missing "caBundle" in ValidatingWebhookConfiguration #1143

Closed
Paxa opened this issue Dec 7, 2018 · 21 comments · Fixed by #1223

@Paxa Paxa commented Dec 7, 2018

I tried to apply the manifest, but the validating webhook cannot be created.
With --validate=false it works fine.

$ kubectl apply -f https://raw.githubusercontent.com/jetstack/cert-manager/master/deploy/manifests/cert-manager.yaml
serviceaccount/cert-manager-webhook created
serviceaccount/cert-manager configured
clusterrole.rbac.authorization.k8s.io/cert-manager configured
clusterrolebinding.rbac.authorization.k8s.io/cert-manager configured
clusterrole.rbac.authorization.k8s.io/cert-manager-view created
clusterrole.rbac.authorization.k8s.io/cert-manager-edit created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-webhook:auth-delegator created
rolebinding.rbac.authorization.k8s.io/cert-manager-webhook:webhook-authentication-reader created
clusterrole.rbac.authorization.k8s.io/cert-manager-webhook:webhook-requester created
service/cert-manager-webhook created
deployment.apps/cert-manager-webhook created
deployment.apps/cert-manager configured
cronjob.batch/cert-manager-webhook-ca-sync created
job.batch/cert-manager-webhook-ca-sync created
configmap/cert-manager-webhook-ca-sync created
serviceaccount/cert-manager-webhook-ca-sync created
clusterrole.rbac.authorization.k8s.io/cert-manager-webhook-ca-sync created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-webhook-ca-sync created
apiservice.apiregistration.k8s.io/v1beta1.admission.certmanager.k8s.io created
issuer.certmanager.k8s.io/cert-manager-webhook-selfsign created
certificate.certmanager.k8s.io/cert-manager-webhook-ca created
issuer.certmanager.k8s.io/cert-manager-webhook-ca created
certificate.certmanager.k8s.io/cert-manager-webhook-webhook-tls created
error: error validating "https://raw.githubusercontent.com/jetstack/cert-manager/master/deploy/manifests/cert-manager.yaml": error validating data: [ValidationError(ValidatingWebhookConfiguration.webhooks[0].clientConfig): missing required field "caBundle" in io.k8s.api.admissionregistration.v1beta1.WebhookClientConfig, ValidationError(ValidatingWebhookConfiguration.webhooks[1].clientConfig): missing required field "caBundle" in io.k8s.api.admissionregistration.v1beta1.WebhookClientConfig, ValidationError(ValidatingWebhookConfiguration.webhooks[2].clientConfig): missing required field "caBundle" in io.k8s.api.admissionregistration.v1beta1.WebhookClientConfig]; if you choose to ignore these errors, turn validation off with --validate=false

@andrew-dovu andrew-dovu commented Dec 8, 2018

+1

@jakubigla jakubigla commented Dec 15, 2018

I'm having the same issue

@rrichardson rrichardson commented Dec 16, 2018

This looks like it is due to this change: #911

I think you should be able to just add an empty string for caBundle, but ultimately this should be made to be an optional property.
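
A pre-apply check for the condition discussed in this thread, as an added example (not code from the thread or from cert-manager): it classifies each webhook's `clientConfig.caBundle` as missing (the case kubectl rejects above), empty (the placeholder suggested here), invalid, or set. The function names, webhook names and sample manifest are constructed for illustration, and the input is assumed to be the manifest already parsed into Python dicts.

```python
import base64

WEBHOOK_KINDS = {"ValidatingWebhookConfiguration", "MutatingWebhookConfiguration"}
PEM_MARKER = b"-----BEGIN CERTIFICATE-----"

def ca_bundle_state(client_config):
    """Classify clientConfig.caBundle as missing, empty, invalid or set."""
    if "caBundle" not in client_config:
        return "missing"  # the case kubectl's validation rejects in this thread
    value = client_config["caBundle"]
    if value in ("", None):
        return "empty"    # placeholder: passes validation but carries no CA
    try:
        decoded = base64.b64decode(value, validate=True)
    except (ValueError, TypeError):
        return "invalid"  # not base64 at all
    return "set" if PEM_MARKER in decoded else "invalid"

def audit(objects):
    """Return (owner, webhook name, state) for each webhook in the parsed manifest."""
    findings = []
    for obj in objects:
        if obj.get("kind") not in WEBHOOK_KINDS:
            continue
        owner = f"{obj['kind']}/{obj['metadata']['name']}"
        for hook in obj.get("webhooks", []):
            state = ca_bundle_state(hook.get("clientConfig", {}))
            findings.append((owner, hook["name"], state))
    return findings

# Constructed sample, not the real cert-manager manifest.
SAMPLE_CA = base64.b64encode(PEM_MARKER + b"\nconstructed\n-----END CERTIFICATE-----\n").decode()
SERVICE = {"name": "kubernetes", "namespace": "default"}
SAMPLE = [
    {"kind": "Service", "metadata": {"name": "cert-manager-webhook"}},
    {"kind": "ValidatingWebhookConfiguration", "metadata": {"name": "example-webhook"},
     "webhooks": [
         {"name": "certificates.example", "clientConfig": {"service": SERVICE}},
         {"name": "issuers.example", "clientConfig": {"service": SERVICE, "caBundle": ""}},
         {"name": "clusterissuers.example",
          "clientConfig": {"service": SERVICE, "caBundle": SAMPLE_CA}},
     ]},
]

if __name__ == "__main__":
    for owner, name, state in audit(SAMPLE):
        print(f"{owner} {name}: caBundle {state}")
```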

@r0bj r0bj commented Dec 17, 2018

Thanks @rrichardson
Adding empty string for caBundle helps:

diff --git a/deploy/manifests/cert-manager.yaml b/deploy/manifests/cert-manager.yaml
index 7a2d3a63..d965256c 100644
--- a/deploy/manifests/cert-manager.yaml
+++ b/deploy/manifests/cert-manager.yaml
@@ -595,6 +595,7 @@ webhooks:
         name: kubernetes
         namespace: default
         path: /apis/admission.certmanager.k8s.io/v1beta1/certificates
+      caBundle: ""
   - name: issuers.admission.certmanager.k8s.io
     namespaceSelector:
       matchExpressions:
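
Review bot: the new `caBundle: ""` under the certificates webhook is undocumented, so a reader of the manifest cannot tell that it is a placeholder added only to satisfy the required-field check and not a real CA. Suggest a YAML comment on that line saying so and naming what is expected to populate the value. The 6-space indentation, one level shallower than `path:`, is what makes it a sibling of the block holding `name`, `namespace` and `path`, which is where the clientConfig validation error asks for it.
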
@@ -622,6 +623,7 @@ webhooks:
         name: kubernetes
         namespace: default
         path: /apis/admission.certmanager.k8s.io/v1beta1/issuers
+      caBundle: ""
   - name: clusterissuers.admission.certmanager.k8s.io
     namespaceSelector:
       matchExpressions:
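
Review bot: the issuers webhook gets the same literal empty string, and that empty value is what any later `kubectl apply` of this file would send again. If anything fills in caBundle on the live object, confirm that re-applying the manifest does not reset it to `""`; if it can, say so in the manifest or have the field populated at render time instead of committing a placeholder.
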
@@ -649,4 +651,4 @@ webhooks:
         name: kubernetes
         namespace: default
         path: /apis/admission.certmanager.k8s.io/v1beta1/clusterissuers
-
+      caBundle: ""
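
Review bot: in the clusterissuers hunk the added `caBundle: ""` replaces the file's trailing blank line (a `-` line followed by the `+` line), unlike the other two hunks, which only add a line. Keep the whitespace change out of this fix, or confirm the file still ends with a newline after the new last line.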

@mikebridge mikebridge commented Mar 9, 2019

I just encountered this problem with 0.6:

$ kubectl apply -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.6/deploy/manifests/cert-manager.yaml

customresourcedefinition.apiextensions.k8s.io "certificates.certmanager.k8s.io" configured
customresourcedefinition.apiextensions.k8s.io "issuers.certmanager.k8s.io" configured
customresourcedefinition.apiextensions.k8s.io "clusterissuers.certmanager.k8s.io" configured
customresourcedefinition.apiextensions.k8s.io "orders.certmanager.k8s.io" configured
customresourcedefinition.apiextensions.k8s.io "challenges.certmanager.k8s.io" configured
namespace "cert-manager" configured
serviceaccount "cert-manager-webhook" unchanged
serviceaccount "cert-manager" unchanged
clusterrole.rbac.authorization.k8s.io "cert-manager" created
clusterrolebinding.rbac.authorization.k8s.io "cert-manager" created
clusterrole.rbac.authorization.k8s.io "cert-manager-view" created
clusterrole.rbac.authorization.k8s.io "cert-manager-edit" created
clusterrolebinding.rbac.authorization.k8s.io "cert-manager-webhook:auth-delegator" created
rolebinding.rbac.authorization.k8s.io "cert-manager-webhook:webhook-authentication-reader" created
clusterrole.rbac.authorization.k8s.io "cert-manager-webhook:webhook-requester" created
service "cert-manager-webhook" unchanged
deployment.apps "cert-manager-webhook" configured
deployment.apps "cert-manager" configured
cronjob.batch "cert-manager-webhook-ca-sync" unchanged
job.batch "cert-manager-webhook-ca-sync" unchanged
configmap "cert-manager-webhook-ca-sync" unchanged
serviceaccount "cert-manager-webhook-ca-sync" unchanged
clusterrole.rbac.authorization.k8s.io "cert-manager-webhook-ca-sync" created
clusterrolebinding.rbac.authorization.k8s.io "cert-manager-webhook-ca-sync" created
apiservice.apiregistration.k8s.io "v1beta1.admission.certmanager.k8s.io" created
issuer.certmanager.k8s.io "cert-manager-webhook-selfsign" configured
certificate.certmanager.k8s.io "cert-manager-webhook-ca" configured
issuer.certmanager.k8s.io "cert-manager-webhook-ca" configured
certificate.certmanager.k8s.io "cert-manager-webhook-webhook-tls" configured
error: error validating "https://raw.githubusercontent.com/jetstack/cert-manager/release-0.6/deploy/manifests/cert-manager.yaml": error validating data: [ValidationError(ValidatingWebhookConfiguration.webhooks[0].clientConfig): missing required field "caBundle" in io.k8s.api.admissionregistration.v1beta1.WebhookClientConfig, ValidationError(ValidatingWebhookConfiguration.webhooks[1].clientConfig): missing required field "caBundle" in io.k8s.api.admissionregistration.v1beta1.WebhookClientConfig, ValidationError(ValidatingWebhookConfiguration.webhooks[2].clientConfig): missing required field "caBundle" in io.k8s.api.admissionregistration.v1beta1.WebhookClientConfig]; if you choose to ignore these errors, turn validation off with --validate=false

@munnerz munnerz commented Mar 9, 2019

@mikebridge mikebridge commented Mar 9, 2019

@munnerz my mistake, thanks! (link)

@timuckun timuckun commented Mar 21, 2019

Still happening with 1.12 at GKE.

 kubectl version
Client Version: version.Info{Major:"1", Minor:"12", GitVersion:"v1.12.2", GitCommit:"17c77c7898218073f14c8d573582e8d2313dc740", GitTreeState:"clean", BuildDate:"2018-10-24T06:54:59Z", GoVersion:"go1.10.4", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"12+", GitVersion:"v1.12.5-gke.5", GitCommit:"2c44750044d8aeeb6b51386ddb9c274ff0beb50b", GitTreeState:"clean", BuildDate:"2019-02-01T23:53:25Z", GoVersion:"go1.10.8b4", Compiler:"gc", Platform:"linux/amd64"}

This is the error

certificate.certmanager.k8s.io/cert-manager-webhook-webhook-tls created
error: error validating "https://raw.githubusercontent.com/jetstack/cert-manager/release-0.7/deploy/manifests/cert-manager.yaml": error validating data: [ValidationError(ValidatingWebhookConfiguration.webhooks[0].clientConfig): missing required field "caBundle" in io.k8s.api.admissionregistration.v1beta1.WebhookClientConfig, ValidationError(ValidatingWebhookConfiguration.webhooks[1].clientConfig): missing required field "caBundle" in io.k8s.api.admissionregistration.v1beta1.WebhookClientConfig, ValidationError(ValidatingWebhookConfiguration.webhooks[2].clientConfig): missing required field "caBundle" in io.k8s.api.admissionregistration.v1beta1.WebhookClientConfig]; if you choose to ignore these errors, turn validation off with --validate=false

@timuckun timuckun commented Mar 21, 2019

On GKE the webhook never gets to the completed state. The errors in the stackdriver log say

message: "Forbidden: "/", Reason: "no RBAC policy matched""

Here are the RBAC policies I have set up.

kubectl create clusterrolebinding cluster-admin-binding \
    --clusterrole=cluster-admin \
    --user=$(gcloud config get-value core/account) \
    --dry-run \
    -o yaml | kubectl apply -f -

kubectl create clusterrolebinding add-on-cluster-admin \
    --clusterrole=cluster-admin \
    --serviceaccount=kube-system:default \
     --dry-run \
     -o yaml | kubectl apply -f -

@bgarcial bgarcial commented May 6, 2019

I had the same error, my cluster version is 1.12.7, but in my case the error was caused by the following:

I was trying to attach cert-manager as a helm dependency in my requirements.yaml helm chart file, and when I do that, I execute helm dep update to tell helm to attach cert-manager.

Then a *.tgz cert-manager package is downloaded to my chart/ directory.
My idea was to remove cert-manager as a dependency, so I had to remove the *.tgz cert-manager package from the chart/ directory and also update the helm dependencies by executing helm dep update again, so that no dependency is attached.

⟩ helm dep update
Hang tight while we grab the latest from your chart repositories...
...Unable to get an update from the "local" chart repository (http://127.0.0.1:8879/charts):
        Get http://127.0.0.1:8879/charts/index.yaml: dial tcp 127.0.0.1:8879: connect: connection refused
...Successfully got an update from the "jetstack" chart repository
...Successfully got an update from the "stable" chart repository
Update Complete. ⎈Happy Helming!⎈
Saving 0 charts
Deleting outdated charts

And my problem with the "caBundle" has disappeared.

@Sahasrara Sahasrara commented May 15, 2019

This is still happening for me with version v1.13.4 @munnerz

@snstanton snstanton commented May 16, 2019

I'm also seeing it with v1.14.1

@dbourcet dbourcet commented May 17, 2019

I too am seeing this with v1.14.1

@andrei-dascalu andrei-dascalu commented May 19, 2019

Still happening, also when using helm as per docs

helm install \
    --name cert-manager \
    --namespace cert-manager \
    --version v0.7.2 \
    jetstack/cert-manager

disabling webhooks helps

@casiodk casiodk commented May 23, 2019

I also have the same error

@lucasantarella lucasantarella commented May 28, 2019

Me as well

@WebSpider WebSpider commented May 29, 2019

/reopen

I'm seeing this as well on

```
Client Version: version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.2", GitCommit:"66049e3b21efe110454d67df4fa62b08ea79a19b", GitTreeState:"clean", BuildDate:"2019-05-16T16:23:09Z", GoVersion:"go1.12.5", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"12", GitVersion:"v1.12.7", GitCommit:"6f482974b76db3f1e0f5d24605a9d1d38fad9a2b", GitTreeState:"clean", BuildDate:"2019-03-25T02:41:57Z", GoVersion:"go1.10.8", Compiler:"gc", Platform:"linux/amd64"}
```
```
$ helm version
2019/05/29 02:32:48.168301 main.go:220: WARNING: cannot create syslog logger
Client: &version.Version{SemVer:"v2.14.0", GitCommit:"05811b84a3f93603dd6c2fcfe57944dfa7ab7fd0", GitTreeState:"clean"}
Server: &version.Version{SemVer:"v2.14.0", GitCommit:"05811b84a3f93603dd6c2fcfe57944dfa7ab7fd0", GitTreeState:"clean"}
```

@jetstack-bot jetstack-bot commented May 29, 2019

@WebSpider: You can't reopen an issue/PR unless you authored it or you are a collaborator.

@mavrick mavrick commented Jun 16, 2019

seeing a similar error

Error: validation failed: error validating "": error validating data: [ValidationError(ValidatingWebhookConfiguration.webhooks[0].clientConfig): missing required field "caBundle" in io.k8s.api.admissionregistration.v1beta1.WebhookClientConfig, ValidationError(ValidatingWebhookConfiguration.webhooks[1].clientConfig): missing required field "caBundle" in io.k8s.api.admissionregistration.v1beta1.WebhookClientConfig, ValidationError(ValidatingWebhookConfiguration.webhooks[2].clientConfig): missing required field "caBundle" in io.k8s.api.admissionregistration.v1beta1.WebhookClientConfig]
helm version
Client: &version.Version{SemVer:"v2.14.0", GitCommit:"05811b84a3f93603dd6c2fcfe57944dfa7ab7fd0", GitTreeState:"clean"}
Server: &version.Version{SemVer:"v2.14.0", GitCommit:"05811b84a3f93603dd6c2fcfe57944dfa7ab7fd0", GitTreeState:"clean"}
kubectl version
Client Version: version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.3", GitCommit:"5e53fd6bc17c0dec8434817e69b04a25d8ae0ff0", GitTreeState:"clean", BuildDate:"2019-06-06T01:44:30Z", GoVersion:"go1.12.5", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"12+", GitVersion:"v1.12.7-gke.10", GitCommit:"8d9b8641e72cf7c96efa61421e87f96387242ba1", GitTreeState:"clean", BuildDate:"2019-04-12T22:59:24Z", GoVersion:"go1.10.8b4", Compiler:"gc", Platform:"linux/amd64"}

@nico282 nico282 commented Jun 18, 2019

Solved by upgrading Helm to 2.14.1 (both client and server).

Reference:

@chrissound chrissound commented Jan 17, 2020

Also seeing this, (though it's been 6 months?)

/home/chris/temp/wiptemp/28/linux-amd64/helm version   
version.BuildInfo{Version:"v3.0.2", GitCommit:"19e47ee3283ae98139d98460de796c1be1e3975f", GitTreeState:"clean", GoVersion:"go1.13.5"}

 /home/chris/temp/wiptemp/28/linux-amd64/helm  install cert-manager-myr --namespace cert-manager jetstack/cert-manager
Error: unable to build kubernetes objects from release manifest: error validating "": error validating data: ValidationError(MutatingWebhookConfiguration.webhooks[0].clientConfig): missing required field "caBundle" in io.k8s.api.admissionregistration.v1beta1.WebhookClientConfig