K8S operator webhook error x509: certificate is not valid for any names
qchenzi opened this issue

```
apps@(datamars)mlpl70855-10.18.106.234 crds$ kubectl apply -f quick-start.yaml
Error from server (InternalError): error when creating "quick-start.yaml": Internal error occurred: failed calling webhook "polardbxcluster-mutate.polardbx.aliyun.com": failed to call webhook: Post "https://polardbx-admission-webhook.polardbx-operator-system.svc:443/apis/admission.polardbx.aliyun.com/v1/mutate-polardbx-aliyun-com-v1-polardbxcluster?timeout=10s": x509: certificate is not valid for any names, but wanted to match polardbx-admission-webhook.polardbx-operator-system.svc
```
@qchenzi It seems that the Kubernetes API server is unable to verify the webhook's TLS certificate. Do you use cert-manager or a self-generated cert file? Please find it and check the cert info with the following command:

```
openssl x509 -in webhook-certificate.crt -text -noout
```
Hi @vettalwu ,
I've checked the TLS certificate using the openssl command, and it appears to be generated for the hostname polardbx-admission-webhook.polardbx-operator-system.svc, which matches the required hostname for the webhook service. Here are the details from the certificate:
- Issuer: CN=polardbx-admission-webhook.polardbx-operator-system.svc
- Subject: CN=polardbx-admission-webhook.polardbx-operator-system.svc
Despite the certificate seemingly correctly configured, I'm still encountering the x509 certificate error when applying configurations via kubectl. Do you have any suggestions on what steps I should take next to resolve this?
Thank you for your assistance.
@qchenzi Can you try to restart the api-server? K8s api-server may create a self-generated certificate, which may be invalid. Refer to: kubernetes/kubernetes#86552.
Hi @vettalwu ,
I've restarted the api-server as you suggested, but the issue persists with the x509: certificate is not valid for any names error still occurring. Here are the steps I've taken:
[image]
Could there be other diagnostic steps to attempt? Or is there a possibility of a different configuration causing the certificate validation issue?
Thank you for your assistance!