Ingress-nginx: Ingress Admission Controller does not work due to TLS issue

Created on 26 Jul 2019 · 11 Comments · Source: kubernetes/ingress-nginx

Is this a request for help? (If yes, you should use our troubleshooting guide and community support channels, see https://kubernetes.io/docs/tasks/debug-application-cluster/troubleshooting/.): No

What keywords did you search in NGINX Ingress controller issues before filing this one? (If you have found any duplicates, you should instead reply there.): validation webhook, admission controller


Is this a BUG REPORT or FEATURE REQUEST? (choose one):

NGINX Ingress controller version: 0.25.0

Kubernetes version (use kubectl version): 1.13.4 / 1.14.2

Environment:

  • Cloud provider or hardware configuration: AWS/GKE
  • OS (e.g. from /etc/os-release): CoreOS
  • Kernel (e.g. uname -a): 4.19.50
  • Install tools:
  • Others:

What happened:

I have tried to configure the validation webhook (the three different ways) but I get

 Post https://nginx-ingress-controller-validation.kube-system.svc:443/extensions/v1beta1/ingress?timeout=30s: remote error: tls: internal error

What you expected to happen:
When I submit the ingress resource, it is proxied to the admission controller, which verifies it is correct.

How to reproduce it (as minimally and precisely as possible):

Try to deploy nginx chart with the certs generation using helm (as described in the docs page). I have created a chart repo for that.

Anything else we need to know:
I have used the manual cert generation with no success either. And I have been running some other admission controllers in the same cluster with success.

All 11 comments

Hi, in your chart, you are generating the certificate for a service inside .Release.Namespace, provided on the command line to helm https://github.com/pipo02mix/nginx-controller/blob/691448a364b21a5aedcb77834a0fe021f4134c86/templates/validation.yaml#L2
but the service is deployed inside .Values.namespace https://github.com/pipo02mix/nginx-controller/blob/691448a364b21a5aedcb77834a0fe021f4134c86/templates/validation.yaml#L23 which may differ

In your chart, .Values.namespace is set to kube-system https://github.com/pipo02mix/nginx-controller/blob/691448a364b21a5aedcb77834a0fe021f4134c86/values.yaml#L5

but helm defaults to the namespace pointed to by your ~/.kube/config (default: default):

      --namespace string         namespace to install the release into. Defaults to the current kube config namespace.
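
The mismatch described in the comment above, as an added example that is not part of the original thread or of the chart: a Go check of whether a serving certificate's SANs cover the name the API server dials, `<service>.<namespace>.svc`. The certificate is built in-process as sample data; the helper names and the `default` release namespace are assumptions, while the service name and `kube-system` come from the error message and chart values quoted on this page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// issueFor builds a throwaway self-signed cert (constructed sample data) for a Service.
func issueFor(service, namespace string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	base := service + "." + namespace
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		DNSNames:     []string{base, base + ".svc"}, // SANs follow the namespace used at generation time
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// coversService checks the name the API server dials: <service>.<namespace>.svc.
func coversService(cert *x509.Certificate, service, namespace string) error {
	return cert.VerifyHostname(service + "." + namespace + ".svc")
}

func main() {
	const svc = "nginx-ingress-controller-validation" // name from the error above
	// Assumption: helm ran without --namespace, so .Release.Namespace is "default".
	cert, err := issueFor(svc, "default")
	if err != nil {
		panic(err)
	}
	fmt.Println("default:    ", coversService(cert, svc, "default"))
	fmt.Println("kube-system:", coversService(cert, svc, "kube-system"))
}
```

The second check returns an x509 hostname error because neither SAN names the `kube-system` Service.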

Thanks for the help, but it is not the problem. I moved the company chart to my own repo to try to simplify it and I missed that part, thanks for pointing it out. In reality, the validation webhook is added here to the real chart we are trying to release. You can see the changes I added to get the validation webhook enabled. I have enabled netpol and I can connect via debug container to the validation port, so I suspect it is something else. I have tried with the new 0.26.1 version but the error is the same

Error from server (InternalError): error when creating "helloworld-manifest.yaml": Internal error occurred: failed calling webhook "validate.nginx.ingress.kubernetes.io": Post https://nginx-ingress-controller-validation.kube-system.svc:443/extensions/v1beta1/ingress?timeout=30s: remote error: tls: internal error

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

/remove-lifecycle stale

Closing. The nginx-ingress chart was moved to this repository, the webhook is enabled by default and the SSL certificate is created automatically using a job.

if you are redeploying nginx ingress, make sure to delete kubectl delete validatingwebhookconfiguration ingress-nginx-admission first

You are so strong, guy, this solution also solved my problem with ingress multipath. Thx a lot!

Wow, 1000000 times thanks :)
It solved my issues as well

Wow, this solved my issues as well. Thanks a lot hayderimran7

wew, not expected, thanks a lot!!
