morvencao / kube-sidecar-injector

A Kubernetes mutating webhook server that implements sidecar injection
Apache License 2.0

webhook-patch-ca-bundle.sh #6

Closed sagarwala closed 4 years ago

sagarwala commented 5 years ago

I run the webhook-patch-ca-bundle.sh script to replace ${CA_BUNDLE}. On running kubectl create for mutatingwebhook-ca-bundle.yaml, I get the following error:

error validating "deployment/mutatingwebhook-ca-bundle.yaml": error validating data: ValidationError(MutatingWebhookConfiguration.webhooks[0].clientConfig.caBundle): invalid type for io.k8s.api.admissionregistration.v1beta1.WebhookClientConfig.caBundle: got "array", expected "string"; if you choose to ignore these errors, turn validation off with --validate=false

When I manually replaced the ${CA_BUNDLE} with the output of (kubectl get configmap -n kube-system extension-apiserver-authentication -o=jsonpath='{.data.client-ca-file}' | base64 | tr -d '\n'), it seems to be fine.

windyear commented 5 years ago

I met some problems in running the webhook-patch-ca-bundle.sh. Thank you for your advice!

morvencao commented 4 years ago

@sagarwala @windyear Sorry for the late response. Please check if the caBundle is patched correctly in deployment/mutatingwebhook-ca-bundle.yaml.

The CA is retrieved from the kubeconfig file, but sometimes the kubeconfig may not contain CA data and just contains a token. In that case, please get the CA from the secret for the default serviceaccount in the default namespace.

export CA_BUNDLE=$(kubectl get secrets -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='default')].data.ca\.crt}")

I also raised a PR to fix this: https://github.com/morvencao/kube-mutating-webhook-tutorial/pull/14

Will close this, feel free to reopen this if you still have an issue.
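A pre-flight check for the CA_BUNDLE value discussed in this thread, as an added example that is not part of the original issue or the project's script. The function names `check_ca_bundle` and `render_webhook_yaml` are hypothetical; the check assumes the value must be a single-line base64 string that decodes to a PEM certificate, and it refuses to substitute anything else into the webhook YAML.

```shell
#!/usr/bin/env bash
# Added example: validate CA_BUNDLE before substituting it into
# mutatingwebhook-ca-bundle.yaml. Function names are hypothetical.

# check_ca_bundle VALUE
# Returns 0 if VALUE is usable as a caBundle string, otherwise:
#   1 = empty (the lookup found no CA data)
#   2 = characters outside the base64 alphabet (newlines, brackets, quotes)
#   3 = base64 decoding failed
#   4 = decoded data is not a PEM certificate
check_ca_bundle() {
  local value="$1" decoded
  if [ -z "$value" ]; then
    echo "CA_BUNDLE is empty" >&2
    return 1
  fi
  case "$value" in
    *[!A-Za-z0-9+/=]*)
      echo "CA_BUNDLE is not a single-line base64 string" >&2
      return 2 ;;
  esac
  decoded=$(printf '%s' "$value" | base64 -d 2>/dev/null) || {
    echo "CA_BUNDLE does not decode as base64" >&2
    return 3
  }
  case "$decoded" in
    *"-----BEGIN CERTIFICATE-----"*"-----END CERTIFICATE-----"*)
      return 0 ;;
  esac
  echo "CA_BUNDLE does not decode to a PEM certificate" >&2
  return 4
}

# render_webhook_yaml VALUE < template > rendered
# Replaces the ${CA_BUNDLE} placeholder only after VALUE passes the check.
# The check also guarantees VALUE holds no sed metacharacters ('|', '&').
render_webhook_yaml() {
  check_ca_bundle "$1" || return
  sed -e "s|\${CA_BUNDLE}|$1|g"
}

# Usage with the command from the thread (needs cluster access):
#   CA_BUNDLE=$(kubectl get secrets -o jsonpath="{...data.ca\.crt}")
#   render_webhook_yaml "$CA_BUNDLE" < template.yaml | kubectl create -f -
```

Because the rendering step fails closed, a missing or malformed CA never reaches `kubectl create`, and the problem is reported by the script rather than by API validation.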