kurator-dev / kurator

Unified resource orchestration, unified scheduling, unified traffic management and unified telemetry for distributed cloud
https://kurator.dev
Apache License 2.0

Unable to use MutatingWebhookConfiguration #664

Closed Gidi233 closed 2 months ago

Gidi233 commented 2 months ago

Please provide an in-depth description of the question you have: When I was developing, I planned to add a definition of MutatingWebhookConfiguration to the application resource in fleet to provide default values. When I applied the application, the following error was reported:

Error from server (InternalError): error when creating "STDIN": Internal error occurred: failed calling webhook "mutation.application.apps.kurator.dev": failed to call webhook: Post "https://kurator-webhook-service-fleet.kurator-system.svc:443/mutate-apps-kurator-dev-v1alpha1-application?timeout=10s": EOF

The log shows that the webhook is successfully registered in the controller:

I0803 07:28:31.308410       1 webhook.go:158] controller-runtime/builder "msg"="Registering a mutating webhook" "GVK"={"Group":"apps.kurator.dev","Version":"v1alpha1","Kind":"Application"} "path"="/mutate-apps-kurator-dev-v1alpha1-application"
I0803 07:28:31.308791       1 server.go:187] controller-runtime/webhook "msg"="Registering webhook" "path"="/mutate-apps-kurator-dev-v1alpha1-application"
I0803 07:28:31.308833       1 webhook.go:188] controller-runtime/builder "msg"="Registering a validating webhook" "GVK"={"Group":"apps.kurator.dev","Version":"v1alpha1","Kind":"Application"} "path"="/validate-apps-kurator-dev-v1alpha1-application"
I0803 07:28:31.308888       1 server.go:187] controller-runtime/webhook "msg"="Registering webhook" "path"="/validate-apps-kurator-dev-v1alpha1-application"

The following is the newly added MutatingWebhookConfiguration:

---
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  annotations:
    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/kurator-serving-cert
  creationTimestamp: null
  name: fleet-manager-mutating-webhook-configuration
webhooks:
  - admissionReviewVersions:
      - v1
      - v1beta1
    clientConfig:
      service:
        name: kurator-webhook-service-fleet
        namespace: {{ .Release.Namespace }}
        path: /mutate-apps-kurator-dev-v1alpha1-application # do not change this
    failurePolicy: Fail
    matchPolicy: Equivalent
    name: mutation.application.apps.kurator.dev
    rules:
      - apiGroups:
          - apps.kurator.dev
        apiVersions:
          - v1alpha1
        operations:
          - CREATE
          - UPDATE
        resources:
          - applications
    sideEffects: None

The complete changes are in the dev branch of my repository

LiZhenCheng9527 commented 2 months ago

@hzxuzhonghu Do you have time to look at it?

hzxuzhonghu commented 2 months ago

Sure, will take a look later.

hzxuzhonghu commented 2 months ago

It seems the request is being sent to the kurator webhook. Do you have logs of kurator?

Gidi233 commented 2 months ago

When there is only a ValidatingWebhookConfiguration, there is a log showing that the webhook is running normally. When there is a MutatingWebhookConfiguration, the MutatingWebhook will be called first. According to the EOF error, I think it did not call the service, and there is no err in Default in the log.

Gidi233 commented 2 months ago

I looked at the log again and found a segment error. My bad.
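
Added example, not part of the thread or of Kurator's code: Go's `net/http` recovers a handler panic by logging it and closing the connection, which the API server reports as `EOF`, and with `failurePolicy: Fail` every matching CREATE/UPDATE is then rejected without a reason. The sketch below assumes the "segment error" was such a panic inside the defaulting code and shows a handler that answers with a denial instead; the `spec`/`Interval` fields, the buggy defaulter, the port and the certificate paths are constructed, and patch generation is omitted.

```go
package main

import (
	"encoding/json"
	"fmt"
	"log"
	"net/http"
)

// response is the subset of the admission.k8s.io/v1 response used here.
type response struct {
	UID     string            `json:"uid"`
	Allowed bool              `json:"allowed"`
	Status  map[string]string `json:"status,omitempty"`
}

// applyDefaults is a constructed defaulter; recover turns its panic into an error.
func applyDefaults(raw []byte) (err error) {
	defer func() {
		if p := recover(); p != nil {
			err = fmt.Errorf("defaulting panicked: %v", p)
		}
	}()
	var a struct{ Spec *struct{ Interval string } }
	_ = json.Unmarshal(raw, &a)
	if a.Spec.Interval == "" { // constructed bug: nil dereference when spec is absent
		a.Spec.Interval = "5m"
	}
	return nil
}

// mutate always writes an AdmissionReview, so the caller gets a reason, not EOF.
func mutate(w http.ResponseWriter, r *http.Request) {
	var in struct{ Request *struct{ UID string; Object json.RawMessage } }
	if json.NewDecoder(r.Body).Decode(&in) != nil || in.Request == nil {
		http.Error(w, "bad AdmissionReview", http.StatusBadRequest)
		return
	}
	resp := response{UID: in.Request.UID, Allowed: true}
	if err := applyDefaults(in.Request.Object); err != nil {
		resp.Allowed, resp.Status = false, map[string]string{"message": err.Error()}
	}
	json.NewEncoder(w).Encode(map[string]any{"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": resp})
}

func main() { // serves the page's webhook path; port and certificate paths are placeholders
	http.HandleFunc("/mutate-apps-kurator-dev-v1alpha1-application", mutate)
	log.Fatal(http.ListenAndServeTLS(":9443", "tls.crt", "tls.key", nil))
}
```

With the recover in place, the denial message names the panic, so the failure shows up in the `kubectl apply` output as well as in the webhook pod's log.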