:
  commonName: captain.captain.svc
  dnsNames:
    - captain.captain.svc
    - captain.captain.svc.cluster.local
    - captain.captain
    - captain
  issuerRef:
    kind: Issuer
    name: captain-selfsigned-issuer
  secretName: captain-webhook-cert
status:
  conditions:
    - lastTransitionTime: '2019-11-28T15:22:31Z'
      message: Certificate is up to date and has not expired
      reason: Ready
      status: 'True'
      type: Ready
  notAfter: '2020-02-26T15:22:31Z'

apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
  creationTimestamp: '2019-11-28T15:18:58Z'
  generation: 1
  labels:
    app: captain
  name: captain-selfsigned-issuer
  namespace: captain
  resourceVersion: '27427658'
  selfLink: >-
    /apis/cert-manager.io/v1alpha2/namespaces/captain/issuers/captain-selfsigned-issuer
  uid: 26b91cb6-64ea-4649-be46-a43a4cced2c9
spec:
  selfSigned: {}
status:
  conditions:
    - lastTransitionTime: '2019-11-28T15:18:58Z'
      reason: IsReady
      status: 'True'
      type: Ready

kind: Secret
apiVersion: v1
metadata:
  name: captain-webhook-cert
  namespace: captain
  selfLink: /api/v1/namespaces/captain/secrets/captain-webhook-cert
  uid: b833003f-a6c4-41c9-b722-38c5ae66c6ec
  resourceVersion: '27430214'
  creationTimestamp: '2019-11-28T15:22:31Z'
  annotations:
    cert-manager.io/alt-names: >-
      captain.captain.svc,captain.captain.svc.cluster.local,captain.captain,captain
    cert-manager.io/certificate-name: captain-serving-cert
    cert-manager.io/common-name: captain.captain.svc
    cert-manager.io/ip-sans: ''
    cert-manager.io/issuer-kind: Issuer
    cert-manager.io/issuer-name: captain-selfsigned-issuer
    cert-manager.io/uri-sans: ''
data:
  ca.crt: >-
    LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURjVENDQWxtZ0F3SUJBZ0lRZWs4bDNSZHlQVk9aK2RUUlFRZ1VtakFOQmdrcWhraUc5dzBCQVFzRkFEQTEKTVJVd0V3WURWUVFLRXd4alpYSjBMVzFoYm1GblpYSXhIREFhQmdOVkJBTVRFMk5oY0hSaGFXNHVZMkZ3ZEdGcApiaTV6ZG1Nd0hoY05NVGt4TVRJNE1UVXlNak14V2hjTk1qQXdNakkyTVRVeU1qTXhXakExTVJVd0V3WURWUVFLCkV3eGpaWEowTFcxaGJtRm5aWEl4SERBYUJnTlZCQU1URTJOaGNIUmhhVzR1WTJGd2RHRnBiaTV6ZG1Nd2dnRWkKTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCRHdBd2dnRUtBb0lCQVFEWThOa2sycXo2bnpFQkhJcTQ5ZDFGTUhJSwp1c0hBbWJGellXTVptM0syd3FreXFRMVptRHhlM1QyVmlYSDVIMm5FQnBwc1FxUW83OVpWMzNTcmxNVkJ3OUFuCm5kZityN3VabW1kSjJFY1VrZy9lU0ZWck0wbkgwQXJOZmN3SnMwd2FBa2pST1FDZjFKQ2NROGkrajJYVFA1ZVMKVkx5TU4wTFZVZ1lZTzhudE41YndJcVdUZXJHUmRWNnIwVUpVNkFieTNpWkNtTEpYZ2lzZHNYY3ZyM2tkbU1TNgpvellMSWY2ZmprckxEbU0wdlNhRkV2Sm9jV0NhWEdqTU1NUWlRajRTM1BPUHN2UjFYMjkyM21pSnl3amdOd2h6CktLSEVwbXRDamdCOWl6Z1VQdGZJVkc3L2xhZXNOMkhJZDJ3M1FabUFSb2h3M2Z0TnhPdHEyMUU2TW1rNUFnTUIKQUFHamZUQjdNQTRHQTFVZER3RUIvd1FFQXdJRm9EQU1CZ05WSFJNQkFmOEVBakFBTUZzR0ExVWRFUVJVTUZLQwpFMk5oY0hSaGFXNHVZMkZ3ZEdGcGJpNXpkbU9DSVdOaGNIUmhhVzR1WTJGd2RHRnBiaTV6ZG1NdVkyeDFjM1JsCmNpNXNiMk5oYklJUFkyRndkR0ZwYmk1allYQjBZV2x1Z2dkallYQjBZV2x1TUEwR0NTcUdTSWIzRFFFQkN3VUEKQTRJQkFRQzJJbG5ybktRdXJJeWNFdmhDb004SlRkU3VOL052OFRLRGhRR3pjSWxZY0Y3SXNtQk5KQ29SOU1mcQprY1MrVlU1S2d6RWZnZVdxZi9vZUEvWUVEbWozb1Z0REdOK0JlQUE1SzBwd0tKWENGbWJ0VHdBcEdtbUc5Z0ttCnZrbU9SM0JkMVhZRUl5QkJLU1RFMHliUWhkaGdEc3NERFl5bVUzVnVnRlZmSi81VXR4Tmd0WVQ5WVVkbkZuUGYKWlQ1ODhkNGdRWVdCUHArQk5xbTU5ZThHcUt3c2FldDRnUzFlamhydjRrcDZzaVprSFYrNE1sM0ZmVzJTTCs3NwpMekgxMVl6SGpGSjgxM0trd3picXRrSU90dFJMN1NGK1NPekpaaHVXZ3RSYzQ3dllhaG5kUDNucWovUUV0VDB1CkpGQm1WenVYbzgza0ZhWFlydFdGeW04UzlUTUcKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
  tls.crt: >-
    LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURjVENDQWxtZ0F3SUJBZ0lRZWs4bDNSZHlQVk9aK2RUUlFRZ1VtakFOQmdrcWhraUc5dzBCQVFzRkFEQTEKTVJVd0V3WURWUVFLRXd4alpYSjBMVzFoYm1GblpYSXhIREFhQmdOVkJBTVRFMk5oY0hSaGFXNHVZMkZ3ZEdGcApiaTV6ZG1Nd0hoY05NVGt4TVRJNE1UVXlNak14V2hjTk1qQXdNakkyTVRVeU1qTXhXakExTVJVd0V3WURWUVFLCkV3eGpaWEowTFcxaGJtRm5aWEl4SERBYUJnTlZCQU1URTJOaGNIUmhhVzR1WTJGd2RHRnBiaTV6ZG1Nd2dnRWkKTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCRHdBd2dnRUtBb0lCQVFEWThOa2sycXo2bnpFQkhJcTQ5ZDFGTUhJSwp1c0hBbWJGellXTVptM0syd3FreXFRMVptRHhlM1QyVmlYSDVIMm5FQnBwc1FxUW83OVpWMzNTcmxNVkJ3OUFuCm5kZityN3VabW1kSjJFY1VrZy9lU0ZWck0wbkgwQXJOZmN3SnMwd2FBa2pST1FDZjFKQ2NROGkrajJYVFA1ZVMKVkx5TU4wTFZVZ1lZTzhudE41YndJcVdUZXJHUmRWNnIwVUpVNkFieTNpWkNtTEpYZ2lzZHNYY3ZyM2tkbU1TNgpvellMSWY2ZmprckxEbU0wdlNhRkV2Sm9jV0NhWEdqTU1NUWlRajRTM1BPUHN2UjFYMjkyM21pSnl3amdOd2h6CktLSEVwbXRDamdCOWl6Z1VQdGZJVkc3L2xhZXNOMkhJZDJ3M1FabUFSb2h3M2Z0TnhPdHEyMUU2TW1rNUFnTUIKQUFHamZUQjdNQTRHQTFVZER3RUIvd1FFQXdJRm9EQU1CZ05WSFJNQkFmOEVBakFBTUZzR0ExVWRFUVJVTUZLQwpFMk5oY0hSaGFXNHVZMkZ3ZEdGcGJpNXpkbU9DSVdOaGNIUmhhVzR1WTJGd2RHRnBiaTV6ZG1NdVkyeDFjM1JsCmNpNXNiMk5oYklJUFkyRndkR0ZwYmk1allYQjBZV2x1Z2dkallYQjBZV2x1TUEwR0NTcUdTSWIzRFFFQkN3VUEKQTRJQkFRQzJJbG5ybktRdXJJeWNFdmhDb004SlRkU3VOL052OFRLRGhRR3pjSWxZY0Y3SXNtQk5KQ29SOU1mcQprY1MrVlU1S2d6RWZnZVdxZi9vZUEvWUVEbWozb1Z0REdOK0JlQUE1SzBwd0tKWENGbWJ0VHdBcEdtbUc5Z0ttCnZrbU9SM0JkMVhZRUl5QkJLU1RFMHliUWhkaGdEc3NERFl5bVUzVnVnRlZmSi81VXR4Tmd0WVQ5WVVkbkZuUGYKWlQ1ODhkNGdRWVdCUHArQk5xbTU5ZThHcUt3c2FldDRnUzFlamhydjRrcDZzaVprSFYrNE1sM0ZmVzJTTCs3NwpMekgxMVl6SGpGSjgxM0trd3picXRrSU90dFJMN1NGK1NPekpaaHVXZ3RSYzQ3dllhaG5kUDNucWovUUV0VDB1CkpGQm1WenVYbzgza0ZhWFlydFdGeW04UzlUTUcKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
  tls.key: >-
    LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBMlBEWkpOcXMrcDh4QVJ5S3VQWGRSVEJ5Q3JyQndKbXhjMkZqR1p0eXRzS3BNcWtOCldaZzhYdDA5bFlseCtSOXB4QWFhYkVLa0tPL1dWZDkwcTVURlFjUFFKNTNYL3ErN21acG5TZGhIRkpJUDNraFYKYXpOSng5QUt6WDNNQ2JOTUdnSkkwVGtBbjlTUW5FUEl2bzlsMHorWGtsUzhqRGRDMVZJR0dEdko3VGVXOENLbAprM3F4a1hWZXE5RkNWT2dHOHQ0bVFwaXlWNElySGJGM0w2OTVIWmpFdXFNMkN5SCtuNDVLeXc1ak5MMG1oUkx5CmFIRmdtbHhvekRERUlrSStFdHp6ajdMMGRWOXZkdDVvaWNzSTREY0ljeWloeEtaclFvNEFmWXM0RkQ3WHlGUnUKLzVXbnJEZGh5SGRzTjBHWmdFYUljTjM3VGNUcmF0dFJPakpwT1FJREFRQUJBb0lCQVFDR1M0S0F1QVpCRjI4RQpteUNkSTBhWTRFYVlzY2ZqYk1GWEJjQ05SNWVaMzZOU1F5aUtnQjFQTkhJOU1kcW1OM1lIN1hhRzhqSWhUV2RICnZZN0I4TlN6dzM0R0tFWmYyWFd1dnRDVi9CYjBldjdyd2Fkdk4wN0RMTnlqSE83RVNvUWZ6YTQ2SnFsbVIvWkYKWmdqTlBvUHdZL3Qya0pJdjByM0N4SVlWVmwzSVJHOWZaRFZCbUcvbENqYlNUM01uOGdvcGdZc2tNVkxYWVFRLwpKZzRzdjlsdVd2c2ZSR3RaMy9xU2hyVnlacjQrR1Z2VjBSYlRta1hYUVlGYlZIaEJ4Z2FJbXgvT25TVWRjUkxiCnAzeFpYRDQvMUUzejNwaEJhRFVrRGxCT1hVRittWmkxZExJTVJ3ZzVhYjZ3Q3hLTnZjc0laZS9zK2VldnNSaTgKREttRGJ1Q3BBb0dCQVBWVGZHTFgrb2ozOXlxamNDaUF2K1NpTnVKYUxRUk1UU2Zhcm1TYkRQM0kwNXYzQ0NJaApvV2JYazh5eWVMQUd1b0lNVGZZNExtTjNCN2h2TEdFS29OeStSREU1K0lFRnF6QndEdTlnc0xLZlZoQmJscVJKCk1CcGZ4bEpvZytaMEdIWWNyc3pBTEczdlJEMmltYk9JWnk0T0VrTHd3MURVRlNiTUUvbTRkZWRMQW9HQkFPSmgKTXRIb3p4YWJSWkNaS3pEZ2dSNDkyZWZvbUNqTzYrVFZZUFZQTXNyTWk2Y0crWi9IanUwME1EUkMxZnVqcnVoNQpjZlAzNnhmSU91QjNWTTRzUC8wTDhkRW5FTW1EeUJWTXZKRjVhZktIU0g1aDB1aFJlTkxzSDFNakVLSW4zM1hvCkZyYXNjVUxzT1ovSit1N3VsVFN5MmVWK09ZNVBSeVRxM3BRTGk4c0xBb0dBTkZ5UlcvZUZQZDdQSG9hcjFibEYKTytOem0zUnJ6MU1KMU12VUZSMFM5TWY4Z25tRGZ1VjJzYUNwcHpNZ2wxR1lWVkdUQWs2VGVCOWJ3bjNZRnc1UgpyMHZjK2pUSldhQ0FIV0tOallJeHRLNVZqRUJBTXVoOEgrVDVTM1dMVVpETjk4ZS9kMnc5RDJuV1F1R0Z0TkFVClZid2pJYTZKd2FMQ3NQazEra0xveDJrQ2dZRUF2b25qRld5bmlUYU5tY1JoNXhTL2VLM0VqLzVrdTh4V0hsZysKOEpxRmZNNG5LU0drejRoTzAzWWVzSTRrdjFXbzdVRHkyYzZzMEdxV3E4R2szcGUrRUFXU3RtRDBMemk5R3Jobwo2dVRQZVBQRzM2RUV2TWQrTThITUo5U1d0blZyRHptV2pKQ2VFQjcxN1hrNnZRcVJDVGNVVWFZcFdZOStxU01LCnpuN2RYYnNDZ1lCL2dVU0ZjZjZDa3dWRFlZL3FHbGlxNHUw
Nnl2dFYwZU8wSENHMjdkcnpWb0ZPL0crcDBFVTgKUVRTRW40azdCbit2WVlrbXZ4TVQ0VmpMQjI0TTZmMlBGMVl4TlJCaEhpeXdlcnZmSnlNYlRJd1V3SzBaOHRyRgo1V0VITXl2dmVlV0Q2TmNTU0wvQVJTdUZEMDQvbTgyRG50bE9qaGpkd1NsRkhQc01vaFdYT0E9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
type: kubernetes.io/tls

hangyan commented 4 years ago

That's weird, the cert was signed by cert-manager. I will look into it.

hangyan commented 4 years ago

https://github.com/alauda/captain/blob/master/docs/install.md Did you install captain using the instructions from this doc?

aland-zhang commented 4 years ago

Installed according to this document, but the version I chose is cert-manager v0.11.0. The captain-webhook-cert secret has been automatically generated.

hangyan commented 4 years ago

I don't know cert-manager that much, but I have encountered other issues when using other versions of cert-manager. Can you try the version specified in the install doc?
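
The error string in this issue comes from Go's crypto/x509: the API server trusts only the certificates in the webhook's clientConfig.caBundle when it calls the service. The following is an added example, not code from this thread or from captain; it builds throwaway self-signed certificates in-process (constructed samples) and shows the check passing when the bundle holds the serving certificate and failing with an unknown-authority error when the bundle is empty or holds a different certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const host = "captain.captain.svc" // service DNS name taken from the issue

// selfSigned returns a throwaway self-signed serving certificate (constructed sample).
func selfSigned() (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyAgainstBundle trusts only bundle (like caBundle); unknownCA flags x509.UnknownAuthorityError.
func verifyAgainstBundle(serving *x509.Certificate, bundle ...*x509.Certificate) (unknownCA bool, err error) {
	roots := x509.NewCertPool()
	for _, c := range bundle {
		roots.AddCert(c)
	}
	_, err = serving.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return errors.As(err, new(x509.UnknownAuthorityError)), err
}

func main() {
	serving, _ := selfSigned()
	stale, _ := selfSigned() // same names, different key: a bundle that no longer matches
	fmt.Println(verifyAgainstBundle(serving, serving)) // bundle holds the serving cert
	fmt.Println(verifyAgainstBundle(serving))          // empty bundle
	fmt.Println(verifyAgainstBundle(serving, stale))   // mismatched bundle
}
```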