Cert issue
RAFFENNEvalentin opened this issue · 6 comments
Hello,
First, thanks for this repository; the documentation is really good.
I initialize the operator in a subchart and then I launch another subchart which aims to create a VarnishCluster, but this message occurs when I install my repo with these two subcharts.
"Internal error occurred: failed calling webhook "mvarnishcluster.kb.io": could not get REST client: unable to load root certificates: unable to parse bytes as PEM block"
My VarnishCluster consists of the backend, varnish and service options.
What have I done wrong?
Thank you in advance for helping me.
Sorry for the delay. I recall something similar to this happening w/Kubernetes 1.16 changes. Are you running an old version of Kubernetes by chance? What Kubernetes platform are you running this on? Maybe web hooks are disabled?
No problem!
I checked; my version of Kubernetes is 1.25 and Helm 3. It is OVH that manages the Kubernetes platform. I checked the ValidatingWebhookConfiguration of the varnish operator. This is what describe gives:
"Name: varnish-operator-webhook-configuration
Namespace:
Labels: app.kubernetes.io/managed-by=Helm
Annotations: meta.helm.sh/release-name: $$$$$$$$$$$
             meta.helm.sh/release-namespace: ******************
API Version: admissionregistration.k8s.io/v1
Kind: ValidatingWebhookConfiguration
Metadata:
  Creation Timestamp: 2023-02-08T16:40:59Z
  Generation: 1
  Managed Fields:
    API Version: admissionregistration.k8s.io/v1
    Fields Type: FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .:
          f:meta.helm.sh/release-name:
          f:meta.helm.sh/release-namespace:
        f:labels:
          .:
          f:app.kubernetes.io/managed-by:
      f:webhooks:
        .:
        k:{"name":"vvarnishcluster.kb.io"}:
          .:
          f:admissionReviewVersions:
          f:clientConfig:
            .:
            f:caBundle:
            f:service:
              .:
              f:name:
              f:namespace:
              f:path:
              f:port:
          f:failurePolicy:
          f:matchPolicy:
          f:name:
          f:namespaceSelector:
          f:objectSelector:
          f:rules:
          f:sideEffects:
          f:timeoutSeconds:
    Manager: helm
    Operation: Update
    Time: 2023-02-08T16:40:59Z
  Resource Version: 1060183292
  UID: 70aa4cdf-9779-44c8-a696-02f9634c4d4c
Webhooks:
  Admission Review Versions:
    v1
    v1beta1
  Client Config:
    Ca Bundle: Cg==
    Service:
      Name: varnish-operator-service
      Namespace: ********************
      Path: /validate-caching-ibm-com-v1alpha1-varnishcluster
      Port: 443
  Failure Policy: Fail
  Match Policy: Equivalent
  Name: vvarnishcluster.kb.io
  Namespace Selector:
  Object Selector:
  Rules:
    API Groups:
      caching.ibm.com
    API Versions:
      v1alpha1
    Operations:
      CREATE
      UPDATE
    Resources:
      varnishclusters
    Scope: *
  Side Effects: None
  Timeout Seconds: 10
Events: "
It seems good to me.
After all, I am working on a private cluster which is behind a gateway, if that can be useful.
I do not know what you need to solve this issue, so if you have any intuition I can provide you with what you need.
Yeah, sadly I'm not sure offhand either. :( Is the operator even starting? What is the output of kubectl describe mutatingwebhookconfigurations.admissionregistration.k8s.io? Are there any events associated with the webhook? What about kubectl get events --sort-by='.lastTimestamp'? Anything interesting there? Beyond that, checking logs for any obvious errors may be necessary. I'm not familiar with OVH, so maybe there's an issue we need to iron out with that platform.
I solved the issue, but I just changed the way I create my object. It seems that you cannot set up the operator in a subchart at the same time as you create the cluster in another subchart. It could be due to the order in which Helm creates objects.
Clearly the PEM isn't set when you do that in this order. Now it works perfectly!
If you want, I can do some tests for you if you want to clearly solve the problem.
Ah, that makes sense! I'm glad you were able to work it out. Given the nature of how subcharts are rendered down in Helm, I don't think there's much we could do from the operator side to avoid this type of behavior. Maybe we could add init-containers to each object or more extensive, overridable health checks, but that seems to be overkill. Thanks for the update!