K8S operator webhook error x509: certificate is not valid for any names #188

qchenzi opened this issue Nov 22, 2023 · 6 comments
qchenzi commented Nov 22, 2023

apps@(datamars)mlpl70855-10.18.106.234 crds$ kubectl apply -f quick-start.yaml
Error from server (InternalError): error when creating "quick-start.yaml": Internal error occurred: failed calling webhook "polardbxcluster-mutate.polardbx.aliyun.com": failed to call webhook: Post "https://polardbx-admission-webhook.polardbx-operator-system.svc:443/apis/admission.polardbx.aliyun.com/v1/mutate-polardbx-aliyun-com-v1-polardbxcluster?timeout=10s": x509: certificate is not valid for any names, but wanted to match polardbx-admission-webhook.polardbx-operator-system.svc

qchenzi commented Nov 22, 2023

As shown in the image, the webhook service's Available status is True.

@vettalwu vettalwu self-assigned this Nov 22, 2023
@vettalwu
Collaborator

@qchenzi It seems that the Kubernetes API server is unable to verify the webhook's TLS certificate. Do you use cert manager or a self-generated cert file? Please find it and check the cert info with the following command:

openssl x509 -in webhook-certificate.crt -text -noout

qchenzi commented Nov 23, 2023

Hi @vettalwu ,

I've checked the TLS certificate using the openssl command, and it appears to be generated for the hostname polardbx-admission-webhook.polardbx-operator-system.svc, which matches the required hostname for the webhook service. Here are the details from the certificate:

  • Issuer: CN=polardbx-admission-webhook.polardbx-operator-system.svc
  • Subject: CN=polardbx-admission-webhook.polardbx-operator-system.svc

Despite the certificate seemingly being correctly configured, I'm still encountering the x509 certificate error when applying configurations via kubectl. Do you have any suggestions on what steps I should take next to resolve this?
Thank you for your assistance.


@vettalwu
Collaborator

@qchenzi Can you try to restart the api-server? K8s api-server may create a self-generated certificate, which may be invalid. Refer to: kubernetes/kubernetes#86552.

@vettalwu vettalwu changed the title from "After deploying the operator on K8S, building the quick-start cluster fails with x509: certificate is not valid for any names" to "K8S operator webhook error x509: certificate is not valid for any names" on Nov 23, 2023
qchenzi commented Dec 25, 2023

Hi @vettalwu ,

I've restarted the api-server as you suggested, but the issue persists with the x509: certificate is not valid for any names error still occurring. Here are the steps I've taken:

  1. Restarted the Kubernetes api-server.
  2. Retried applying the *.yaml file.

Could there be other diagnostic steps to attempt? Or is there a possibility of a different configuration causing the certificate validation issue?

Thank you for your assistance!

vettalwu commented Aug 7, 2024

@qchenzi Check the apiserver CA using the following command:

# Replace {Master_IP} with your master IP and 6443 with your apiserver port
curl --resolve apiserver-loopback-client:6443:{Master_IP} -k -v https://apiserver-loopback-client:6443/healthz
