sidecar-injector
TLS handshake error when following README in local cluster
Summary
When executing the README (manual deployment) in a Rancher Desktop local environment to get to know the product, I am receiving `Internal error occurred: failed calling webhook "sidecar-injector.conjur.org": failed to call webhook: Post "https://cyberark-sidecar-injector.injectors.svc:443/mutate?timeout=10s": x509: certificate signed by unknown authority:Deployment does not have minimum availability.` in my deployment of the testing app.
In the logs of the mutating webhook pod I am seeing multiple `http: TLS handshake error from 10.42.0.1:42142: remote error: tls: bad certificate` error lines.
This is being tested by bypassing the Conjur setup locally, as I expect the mutation to happen (the authentication sidecar gets injected) and only then the Conjur connection not being available would cause errors.
We decided to give it a go and test this in our OpenShift test environment using the Helm chart, but are getting exactly the same issue over there. In that environment Conjur is set up and working. Would love to get it running locally first so that we can test the product in a "playground" environment.
Reproducible
- [x] Always
- [ ] Sometimes
- [ ] Non-Reproducible
Version/Tag number
latest/master
Environment setup
Rancher Desktop on Mac + OpenShift
When you change the `CA_BUNDLE` of the webhook with the output of `kubectl config view --raw --minify --flatten -o jsonpath='{.clusters[].cluster.certificate-authority-data}'`, the logs change to:

```
Mutation policy for sidecar-test/: status: "" required:false
Skipping mutation for sidecar-test/ due to policy check
```
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: application
  namespace: sidecar-test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: application
  template:
    metadata:
      labels:
        app: application
      annotations:
        conjur.org/conjurAuthConfig: conjur
        conjur.org/conjurConnConfig: conjur
        conjur.org/container-mode: sidecar
        conjur.org/conjur-token-receivers: "application"
        conjur.org/inject: "y"
        conjur.org/inject-type: authenticator
        conjur.org/container-name: application
    spec:
      containers:
      - name: application
        image: googlecontainer/echoserver:1.1
        imagePullPolicy: IfNotPresent
```
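The two errors above are the two ends of one TLS handshake: the API server rejects the webhook's serving certificate because it does not chain to a CA in the webhook's `caBundle`, and the webhook pod logs the resulting `bad certificate` alert. The following is an added example (Go, not code from this issue or from the sidecar-injector project) that mirrors that check with `crypto/x509`: it mints throwaway CAs and a serving certificate for the service name from the error, then verifies it against a `caBundle` holding a different CA (a constructed stand-in for the kubeconfig cluster CA printed by the `kubectl config view` command) and against the CA that actually signed it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// VerifyServingCert mirrors the API server's TLS check before it POSTs to /mutate: the serving cert must chain to a CA in caBundle for dnsName.
func VerifyServingCert(caBundlePEM []byte, serving *x509.Certificate, dnsName string) error {
	roots := x509.NewCertPool()
	roots.AppendCertsFromPEM(caBundlePEM) // an empty or garbled bundle fails the same way as a wrong CA
	_, err := serving.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName})
	return err // x509.UnknownAuthorityError: "certificate signed by unknown authority"
}

// mint issues a cert for cn signed by parent; with parent nil it is a self-signed CA. Test fixture only.
func mint(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) ([]byte, *x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil { // self-signed CA
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = t, key
	} else { // server-auth leaf for the webhook Service DNS name
		t.DNSNames, t.ExtKeyUsage = []string{cn}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), cert, key
}

// Scenario reproduces the report: serving cert signed by the injector's own CA, caBundle holding another (constructed) CA; returns both outcomes.
func Scenario(svc string) (wrongBundleErr, rightBundleErr error) {
	injCAPEM, injCA, injKey := mint("sidecar-injector-ca", nil, nil)
	otherCAPEM, _, _ := mint("kubeconfig-cluster-ca", nil, nil)
	_, serving, _ := mint(svc, injCA, injKey)
	return VerifyServingCert(otherCAPEM, serving, svc), VerifyServingCert(injCAPEM, serving, svc)
}

func main() {
	wrong, right := Scenario("cyberark-sidecar-injector.injectors.svc")
	fmt.Println("wrong caBundle ->", wrong, "\nmatching caBundle ->", right)
}
```

In a live cluster the same comparison is between the decoded `clientConfig.caBundle` of the MutatingWebhookConfiguration and the `tls.crt` the webhook pod actually serves; if they are issued by different CAs, the API server fails exactly as in the report.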
This issue got resolved by changing the `latest` image to the `edge` image. This indicates this repo is not really the one behind the images, as the edge image was updated some hours ago, the latest image is from 3 years ago, and no code was pushed here at these timestamps. This makes set-up quite confusing. Can we get some clarity on this? Is the real code versioned in an internal atlantis git repo?
```shell
# Install the chart with the webhook image pinned to 'edge'; the trailing backslash after the
# image line is required so that the chart path and --generate-name belong to the same command.
helm --namespace injectors \
  install \
  --set "caBundle=$(kubectl config view --raw --minify --flatten -o jsonpath='{.clusters[].cluster.certificate-authority-data}')" \
  --set "sidecarInjectorImage=cyberark/sidecar-injector:edge" \
  ./helm/cyberark-sidecar-injector/ --generate-name
```
For OpenShift we decided to use the built-in service signer, injecting a secret into our namespace based on this repo.
As this repo is quite old without any updates, would you be open to PRs? After getting it to run, we discovered some issues in the documentation and examples, but also some optimizations for the Go app. For now, we are just using our own sidecar injector based on this one.