Flux: Be able to turn off schema validation of a resource

Created on 30 May 2019  路  3Comments  路  Source: fluxcd/flux

Describe the feature
Currently flux seems to use kubectl with the default flags and options set. One of these flags is --validate which "use a schema to validate the input before sending it".

One Kuberentes application that is gaining a lot of traction is cert-manager.
As per the cert-manager installation instructions:

If you are running kubectl v1.12 or below, you will need to add the --validate=false flag to your kubectl apply command above else you will receive a validation error relating to the caBundle field of the ValidatingWebhookConfiguration resource. This issue is resolved in Kubernetes 1.13 onwards. More details can be found in kubernetes/kubernetes#69590.

To install the cert-manager in Kubernetes clusters v1.12 and older, which are still very common, one needs to turn of validation.
I think it would be useful to be able to specify additional flags to be passed to kubectl per resource (yaml or helm chart).

enhancement
Source
picture alejandrox1
👍20

Most helpful comment

Regarding cert-manager, this is also an issue with newer Kubernetes version e.g. 1.14. Jetstack still recommend turning validations off...

https://github.com/jetstack/cert-manager/issues/2208

picture flurdy on 7 Nov 2019
👍13 🎉1

All 3 comments

Related #1816 and #1962

2opremio picture 2opremio on 30 May 2019

Regarding cert-manager, this is also an issue with newer Kubernetes version e.g. 1.14. Jetstack still recommend turning validations off...

https://github.com/jetstack/cert-manager/issues/2208

flurdy picture flurdy on 7 Nov 2019
👍13 🎉1

@2opremio I just ran into this with Flux 1.18 and using cert-manager for k8s 1.11

Errors:
Resource <cluster>:validatingwebhookconfiguration/cert-manager-webhook, file: clusters/us-green/services/infra/cert-manager/cert-manager-legacy.yaml:
running kubectl: error: error validating "STDIN": error validating data: [ValidationError(ValidatingWebhookConfiguration.webhooks[0].clientConfig): missing required field "caBundle" in io.k8s.api.admissionregistration.v1beta1.WebhookClientConfig, ValidationError(ValidatingWebhookConfiguration.webhooks[0]): unknown field "sideEffects" in io.k8s.api.admissionregistration.v1beta1.Webhook]; if you choose to ignore these errors, turn validation off with --validate=false
Resource <cluster>:mutatingwebhookconfiguration/cert-manager-webhook, file: clusters/us-green/services/infra/cert-manager/cert-manager-legacy.yaml:
running kubectl: error: error validating "STDIN": error validating data: [ValidationError(MutatingWebhookConfiguration.webhooks[0].clientConfig): missing required field "caBundle" in io.k8s.api.admissionregistration.v1beta1.WebhookClientConfig, ValidationError(MutatingWebhookConfiguration.webhooks[0]): unknown field "sideEffects" in io.k8s.api.admissionregistration.v1beta1.Webhook]; if you choose to ignore these errors, turn validation off with --validate=false

would be nice if there was an annotation i could use to add --validate=false

Its minor since this is our last 1.11 cluster (we are on 1.15 elsewhere and flux with the 1.15 version of cert-manager works fine)

rocktavious picture rocktavious on 9 Jun 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

audrey-brightloom picture audrey-brightloom  路  3Comments
MaralKay picture MaralKay  路  3Comments
GJKrupa picture GJKrupa  路  4Comments
jstevans picture jstevans  路  4Comments
kuburoman picture kuburoman  路  3Comments