Cluster-api: Installing cert-manager via latest clusterctl produces warning logs

Created on 13 Oct 2020  路  7Comments  路  Source: kubernetes-sigs/cluster-api

What steps did you take and what happened:

  1. Updated my kind, kubectl and clusterctl versions to the latest. For clusterctl, I pulled the latest code for cluster-api and did make clusterctl.
  2. Created a management cluster with verbose logging on. clusterctl init --infrastructure aws -v10
  3. Saw the warning logs below for cert-manager CustomResourceDefinition, ClusterRole, ClusterRoleBinding, Role, RoleBinding.
Installing cert-manager Version="v0.16.1"
Creating Namespace="cert-manager"
W1013 09:59:38.254239   18812 warnings.go:67] apiextensions.k8s.io/v1beta1 CustomResourceDefinition is deprecated in v1.16+, unavailable in v1.22+; use apiextensions.k8s.io/v1 CustomResourceDefinition
Creating CustomResourceDefinition="certificaterequests.cert-manager.io"
W1013 09:59:38.264514   18812 warnings.go:67] apiextensions.k8s.io/v1beta1 CustomResourceDefinition is deprecated in v1.16+, unavailable in v1.22+; use apiextensions.k8s.io/v1 CustomResourceDefinition
W1013 09:59:38.307612   18812 warnings.go:67] apiextensions.k8s.io/v1beta1 CustomResourceDefinition is deprecated in v1.16+, unavailable in v1.22+; use apiextensions.k8s.io/v1 CustomResourceDefinition
Creating CustomResourceDefinition="certificates.cert-manager.io"
W1013 09:59:38.322425   18812 warnings.go:67] apiextensions.k8s.io/v1beta1 CustomResourceDefinition is deprecated in v1.16+, unavailable in v1.22+; use apiextensions.k8s.io/v1 CustomResourceDefinition
W1013 09:59:38.351129   18812 warnings.go:67] apiextensions.k8s.io/v1beta1 CustomResourceDefinition is deprecated in v1.16+, unavailable in v1.22+; use apiextensions.k8s.io/v1 CustomResourceDefinition
Creating CustomResourceDefinition="challenges.acme.cert-manager.io"
W1013 09:59:38.435585   18812 warnings.go:67] apiextensions.k8s.io/v1beta1 CustomResourceDefinition is deprecated in v1.16+, unavailable in v1.22+; use apiextensions.k8s.io/v1 CustomResourceDefinition
W1013 09:59:38.488810   18812 warnings.go:67] apiextensions.k8s.io/v1beta1 CustomResourceDefinition is deprecated in v1.16+, unavailable in v1.22+; use apiextensions.k8s.io/v1 CustomResourceDefinition
Creating CustomResourceDefinition="clusterissuers.cert-manager.io"
W1013 09:59:38.556429   18812 warnings.go:67] apiextensions.k8s.io/v1beta1 CustomResourceDefinition is deprecated in v1.16+, unavailable in v1.22+; use apiextensions.k8s.io/v1 CustomResourceDefinition
W1013 09:59:38.617999   18812 warnings.go:67] apiextensions.k8s.io/v1beta1 CustomResourceDefinition is deprecated in v1.16+, unavailable in v1.22+; use apiextensions.k8s.io/v1 CustomResourceDefinition
Creating CustomResourceDefinition="issuers.cert-manager.io"
W1013 09:59:38.718542   18812 warnings.go:67] apiextensions.k8s.io/v1beta1 CustomResourceDefinition is deprecated in v1.16+, unavailable in v1.22+; use apiextensions.k8s.io/v1 CustomResourceDefinition
W1013 09:59:38.793088   18812 warnings.go:67] apiextensions.k8s.io/v1beta1 CustomResourceDefinition is deprecated in v1.16+, unavailable in v1.22+; use apiextensions.k8s.io/v1 CustomResourceDefinition
Creating CustomResourceDefinition="orders.acme.cert-manager.io"
W1013 09:59:38.816450   18812 warnings.go:67] apiextensions.k8s.io/v1beta1 CustomResourceDefinition is deprecated in v1.16+, unavailable in v1.22+; use apiextensions.k8s.io/v1 CustomResourceDefinition
Creating ServiceAccount="cert-manager-cainjector" Namespace="cert-manager"
Creating ServiceAccount="cert-manager" Namespace="cert-manager"
Creating ServiceAccount="cert-manager-webhook" Namespace="cert-manager"
W1013 09:59:39.123578   18812 warnings.go:67] rbac.authorization.k8s.io/v1beta1 ClusterRole is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 ClusterRole
Creating ClusterRole="cert-manager-cainjector"
W1013 09:59:39.131652   18812 warnings.go:67] rbac.authorization.k8s.io/v1beta1 ClusterRole is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 ClusterRole
W1013 09:59:39.170967   18812 warnings.go:67] rbac.authorization.k8s.io/v1beta1 ClusterRole is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 ClusterRole
Creating ClusterRole="cert-manager-controller-issuers"
W1013 09:59:39.181787   18812 warnings.go:67] rbac.authorization.k8s.io/v1beta1 ClusterRole is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 ClusterRole
W1013 09:59:39.218173   18812 warnings.go:67] rbac.authorization.k8s.io/v1beta1 ClusterRole is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 ClusterRole
Creating ClusterRole="cert-manager-controller-clusterissuers"
W1013 09:59:39.224567   18812 warnings.go:67] rbac.authorization.k8s.io/v1beta1 ClusterRole is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 ClusterRole
W1013 09:59:39.260203   18812 warnings.go:67] rbac.authorization.k8s.io/v1beta1 ClusterRole is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 ClusterRole
Creating ClusterRole="cert-manager-controller-certificates"
W1013 09:59:39.269022   18812 warnings.go:67] rbac.authorization.k8s.io/v1beta1 ClusterRole is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 ClusterRole
W1013 09:59:39.294878   18812 warnings.go:67] rbac.authorization.k8s.io/v1beta1 ClusterRole is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 ClusterRole
Creating ClusterRole="cert-manager-controller-orders"
W1013 09:59:39.300982   18812 warnings.go:67] rbac.authorization.k8s.io/v1beta1 ClusterRole is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 ClusterRole
W1013 09:59:39.337549   18812 warnings.go:67] rbac.authorization.k8s.io/v1beta1 ClusterRole is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 ClusterRole
Creating ClusterRole="cert-manager-controller-challenges"
W1013 09:59:39.351089   18812 warnings.go:67] rbac.authorization.k8s.io/v1beta1 ClusterRole is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 ClusterRole
W1013 09:59:39.378046   18812 warnings.go:67] rbac.authorization.k8s.io/v1beta1 ClusterRole is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 ClusterRole
Creating ClusterRole="cert-manager-controller-ingress-shim"
W1013 09:59:39.383474   18812 warnings.go:67] rbac.authorization.k8s.io/v1beta1 ClusterRole is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 ClusterRole
Creating ClusterRole="cert-manager-view"
Creating ClusterRole="cert-manager-edit"
W1013 09:59:39.508143   18812 warnings.go:67] rbac.authorization.k8s.io/v1beta1 ClusterRoleBinding is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 ClusterRoleBinding
Creating ClusterRoleBinding="cert-manager-cainjector"
W1013 09:59:39.513840   18812 warnings.go:67] rbac.authorization.k8s.io/v1beta1 ClusterRoleBinding is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 ClusterRoleBinding
W1013 09:59:39.534876   18812 warnings.go:67] rbac.authorization.k8s.io/v1beta1 ClusterRoleBinding is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 ClusterRoleBinding
Creating ClusterRoleBinding="cert-manager-controller-issuers"
W1013 09:59:39.540511   18812 warnings.go:67] rbac.authorization.k8s.io/v1beta1 ClusterRoleBinding is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 ClusterRoleBinding
W1013 09:59:39.566924   18812 warnings.go:67] rbac.authorization.k8s.io/v1beta1 ClusterRoleBinding is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 ClusterRoleBinding
Creating ClusterRoleBinding="cert-manager-controller-clusterissuers"
W1013 09:59:39.587528   18812 warnings.go:67] rbac.authorization.k8s.io/v1beta1 ClusterRoleBinding is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 ClusterRoleBinding
W1013 09:59:39.612989   18812 warnings.go:67] rbac.authorization.k8s.io/v1beta1 ClusterRoleBinding is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 ClusterRoleBinding
Creating ClusterRoleBinding="cert-manager-controller-certificates"
W1013 09:59:39.617900   18812 warnings.go:67] rbac.authorization.k8s.io/v1beta1 ClusterRoleBinding is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 ClusterRoleBinding
W1013 09:59:39.640627   18812 warnings.go:67] rbac.authorization.k8s.io/v1beta1 ClusterRoleBinding is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 ClusterRoleBinding
Creating ClusterRoleBinding="cert-manager-controller-orders"
W1013 09:59:39.647513   18812 warnings.go:67] rbac.authorization.k8s.io/v1beta1 ClusterRoleBinding is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 ClusterRoleBinding
W1013 09:59:39.669863   18812 warnings.go:67] rbac.authorization.k8s.io/v1beta1 ClusterRoleBinding is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 ClusterRoleBinding
Creating ClusterRoleBinding="cert-manager-controller-challenges"
W1013 09:59:39.674454   18812 warnings.go:67] rbac.authorization.k8s.io/v1beta1 ClusterRoleBinding is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 ClusterRoleBinding
W1013 09:59:39.704552   18812 warnings.go:67] rbac.authorization.k8s.io/v1beta1 ClusterRoleBinding is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 ClusterRoleBinding
Creating ClusterRoleBinding="cert-manager-controller-ingress-shim"
W1013 09:59:39.710999   18812 warnings.go:67] rbac.authorization.k8s.io/v1beta1 ClusterRoleBinding is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 ClusterRoleBinding
W1013 09:59:39.734214   18812 warnings.go:67] rbac.authorization.k8s.io/v1beta1 Role is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 Role
Creating Role="cert-manager-cainjector:leaderelection" Namespace="kube-system"
W1013 09:59:39.741441   18812 warnings.go:67] rbac.authorization.k8s.io/v1beta1 Role is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 Role
W1013 09:59:39.769800   18812 warnings.go:67] rbac.authorization.k8s.io/v1beta1 Role is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 Role
Creating Role="cert-manager:leaderelection" Namespace="kube-system"
W1013 09:59:39.776490   18812 warnings.go:67] rbac.authorization.k8s.io/v1beta1 Role is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 Role
W1013 09:59:39.799060   18812 warnings.go:67] rbac.authorization.k8s.io/v1beta1 Role is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 Role
Creating Role="cert-manager-webhook:dynamic-serving" Namespace="cert-manager"
W1013 09:59:39.807952   18812 warnings.go:67] rbac.authorization.k8s.io/v1beta1 Role is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 Role
W1013 09:59:39.831432   18812 warnings.go:67] rbac.authorization.k8s.io/v1beta1 RoleBinding is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 RoleBinding
Creating RoleBinding="cert-manager-cainjector:leaderelection" Namespace="kube-system"
W1013 09:59:39.836692   18812 warnings.go:67] rbac.authorization.k8s.io/v1beta1 RoleBinding is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 RoleBinding
W1013 09:59:39.855332   18812 warnings.go:67] rbac.authorization.k8s.io/v1beta1 RoleBinding is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 RoleBinding
Creating RoleBinding="cert-manager:leaderelection" Namespace="kube-system"
W1013 09:59:39.865611   18812 warnings.go:67] rbac.authorization.k8s.io/v1beta1 RoleBinding is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 RoleBinding
W1013 09:59:39.889114   18812 warnings.go:67] rbac.authorization.k8s.io/v1beta1 RoleBinding is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 RoleBinding
Creating RoleBinding="cert-manager-webhook:dynamic-serving" Namespace="cert-manager"
W1013 09:59:39.894340   18812 warnings.go:67] rbac.authorization.k8s.io/v1beta1 RoleBinding is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 RoleBinding

What did you expect to happen:
No warnings to show up.

Anything else you would like to add:
We may need to either coordinate with jetstack/cert-manager to update their release manifests or upgrade our cert-manager or make the changes to our embedded cert-manager.yaml like we've done in the past. https://github.com/kubernetes-sigs/cluster-api/blob/master/cmd/clusterctl/config/assets/cert-manager.yaml

Environment:

  • Cluster-api version: b4cb2fca47edfd2e16d0175f035bfd8a5dd0fda1
  • Minikube/KIND version: kind v0.9.0 go1.15.2 darwin/amd64
  • Kubernetes version: (use kubectl version): 
Client Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.2", GitCommit:"f5743093fd1c663cb0cbc89748f730662345d44d", GitTreeState:"clean", BuildDate:"2020-09-16T21:51:49Z", GoVersion:"go1.15.2", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.1", GitCommit:"206bcadf021e76c27513500ca24182692aabd17e", GitTreeState:"clean", BuildDate:"2020-09-14T07:30:52Z", GoVersion:"go1.15", Compiler:"gc", Platform:"linux/amd64"}

/kind bug
/area clusterctl

areclusterctl kinbug
Source
picture wfernandes

Most helpful comment

Well, we should probably sync up with the kubebuilder folks and update there as well, given that they're also stuck on a really old version.

Updating to cert-manager v1 isn't something that was discussed, let's bring it up at a community meeting. We'd have to explore if there can be a smooth transition first.

picture vincepri on 14 Oct 2020
👍3

All 7 comments

Let's coordinate with cert-manager project 馃憤

/milestone v0.4.0

vincepri picture vincepri on 13 Oct 2020

I think this can mostly be solved by upgrading to a newer version of cert-manager, It looks like the latest manifests (v1.0.3) use the newer resources by default (but they still publish -legacy yaml files with the older versions for backwards compatibility.

detiber picture detiber on 13 Oct 2020

@detiber I saw that but considering we are on v0.16.1 of cert-manager, I'm assuming that the major version bump may lead to some breaking changes. So we may need to be careful of just bumping directly to their latest version.

wfernandes picture wfernandes on 14 Oct 2020

If it's mostly RoleBinding that are outdated (haven't looked at the rest), but IIRC there is also webhook on v1beta1, we can make the effort to update v0.16.1 if we're not ready to update to the new version

vincepri picture vincepri on 14 Oct 2020

Considering that v1alpha4 targets Q1 2021, I don't think that it will be possible to stick with the v0.x series
Given that, I personally prefer to upgrade to the cert-manager v1 series as soon as possible, at least on the main branch.

For backporting to release-0.3, instead, I would wait for some evidence about how many changes this upgrade requires.

fabriziopandini picture fabriziopandini on 14 Oct 2020

Well, we should probably sync up with the kubebuilder folks and update there as well, given that they're also stuck on a really old version.

Updating to cert-manager v1 isn't something that was discussed, let's bring it up at a community meeting. We'd have to explore if there can be a smooth transition first.

vincepri picture vincepri on 14 Oct 2020
👍3

xref https://github.com/kubernetes-sigs/cluster-api/issues/3996

fabriziopandini picture fabriziopandini on 10 Dec 2020
👍1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

rsmitty picture rsmitty  路  5Comments
jsturtevant picture jsturtevant  路  5Comments
fabriziopandini picture fabriziopandini  路  3Comments
gyliu513 picture gyliu513  路  6Comments
chuckha picture chuckha  路  4Comments