I try to apply the manifest, but the validating webhook cannot be created.
With --validate=false it works fine.
$ kubectl apply -f https://raw.githubusercontent.com/jetstack/cert-manager/master/deploy/manifests/cert-manager.yaml
serviceaccount/cert-manager-webhook created
serviceaccount/cert-manager configured
clusterrole.rbac.authorization.k8s.io/cert-manager configured
clusterrolebinding.rbac.authorization.k8s.io/cert-manager configured
clusterrole.rbac.authorization.k8s.io/cert-manager-view created
clusterrole.rbac.authorization.k8s.io/cert-manager-edit created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-webhook:auth-delegator created
rolebinding.rbac.authorization.k8s.io/cert-manager-webhook:webhook-authentication-reader created
clusterrole.rbac.authorization.k8s.io/cert-manager-webhook:webhook-requester created
service/cert-manager-webhook created
deployment.apps/cert-manager-webhook created
deployment.apps/cert-manager configured
cronjob.batch/cert-manager-webhook-ca-sync created
job.batch/cert-manager-webhook-ca-sync created
configmap/cert-manager-webhook-ca-sync created
serviceaccount/cert-manager-webhook-ca-sync created
clusterrole.rbac.authorization.k8s.io/cert-manager-webhook-ca-sync created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-webhook-ca-sync created
apiservice.apiregistration.k8s.io/v1beta1.admission.certmanager.k8s.io created
issuer.certmanager.k8s.io/cert-manager-webhook-selfsign created
certificate.certmanager.k8s.io/cert-manager-webhook-ca created
issuer.certmanager.k8s.io/cert-manager-webhook-ca created
certificate.certmanager.k8s.io/cert-manager-webhook-webhook-tls created
error: error validating "https://raw.githubusercontent.com/jetstack/cert-manager/master/deploy/manifests/cert-manager.yaml": error validating data: [ValidationError(ValidatingWebhookConfiguration.webhooks[0].clientConfig): missing required field "caBundle" in io.k8s.api.admissionregistration.v1beta1.WebhookClientConfig, ValidationError(ValidatingWebhookConfiguration.webhooks[1].clientConfig): missing required field "caBundle" in io.k8s.api.admissionregistration.v1beta1.WebhookClientConfig, ValidationError(ValidatingWebhookConfiguration.webhooks[2].clientConfig): missing required field "caBundle" in io.k8s.api.admissionregistration.v1beta1.WebhookClientConfig]; if you choose to ignore these errors, turn validation off with --validate=false
+1
I'm having the same issue
This looks like it is due to this change: https://github.com/jetstack/cert-manager/pull/911
I think you should be able to just add an empty string for caBundle, but ultimately this should be made to be an optional property.
Thanks @rrichardson
Adding empty string for caBundle helps:
diff --git a/deploy/manifests/cert-manager.yaml b/deploy/manifests/cert-manager.yaml
index 7a2d3a63..d965256c 100644
--- a/deploy/manifests/cert-manager.yaml
+++ b/deploy/manifests/cert-manager.yaml
@@ -595,6 +595,7 @@ webhooks:
name: kubernetes
namespace: default
path: /apis/admission.certmanager.k8s.io/v1beta1/certificates
+ caBundle: ""
- name: issuers.admission.certmanager.k8s.io
namespaceSelector:
matchExpressions:
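Review bot: the added `caBundle: ""` line follows `path:`, which together with `name:` and `namespace:` belongs to the `service` block, while the validation error reports the field as missing from `WebhookClientConfig`. Check that the new key is indented as a sibling of `service` under `clientConfig` and not as a further key of `service`; the indentation cannot be confirmed from the hunk as rendered here.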
@@ -622,6 +623,7 @@ webhooks:
name: kubernetes
namespace: default
path: /apis/admission.certmanager.k8s.io/v1beta1/issuers
+ caBundle: ""
- name: clusterissuers.admission.certmanager.k8s.io
namespaceSelector:
matchExpressions:
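Review bot: the empty string added after the `.../v1beta1/issuers` path is a placeholder that only satisfies the required-field check, and nothing on the line says so. Suggest a YAML comment next to `caBundle: ""` stating that the value is intentionally empty and what is expected to populate it, so it is not read as a finished trust configuration.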
@@ -649,4 +651,4 @@ webhooks:
name: kubernetes
namespace: default
path: /apis/admission.certmanager.k8s.io/v1beta1/clusterissuers
-
+ caBundle: ""
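Review bot: the last line of this hunk replaces the file's final empty line with `caBundle: ""`, so the manifest now ends on that key. Confirm the file still ends with a newline, and that all three webhook entries carry the identical placeholder so a later change to one is not missed in the others.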
I just encountered this problem with 0.6:
$ kubectl apply -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.6/deploy/manifests/cert-manager.yaml
customresourcedefinition.apiextensions.k8s.io "certificates.certmanager.k8s.io" configured
customresourcedefinition.apiextensions.k8s.io "issuers.certmanager.k8s.io" configured
customresourcedefinition.apiextensions.k8s.io "clusterissuers.certmanager.k8s.io" configured
customresourcedefinition.apiextensions.k8s.io "orders.certmanager.k8s.io" configured
customresourcedefinition.apiextensions.k8s.io "challenges.certmanager.k8s.io" configured
namespace "cert-manager" configured
serviceaccount "cert-manager-webhook" unchanged
serviceaccount "cert-manager" unchanged
clusterrole.rbac.authorization.k8s.io "cert-manager" created
clusterrolebinding.rbac.authorization.k8s.io "cert-manager" created
clusterrole.rbac.authorization.k8s.io "cert-manager-view" created
clusterrole.rbac.authorization.k8s.io "cert-manager-edit" created
clusterrolebinding.rbac.authorization.k8s.io "cert-manager-webhook:auth-delegator" created
rolebinding.rbac.authorization.k8s.io "cert-manager-webhook:webhook-authentication-reader" created
clusterrole.rbac.authorization.k8s.io "cert-manager-webhook:webhook-requester" created
service "cert-manager-webhook" unchanged
deployment.apps "cert-manager-webhook" configured
deployment.apps "cert-manager" configured
cronjob.batch "cert-manager-webhook-ca-sync" unchanged
job.batch "cert-manager-webhook-ca-sync" unchanged
configmap "cert-manager-webhook-ca-sync" unchanged
serviceaccount "cert-manager-webhook-ca-sync" unchanged
clusterrole.rbac.authorization.k8s.io "cert-manager-webhook-ca-sync" created
clusterrolebinding.rbac.authorization.k8s.io "cert-manager-webhook-ca-sync" created
apiservice.apiregistration.k8s.io "v1beta1.admission.certmanager.k8s.io" created
issuer.certmanager.k8s.io "cert-manager-webhook-selfsign" configured
certificate.certmanager.k8s.io "cert-manager-webhook-ca" configured
issuer.certmanager.k8s.io "cert-manager-webhook-ca" configured
certificate.certmanager.k8s.io "cert-manager-webhook-webhook-tls" configured
error: error validating "https://raw.githubusercontent.com/jetstack/cert-manager/release-0.6/deploy/manifests/cert-manager.yaml": error validating data: [ValidationError(ValidatingWebhookConfiguration.webhooks[0].clientConfig): missing required field "caBundle" in io.k8s.api.admissionregistration.v1beta1.WebhookClientConfig, ValidationError(ValidatingWebhookConfiguration.webhooks[1].clientConfig): missing required field "caBundle" in io.k8s.api.admissionregistration.v1beta1.WebhookClientConfig, ValidationError(ValidatingWebhookConfiguration.webhooks[2].clientConfig): missing required field "caBundle" in io.k8s.api.admissionregistration.v1beta1.WebhookClientConfig]; if you choose to ignore these errors, turn validation off with --validate=false
As per the install guide, you need to either upgrade to kubectl 1.13 or
later, or add '--validate=false' to your 'kubectl apply' command.
On Sat, 9 Mar 2019 at 20:24, Mike Bridge notifications@github.com wrote:
I just encountered this problem with 0.6:
https://github.com/jetstack/cert-manager/issues/1143#issuecomment-471218930
@munnerz my mistake, thanks! (link)
Still happening with 1.12 at GKE.
kubectl version
Client Version: version.Info{Major:"1", Minor:"12", GitVersion:"v1.12.2", GitCommit:"17c77c7898218073f14c8d573582e8d2313dc740", GitTreeState:"clean", BuildDate:"2018-10-24T06:54:59Z", GoVersion:"go1.10.4", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"12+", GitVersion:"v1.12.5-gke.5", GitCommit:"2c44750044d8aeeb6b51386ddb9c274ff0beb50b", GitTreeState:"clean", BuildDate:"2019-02-01T23:53:25Z", GoVersion:"go1.10.8b4", Compiler:"gc", Platform:"linux/amd64"}
This is the error
certificate.certmanager.k8s.io/cert-manager-webhook-webhook-tls created
error: error validating "https://raw.githubusercontent.com/jetstack/cert-manager/release-0.7/deploy/manifests/cert-manager.yaml": error validating data: [ValidationError(ValidatingWebhookConfiguration.webhooks[0].clientConfig): missing required field "caBundle" in io.k8s.api.admissionregistration.v1beta1.WebhookClientConfig, ValidationError(ValidatingWebhookConfiguration.webhooks[1].clientConfig): missing required field "caBundle" in io.k8s.api.admissionregistration.v1beta1.WebhookClientConfig, ValidationError(ValidatingWebhookConfiguration.webhooks[2].clientConfig): missing required field "caBundle" in io.k8s.api.admissionregistration.v1beta1.WebhookClientConfig]; if you choose to ignore these errors, turn validation off with --validate=false
On GKE the webhook never gets to the completed state. The errors in the stackdriver log say
message: "Forbidden: "/", Reason: "no RBAC policy matched""
Here are the RBAC policies I have set up.
kubectl create clusterrolebinding cluster-admin-binding \
--clusterrole=cluster-admin \
--user=$(gcloud config get-value core/account) \
--dry-run \
-o yaml | kubectl apply -f -
kubectl create clusterrolebinding add-on-cluster-admin \
--clusterrole=cluster-admin \
--serviceaccount=kube-system:default \
--dry-run \
-o yaml | kubectl apply -f -
I had the same error; my cluster version is 1.12.7, but in my case the error was caused by the following:
I was trying to attach cert-manager as a helm dependency in my requirements.yaml helm chart file, and when I do that, I execute helm dep update to tell helm to attach cert-manager.
Then a *.tgz cert-manager package is downloaded to my chart/ directory.
My idea was to remove cert-manager as a dependency, so I had to remove the *.tgz cert-manager package from the chart/ directory and also update the helm dependencies by executing helm dep update again, in order not to have any dependency attached.
⟩ helm dep update
Hang tight while we grab the latest from your chart repositories...
...Unable to get an update from the "local" chart repository (http://127.0.0.1:8879/charts):
Get http://127.0.0.1:8879/charts/index.yaml: dial tcp 127.0.0.1:8879: connect: connection refused
...Successfully got an update from the "jetstack" chart repository
...Successfully got an update from the "stable" chart repository
Update Complete. ⎈Happy Helming!⎈
Saving 0 charts
Deleting outdated charts
And my problem with the "caBundle" has disappeared.
This is still happening for me with version v1.13.4 @munnerz
I'm also seeing it with v1.14.1
I too am seeing this with v1.14.1
Still happening, also when using helm as per docs
helm install \
--name cert-manager \
--namespace cert-manager \
--version v0.7.2 \
jetstack/cert-manager
disabling webhooks helps
I also have the same error
Me as well
/reopen
I'm seeing this as well on
$ kubectl version
Client Version: version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.2", GitCommit:"66049e3b21efe110454d67df4fa62b08ea79a19b", GitTreeState:"clean", BuildDate:"2019-05-16T16:23:09Z", GoVersion:"go1.12.5", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"12", GitVersion:"v1.12.7", GitCommit:"6f482974b76db3f1e0f5d24605a9d1d38fad9a2b", GitTreeState:"clean", BuildDate:"2019-03-25T02:41:57Z", GoVersion:"go1.10.8", Compiler:"gc", Platform:"linux/amd64"}
$ helm version
2019/05/29 02:32:48.168301 main.go:220: WARNING: cannot create syslog logger
Client: &version.Version{SemVer:"v2.14.0", GitCommit:"05811b84a3f93603dd6c2fcfe57944dfa7ab7fd0", GitTreeState:"clean"}
Server: &version.Version{SemVer:"v2.14.0", GitCommit:"05811b84a3f93603dd6c2fcfe57944dfa7ab7fd0", GitTreeState:"clean"}
@WebSpider: You can't reopen an issue/PR unless you authored it or you are a collaborator.
seeing a similar error
Error: validation failed: error validating "": error validating data: [ValidationError(ValidatingWebhookConfiguration.webhooks[0].clientConfig): missing required field "caBundle" in io.k8s.api.admissionregistration.v1beta1.WebhookClientConfig, ValidationError(ValidatingWebhookConfiguration.webhooks[1].clientConfig): missing required field "caBundle" in io.k8s.api.admissionregistration.v1beta1.WebhookClientConfig, ValidationError(ValidatingWebhookConfiguration.webhooks[2].clientConfig): missing required field "caBundle" in io.k8s.api.admissionregistration.v1beta1.WebhookClientConfig]
helm version
Client: &version.Version{SemVer:"v2.14.0", GitCommit:"05811b84a3f93603dd6c2fcfe57944dfa7ab7fd0", GitTreeState:"clean"}
Server: &version.Version{SemVer:"v2.14.0", GitCommit:"05811b84a3f93603dd6c2fcfe57944dfa7ab7fd0", GitTreeState:"clean"}
kubectl version
Client Version: version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.3", GitCommit:"5e53fd6bc17c0dec8434817e69b04a25d8ae0ff0", GitTreeState:"clean", BuildDate:"2019-06-06T01:44:30Z", GoVersion:"go1.12.5", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"12+", GitVersion:"v1.12.7-gke.10", GitCommit:"8d9b8641e72cf7c96efa61421e87f96387242ba1", GitTreeState:"clean", BuildDate:"2019-04-12T22:59:24Z", GoVersion:"go1.10.8b4", Compiler:"gc", Platform:"linux/amd64"}
Solved by upgrading Helm to 2.14.1 (both client and server)
Reference:
Also seeing this, (though it's been 6 months?)
/home/chris/temp/wiptemp/28/linux-amd64/helm version
version.BuildInfo{Version:"v3.0.2", GitCommit:"19e47ee3283ae98139d98460de796c1be1e3975f", GitTreeState:"clean", GoVersion:"go1.13.5"}
/home/chris/temp/wiptemp/28/linux-amd64/helm install cert-manager-myr --namespace cert-manager jetstack/cert-manager
Error: unable to build kubernetes objects from release manifest: error validating "": error validating data: ValidationError(MutatingWebhookConfiguration.webhooks[0].clientConfig): missing required field "caBundle" in io.k8s.api.admissionregistration.v1beta1.WebhookClientConfig
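The validation errors quoted in this thread all point at `webhooks[N].clientConfig.caBundle`. As an added example (not from the thread or from cert-manager), this Python check classifies that field for every webhook in an already-parsed manifest object; the function name, status labels and sample object are assumptions made for illustration, and it assumes a non-empty `caBundle` is a base64-encoded PEM bundle as in the Kubernetes API.

```python
import base64
import binascii

# Kinds whose webhooks[].clientConfig carries a caBundle field.
WEBHOOK_KINDS = {"ValidatingWebhookConfiguration", "MutatingWebhookConfiguration"}


def audit_ca_bundles(obj):
    """Return (path, status) for each webhook clientConfig in a parsed manifest object.

    "missing": key absent, the case the validation error in this thread reports.
    "empty":   the caBundle: "" workaround; passes the schema check, carries no CA.
    "invalid": present but not base64-encoded PEM.  "ok": decodes to a PEM certificate.
    """
    kind = obj.get("kind")
    if kind not in WEBHOOK_KINDS:
        return []
    findings = []
    for i, hook in enumerate(obj.get("webhooks") or []):
        path = f"{kind}.webhooks[{i}].clientConfig"
        cfg = hook.get("clientConfig") or {}
        if "caBundle" not in cfg:
            status = "missing"
        elif not cfg["caBundle"]:
            status = "empty"
        else:
            try:
                pem = base64.b64decode(cfg["caBundle"], validate=True)
                status = "ok" if b"-----BEGIN CERTIFICATE-----" in pem else "invalid"
            except (binascii.Error, ValueError, TypeError):
                status = "invalid"
        findings.append((path, status))
    return findings


# Constructed sample: an object shaped like the one in the thread, already parsed
# (for instance by a YAML loader). The PEM body is a placeholder, not a real certificate.
_SERVICE = {"name": "kubernetes", "namespace": "default"}
_PEM = b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
SAMPLE = {
    "apiVersion": "admissionregistration.k8s.io/v1beta1",
    "kind": "ValidatingWebhookConfiguration",
    "webhooks": [
        {"name": "first.example", "clientConfig": {"service": _SERVICE}},
        {"name": "issuers.admission.certmanager.k8s.io",
         "clientConfig": {"service": _SERVICE, "caBundle": ""}},
        {"name": "clusterissuers.admission.certmanager.k8s.io",
         "clientConfig": {"service": _SERVICE, "caBundle": base64.b64encode(_PEM).decode()}},
    ],
}

if __name__ == "__main__":
    for path, status in audit_ca_bundles(SAMPLE):
        print(f"{status:8} {path}")
```

Run against a rendered manifest before `kubectl apply`, this reports which entries would fail the required-field check and which only carry the empty placeholder.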