Resource not found in cluster: apps.kusionstack.io/v1alpha1/CollaSet #59

Open
0nimaru opened this issue Sep 3, 2024 · 5 comments

0nimaru commented Sep 3, 2024

Bug Report

Please answer these questions before submitting your issue. Thanks!

1. Minimal reproduce step (Required)

Install ctrlmesh in cluster through argocd with helm charts.
Install kuperator in cluster through argocd with helm charts.
Deploy application with collaset apps.kusionstack.io/v1alpha1 in a different namespace than ctrlmesh and kuperator

2. What did you expect to see? (Required)

Healthy ctrlmesh pod with successful deploy logs
Healthy kuperator pod with successful deploy logs
Healthy application pod deployed with collaset

3. What did you see instead (Required)

ctrlmesh logs:
manager (2).txt
manager (1).txt
manager.txt

kuperator logs:
manager (4).txt
manager (3).txt
manager (2).txt
deployed application condition with collaset:
image

4. What is your KusionStack components version? (Required)

ctrlmesh version: 0.2.0
kuperator version: 0.5.3

Eikykun (Member) commented Sep 3, 2024

Based on the information, it appears that there might be an issue with ApiServer accessing kuperator's webhook domain.
You may need to check if the ApiServer container can properly resolve the internal domain kusionstack-controller-manager.kusionstack-system.svc. cc @0nimaru

0nimaru (Author) commented Sep 4, 2024

Running curl on a busybox pod I get the following output:
image
I'm guessing I need to edit the webhook files and rebuild the kuperator image to use it in the kuperator helm charts?

Eikykun (Member) commented Sep 4, 2024

> Running curl on a busybox pod I get the following output: image
> I'm guessing I need to edit the webhook files and rebuild the kuperator image to use it in the kuperator helm charts?

Make sure your ApiServer can access the Kuperator webhook server. Security group policies and network policies may cause issues with ApiServer accessing the webhook server. You can find similar issues by searching the keyword "Webhook address is not allowed" on GitHub.

You can get the webhook configuration with the following command.

```
kubectl get validatingwebhookconfiguration kusionstack-controller-manager-validating
kubectl get mutatingwebhookconfiguration kusionstack-controller-manager-mutating
```

The client configuration here uses the internal service domain of k8s by default.

```
...
  clientConfig:
    service:
      namespace: kusionstack-system
      name: kusionstack-controller-manager
      path: /validating-generic
...
```

0nimaru (Author) commented Sep 4, 2024

The configuration for validatingwebhookconfiguration and mutatingwebhookconfiguration seems to be okay. If needed I can provide the configuration.
Running curl with verbosity gives the following output:

```
curl -kv -H "Content-Type: application/json" https://kusionstack-controller-manager.kusionstack-system.svc:443/mutating-generic

* Host kusionstack-controller-manager.kusionstack-system.svc:443 was resolved.
* IPv6: (none)
* IPv4: 172.20.63.187
* Trying 172.20.63.187:443...
* Connected to kusionstack-controller-manager.kusionstack-system.svc (172.20.63.187) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256 / X25519 / RSASSA-PSS
* ALPN: server accepted h2
* Server certificate:
* subject: CN=kusionstack-controller-manager.kusionstack-system.svc
* start date: Aug 28 14:44:24 2024 GMT
* expire date: Aug 28 14:44:24 2025 GMT
* issuer: CN=self-signed-k8s-cert
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://kusionstack-controller-manager.kusionstack-system.svc:443/mutating-generic
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: kusionstack-controller-manager.kusionstack-system.svc]
* [HTTP/2] [1] [:path: /mutating-generic]
* [HTTP/2] [1] [user-agent: curl/8.9.0]
* [HTTP/2] [1] [accept: */*]
* [HTTP/2] [1] [content-type: application/json]
> GET /mutating-generic HTTP/2
> Host: kusionstack-controller-manager.kusionstack-system.svc
> User-Agent: curl/8.9.0
> Accept: */*
> Content-Type: application/json

< HTTP/2 200
< content-type: text/plain; charset=utf-8
< content-length: 157
< date: Wed, 04 Sep 2024 11:35:35 GMT
<
{"kind":"AdmissionReview","apiVersion":"admission.k8s.io/v1","response":{"uid":"","allowed":true,"status":{"metadata":{},"reason":"NoMutating","code":200}}}

* Connection #0 to host kusionstack-controller-manager.kusionstack-system.svc left intact
```

I included the "Content-Type: application/json" header for the output to return the code 200, so I guess the ApiServer can access the Kuperator webhook server.
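
Added example (not part of the thread and not Kuperator's own code): a static check over the JSON form of the webhook configurations discussed above. It lists the URL the API server dials for each webhook and whether a `caBundle` is set, which matters because the API server verifies the serving certificate while `curl -k` skips that check. The sample input, webhook names and certificate placeholder are constructed.

```python
import base64
import json

# Constructed sample shaped like `kubectl get validatingwebhookconfiguration <name> -o json`.
# Webhook names and the caBundle are placeholders, not values from a real cluster.
PLACEHOLDER_PEM = b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
SERVICE = {"namespace": "kusionstack-system",
           "name": "kusionstack-controller-manager",
           "path": "/validating-generic"}
SAMPLE = json.dumps({"webhooks": [
    {"name": "with-ca.constructed.example", "failurePolicy": "Ignore",
     "clientConfig": {"service": SERVICE,
                      "caBundle": base64.b64encode(PLACEHOLDER_PEM).decode()}},
    {"name": "no-ca.constructed.example",
     "clientConfig": {"service": SERVICE}},
]})


def audit(config_json):
    """Return, per webhook, the endpoint the API server dials and its trust settings."""
    findings = []
    for hook in json.loads(config_json).get("webhooks", []):
        cc = hook.get("clientConfig", {})
        svc = cc.get("service")
        if svc:
            # Service references resolve to <name>.<namespace>.svc; port defaults to 443.
            host = f"{svc['name']}.{svc['namespace']}.svc"
            url = f"https://{host}:{svc.get('port', 443)}{svc.get('path', '')}"
        else:
            url = cc.get("url", "")
            host = url.split("/")[2].split(":")[0] if url.startswith("https://") else ""
        try:
            pem = base64.b64decode(cc.get("caBundle", ""), validate=True)
        except ValueError:  # binascii.Error is a ValueError
            pem = b""
        findings.append({
            "webhook": hook.get("name"),
            "url": url,
            "tls_server_name": host,  # must appear in the serving certificate's SANs
            "ca_certs": pem.count(b"-----BEGIN CERTIFICATE-----"),
            # admissionregistration.k8s.io/v1 defaults failurePolicy to Fail
            "failure_policy": hook.get("failurePolicy", "Fail"),
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE):
        trust = "caBundle" if f["ca_certs"] else "system roots only"
        print(f"{f['webhook']}: {f['url']} trust={trust} failurePolicy={f['failure_policy']}")
```

A webhook reported with `ca_certs` of 0 is verified against the API server's system trust roots only, so a self-signed serving certificate would be rejected there even though `curl -k` succeeds.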

Eikykun (Member) commented Sep 5, 2024

If your curl command is executed on the running container of ApiServer, the networking should be fine.
I don't observe any anomalies from the existing context on this side.
You can refer to this issue to check if you have a similar problem.
