Deployment via Helm chart fail

[paullaffitte]

I know that 2 issues already exists about installing kube-fledged via YAML and operator fail but this one is about installing it with Helm, and it's not exactly the same problem.

When I run:

$ curl -fsSL https://raw.githubusercontent.com/senthilrch/kube-fledged/master/deploy/webhook-create-signed-cert.sh | bash -s -- --namespace ${KUBEFLEDGED_NAMESPACE}

I got this error message: The CertificateSigningRequest "kubefledged-webhook-server.kube-fledged" is invalid: spec.signerName: Invalid value: "kubernetes.io/legacy-unknown": the legacy signerName is not allowed via this API version.

My k8s version:

$ kubectl version
Client Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.2", GitCommit:"f5743093fd1c663cb0cbc89748f730662345d44d", GitTreeState:"clean", BuildDate:"2020-09-16T13:41:02Z", GoVersion:"go1.15", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.2", GitCommit:"f5743093fd1c663cb0cbc89748f730662345d44d", GitTreeState:"clean", BuildDate:"2020-09-16T13:32:58Z", GoVersion:"go1.15", Compiler:"gc", Platform:"linux/amd64"}

PS: FYI, if it can be useful:

$ kubectl api-versions | grep certificates.k8s.io | head -1
certificates.k8s.io/v1

EDIT:

If I try to edit the script and remove the signerName key, I got this quite interesting error message:
error: error validating "STDIN": error validating data: ValidationError(CertificateSigningRequest.spec): missing required field "signerName" in io.k8s.api.certificates.v1.CertificateSigningRequestSpec; if you choose to ignore these errors, turn validation off with --validate=false. Not sure if the issue is coming from kube-fledged or k8s itself 🤔

[paullaffitte]

I found something interesting. According to k8s docs:

The stable CertificateSigningRequest API (version certificates.k8s.io/v1 and later) does not allow to set the signerName as kubernetes.io/legacy-unknown

If I try to change signerName and replace kubernetes.io/legacy-unknown by an arbitrary value it works.

[senthilrch]

@paullaffitte : thanks for posting this issue. Please use the workaround mentioned in following issue:-
#75

[paullaffitte]

Thanks, but unfortunately, it doesn't work either.

error: unable to recognize "STDIN": no matches for kind "CertificateSigningRequest" in version "apiVersion=certificates.k8s.io/v1beta1"

[senthilrch]

Please share the output of following command:-

kubectl api-versions | grep certificates.k8s.io

[paullaffitte]

$ kubectl api-versions | grep certificates.k8s.io
certificates.k8s.io/v1
certificates.k8s.io/v1beta1

EDIT: My bad, I was too fast and did a mistake, I wrote apiVersion='apiVersion=certificates.k8s.io/v1beta1' instead of apiVersion='certificates.k8s.io/v1beta1'. It's now working. Thanks