secret "ssp-webhook-server-cert" not found

[cmoulliard]

Issue

What happened:

The following secret ssp-webhook-server-cert is not created and by conbsequence the ssp-operator pod cannot be started

k describe pod/ssp-operator-6dd7c769c4-v9qpp -n kubevirt
Name:                 ssp-operator-6dd7c769c4-v9qpp
Namespace:            kubevirt
Priority:             2000000000
Priority Class Name:  system-cluster-critical
Service Account:      ssp-operator
Node:                 kind-control-plane/172.18.0.2
Start Time:           Tue, 31 Oct 2023 15:31:24 +0100
Labels:               control-plane=ssp-operator
                      name=ssp-operator
                      pod-template-hash=6dd7c769c4
                      prometheus.ssp.kubevirt.io=true
Annotations:          kubectl.kubernetes.io/default-container: manager
Status:               Pending
SeccompProfile:       RuntimeDefault
IP:
IPs:                  <none>
Controlled By:        ReplicaSet/ssp-operator-6dd7c769c4
Containers:
  manager:
    Container ID:
    Image:         quay.io/kubevirt/ssp-operator:v0.18.3
    Image ID:
    Ports:         9443/TCP, 8443/TCP
    Host Ports:    0/TCP, 0/TCP
    Command:
      /manager
    Args:
      --leader-elect
    State:          Waiting
      Reason:       ContainerCreating
    Ready:          False
    Restart Count:  0
    Requests:
      cpu:      200m
      memory:   150Mi
    Liveness:   http-get http://:8081/healthz delay=15s timeout=1s period=20s #success=1 #failure=3
    Readiness:  http-get http://:8081/readyz delay=5s timeout=1s period=10s #success=1 #failure=3
    Environment:
      VALIDATOR_IMAGE:               quay.io/kubevirt/kubevirt-template-validator:v0.18.3
      VIRTIO_IMG:
      OPERATOR_VERSION:
      TEKTON_TASKS_IMAGE:
      TEKTON_TASKS_DISK_VIRT_IMAGE:
      VM_CONSOLE_PROXY_IMAGE:
    Mounts:
      /tmp/k8s-webhook-server/serving-certs from cert (ro)
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-vxh5j (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             False
  ContainersReady   False
  PodScheduled      True
Volumes:
  cert:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  ssp-webhook-server-cert
    Optional:    false
  kube-api-access-vxh5j:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       <nil>
    DownwardAPI:             true
QoS Class:                   Burstable
Node-Selectors:              <none>
Tolerations:                 node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type     Reason       Age                   From               Message
  ----     ------       ----                  ----               -------
  Normal   Scheduled    10m                   default-scheduler  Successfully assigned kubevirt/ssp-operator-6dd7c769c4-v9qpp to kind-control-plane
  Warning  FailedMount  112s (x4 over 8m35s)  kubelet            Unable to attach or mount volumes: unmounted volumes=[cert], unattached volumes=[], failed to process volumes=[]: timed out waiting for the condition
  Warning  FailedMount  22s (x13 over 10m)    kubelet            MountVolume.SetUp failed for volume "cert" : secret "ssp-webhook-server-cert" not found

What you expected to happen: That the SSP pod will be created

How to reproduce it:

curl -s -L "https://raw.githubusercontent.com/snowdrop/k8s-infra/main/kind/kind.sh" | bash -s install --delete-kind-cluster

# Tekton
kubectl apply --filename https://storage.googleapis.com/tekton-releases/pipeline/latest/release.yaml

# Kubevirt
export VERSION=$(curl -s https://api.github.com/repos/kubevirt/kubevirt/releases | grep tag_name | grep -v -- '-rc' | sort -r | head -1 | awk -F': ' '{print $2}' | sed 's/,//' | xargs)
echo $VERSION
kubectl create -f "https://github.com/kubevirt/kubevirt/releases/download/${VERSION}/kubevirt-operator.yaml"
kubectl create -f "https://github.com/kubevirt/kubevirt/releases/download/${VERSION}/kubevirt-cr.yaml"

# CDI
export VERSION=$(curl -s https://api.github.com/repos/kubevirt/containerized-data-importer/releases/latest | grep '"tag_name":' | sed -E 's/.*"([^"]+)".*/\1/')
kubectl create -f "https://github.com/kubevirt/containerized-data-importer/releases/download/$VERSION/cdi-operator.yaml"
kubectl create -f "https://github.com/kubevirt/containerized-data-importer/releases/download/$VERSION/cdi-cr.yaml"

# SSP
https://github.com/kubevirt/ssp-operator/blob/main/docs/installation.md

export SSP_VERSION=$(curl -v https://api.github.com/repos/kubevirt/ssp-operator/releases/latest | jq '.name' | tr -d '"')
kubectl apply -f "https://github.com/kubevirt/ssp-operator/releases/download/${SSP_VERSION}/ssp-operator.yaml"

[0xFelix]

AFAIK the ssp-operator.yaml in the Release section only works on OCP because it relies on OCP's certificate injection for generating certificates. Deployment on plain Kubernetes might work though if you run make deploy from the tree instead.

[cmoulliard]

AFAIK the ssp-operator.yaml in the Release section only works on OCP because it relies on OCP's certificate injection for generating certificate

Can we then use cert manager with a self signed certificate ? @0xFelix

[0xFelix]

It should be possible when deploying from the tree and enabling cert-manager in the config manifests, but it is not possible with the manifests in the current release. In general SSP's support for plain Kubernetes is not the best. We might improve it in the future.

[kubevirt-bot]

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

/lifecycle stale

[kubevirt-bot]

Stale issues rot after 30d of inactivity. Mark the issue as fresh with /remove-lifecycle rotten. Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

/lifecycle rotten

[kubevirt-bot]

Rotten issues close after 30d of inactivity. Reopen the issue with /reopen. Mark the issue as fresh with /remove-lifecycle rotten.

/close

[kubevirt-bot]

@kubevirt-bot: Closing this issue.

In response to [this](https://github.com/kubevirt/ssp-operator/issues/718#issuecomment-2042256505): >Rotten issues close after 30d of inactivity. >Reopen the issue with `/reopen`. >Mark the issue as fresh with `/remove-lifecycle rotten`. > >/close Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.