Closed llaforest closed 2 years ago
We are running on OCP 4.9. We did not have this problem when running on OCP 4.6 but I'm not sure if it's the cause.
I don't know if this is related but the versions of cert manager supported on OpenShift changed between 1.5, 1.6 - see
As this version of godaddy-webhook has not been changed since v1.2, I will first bump to 1.5 to check if the project still works.
Can you try to use the port 8443 instead of 443 within the Deployment resource and Service?
Ok if I change to 8443, I do not get the "Failed to make webhook authorizer request" but the readiness probes are not working. Tried to change the ports of the probes to 8443 but they do not get ready. The only log I get is:
I0124 12:59:24.961734 1 secure_serving.go:123] Serving securely on [::]:443
Tried to change the imagePullPolicy to Always. Since the deployment uses latest tag, it will not pull if the tag gets updated in the quay.io repo. I can see though that this image did not change in two years...
Yep. Even if we change the containerPort, the Webhook API server is nevertheless launched on port 443 by default. The workaround should be to pass as parameter --secure-port=
as documented within the cert-manager helm chart and documented here
An alternative is to enable the NET_BIND_SERVICE capability to bind port numbers <1000
This problem was resolved with a new docker image and new RBAC needed in k8s > 1.20
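The port mismatch described in the replies above, expressed as a check (an added example, not code from godaddy-webhook or cert-manager): it derives the port the server binds from `--secure-port`, falling back to the 443 default, and compares it with `containerPort`, the probes and the Service `targetPort`. The manifests, the `/healthz` path and all function names are constructed for illustration, and the capability check assumes the container runs as a non-root user.

```python
PRIVILEGED_BELOW = 1024    # Linux default: binding below this needs CAP_NET_BIND_SERVICE
DEFAULT_SECURE_PORT = 443  # the webhook's default listen port, per the thread

def listen_port(container):
    """Port the server really binds: --secure-port=N if given, else the default."""
    for arg in container.get("args", []):
        if arg.startswith("--secure-port="):
            return int(arg.split("=", 1)[1])
    return DEFAULT_SECURE_PORT

def resolve(port, container):
    """Resolve a numeric or named port reference against the container's ports."""
    if isinstance(port, int):
        return port
    for p in container.get("ports", []):
        if p.get("name") == port:
            return p["containerPort"]
    return None

def lint(container, service):
    """Return findings where the manifest disagrees with the real listen port."""
    findings = []
    actual = listen_port(container)
    declared = [p["containerPort"] for p in container.get("ports", [])]
    if actual not in declared:
        findings.append(f"server listens on {actual} but containerPort is {declared}")
    for kind in ("readinessProbe", "livenessProbe"):
        probe = container.get(kind, {})
        target = probe.get("httpGet") or probe.get("tcpSocket")
        if target and resolve(target["port"], container) != actual:
            findings.append(f"{kind} targets {target['port']}, not {actual}")
    for sp in service.get("ports", []):
        tp = sp.get("targetPort", sp["port"])
        if resolve(tp, container) != actual:
            findings.append(f"Service targetPort {tp} does not reach {actual}")
    caps = container.get("securityContext", {}).get("capabilities", {}).get("add", [])
    if actual < PRIVILEGED_BELOW and "NET_BIND_SERVICE" not in caps:
        findings.append(f"port {actual} is privileged and NET_BIND_SERVICE is not added")
    return findings

# Constructed manifests: containerPort and probe moved to 8443, no --secure-port yet.
probe = {"httpGet": {"path": "/healthz", "port": 8443, "scheme": "HTTPS"}}
broken = {"ports": [{"name": "https", "containerPort": 8443}], "readinessProbe": probe}
fixed = dict(broken, args=["--secure-port=8443"])
service = {"ports": [{"port": 443, "targetPort": "https"}]}

if __name__ == "__main__":
    for name, c in (("broken", broken), ("fixed", fixed)):
        print(name, lint(c, service))
```
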
When the pod is started by the deployment I get this error in the logs:
I0120 23:38:25.792011 1 secure_serving.go:123] Serving securely on [::]:443
E0120 23:38:26.212137 1 webhook.go:196] Failed to make webhook authorizer request: the server could not find the requested resource
E0120 23:38:26.212299 1 errors.go:77] the server could not find the requested resource
If I start the pod in debug and call the webhook entrypoint, the log is different and it works:
/ # webhook
I0120 23:44:12.820241 7 serving.go:312] Generated self-signed cert (apiserver.local.config/certificates/apiserver.crt, apiserver.local.config/certificates/apiserver.key)
I0120 23:44:13.220626 7 secure_serving.go:123] Serving securely on [::]:443
Would there be a reason why the self-served certificate generation does not happen when the pod is started by the deployment?