Static manifest `with-rbac-webhook.yaml` busted

Question

Static manifest `with-rbac-webhook.yaml` busted

jbeda opened this issue 7 years ago · 4 comments

Describe the bug:

The non-helm version that installs the webhook fails as it doesn't define the CRDs. They don't appear to be included in the manifest.

Expected behaviour:

I would expect the yaml to be applied cleanly.

Steps to reproduce the bug:

cd contrib/manifests/cert-manager
kubectl create namespace cert-manager
kubectl label namespace cert-manager certmanager.k8s.io/disable-validation=true
kubectl apply -f with-rbac-webhook.yaml

You'll get some errors like this:

unable to recognize "with-rbac-webhook.yaml": no matches for kind "Issuer" in version "certmanager.k8s.io/v1alpha1"
unable to recognize "with-rbac-webhook.yaml": no matches for kind "Certificate" in version "certmanager.k8s.io/v1alpha1"
unable to recognize "with-rbac-webhook.yaml": no matches for kind "Issuer" in version "certmanager.k8s.io/v1alpha1"
unable to recognize "with-rbac-webhook.yaml": no matches for kind "Certificate" in version "certmanager.k8s.io/v1alpha1"

Anything else we need to know?:

Environment details::
k8s v1.11.2

/kind bug

Answer 1 · 2018-11-01T22:54:53.000Z

Also, this static manifest doesn't create the namespace. I had to create it manually. Looks like it is created as part of the non webhook static manifests.

Answer 2 · 2018-11-01T23:02:29.000Z

Hey Joe, Thanks for the issue! This is definitely something not quite documented clearly enough. The webhook manifests should be taken as *additive* as opposed to a replacement for the normal ones. We really should clear this up though and expand our README to instruct people what to do, step by step. Additionally, I think you *may* (at least in kubernetes pre 1.12 or maybe even 1.13) hit issues with validation of the 'spec.caBundle' field on the ValidatingWebhookConfiguration with the webhook - I think we already have an issue tracking this, but I'm on mobile right now so not able to check! It can be resolved with '--validate=false' on the kubectl create command (disabling client side validation!) Hope that helps, we'll get this triaged and improved ASAP though as the webhook is a new piece and I am super keen to gather feedback on it!

…

On Thu, 1 Nov 2018 at 22:54, Joe Beda ***@***.***> wrote: Also, this static manifest doesn't create the namespace. I had to create it manually. Looks like it *is* created as part of the non webhook static manifests. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#1034 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAMbP1gscO0sXVH1LhB_6pOxAAdG6dfrks5uq3u9gaJpZM4YJ8zh> .

Answer 3 · 2018-11-01T23:06:35.000Z

Ah! That makes more sense then.

It is cool for sure and I'll have to try it out some time soon. Very meta to have cert-manager create a cert so that it can talk to k8s.

Answer 4 · 2018-11-05T14:13:03.000Z

Yep - the way it's setup right now is a little shakey. We use a CronJob/Job resource that copies the certificate into the ValidatingWebhookConfiguration and APIService resources...

I'm hoping we can come up with a better way to handle this soon, but wanted to unblock the validation work and get it out in some form to gather feedback 😄