devfile / devworkspace-operator

Apache License 2.0

Webhook Certificate not generated during OLM installation #1237

Open stringang opened 7 months ago

stringang commented 7 months ago

Description

I encountered an issue while installing using OLM: the Webhook server certificate is not generated.

DevWorkspace Operator: v0.26.0

CatalogSource:

apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
  name: devworkspace-operator-catalog
  namespace: olm
spec:
  displayName: DevWorkspace Operator Catalog
  image: 'quay.io/devfile/devworkspace-operator-index:release'
  publisher: Red Hat
  sourceType: grpc
  updateStrategy:
    registryPoll:
      interval: 5m

update: the generated certificate file name does not correspond to the file configured in the environment variable. The generated secret name is devworkspace-controller-manager-service-cert, while the environment variable is devworkspace-webhookserver-tls.

AObuchow commented 6 months ago

@stringang thank you for reporting this issue. Do you recall which version of OpenShift this occurred for you on?

AObuchow commented 6 months ago

Is there a reason why the catalog source you provided is in the olm namespace instead of openshift-operators? I wasn't actually able to install DWO with your catalog source; it resulted in an error about not being able to find the catalog source (and I had to manually create the olm namespace):

This operator cannot be updated. The health of CatalogSource "devworkspace-operator-catalog" is unknown. It may have been disabled or removed from the cluster.

I would suggest trying to see if things work as expected for you when adding the CatalogSource to the openshift-operators namespace instead:

apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
  name: devworkspace-operator-catalog
  namespace: openshift-operators
spec:
  displayName: DevWorkspace Operator Catalog
  image: 'quay.io/devfile/devworkspace-operator-index:release'
  publisher: Red Hat
  sourceType: grpc
  updateStrategy:
    registryPoll:
      interval: 5m

When installing DWO from this CatalogSource, I saw that the devworkspace-webhookserver-tls secret was created and owned by the devworkspace-webhookserver service. Note that there is also a devworkspace-controller-manager-service-cert that is owned by the devworkspace-operator.v0.26.0 ClusterServiceVersion.

stringang commented 6 months ago

@AObuchow I'm using native Kubernetes. Installing it in the openshift-operators namespace still presents the same issue.

install info:

kind: OperatorGroup
apiVersion: operators.coreos.com/v1
metadata:
  name: og-test
  namespace: openshift-operators
spec: {}

---
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: devworkspace-operator
  namespace: openshift-operators
spec:
  channel: fast
  installPlanApproval: Automatic
  name: devworkspace-operator
  source: devworkspace-operator-catalog
  sourceNamespace: openshift-operators
  startingCSV: devworkspace-operator.v0.26.0

stringang commented 6 months ago

The webhook certificate should be automatically injected by cert-manager or service-ca.

After manually creating cert-manager configurations to generate certificates and successfully deploying them, I expect automation.

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  labels:
    app.kubernetes.io/name: devworkspace-controller
    app.kubernetes.io/part-of: devworkspace-operator
  name: devworkspace-controller-selfsigned-issuer
  namespace: openshift-operators
spec:
  selfSigned: {}

---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  labels:
    app.kubernetes.io/name: devworkspace-controller
    app.kubernetes.io/part-of: devworkspace-operator
  name: devworkspace-controller-serving-cert
  namespace: openshift-operators
spec:
  dnsNames:
  - devworkspace-webhookserver.openshift-operators.svc
  - devworkspace-webhookserver.openshift-operators.svc.cluster.local
  - devworkspace-controller-manager-service.openshift-operators.svc
  - devworkspace-controller-manager-service.openshift-operators.svc.cluster.local
  issuerRef:
    kind: Issuer
    name: devworkspace-controller-selfsigned-issuer
  secretName: devworkspace-webhookserver-tls
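
A triage check for the mismatch discussed in this thread, added here as an example and not part of the original issue or the project's code: given the JSON from `kubectl get secrets -n <namespace> -o json`, it reports whether `devworkspace-webhookserver-tls` exists with both TLS keys, and otherwise lists the other TLS secrets with their owners. The function names and the sample data are assumptions constructed from the names quoted above.

```python
import json

# Secret name the webhook server is configured to use, per the issue report.
EXPECTED = "devworkspace-webhookserver-tls"
TLS_TYPE = "kubernetes.io/tls"

# Constructed sample shaped like `kubectl get secrets -o json` output. It models
# the reported state: only the CSV-owned secret exists. Values are placeholders,
# not real key material.
SAMPLE = json.dumps({"items": [{
    "metadata": {
        "name": "devworkspace-controller-manager-service-cert",
        "ownerReferences": [{"kind": "ClusterServiceVersion",
                             "name": "devworkspace-operator.v0.26.0"}],
    },
    "type": TLS_TYPE,
    "data": {"tls.crt": "PGNvbnN0cnVjdGVkPg==", "tls.key": "PGNvbnN0cnVjdGVkPg=="},
}]})


def owners(secret):
    """Return the secret's owners as 'Kind/name' strings."""
    refs = secret["metadata"].get("ownerReferences", [])
    return [f'{r["kind"]}/{r["name"]}' for r in refs]


def check_webhook_secret(secret_list_json, expected=EXPECTED):
    """Return (status, detail) for the expected webhook TLS secret."""
    items = json.loads(secret_list_json).get("items", [])
    by_name = {s["metadata"]["name"]: s for s in items}
    found = by_name.get(expected)
    if found is None:
        # Absent: list other TLS secrets and their owners so a name
        # mismatch like the one in this issue is visible at a glance.
        return "missing", {n: owners(s) for n, s in by_name.items()
                           if s.get("type") == TLS_TYPE}
    data = found.get("data") or {}
    missing = [k for k in ("tls.crt", "tls.key") if not data.get(k)]
    if found.get("type") != TLS_TYPE or missing:
        return "incomplete", missing
    return "ok", owners(found)


if __name__ == "__main__":
    print(check_webhook_secret(SAMPLE))
```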