Getting "cluster doesn't provide client-ca-file" #1220
Comments
This sounds like EKS is not configuring one of the core Kubernetes CAs properly - I've heard reports of this in the past with EKS, but I also thought they'd been resolved in newer versions. Are there any upgrades available for EKS that you've not applied yet?
@munnerz Nope, no upgrades whatsoever.
You can see more info here: https://cert-manager.readthedocs.io/en/master/admin/resource-validation-webhook.html Basically, we install a ValidatingWebhookConfiguration resource in order to provide resource validation for your API types. This requires your Kubernetes cluster to have properly configured API aggregation certificates (which as I understand it is now part of the conformance test suite as well).
You can see some more info on configuring this here: https://kubernetes.io/docs/tasks/access-kubernetes-api/configure-aggregation-layer/
Spoke to AWS customer support about this. This isn't currently possible on the platform. They said they'll take it up as a feature request. So I guess on EKS, validation isn't possible.
I am getting the same error with EKS with k8s 1.11, and I believe EKS has supported this since October 2018 - and it says it supports ValidatingWebhookConfiguration at
I did some digging, and noticed there was a feature request in apiserver to address this issue: kubernetes/kubernetes#65724
@gordcorp nice find! Thanks for digging into this for us. Hopefully the 1.13 apimachinery PR will land soon, but if that takes a while it may be worth us putting in a patch to bump within the 1.10 series and cherry picking this into v0.6 😄 /reopen
@munnerz: Reopened this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
I've opened #1344 to bump the 1.10 dependencies 😄
- We need to apply the `cert-manager` CRDs ourselves [1].
- We have to disable some `cert-manager`-specific validation in the `ingress-system` namespace [1].
- We have disabled the webhook. The webhook currently fails to install and was not installed by default in version 0.5.2 of the `cert-manager` chart. It appears as though enabling Aggregation Layer Routing may solve the problem [2,3].

[1] https://github.com/helm/charts/blob/2978da57109b37351f9d032fb0a73a976e56cf20/stable/cert-manager/README.md#installing-the-chart
[2] cert-manager/cert-manager#1220
[3] https://kubernetes.io/docs/tasks/access-kubernetes-api/configure-aggregation-layer/#enable-kubernetes-apiserver-flags
Can I ask you for more details how you "bumped cert-apiserver to 1.10.7"? Thank you M
@MilanDasek No, not just with helm values alone - I bumped apiserver in Gopkg.toml, rebuilt the binary, published new docker images, and then set the helm values to use the new image:
@MilanDasek In case you are wondering version
@nixgadget but helm installs still 0.6.0 and --version 0.6.2 gives me No chart version found for cert-manager-0.6.2
@MilanDasek try chart version v0.6.6 - gives you cert-manager 0.6.2
I attempted to deploy cert-manager 0.5.2 with Helm but am running into the following error, and the pod for the webhook is in a crashloop.
I get the following error message,
Looking at `extension-apiserver-authentication` I can see that `client-ca-file` is missing.
Any idea what could be causing this? I have not tried reaching out to AWS yet.
Environment details:
/kind bug
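The check described in the report above (looking in `extension-apiserver-authentication` for `client-ca-file`), as an added example that is not part of the original issue or the cert-manager project: it audits the JSON printed by `kubectl get configmap -n kube-system extension-apiserver-authentication -o json`. The function names, `FAKE_PEM` and `SAMPLE` are constructed for illustration.

```python
import base64
import json
import re

# Keys the API server publishes in kube-system/extension-apiserver-authentication.
CA_KEYS = ("client-ca-file", "requestheader-client-ca-file")
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+(.*?)\s*-----END CERTIFICATE-----", re.S)
# Constructed sample: not a real certificate, only base64 of a DER SEQUENCE header.
FAKE_PEM = "-----BEGIN CERTIFICATE-----\nMIIBAAAA\n-----END CERTIFICATE-----\n"
SAMPLE = json.dumps({
    "metadata": {"name": "extension-apiserver-authentication", "namespace": "kube-system"},
    "data": {"requestheader-client-ca-file": FAKE_PEM},  # client-ca-file absent
})


def count_pem_certs(value):
    """Return how many well-formed PEM CERTIFICATE blocks `value` holds."""
    count = 0
    for body in PEM_RE.findall(value or ""):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        # A DER certificate is an ASN.1 SEQUENCE, so its first byte is 0x30.
        if der[:1] == b"\x30":
            count += 1
    return count


def audit_configmap(raw_json):
    """Map each CA key to 'missing', 'empty', 'invalid' or 'ok'."""
    data = json.loads(raw_json).get("data") or {}
    report = {}
    for key in CA_KEYS:
        if key not in data:
            report[key] = "missing"
        elif not data[key].strip():
            report[key] = "empty"
        else:
            report[key] = "ok" if count_pem_certs(data[key]) else "invalid"
    return report


if __name__ == "__main__":
    for key, status in audit_configmap(SAMPLE).items():
        print(f"{key}: {status}")
```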