morvencao / kube-sidecar-injector

A Kubernetes mutating webhook server that implements sidecar injection
Apache License 2.0

remote error: tls: bad certificate #18

Open clarechu opened 4 years ago

clarechu commented 4 years ago

Hello, following your method, I found the following problem in the sidecar-injector-webhook-deployment-57cb9d9954-qqqlt pod log:

remote error: tls: bad certificate

api-server

W0611 14:21:25.798710 1 dispatcher.go:168] Failed calling webhook, failing open sidecar-injector.istio.io: failed calling webhook "sidecar-injector.istio.io": Post https://sidecar-injector.istio-system.svc:443/mutate?timeout=30s: x509: certificate signed by unknown authority

gabrielecastellano commented 3 years ago

Getting the same error, any news on this?

clarechu commented 3 years ago

> Getting the same error, any news on this?

We haven't solved the problem yet?

clarechu commented 3 years ago

Have you solved it now?

gabrielecastellano commented 3 years ago

Hello, I am still stuck with that problem and have no hint of what causes it. It seems that the CSR is accepted, but then the server does not recognize the certificate.

anjz commented 3 years ago

Hello, I had this issue on a different project and it turned out that the cause is a deprecation of X.509 CommonName in Go 1.15. The Kubernetes API Server in my cluster had been compiled with Go 1.15. Looking at Kubernetes API server logs I found that this was the cause of the rejection with tls: bad certificate.

Basically, -subj "/CN=${service}.${namespace}.svc" in webhook-create-signed-cert.sh is not enough. It also needs -addext "subjectAltName = DNS:${service}.${namespace}.svc".

I haven't tested in this repo, but I believe this is the problem you're facing here.

clarechu commented 3 years ago

> Hello, I had this issue on a different project and it turned out that the cause is a deprecation of X.509 CommonName in Go 1.15. The Kubernetes API Server in my cluster had been compiled with Go 1.15. Looking at Kubernetes API server logs I found that this was the cause of the rejection with tls: bad certificate.
>
> Basically, -subj "/CN=${service}.${namespace}.svc" in webhook-create-signed-cert.sh is not enough. It also needs -addext "subjectAltName = DNS:${service}.${namespace}.svc".
>
> I haven't tested in this repo, but I believe this is the problem you're facing here.

OK, I'll try. Thank you

morvencao commented 2 years ago

The CertificateSigningRequest v1beta1 API has been deprecated in k8s 1.19 and was removed in k8s 1.22, see: https://kubernetes.io/docs/reference/using-api/deprecation-guide/#certificatesigningrequest-v122 It is replaced with the CertificateSigningRequest v1 API, and in the v1 API the signerName is required and limited, so it is no longer suitable for signing certificates for the webhook server. I therefore changed the code to use a self-generated CA and certificate, see: https://github.com/morvencao/kube-sidecar-injector/pull/38 It also simplifies the deploy steps: we don't need to handle CSR creation and approval. If you're still interested, please refer to the new doc: https://github.com/morvencao/kube-sidecar-injector/blob/master/README.md
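The two points made in this thread, anjz's observation that a Go 1.15+ API server rejects a CN-only serving certificate and morvencao's switch to a self-generated CA instead of the CSR/approval flow, can be reproduced with Go's own crypto/x509 package. The block below is an added example and is not code from this repository or from PR #38: it builds a throwaway CA, issues a serving certificate for the webhook host once with and once without a subjectAltName, and runs the same verification a Go TLS client performs, which yields the legacy-Common-Name hostname error for the CN-only certificate and "certificate signed by unknown authority" when the CA in the pool does not match. The host name sidecar-injector.istio-system.svc is taken from the API server log above; the CA name and all function names are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCA builds a self-signed CA (example code). A webhook deployment that owns
// its CA needs no Kubernetes CSR creation or approval; the CA's PEM is what
// goes into the MutatingWebhookConfiguration caBundle field.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "sidecar-injector-ca"}, // constructed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// caBundlePEM encodes the CA certificate as PEM, the form the API server needs
// in caBundle so the webhook chain is not "signed by unknown authority".
func caBundlePEM(ca *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Raw})
}

// newServerCert issues the serving certificate for host (<service>.<namespace>.svc)
// signed by the CA. withSAN selects whether host also goes into subjectAltName;
// a CN-only certificate is what the -subj "/CN=..." invocation alone produces.
func newServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string, withSAN bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(30 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if withSAN {
		tmpl.DNSNames = []string{host} // the -addext "subjectAltName = DNS:..." equivalent
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyForHost performs the check a Go TLS client such as kube-apiserver makes
// when it calls the webhook: chain to the trusted CA, then match host against SANs.
func verifyForHost(cert, ca *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     pool,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// isHostnameError reports a SAN/host mismatch; for a CN-only certificate Go 1.15+
// phrases this as "certificate relies on legacy Common Name field".
func isHostnameError(err error) bool {
	var he x509.HostnameError
	return errors.As(err, &he)
}

// isUnknownAuthority reports that the chain did not reach a trusted CA, the
// "x509: certificate signed by unknown authority" case from the API server log.
func isUnknownAuthority(err error) bool {
	var ue x509.UnknownAuthorityError
	return errors.As(err, &ue)
}

func main() {
	host := "sidecar-injector.istio-system.svc"
	ca, caKey, err := newCA()
	if err != nil {
		panic(err)
	}
	for _, withSAN := range []bool{false, true} {
		cert, err := newServerCert(ca, caKey, host, withSAN)
		if err != nil {
			panic(err)
		}
		fmt.Printf("SAN present=%v verify result: %v\n", withSAN, verifyForHost(cert, ca, host))
	}
	fmt.Printf("caBundle for the webhook configuration:\n%s", caBundlePEM(ca))
}
```

Running it prints a hostname error for the CN-only certificate and `<nil>` for the one carrying the SAN, which is the difference between the "tls: bad certificate" seen in the webhook pod and a successful call. The pool-mismatch case is what the API server reports when caBundle does not contain the CA that signed the serving certificate.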