custom namespace not respected in certificate dnsNames
Steps to reproduce:
- deploy vm operator with custom namespace via kustomize

```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- github.com/VictoriaMetrics/operator/config/base-with-webhook?ref=v0.55.0
namespace: data
images:
- name: manager
  newName: victoriametrics/operator
  newTag: v0.55.0
```

```
kubectl kustomize > out.yaml
```

- check generated `Certificate` resources

```yaml
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  labels:
    app.kubernetes.io/component: certificate
    app.kubernetes.io/created-by: vm-operator
    app.kubernetes.io/instance: vm-metrics-cert
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: vm-operator
    app.kubernetes.io/part-of: vm-operator
  name: vm-metrics-certs
  namespace: data
spec:
  dnsNames:
  - vm-webhook-service.vm.svc
  - vm-webhook-service.vm.svc.cluster.local
  issuerRef:
    kind: Issuer
    name: vm-selfsigned-issuer
  secretName: metrics-server-cert
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  labels:
    app.kubernetes.io/component: certificate
    app.kubernetes.io/created-by: vm-operator
    app.kubernetes.io/instance: vm-serving-cert
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: vm-operator
    app.kubernetes.io/part-of: vm-operator
  name: vm-serving-cert
  namespace: data
spec:
  dnsNames:
  - vm-webhook-service.vm.svc
  - vm-webhook-service.vm.svc.cluster.local
  issuerRef:
    kind: Issuer
    name: vm-selfsigned-issuer
  secretName: webhook-server-cert
---
```

The problem is the generated dnsNames, which have the wrong namespace:

```yaml
dnsNames:
- vm-webhook-service.vm.svc
- vm-webhook-service.vm.svc.cluster.local
```

should be:

```yaml
dnsNames:
- vm-webhook-service.data.svc
- vm-webhook-service.data.svc.cluster.local
```

This issue results in certificate validation errors when trying to deploy resources.
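
A check for the mismatch reported above, as an added example that is not part of the original issue or of the operator project: it scans `kubectl kustomize` output and reports every `Certificate` whose in-cluster dnsNames carry a namespace other than the Certificate's own. The function name, the constructed sample and the line-based parsing (which assumes the two-space layout that `kubectl kustomize` emits) are assumptions.

```python
import re
import sys

# Constructed sample mirroring one Certificate from the report above.
SAMPLE = """\
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: vm-serving-cert
  namespace: data
spec:
  dnsNames:
  - vm-webhook-service.vm.svc
  - vm-webhook-service.vm.svc.cluster.local
  secretName: webhook-server-cert
"""

def mismatched_dns_names(rendered):
    """Return (certificate, namespace, dnsName) for each in-cluster dnsName
    whose namespace label differs from the Certificate's metadata.namespace."""
    findings = []
    for doc in re.split(r"(?m)^---\s*$", rendered):
        if not re.search(r"(?m)^kind:\s*Certificate\s*$", doc):
            continue
        name = re.search(r"(?m)^  name:\s*(\S+)", doc)
        ns = re.search(r"(?m)^  namespace:\s*(\S+)", doc)
        if not (name and ns):
            continue  # unexpected layout: nothing to compare against
        in_list = False
        for line in doc.splitlines():
            item = re.match(r"\s*-\s+(\S+)\s*$", line)
            if re.match(r"\s*dnsNames:\s*$", line):
                in_list = True
            elif in_list and item:
                labels = item.group(1).split(".")
                # In-cluster names look like <service>.<namespace>.svc[.<domain>]
                if len(labels) >= 3 and labels[2] == "svc" and labels[1] != ns.group(1):
                    findings.append((name.group(1), ns.group(1), item.group(1)))
            else:
                in_list = False
    return findings

if __name__ == "__main__":
    # With a file argument, behave as a CI gate; without one, show the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    found = mismatched_dns_names(text)
    for cert, ns, dns in found:
        print(f"{cert} (namespace {ns}): dnsName {dns} points at another namespace")
    sys.exit(1 if found and len(sys.argv) > 1 else 0)
```

Run against the rendered `out.yaml` from the steps above, it exits non-zero when any Certificate still names a namespace other than the one it is deployed into.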
@AndrewChubatiuk Could you please take a look?
Meanwhile, I realized that I don’t actually need the webhook functionality. If I understand correctly, these self-signed certificates need to be replaced with proper certificates anyway, since otherwise the validation will fail. So I’m not sure if this is really an issue…