env:
centos: 7.2
istio version: 0.6.0
kubernetes version: v1.9.1
action:
helm install --name istio --namespace istio-system --set sidecar-injector.enabled=true ./istio
problem:
Error: release istio failed: MutatingWebhookConfiguration in version "v1beta1" cannot be handled as a MutatingWebhookConfiguration: v1beta1.MutatingWebhookConfiguration: Webhooks: []v1beta1.Webhook: v1beta1.Webhook: ClientConfig: v1beta1.WebhookClientConfig: Service: CABundle: decode base64: illegal base64 data at input byte 0, parsing 339 ...A_BUNDLE}"... at {"apiVersion":"admissionregistration.k8s.io/v1beta1","kind":"MutatingWebhookConfiguration","metadata":{"labels":{"app":"sidecar-injector","chart":"sidecar-injector-0.5.0","heritage":"Tiller","istio":"sidecar-injector","release":"istio"},"name":"istio-sidecar-injector","namespace":""},"webhooks":[{"clientConfig":{"caBundle":"${CA_BUNDLE}","service":{"name":"istio-sidecar-injector","namespace":"istio-system","path":"/inject"}},"name":"sidecar-injector.istio.io","namespaceSelector":{"matchLabels":{"istio-injection":"enabled"}},"rules":[{"apiGroups":[""],"apiVersions":["v1"],"operations":["CREATE"],"resources":["pods"]}]}]}
While the admissionregistration.k8s.io/v1beta1 API is enabled:
[admin@mstnode helm]# kubectl api-versions | grep admissionregistration
admissionregistration.k8s.io/v1alpha1
admissionregistration.k8s.io/v1beta1
And the kube-apiserver process has the admission-control flag set with the MutatingAdmissionWebhook and ValidatingAdmissionWebhook admission controllers added and listed in the correct order:
--admission-control=Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,PodSecurityPolicy,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota
It looks like the 0.6.0 helm chart doesn't generate certificates correctly.
decode base64: illegal base64 data at input byte 0, parsing 339 ...A_BUNDLE
It mentions the certificate problem in earlier releases here
https://istio.io/docs/setup/kubernetes/sidecar-injection.html#installing-the-webhook
I was able to get the helm chart working by running the following commands from the webhook manual installation
./install/kubernetes/webhook-create-signed-cert.sh \
--service istio-sidecar-injector \
--namespace istio-system \
--secret sidecar-injector-certs
then
cat install/kubernetes/istio-sidecar-injector.yaml | \
./install/kubernetes/webhook-patch-ca-bundle.sh > \
install/kubernetes/istio-sidecar-injector-with-ca-bundle.yaml
and taking the MutatingWebhookConfiguration's caBundle: line and replacing it here
https://github.com/istio/istio/blob/master/install/kubernetes/helm/istio/charts/sidecar-injector/templates/mutatingwebhook.yaml#L19
It looks like this line was meant to be templated with bash instead of helm.
I'd be willing to put together a PR if someone can direct me on the most appropriate way to handle this. Should it be through helm or via the bash scripts?
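As an added example (not part of the original thread or of the Istio install scripts), the following shell check classifies every caBundle value in a rendered YAML manifest, so the unsubstituted ${CA_BUNDLE} placeholder from the error above is caught before the API server rejects the release. The function names and the sample manifest are constructed for illustration; it assumes one caBundle per line in YAML form and a base64 tool that accepts -d.

```shell
#!/bin/sh
# Added example: pre-flight check for caBundle fields in rendered webhook manifests.

# Print a verdict for one caBundle value: placeholder | not-base64 | not-pem | ok
classify_ca_bundle() {
  case $1 in
    *'${'*|*'{{'*) echo placeholder; return 0 ;;   # unrendered shell/Helm template
  esac
  if ! cb_decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null); then
    echo not-base64; return 0
  fi
  case $cb_decoded in
    *'-----BEGIN CERTIFICATE-----'*) echo ok ;;
    *) echo not-pem ;;
  esac
}

# Print one verdict per "caBundle:" line in a YAML manifest (quotes stripped).
scan_manifest() {
  sed -n 's/^[[:space:]]*caBundle:[[:space:]]*//p' "$1" |
    sed -e 's/[[:space:]]*$//' -e "s/^[\"']//" -e "s/[\"']\$//" |
    while IFS= read -r sm_value; do classify_ca_bundle "$sm_value"; done
}

# Number of caBundle values that are not a base64-encoded PEM certificate.
count_bad() { scan_manifest "$1" | grep -vc '^ok$' || true; }

# Constructed sample: the unpatched webhook from the error above, plus a patched one.
write_sample() {
  ws_pem=$(printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed-not-a-real-cert' \
    '-----END CERTIFICATE-----' | base64 | tr -d '\n')
  cat <<EOF
kind: MutatingWebhookConfiguration
webhooks:
  - name: sidecar-injector.istio.io
    clientConfig:
      caBundle: "\${CA_BUNDLE}"
---
kind: MutatingWebhookConfiguration
webhooks:
  - name: patched.example
    clientConfig:
      caBundle: $ws_pem
EOF
}

sample=$(mktemp)
write_sample > "$sample"
scan_manifest "$sample"
echo "bad caBundle values: $(count_bad "$sample")"
rm -f "$sample"
```

Run against the output of the chart rendering step, a non-zero count means the manifest still needs the CA bundle patched in before it is applied.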
Thanks @sammerry for your reply.
Currently the helm chart doesn't support auto sidecar injection with mutatingWebhook (>= v0.5.0).
I have submitted a PR (#3935) to make the helm chart support auto sidecar injection.
I ran into the same issue with Istio v0.7.1, presumably because the PR has not landed yet. Is there an ETA for helm chart support for auto sidecar injection with mutatingWebhook?
Have tested that auto-sidecar-injection works fine for helm chart of branch release-0.8, let's close this.