kubernetes-retired / multi-tenancy

A working place for multi-tenancy related proposals and prototypes.

SSL handshake issue when HNC controller is used alongside Istio sidecar proxy enabled with mTLS

unmarshall opened this issue · comments

Hello,

I tried to install the HNC controller (HNC_VERSION = v0.7.0):
kubectl apply -f https://github.com/kubernetes-sigs/multi-tenancy/releases/download/hnc-${HNC_VERSION}/hnc-manager.yaml
I have also installed the latest hnc kubectl plugin.

The installation did not error out, but when I tried to associate a parent-child relationship between 2 namespaces:
kubectl hns set childns --parent parentns
Error:
Could not update the hierarchical configuration of barkley-pe. Reason: Internal error occurred: failed calling webhook "hierarchyconfigurations.hnc.x-k8s.io": Post https://hnc-webhook-service.hnc-system.svc:443/validate-hnc-x-k8s-io-v1alpha2-hierarchyconfigurations?timeout=30s: x509: certificate is not valid for any names, but wanted to match hnc-webhook-service.hnc-system.svc

hnc-controller-manager.log
In the k8s cluster Istio is enabled. This means that the HNC controller automatically gets the Istio sidecar proxy injected. The Istio proxy is configured to do all communication over mTLS. I get the feeling that the certificates generated by the HNC controller are now interfering with the certificates that the Istio sidecar proxy uses for mTLS.

In the HNC manager yaml there are the options --enable-internal-cert-management and --cert-restart-on-secret-refresh. Will disabling these options allow HNC to delegate all mTLS to the Istio sidecar?

best Regards,
Madhav

Hi Madhav,

Unfortunately, we haven't tested HNC with Istio. HNC talks to the apiserver through a webhook, which is already encrypted (TLS). After talking with @adrianludwin, who knows about Istio, our guess is that the apiserver is not part of Istio, so it cannot decrypt the calls from the HNC manager pod that Istio has encrypted.

There are two possible Istio configurations that you can explore to solve the issue:

  1. Search for some standard/general way of configuring Istio when there are pods talking to the apiserver with webhooks in the same cluster (there should be a lot of similar cases like this);

OR

  2. Exclude the HNC manager pod from Istio so that Istio won't encrypt our calls to the apiserver; besides, we already have TLS when talking to the apiserver through the webhook.

Hope this helps and please let us know if you figure out a solution and we can update the user doc about using HNC with Istio. Thanks!

Update: @unmarshall mentioned in the Slack: "I was able to install HNC manager by adding the sidecar.istio.io/inject: "false" annotation to the Deployment spec. This prevents istio sidecar injection into the hnc-controller-manager pod."

Anyone picking up this bug can update the HNC doc on HNC working with Istio.
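The workaround reported above, worked through as an added example; this is not code from the HNC project or from anyone in this thread. It takes the HNC controller Deployment as a Python dict (as you would get from loading hnc-manager.yaml with a YAML parser or from `kubectl get deploy -o json`) and adds the sidecar.istio.io/inject opt-out to the pod template. The sample Deployment is constructed for the example and trimmed to the fields that matter here; the only values taken from the thread are the Deployment name, the hnc-system namespace and the two --enable-internal-cert-management / --cert-restart-on-secret-refresh flags. Two details the example enforces, because getting either wrong silently leaves the sidecar in place: the annotation belongs on spec.template.metadata (the Pod that Istio's injection webhook sees), not on the Deployment's own metadata, and its value must be the string "false", since annotation values are strings and an unquoted YAML false is a boolean the apiserver rejects.

```python
"""Opt the HNC controller pod out of Istio sidecar injection.

Added example, not part of HNC. Works on a Deployment already loaded into a
dict; the SAMPLE_DEPLOYMENT below is constructed for this example.
"""
import json
from copy import deepcopy

ISTIO_INJECT_ANNOTATION = "sidecar.istio.io/inject"

# Constructed, trimmed stand-in for the Deployment in hnc-manager.yaml.
# Name, namespace and the two flags come from the issue; everything else is
# reduced to the minimum a Deployment needs.
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "hnc-controller-manager", "namespace": "hnc-system"},
    "spec": {
        "replicas": 1,
        "selector": {"matchLabels": {"control-plane": "controller-manager"}},
        "template": {
            "metadata": {"labels": {"control-plane": "controller-manager"}},
            "spec": {
                "containers": [
                    {
                        "name": "manager",
                        "args": [
                            "--enable-internal-cert-management",
                            "--cert-restart-on-secret-refresh",
                        ],
                    }
                ]
            },
        },
    },
}


def disable_sidecar_injection(deployment: dict) -> dict:
    """Return a copy of `deployment` whose pod template carries
    sidecar.istio.io/inject: "false".

    The annotation goes on spec.template.metadata, because Istio's injection
    webhook inspects the Pod being created, which inherits only the template's
    metadata. The value is the *string* "false".
    """
    if deployment.get("kind") != "Deployment":
        raise ValueError(f"expected a Deployment, got {deployment.get('kind')!r}")
    patched = deepcopy(deployment)
    template_meta = patched["spec"]["template"].setdefault("metadata", {})
    annotations = template_meta.setdefault("annotations", {})
    annotations[ISTIO_INJECT_ANNOTATION] = "false"
    return patched


def sidecar_injection_disabled(deployment: dict) -> bool:
    """True only if the pod template opts out with the string "false".

    A boolean False (from an unquoted YAML `false`) or an annotation placed on
    the Deployment's top-level metadata does not count, because neither
    disables injection on the cluster.
    """
    value = (
        deployment.get("spec", {})
        .get("template", {})
        .get("metadata", {})
        .get("annotations", {})
        .get(ISTIO_INJECT_ANNOTATION)
    )
    return value == "false"


def kubectl_patch_command(name: str = "hnc-controller-manager",
                          namespace: str = "hnc-system") -> str:
    """Same change as a one-off strategic merge patch against a live cluster,
    for when the manifest has already been applied."""
    patch = {"spec": {"template": {"metadata": {
        "annotations": {ISTIO_INJECT_ANNOTATION: "false"}}}}}
    return f"kubectl -n {namespace} patch deployment {name} -p '{json.dumps(patch)}'"


if __name__ == "__main__":
    fixed = disable_sidecar_injection(SAMPLE_DEPLOYMENT)
    print(json.dumps(fixed["spec"]["template"]["metadata"], indent=2))
    print(kubectl_patch_command())
```

Either route changes the pod template, so the Deployment rolls out a new pod; the old pod keeps its sidecar until it is replaced, so check `kubectl -n hnc-system get pods -o jsonpath='{.items[*].spec.containers[*].name}'` afterwards and confirm that only the manager container is listed, without istio-proxy. The pod-level annotation overrides namespace-level injection, so the hnc-system namespace can stay in the mesh configuration unchanged.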

@adrianludwin: Closing this issue.

In response to this:

Moved to kubernetes-sigs/hierarchical-namespaces#17

/close