Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Webhook Server Certificate #1157

Open
bdwyertech opened this issue Aug 3, 2023 · 2 comments
Open

Webhook Server Certificate #1157

bdwyertech opened this issue Aug 3, 2023 · 2 comments
Labels
bug Something isn't working

Comments

@bdwyertech
Copy link

bdwyertech commented Aug 3, 2023
edited

Description

Seems like the webhook server is not getting restarted when cert-manager issues a new certificate. I would expect the devworkspace-controller-manager to do this, or for the webhook server to see that the cert has been rolled.

ERROR: Job failed (system failure): prepare environment: setting up trapping scripts on emptyDir: Internal error occurred: failed calling webhook "validate-exec.devworkspace-controller.svc": failed to call webhook: Post "[https://devworkspace-webhookserver.devworkspace-controller.svc:443/validate?timeout=10s](https://devworkspace-webhookserver.devworkspace-controller.svc/validate?timeout=10s)": tls: failed to verify certificate: x509: certificate signed by unknown authority. Check https://docs.gitlab.com/runner/shells/index.html#shell-profile-loading for more information

Perhaps I just have something misconfigured, but when this cert expires, it causes issues for other non-devworkspace pods. Killing the webhook server and letting a new pod come up resolves the issue.

I am using the following Flux config to deploy the manifests under deploy/deployment/kubernetes/objects/

apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: GitRepository
metadata:
  name: devworkspace-operator
  namespace: devworkspace-controller
spec:
  interval: 1h
  url: https://github.com/devfile/devworkspace-operator
  ref:
    tag: v0.22.0
  ignore: |
    # exclude all
    /*
    # include k8s deploy objects directory
    !/deploy/deployment/kubernetes/objects/
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
  name: devworkspace-operator
  namespace: devworkspace-controller
spec:
  interval: 1h
  retryInterval: 1m
  timeout: 5m
  sourceRef:
    kind: GitRepository
    name: devworkspace-operator
  path: ./deploy/deployment/kubernetes/objects
  prune: true
@jsnouffer
Copy link

I also have been encountering this issue when cert-manager renews the webhook certificate, requiring a restart of the pod. It would be nice to get this addressed.

@AObuchow AObuchow added the bug Something isn't working label Jan 29, 2024
@AObuchow
Copy link
Collaborator

@bdwyertech @jsnouffer Thank you for reporting and following up on this issue. I apologize it went unattended for so long. I have been caught up with other priorities but wanted to let you know this issue's priority will be assessed, and it will hopefully be worked on in the near future.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@bdwyertech @AObuchow @jsnouffer