cryostatio / cryostat-operator

A Kubernetes Operator to facilitate the setup and management of Cryostat.
https://cryostat.io
Apache License 2.0

[Bug] failed calling webhook "vcryostat.kb.io" due to TLS error #924

Closed ahus1 closed 3 months ago

ahus1 commented 3 months ago

Current Behavior

After successfully installing the Operator on OpenShift 4.15.x, when creating the first CR, I get the error message

Error "failed calling webhook "vcryostat.kb.io": failed to call webhook: Post "https://cryostat-operator-controller-manager-service.openshift-operators.svc:443/validate-operator-cryostat-io-v1beta2-cryostat?timeout=10s": tls: failed to verify certificate: x509: certificate is valid for infinispan-operator-controller-manager-service.openshift-operators, infinispan-operator-controller-manager-service.openshift-operators.svc, not cryostat-operator-controller-manager-service.openshift-operators.svc" for field "undefined".

The CR I'm trying to install is very minimal. As the name above suggests, the Infinispan Operator is also installed.

apiVersion: operator.cryostat.io/v1beta2
kind: Cryostat
metadata:
  name: cryostat
  namespace: {{ .Values.namespace }}
spec:
  enableCertManager: true

Expected Behavior

CR creation should succeed

Steps To Reproduce

  1. Installed Operators RH build of Cryostat 3.0.0+6, Infinispan 2.4.3
  2. When creating the CR, the error message above appears

Environment

- Environment: OpenShift 4.15.21
- Version: 3.0.0+6

Anything else?

No response

andrewazores commented 3 months ago

@ebaron any idea what's happening here?

ebaron commented 3 months ago

Thanks for bringing this to our attention @ahus1! It looks like this is the problem:

$ oc get svc infinispan-operator-controller-manager-service -o jsonpath='{.spec.selector}' | yq -P
app.kubernetes.io/name: infinispan-operator
control-plane: controller-manager

$ oc get svc cryostat-operator-controller-manager-service -o jsonpath='{.spec.selector}' | yq -P
control-plane: controller-manager

Our operator's objects do not have an app.kubernetes.io/name label set. This is causing our webhook requests to sometimes be routed to Infinispan's webhook, which fails due to the TLS issue. This should be easily fixable by adding a similar label to our objects and selector.
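
The selector overlap described in the comment above can be checked for across a whole namespace. The following is an added example, not part of the thread or of the operator's code: it flags every Service whose selector reaches pods belonging to more than one owner. The pod and ReplicaSet names, the helper names, and the `cryostat-operator` label value used for the fixed case are assumptions; the two selectors are the ones shown in the `oc get svc` output.

```python
# Constructed data shaped like items from `oc get svc,pods -n openshift-operators -o json`.
# Selectors are the ones shown in the thread; pod and ReplicaSet names are made up.
def svc(name, selector):
    return {"kind": "Service", "metadata": {"name": name}, "spec": {"selector": selector}}

def pod(name, owner, labels):
    return {"kind": "Pod", "metadata": {"name": name, "labels": labels,
                                        "ownerReferences": [{"kind": "ReplicaSet", "name": owner}]}}

CP = {"control-plane": "controller-manager"}
ISPN = {**CP, "app.kubernetes.io/name": "infinispan-operator"}
# Assumed label value for the fix; the thread only says "a similar label".
CRYO_FIXED = {**CP, "app.kubernetes.io/name": "cryostat-operator"}

def cluster(cryostat_labels):
    """Both operators in one namespace; cryostat_labels is used for its pods and selector."""
    return [
        svc("infinispan-operator-controller-manager-service", ISPN),
        svc("cryostat-operator-controller-manager-service", cryostat_labels),
        pod("infinispan-operator-controller-manager-7d9f-abc12",
            "infinispan-operator-controller-manager-7d9f", ISPN),
        pod("cryostat-operator-controller-manager-5c6b-xyz34",
            "cryostat-operator-controller-manager-5c6b", cryostat_labels),
    ]

def selects(selector, labels):
    """Service selectors are equality-based: every key/value must be on the pod."""
    return bool(selector) and all(labels.get(k) == v for k, v in selector.items())

def ambiguous_services(items):
    """Map each Service whose selector reaches pods of several owners to those owners.

    A rollout in progress also shows two ReplicaSets of one Deployment here.
    """
    pods = [i["metadata"] for i in items if i["kind"] == "Pod"]
    findings = {}
    for s in (i for i in items if i["kind"] == "Service"):
        selector = s["spec"].get("selector") or {}
        owners = set()
        for meta in pods:
            if selects(selector, meta.get("labels") or {}):
                refs = meta.get("ownerReferences") or [{"name": meta["name"]}]
                owners.add(refs[0]["name"])
        if len(owners) > 1:
            findings[s["metadata"]["name"]] = sorted(owners)
    return findings

if __name__ == "__main__":
    print("before:", ambiguous_services(cluster(CP)))
    print("after: ", ambiguous_services(cluster(CRYO_FIXED)))
```

With the selector from the thread, only the Cryostat Service is flagged, because `control-plane: controller-manager` alone also matches the Infinispan operator pod; once both the selector and the pods carry a distinguishing name label, nothing is flagged.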