Comments (8)
When I try /validate, I get the following message:
{"response":{"uid":"","allowed":false,"status":{"metadata":{},"message":"contentType=, expected application/json","code":400}}}
Probably, the /readyz path is not served via https. But it is strange that the webhook fails every time I create a bundle resource.
from trust-manager.
I also tried creating the resource via kubectl:
apiVersion: trust.cert-manager.io/v1alpha1
kind: Bundle
metadata:
  name: linkerd-identity-trust-roots
  namespace: cert-manager
spec:
  sources:
  - secret:
      name: linkerd-trust-anchor
      key: "ca.crt"
  target:
    configMap:
      key: "ca-bundle.crt"
I am still getting the same error:
Error from server (InternalError): error when creating "ca-bundle.yaml": Internal error occurred: failed calling webhook "trust.cert-manager.io": Post "https://cert-manager-trust.cert-manager.svc:443/validate?timeout=5s": context deadline exceeded
I enabled the maximum log level in trust and these are the logs that are generating while trying to apply the bundle resource:
I1018 12:35:59.211298 1 controller.go:220] trust/manager/controller/bundle "msg"="Starting workers" "reconciler group"="trust.cert-manager.io" "reconciler kind"="Bundle" "worker count"=1
I1018 12:36:01.246575 1 leaderelection.go:278] successfully renewed lease cert-manager/cert-manager-trust-leader-election
I1018 12:36:03.282208 1 leaderelection.go:278] successfully renewed lease cert-manager/cert-manager-trust-leader-election
I1018 12:36:04.291138 1 shared_informer.go:270] caches populated
I1018 12:36:04.291602 1 shared_informer.go:270] caches populated
I1018 12:36:05.338569 1 leaderelection.go:278] successfully renewed lease cert-manager/cert-manager-trust-leader-election
I1018 12:36:07.377623 1 leaderelection.go:278] successfully renewed lease cert-manager/cert-manager-trust-leader-election
I1018 12:36:09.420697 1 leaderelection.go:278] successfully renewed lease cert-manager/cert-manager-trust-leader-election
I1018 12:36:11.288194 1 shared_informer.go:270] caches populated
I1018 12:36:11.288467 1 shared_informer.go:270] caches populated
from trust-manager.
Is there any update on this issue? I am also hitting an error when creating a bundle.
The error looks like this:
k apply -f bundletest.yaml
Error from server (InternalError): error when creating "bundletest.yaml": Internal error occurred: failed calling webhook "trust.cert-manager.io": Post "https://cert-manager-trust.cert-manager.svc:443/validate?timeout=5s": Address is not allowed
from trust-manager.
Hi, thanks for raising this!
I'm not sure how to proceed debugging this. I've not seen it personally as far as I can remember.
Are you able to share any details about your environments? Does this happen on the latest release (v0.3.0 at the time of writing)?
from trust-manager.
I have exactly the same error, with the message:
Post "https://trust-manager.cert-manager.svc:443/validate?timeout=5s: Address is not allowed
IMO, we need an option to set hostNetwork: true
from trust-manager.
I am facing the same issue in EKS.
trust-manager version: v0.3.0
I used the bundle manifest below.
bundle.yaml -
apiVersion: trust.cert-manager.io/v1alpha1
kind: Bundle
metadata:
  name: linkerd-identity-trust-roots
  namespace: linkerd
spec:
  sources:
  - secret:
      name: "linkerd-identity-trust-roots"
      key: "ca.crt"
  target:
    configMap:
      key: "ca-bundle.crt"
Getting the error below:
Error from server (InternalError): error when creating "bundle.yaml": Internal error occurred:
failed calling webhook "trust.cert-manager.io": failed to call webhook:
Post "https://trust-manager.cert-manager.svc:443/validate?timeout=5s": context deadline exceeded
UPDATE:
SOLUTION: I resolved it by whitelisting the 6443 port [cert-manager-trust port].
URL: #62 (comment)
from trust-manager.
In my case, there was a connection issue between the API-server subnets & the resource subnets where the cert-manager-trust pod is configured. The api-server was not able to make a call to the cert-manager-trust pod.
Solution: I resolved it by whitelisting the 6443 port [cert-manager-trust port].
from trust-manager.
This will not work when using a custom CNI on managed Kubernetes services like EKS. The control plane CNI cannot be updated and made aware of the new network routing. The only current solution to this is to support hostNetwork. This solves the exact same issue we saw in cert-manager itself.
from trust-manager.
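The two remedies discussed in the comments above, as an added illustration; these manifests are not from the thread or from the trust-manager chart, and the resource names, labels and image are assumptions. The Service shows why the error URL names port 443 while the rule that fixed it was for 6443: the Service port is translated to the pod's targetPort, which is the port a firewall or security group between the control plane and the nodes actually sees. The Deployment fragment shows what the requested hostNetwork option would render.

```yaml
# Illustrative only: names, labels and image are assumed, not the chart's output.
apiVersion: v1
kind: Service
metadata:
  name: cert-manager-trust          # host part of the URL in the error message
  namespace: cert-manager
spec:
  type: ClusterIP
  selector:
    app: cert-manager-trust         # assumed label
  ports:
  - name: webhook
    port: 443                       # port shown in the "failed calling webhook" URL
    targetPort: 6443                # port the pod listens on; control plane -> node
                                    # traffic must be allowed on this port
---
# Pod template fragment with the option requested in the thread.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cert-manager-trust
  namespace: cert-manager
spec:
  selector:
    matchLabels:
      app: cert-manager-trust
  template:
    metadata:
      labels:
        app: cert-manager-trust
    spec:
      hostNetwork: true                    # pod shares the node's network namespace
      dnsPolicy: ClusterFirstWithHostNet   # keep cluster DNS resolution with hostNetwork
      containers:
      - name: trust
        image: example.invalid/trust-manager:placeholder   # placeholder image
        ports:
        - containerPort: 6443              # bound directly on the node IP
```

With hostNetwork the webhook binds 6443 on the node itself, so that port must be free there (kube-apiserver commonly uses it on control-plane nodes) and it becomes reachable by anything that can reach the node IP.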