Describe the bug:
The non-helm version that installs the webhook fails as it doesn't define the CRDs. They don't appear to be included in the manifest.
Expected behaviour:
I would expect the yaml to be applied cleanly.
Steps to reproduce the bug:
cd contrib/manifests/cert-manager
kubectl create namespace cert-manager
kubectl label namespace cert-manager certmanager.k8s.io/disable-validation=true
kubectl apply -f with-rbac-webhook.yaml
You'll get some errors like this:
unable to recognize "with-rbac-webhook.yaml": no matches for kind "Issuer" in version "certmanager.k8s.io/v1alpha1"
unable to recognize "with-rbac-webhook.yaml": no matches for kind "Certificate" in version "certmanager.k8s.io/v1alpha1"
unable to recognize "with-rbac-webhook.yaml": no matches for kind "Issuer" in version "certmanager.k8s.io/v1alpha1"
unable to recognize "with-rbac-webhook.yaml": no matches for kind "Certificate" in version "certmanager.k8s.io/v1alpha1"
Anything else we need to know?:
Environment details:
k8s v1.11.2
/kind bug
Also, this static manifest doesn't create the namespace. I had to create it manually. Looks like it is created as part of the non webhook static manifests.
Hey Joe,
Thanks for the issue! This is definitely something not quite documented
clearly enough. The webhook manifests should be taken as additive as
opposed to a replacement for the normal ones.
We really should clear this up though and expand our README to instruct
people what to do, step by step.
Additionally, I think you may (at least in Kubernetes pre-1.12 or maybe
even 1.13) hit issues with validation of the 'spec.caBundle' field on the
ValidatingWebhookConfiguration with the webhook - I think we already have
an issue tracking this, but I'm on mobile right now so not able to check!
It can be resolved with '--validate=false' on the kubectl create command
(disabling client side validation!)
Hope that helps, we'll get this triaged and improved ASAP though as the
webhook is a new piece and I am super keen to gather feedback on it!
On Thu, 1 Nov 2018 at 22:54, Joe Beda notifications@github.com wrote:
Also, this static manifest doesn't create the namespace. I had to create
it manually. Looks like it is created as part of the non webhook static
manifests.
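The "no matches for kind" errors in the report come from custom resources being applied before their CRDs exist, which is what the reply above means by the webhook manifest being additive. As an added example (not part of the thread or of the cert-manager project), this Python pre-flight check lists the kinds in one API group that a set of manifests uses without defining a CRD for them; the sample manifests are constructed, and the line-based parsing assumes block-style YAML with unindented top-level keys.

```python
import re

def _docs(text):
    """Split a multi-document YAML stream on '---' separator lines."""
    return [d for d in re.split(r"(?m)^---[ \t]*$", text) if d.strip()]

def _top(doc, key):
    """Value of an unindented 'key: value' line, or None."""
    m = re.search(rf"(?m)^{key}:[ \t]*(\S+)", doc)
    return m.group(1).strip("'\"") if m else None

def _nested(doc, key):
    """Value of the first indented 'key: value' line, or None."""
    m = re.search(rf"(?m)^[ \t]+{key}:[ \t]*(\S+)", doc)
    return m.group(1).strip("'\"") if m else None

def missing_crds(manifests, group="certmanager.k8s.io"):
    """Kinds in `group` that are used as resources but have no CRD
    in any of the given manifest texts."""
    defined, used = set(), set()
    for text in manifests:
        for doc in _docs(text):
            api, kind = _top(doc, "apiVersion"), _top(doc, "kind")
            if kind == "CustomResourceDefinition":
                # In a CRD, spec.group and spec.names.kind are the first
                # indented 'group:' and 'kind:' lines.
                if _nested(doc, "group") == group:
                    defined.add(_nested(doc, "kind"))
            elif api and api.split("/")[0] == group:
                used.add(kind)
    return sorted(used - defined)

# Constructed sample: a webhook-style manifest that only *uses* the kinds.
WEBHOOK = """\
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata: {name: example-selfsign}
---
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata: {name: example-webhook-tls}
"""
# Constructed sample: a base manifest that defines the CRDs.
CRD = """\
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
spec:
  group: certmanager.k8s.io
  names:
    kind: {kind}
"""
BASE = "---\n".join(CRD.format(kind=k) for k in ("Issuer", "Certificate"))
```

A non-empty result for the files you are about to apply means the API server will reject those resources until the base manifest with the CRDs has been applied first.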
Ah! That makes more sense then.
It is cool for sure and I'll have to try it out some time soon. Very meta to have cert-manager create a cert so that it can talk to k8s.
Yep - the way it's set up right now is a little shaky. We use a CronJob/Job resource that copies the certificate into the ValidatingWebhookConfiguration and APIService resources...
I'm hoping we can come up with a better way to handle this soon, but wanted to unblock the validation work and get it out in some form to gather feedback 😄