polardb / polardbx-sql

PolarDB-X is a cloud native distributed SQL Database designed for high concurrency, massive storage, complex querying scenarios.

K8S operator webhook error x509: certificate is not valid for any names

qchenzi opened this issue · comments

apps@(datamars)mlpl70855-10.18.106.234 crds$ kubectl apply -f quick-start.yaml
Error from server (InternalError): error when creating "quick-start.yaml": Internal error occurred: failed calling webhook "polardbxcluster-mutate.polardbx.aliyun.com": failed to call webhook: Post "https://polardbx-admission-webhook.polardbx-operator-system.svc:443/apis/admission.polardbx.aliyun.com/v1/mutate-polardbx-aliyun-com-v1-polardbxcluster?timeout=10s": x509: certificate is not valid for any names, but wanted to match polardbx-admission-webhook.polardbx-operator-system.svc

As shown in the image, the webhook service's available status is True.

@qchenzi It seems that the Kubernetes API server is unable to verify the webhook's TLS certificate. Do you use cert manager or a self-generated cert file? Please find it and check the cert info with the following command:

openssl x509 -in webhook-certificate.crt -text -noout

Hi @vettalwu ,

I've checked the TLS certificate using the openssl command, and it appears to be generated for the hostname polardbx-admission-webhook.polardbx-operator-system.svc, which matches the required hostname for the webhook service. Here are the details from the certificate:

  • Issuer: CN=polardbx-admission-webhook.polardbx-operator-system.svc
  • Subject: CN=polardbx-admission-webhook.polardbx-operator-system.svc

Despite the certificate seemingly being correctly configured, I'm still encountering the x509 certificate error when applying configurations via kubectl. Do you have any suggestions on what steps I should take next to resolve this?
Thank you for your assistance.

@qchenzi Can you try to restart the api-server? K8s api-server may create a self-generated certificate, which may be invalid. Refer to: kubernetes/kubernetes#86552.

Hi @vettalwu ,

I've restarted the api-server as you suggested, but the issue persists with the x509: certificate is not valid for any names error still occurring. Here are the steps I've taken:

  1. Restarted the Kubernetes api-server.
  2. Retried applying the *.yaml file.

Could there be other diagnostic steps to attempt? Or is there a possibility of a different configuration causing the certificate validation issue?

Thank you for your assistance!