cert-manager / cert-manager-olm

Definitions for the cert-manager operator published via Red Hat's Operator Lifecycle Manager (OLM)
Apache License 2.0

Incorrect webhook certificate with 1.10.0 #83

Closed sdrik closed 2 years ago

sdrik commented 2 years ago

Although no 1.10.0 release has been tagged in this repository yet, a 1.10.0 bundle has somehow been pushed to the stable catalog. Since then, I get these errors, which prevent me from issuing any new certificate:

E1103 06:58:41.826596 1 controller.go:167] cert-manager/ingress-shim "msg"="re-queuing item due to error processing" "error"="Internal error occurred: failed calling webhook \"mutate.webhooks.cert-manager.io\": failed to call webhook: Post \"https://cert-manager-webhook-service.cert-manager.svc:443/mutate?timeout=10s\": x509: certificate is valid for cert-manager-webhook, cert-manager-webhook.cert-manager, cert-manager-webhook.cert-manager.svc, not cert-manager-webhook-service.cert-manager.svc" "key"="default/kube-api-http"

Here is my Subscription:

apiVersion: v1
items:
- apiVersion: operators.coreos.com/v1alpha1
  kind: Subscription
  metadata:
    annotations:
      kubectl.kubernetes.io/last-applied-configuration: |
        {"apiVersion":"operators.coreos.com/v1alpha1","kind":"Subscription","metadata":{"annotations":{},"name":"cert-manager","namespace":"cert-manager"},"spec":{"channel":"stable","name":"cert-manager","source":"operatorhubio-catalog","sourceNamespace":"olm"}}
    creationTimestamp: "2022-05-22T11:58:52Z"
    generation: 1
    labels:
      operators.coreos.com/cert-manager.cert-manager: ""
    name: cert-manager
    namespace: cert-manager
    resourceVersion: "104670926"
    uid: 83fcd705-111f-4b63-a311-40bb593aeb37
  spec:
    channel: stable
    name: cert-manager
    source: operatorhubio-catalog
    sourceNamespace: olm
  status:
    catalogHealth:
    - catalogSourceRef:
        apiVersion: operators.coreos.com/v1alpha1
        kind: CatalogSource
        name: operatorhubio-catalog
        namespace: olm
        resourceVersion: "91086571"
        uid: 8a8bda4f-3bc8-4a0e-a4af-db1985fdaefc
      healthy: true
      lastUpdated: "2022-10-08T09:23:29Z"
    conditions:
    - lastTransitionTime: "2022-10-08T09:23:29Z"
      message: all available catalogsources are healthy
      reason: AllCatalogSourcesHealthy
      status: "False"
      type: CatalogSourcesUnhealthy
    currentCSV: cert-manager.v1.10.0
    installPlanGeneration: 4
    installPlanRef:
      apiVersion: operators.coreos.com/v1alpha1
      kind: InstallPlan
      name: install-4k2hq
      namespace: cert-manager
      resourceVersion: "104669768"
      uid: 34521345-5ec1-4f5f-817b-f457a30cc4f2
    installedCSV: cert-manager.v1.10.0
    installplan:
      apiVersion: operators.coreos.com/v1alpha1
      kind: InstallPlan
      name: install-4k2hq
      uuid: 34521345-5ec1-4f5f-817b-f457a30cc4f2
    lastUpdated: "2022-11-02T15:46:18Z"
    state: AtLatestKnown
kind: List
metadata:
  resourceVersion: ""

sdrik commented 2 years ago

As a workaround, I applied the following patch to my CSV:

[
  {
    "op": "replace",
    "path": "/spec/install/spec/deployments/2/spec/template/spec/containers/0/args",
    "value": [
      "--v=2",
      "--secure-port=10250",
      "--tls-cert-file=/tmp/k8s-webhook-server/serving-certs/tls.crt",
      "--tls-private-key-file=/tmp/k8s-webhook-server/serving-certs/tls.key"
    ]
  }
]

wallrj commented 2 years ago

Thanks for the bug report, this is also being discussed in
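
The hostname check behind the error in the report, reproduced as an added example (not part of the thread and not cert-manager's code): Go's `crypto/x509` rejects the dialed Service name because it is not among the certificate's DNS SANs. The certificate is a throwaway self-signed one constructed with the SANs quoted in the log; `servingCert` and `uncovered` are hypothetical helper names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// SANs and dialed Service name copied from the error message in the report.
var certSANs = []string{"cert-manager-webhook", "cert-manager-webhook.cert-manager", "cert-manager-webhook.cert-manager.svc"}

const dialedName = "cert-manager-webhook-service.cert-manager.svc"

// servingCert builds a constructed, self-signed certificate carrying the given DNS SANs.
func servingCert(sans []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: now.Add(-time.Minute), NotAfter: now.Add(time.Hour), DNSNames: sans}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// uncovered returns, per host, the verification error for names the SANs do not cover.
func uncovered(cert *x509.Certificate, hosts []string) map[string]error {
	out := map[string]error{}
	for _, h := range hosts {
		if err := cert.VerifyHostname(h); err != nil {
			out[h] = err
		}
	}
	return out
}

func main() {
	cert, err := servingCert(certSANs)
	if err != nil {
		panic(err)
	}
	fmt.Println(uncovered(cert, []string{dialedName, certSANs[2]}))
}
```

Running the same `uncovered` check against the real serving certificate and the Service name in the webhook configuration shows whether the two agree before the API server starts rejecting calls.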