spiffe / spire-controller-manager

Kubernetes controller manager that reconciles workload registration and federation relationships.
Apache License 2.0

TTL validation bug #282

Open kfox1111 opened 8 months ago

kfox1111 commented 8 months ago

I accidentally created a cluster spiffe id with ttl set to 5d.

It doesn't work as 'd' is not supported. This is fine. The whole controller manager is kind of broken with syncing at this point... this even is kind of fine, as it's not supported and my mistake.

I then did a kubectl edit on it and tried to remove the ttl, or change it to something valid. It fails:

error: clusterspiffeids.spire.spiffe.io "spire-root-server-spire-step" could not be patched: admission webhook "vclusterspiffeid.kb.io" denied the request: time: unknown unit "d" in duration "5d"

It seems to be validating the previous version before validating the current version?

But there's now not a way to fix it.

azdagron commented 8 months ago

Hmm, that's no good. Curious how the CR got past the admission controller in the first place?

kfox1111 commented 8 months ago

Used the Helm chart. I think it may have been an initial deployment... I guess in that case it may load in the CR before the webhook gets into place.
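Added example, not part of the thread and not the project's code: a small Go model of the failure mode hypothesised above, where an update check that also validates the stored object makes an invalid TTL impossible to repair, next to a check that validates only the incoming object. The `spec` type and the function names are hypothetical; the only real API used is Go's `time.ParseDuration`, which produces the error quoted in the report.

```go
package main

import (
	"fmt"
	"time"
)

// spec is a hypothetical stand-in for a custom resource spec with a string TTL.
type spec struct {
	TTL string // empty means "use the default"
}

// validateTTL accepts an empty TTL or anything time.ParseDuration accepts
// (units: ns, us, ms, s, m, h). There is no day unit, so "5d" is rejected.
func validateTTL(ttl string) error {
	if ttl == "" {
		return nil
	}
	d, err := time.ParseDuration(ttl)
	if err != nil {
		return err
	}
	if d < 0 {
		return fmt.Errorf("ttl %q must not be negative", ttl)
	}
	return nil
}

// validateUpdateStrict models the behaviour hypothesised in the thread: the
// stored object is checked too, so a bad stored TTL blocks every later edit.
func validateUpdateStrict(oldObj, newObj spec) error {
	if err := validateTTL(oldObj.TTL); err != nil {
		return err
	}
	return validateTTL(newObj.TTL)
}

// validateUpdateRepairable checks only the incoming object, so an invalid
// stored value can still be corrected or removed.
func validateUpdateRepairable(_, newObj spec) error {
	return validateTTL(newObj.TTL)
}

func main() {
	stored := spec{TTL: "5d"} // constructed: the invalid value from the report
	for _, fix := range []spec{{TTL: "120h"}, {TTL: ""}} {
		fmt.Printf("new=%q strict=%v repairable=%v\n", fix.TTL,
			validateUpdateStrict(stored, fix), validateUpdateRepairable(stored, fix))
	}
}
```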