
MutatingWebhook is failing due to wrong or untrusted certificate #12

Closed
GerbenWelter opened this issue Feb 21, 2022 · 1 comment · Fixed by #18

Comments

@GerbenWelter

I have tried this operator before and was using the Patch CR. That worked great. Now I want to use the MutatingWebhook as described in this project's documentation. I'm using the operator through OperatorHub so I created the OLM version adjusted for the resource it needs to patch:

```yaml
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: patch-operator-inject
  annotations:
    service.beta.openshift.io/inject-cabundle: "true"
webhooks:
- admissionReviewVersions:
  - v1
  clientConfig:
    service:
      name: patch-operator-webhook-service
      namespace: patch-operator
      path: /inject
  failurePolicy: Fail
  name: patch-operator-inject.redhatcop.redhat.io
  rules:
    - apiGroups:   ["cert-manager.io"]
      apiVersions: ["v1"]
      operations:  ["CREATE"]
      resources:   ["certificates"]
  sideEffects: None
```

When trying to create the resource it needs to patch I get the following error message:

```
Error from server (InternalError): error when creating "gitops-cert.yaml": Internal error occurred: failed calling webhook "patch-operator-inject.redhatcop.redhat.io": failed to call webhook: Post "https://patch-operator-webhook-service.patch-operator.svc:443/inject?timeout=10s": x509: certificate is valid for patch-operator-controller-manager-service.patch-operator, patch-operator-controller-manager-service.patch-operator.svc, not patch-operator-webhook-service.patch-operator.svc
```

It seems that the 'patch-operator-webhook-service' Service is running with the certs of the 'patch-operator-controller-manager-service' Service.

I tried adjusting the MutatingWebhook to use 'patch-operator-controller-manager-service', but that resulted in an untrusted certificate:

```
Error from server (InternalError): error when creating "gitops-cert.yaml": Internal error occurred: failed calling webhook "patch-operator-inject.redhatcop.redhat.io": failed to call webhook: Post "https://patch-operator-controller-manager-service.patch-operator.svc:443/inject?timeout=10s": x509: certificate signed by unknown authority
```

Am I missing something or is this a bug in the operator installation?

@raffaelespazzoli
Collaborator

You are right, there is a problem there and the doc is wrong. We are looking into this. For now you have to manually inject the CA based on what OLM generates. Not ideal.
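A pre-flight check for the two failures in this thread, added here as an example that is not part of the issue or of the operator's code: it tests the hostname the API server dials for a service-backed webhook against the DNS SANs of the serving certificate (the SAN list is constructed from the first x509 error), then builds the repointed configuration and the JSON patch that injects the CA bundle into `clientConfig.caBundle`. The CA PEM bytes are a placeholder; in a real cluster they come from the secret OLM generated for the serving cert.

```python
import base64
import json

# Constructed from the issue: the MutatingWebhookConfiguration as posted (webhooks only).
WEBHOOK_CONFIG = {
    "webhooks": [{
        "name": "patch-operator-inject.redhatcop.redhat.io",
        "clientConfig": {"service": {"name": "patch-operator-webhook-service",
                                     "namespace": "patch-operator", "path": "/inject"}},
    }]
}
# Constructed: DNS SANs of the serving certificate, as listed in the first error message.
SERVING_CERT_DNS_SANS = [
    "patch-operator-controller-manager-service.patch-operator",
    "patch-operator-controller-manager-service.patch-operator.svc",
]

def service_hostname(service: dict) -> str:
    """Hostname the API server dials for a service-backed webhook (the Post URL in the error)."""
    return f"{service['name']}.{service['namespace']}.svc"

def hostname_findings(config: dict, dns_sans: list[str]) -> list[str]:
    """One finding per webhook whose target hostname is absent from the cert's DNS SANs.
    The wording mirrors the API server's x509 error so it is easy to match against logs."""
    findings = []
    for wh in config["webhooks"]:
        host = service_hostname(wh["clientConfig"]["service"])
        if host not in dns_sans:
            findings.append(f"{wh['name']}: certificate is valid for "
                            f"{', '.join(dns_sans)}, not {host}")
    return findings

def ca_bundle_patch(webhook_index: int, ca_pem: bytes) -> list[dict]:
    """RFC 6902 patch for `kubectl patch mutatingwebhookconfiguration <name> --type=json`
    that sets caBundle to the base64 of the CA that signed the serving certificate."""
    return [{"op": "add", "path": f"/webhooks/{webhook_index}/clientConfig/caBundle",
             "value": base64.b64encode(ca_pem).decode("ascii")}]

def repointed_config(config: dict, service_name: str, ca_pem: bytes) -> dict:
    """Deep copy of config with every webhook aimed at service_name and the CA injected."""
    fixed = json.loads(json.dumps(config))  # deep copy; the original stays untouched
    for wh in fixed["webhooks"]:
        wh["clientConfig"]["service"]["name"] = service_name
        wh["clientConfig"]["caBundle"] = base64.b64encode(ca_pem).decode("ascii")
    return fixed

if __name__ == "__main__":
    print("\n".join(hostname_findings(WEBHOOK_CONFIG, SERVING_CERT_DNS_SANS)))
    ca_placeholder = b"-----BEGIN CERTIFICATE-----\nOLM-CA-PLACEHOLDER\n-----END CERTIFICATE-----\n"
    fixed = repointed_config(WEBHOOK_CONFIG, "patch-operator-controller-manager-service", ca_placeholder)
    print(hostname_findings(fixed, SERVING_CERT_DNS_SANS), json.dumps(ca_bundle_patch(0, ca_placeholder)))
```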
