failed to create resource: admission webhook "webhook.cert-manager.io" denied

[grandeon]

Hello!

I'm trying to deploy nifi-registry with security and OIDC authnetication. This is my configuration values.yaml:

 cat charts/nifi-registry/values.yaml
# Default values for nifi-registry.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

replicaCount: 1

image:
  repository: apache/nifi-registry
  pullPolicy: IfNotPresent
  tag: "0.8.0"

initContainers:
  git:
    image: alpine/git
    tag: v2.26.2
  alpine:
    image: alpine
    tag: 3.6
  # Additional environment variables to set for the initContainers
  extraEnvs: []
  # extraEnvs:
  #   - name: FOO
  #     value: bar

imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""

serviceAccount:
  # Specifies whether a service account should be created
  create: true
  # Annotations to add to the service account
  annotations: {}
  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name: ""

podAnnotations: {}

podSecurityContext: {}
  # fsGroup: 2000

securityContext: {}
  # capabilities:
  #   drop:
  #   - ALL
  # readOnlyRootFilesystem: true
  # runAsNonRoot: true
  # runAsUser: 1000

service:
  type: ClusterIP
  port: 18080

ingress:
####  enabled: false
####  annotations: {}
####    # kubernetes.io/ingress.class: nginx
####    # kubernetes.io/tls-acme: "true"
####  hosts:
####    - host: chart-example.local
####      paths: []
####  tls: []
####  #  - secretName: chart-example-tls
####  #    hosts:
####  #      - chart-example.local
  enabled: true
  annotations: {
    nginx.ingress.kubernetes.io/backend-protocol: "HTTP",
    nginx.ingress.kubernetes.io/ssl-redirect: "true" ,
    nginx.ingress.kubernetes.io/affinity: cookie
   }
  hosts:
    - host: registry-cetic.domain.net
      paths:
        - /
  tls:
     - hosts:
        - registry-cetic.domain.net

## Persist data to a persistent volume
persistence:
  enabled: true
  database:
    # storageClass: "-"
    accessMode: ReadWriteOnce
    size: 10Gi
  flowStorage:
    # storageClass: "-"
    accessMode: ReadWriteOnce
    size: 10Gi

resources: {}
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  # limits:
  #   cpu: 100m
  #   memory: 128Mi
  # requests:
  #   cpu: 100m
  #   memory: 128Mi

nodeSelector: {}

tolerations: []

affinity: {}

flowProvider:
  git:
    enabled: false
    # Repository to be cloned at pod startup
    url:
    # Sets NIFI_REGISTRY_GIT_REMOTE for update_flow_provider.sh
    remote: origin
    # Sets NIFI_REGISTRY_GIT_USER for update_flow_provider.sh
    user:
    # Sets NIFI_REGISTRY_GIT_PASSWORD for update_flow_provider.sh
    password:
    # Global Git configuration See https://git-scm.com/docs/git-config for more details.
    config:
      enabled: false
      data: ""
      # data: |
      #   [credential "https://github.com"]
      #           username = foo
    ssh:
      # To use an SSH public/private keypair as a Kubernetes secret:
      # 1. Generate a SSH key named id_rsa:
      #      ssh-keygen -q -N "" -f ./id_rsa
      # 2. Create a Kubernetes secret:
      #      kubectl -n nifi-registry create secret generic nifi-registry-git-ssh --from-file=./id_rsa
      # 3. Don't check these key files into your Git repository! Once you've created
      #    the Kubernetes secret, Delete the private key:
      #      rm ./id_rsa
      # 4. Add ./id_rsa.pub as a deployment key with write access in your Git repo
      # 5. Set the secret name (e.g., nifi-registry-git-ssh) here:
      secretName:
      # 6. Provide the public key(s) of the SSH server(s) for $HOME/.ssh/known_hosts
      known_hosts:
      # 7. Set the GIT_SSH_COMMAND
      gitSshCommand: "ssh -v"
      # 8. specify the config which would go in $HOME/.ssh/config file, for e.g.
      # config: |
      #   Host github.com
      #   ProxyCommand socat STDIO PROXY:<proxyIP>:%h:%p,proxyport=<proxyPort>,proxyauth=<username:password>
      #   User git
      #   Hostname ssh.github.com
      #   Port 443
      #   IdentityFile /etc/fluxd/ssh/identity
      # or, if using an SSH public/private keypair:
      config: |
        StrictHostKeyChecking accept-new
  postgres:
    enabled: false
    driverURL: https://jdbc.postgresql.org/download/
    fileName: postgresql-42.2.6.jar
    driverClass: org.postgresql.Driver
    url: jdbc:postgresql://localhost/nifireg
    username: nifireg
    password: nifireg

# Additional environment variables to set
extraEnvs: []
# extraEnvs:
#   - name: FOO
#     value: bar

tests:
  images:
    busybox:
      image: busybox
      tag: 1.33.1

# Configuration to run NiFi Registry securely
# c.f. https://nifi.apache.org/docs/nifi-registry-docs/html/administration-guide.html#security_configuration
# TLS keystores and truststores must be configured to run secure;
# see (e.g.) certManager (below)

security:
  # Disabled by default (following the principle of least astonishment)
####  enabled: false
  enabled: true
####  needClientAuth: true
  needClientAuth: true
  httpsHost: "0.0.0.0"
  httpsPort: 18443
  admin: admin@example.com
  persistence:
  # storageClass: "-"
    accessMode: ReadWriteOnce
    size: 1Gi
  # ConfigMap with users.xml and authorizations.xml keys; note that these
  # settings will override the admin: key above if present
  authConf:

# cert-manager support
# Setting this true will have cert-manager create a private CA just for NiFi Registry,
# including certificates for each NiFi Registry node.
certManager:
  # If true, use cert-manager to create and rotate intra-NiFi-Registry-cluster
  # TLS keys (note that cert-manager is a Kubernetes cluster-wide resource, so
  # is not installed automatically by this chart); c.f. https://cert-manager.io
  enabled: true
  # TLS Common Name of a client, suitable for using as an initial administrator.
  # The client certificate (including private key) will be in a Kubernetes
  # TLS secret of the name {{ template "nifi-registry.fullname"}}-client
  clientCommonName: ""
  # Kubernetes cluster top level domain, to generate fully qualified domain names
  # for certificate Common Names
  clusterDomain: cluster.local
  # Java Key Store (JKS) password for NiFi Registry keystore
  keystorePasswd: XXXXXXXXXXXXXX
  # Java Key Store (JKS) password for NiFi Registry truststore
  truststorePasswd: XXXXXXXXXXXXXX
  # Additional DNS names to incorporate into TLS certificates (e.g. where users
  # point browsers to access the NiFi Registry UI)
  additionalDnsNames:
    - localhost
    - registry-cetic.domain.net

  # Names of Kubernetes secrets containing ca.crt keys to add to the
  # NiFi Registry truststore (e.g. CAs of NiFi Registry clients)
  caSecrets:
  # If your (e.g.) OIDC server is using TLS with a private CA, then set this
  # to true so that Java will use the cert-manager-derived TrustStore:
  replaceDefaultTrustStore: true
  # How often the sidecar refreshes the NiFi keystore and truststore from
  # the cert-manager Kubernetes secrets (and other caSecrets)
  refreshSeconds: 300
  # sidecar resources needed to populate and refresh those secrets
  resources:
    requests:
      cpu: 100m
      memory: 128Mi
    limits:
      cpu: 100m
      memory: 128Mi
  # cert-manager takes care of rotating the TLS certificates, so default
  # their lifetime to 90 days.  But when the CA expires you may need to
  # 'helm delete' the cluster, delete all the TLS certificates and secrets,
  # and then 'helm install' the NiFi Registry cluster again.  If a site-to-site trusted
  # CA or a NiFi Registry CA certificate expires, you'll need to restart all
  # pods to pick up the new version of the CA certificate.  So default the CA
  # lifetime to 10 years to avoid that happening very often.
  # c.f. https://github.com/cert-manager/cert-manager/issues/2478#issuecomment-1095545529
  certDuration: 2160h
  caDuration: 87660h

# oidc support
oidc:
  # If true, use OIDC for authentication.
  enabled: true
  # URL for NiFi to discover the OIDC provider
  discoveryURL: https://sso.example.com/realms/nifi-registry-sand/.well-known/openid-configuration
  # Client ID
  clientId: nifi-registry-sand
  # Client Secret
  clientSecret: XXXXXXXXXXXXXXXXXXXXXXX
  # OIDC Claim that identifies the user
  claimIdentifyingUser: email
  # OIDC Connection Timeout
  connectTimeout: "5 secs"
  # OIDC Read Timeout
  readTimeout: "5 secs"

And the result when I trying to upgrade helm release:

helm upgrade nifi -n oidc-nifi ./
coalesce.go:163: warning: skipped value for initContainers: Not a table.
W0915 13:03:43.029418    8302 warnings.go:70] networking.k8s.io/v1beta1 Ingress is deprecated in v1.19+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress
W0915 13:03:43.033441    8302 warnings.go:70] networking.k8s.io/v1beta1 Ingress is deprecated in v1.19+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress
W0915 13:03:43.041271    8302 warnings.go:70] networking.k8s.io/v1beta1 Ingress is deprecated in v1.19+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress
Error: UPGRADE FAILED: failed to create resource: admission webhook "webhook.cert-manager.io" denied the request: spec.commonName: Too long: must have at most 64 bytes

I got the integration of a three nodes NiFi cluster with oidc authentication provided by keycloak, but I can't resolve this issue.

Can anybody help me?

Thank's so much!!!

[jrebmann]

Hi @grandeon,

I had exactly the same error!

However, the explanation is not particularly satisfactory.

Due to the use of the cert-manager, certificates are issued on the fully qualified internal Kubernetes service name.

This is composed as follows:

{{ fullname }}-{{ replicaCount }}.{{ fullname }}-headless.{{ namespace }}.svc.cluster.local.

Since the common name of a certificate may not exceed 64 bytes, this leads to the following name length restriction:

2 * length(fullname) + length(replicaCount) + length(namespace) < 35 characters.

[wrender]

I ended up getting this to work by setting: fullnameOverride: "nifi-registry". And it ended up shortening everything to be within 64 character length, and in tern cert-manager was ok with it.