snowdrop / godaddy-webhook

Cert Manager Godaddy Webhook performing ACME challenge using DNS record
Apache License 2.0

Failed to make webhook authorizer request #5

Closed llaforest closed 2 years ago

llaforest commented 2 years ago

We are running on OCP 4.9. We did not have this problem when running on OCP 4.6 but I'm not sure if it's the cause. When the pod is started by the deployment I get this error in the logs:

I0120 23:38:25.792011 1 secure_serving.go:123] Serving securely on [::]:443
E0120 23:38:26.212137 1 webhook.go:196] Failed to make webhook authorizer request: the server could not find the requested resource
E0120 23:38:26.212299 1 errors.go:77] the server could not find the requested resource

If I start the pod in debug and call the webhook entrypoint, the log is different and it works:

/ #
/ # webhook
I0120 23:44:12.820241 7 serving.go:312] Generated self-signed cert (apiserver.local.config/certificates/apiserver.crt, apiserver.local.config/certificates/apiserver.key)
I0120 23:44:13.220626 7 secure_serving.go:123] Serving securely on [::]:443

Would there be a reason why the self-served certificate generation does not happen when the pod is started by the deployment?

cmoulliard commented 2 years ago

We are running on OCP 4.9. We did not have this problem when running on OCP 4.6 but I'm not sure if it's the cause.

I don't know if this is related but the versions of cert-manager supported on OpenShift changed between 1.5 and 1.6 - see

As this version of godaddy-webhook has not been changed since v1.2, I will first bump to 1.5 to check if the project still works.

cmoulliard commented 2 years ago

I0120 23:38:25.792011 1 secure_serving.go:123] Serving securely on [::]:443 E0120 23:38:26.212137 1

Can you try to use the port 8443 instead of 443 within the Deployment resource and Service

llaforest commented 2 years ago

Ok, if I change to 8443 I do not get the "Failed to make webhook authorizer request" error, but the readiness probes are not working. I tried to change the ports of the probes to 8443 but they do not get ready. The only log I get is:

I0124 12:59:24.961734 1 secure_serving.go:123] Serving securely on [::]:443

I tried to change the imagePullPolicy to Always. Since the deployment uses the latest tag, it will not pull if the tag gets updated in the quay.io repo. I can see though that this image did not change in two years...

cmoulliard commented 2 years ago

I0124 12:59:24.961734 1 secure_serving.go:123] Serving securely on [::]:443

Yep. Even if we change the containerPort, the webhook API server is nevertheless launched on port 443 by default. The workaround should be to pass the parameter --secure-port= as documented within the cert-manager helm chart and documented here

https://github.com/jetstack/cert-manager/blob/3c9510b782b6e5aed6eac8bb9b2e103d6ef718a9/deploy/charts/cert-manager/values.yaml#L331-L336

An alternative is to enable the NET_BIND_SERVICE capability to bind port numbers <1000
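The two comments above (probes that never go ready after switching to 8443, and passing --secure-port so the server actually listens there) amount to one configuration change that has to be applied consistently across the container args, the containerPort, the probes and the Service. The manifest below is an added example written for this thread, not a file from the godaddy-webhook repository: it assumes the webhook binary accepts the --secure-port flag exactly as the cert-manager chart linked above does, that it serves its health endpoint at /healthz over HTTPS on the same port (the path is an assumption), and it uses placeholder values for the image and namespace.

```yaml
# Added example (not the project's own manifest): run the webhook on an
# unprivileged port so the container can keep a non-root, no-capabilities
# security context, and keep probes and Service in step with that port.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: godaddy-webhook
  namespace: cert-manager          # placeholder namespace
spec:
  replicas: 1
  selector:
    matchLabels:
      app: godaddy-webhook
  template:
    metadata:
      labels:
        app: godaddy-webhook
    spec:
      serviceAccountName: godaddy-webhook   # assumption: RBAC bound elsewhere
      containers:
        - name: webhook
          image: IMAGE_PLACEHOLDER          # placeholder: pin a digest, not :latest
          imagePullPolicy: IfNotPresent
          args:
            # Without this the server still binds :443 regardless of containerPort,
            # which is what the "Serving securely on [::]:443" log line shows.
            - --secure-port=8443
          ports:
            - name: https
              containerPort: 8443           # must match --secure-port
              protocol: TCP
          livenessProbe:
            httpGet:
              scheme: HTTPS
              path: /healthz                # assumption: health path of the webhook
              port: https                   # named port, so it follows the value above
          readinessProbe:
            httpGet:
              scheme: HTTPS
              path: /healthz
              port: https
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
              # Only needed if you insist on binding :443 inside the container
              # instead of using --secure-port; prefer the unprivileged port.
              # add: ["NET_BIND_SERVICE"]
---
# The APIService/aggregation layer keeps talking to the Service on 443;
# only the targetPort changes, so nothing outside the pod has to know
# about 8443.
apiVersion: v1
kind: Service
metadata:
  name: godaddy-webhook
  namespace: cert-manager          # placeholder namespace
spec:
  selector:
    app: godaddy-webhook
  ports:
    - name: https
      port: 443
      targetPort: https            # resolves to containerPort 8443
      protocol: TCP
```

A quick check after applying this is that the pod log now reports "Serving securely on [::]:8443" rather than 443, and that the readiness probe turns green; if the log still says 443, the argument is not reaching the binary (for example because the image's entrypoint ignores args).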

llaforest commented 2 years ago

This problem was resolved with a new docker image and new RBAC needed in k8s > 1.20