gateway-api
Webhook Certificate Issue
I am installing Gateway API with Traefik. After installing the webhook, I am getting the following when creating Gateway and HTTPRoute.
Error from server (InternalError): error when applying patch:
{"spec":{"listeners":[{"name":"prod-web-gw","port":80,"protocol":"HTTP"}]}}
to:
Resource: "gateway.networking.k8s.io/v1alpha2, Resource=gateways", GroupVersionKind: "gateway.networking.k8s.io/v1alpha2, Kind=Gateway"
Name: "example-gateway", Namespace: "default"
for: "gateway.yaml": Internal error occurred: failed calling webhook "validate.gateway.networking.k8s.io": failed to call webhook: Post "https://gateway-api-admission-server.gateway-api.svc:443/validate?timeout=10s": x509: certificate signed by unknown authority
Error from server (InternalError): error when applying patch:
{"spec":{"parentRefs":[{"name":"example-gateway"}],"rules":[{"matches":[{"path":{"type":"Exact","value":"/podinfo"}}]},{"backendRefs":[{"name":"podinfo","port":9898}]}]}}
to:
Resource: "gateway.networking.k8s.io/v1alpha2, Resource=httproutes", GroupVersionKind: "gateway.networking.k8s.io/v1alpha2, Kind=HTTPRoute"
Name: "podinfo", Namespace: "default"
for: "gateway.yaml": Internal error occurred: failed calling webhook "validate.gateway.networking.k8s.io": failed to call webhook: Post "https://gateway-api-admission-server.gateway-api.svc:443/validate?timeout=10s": x509: certificate signed by unknown authority
Please point me in the right direction or to the documentation. I couldn't find much documentation around the webhook. Is it really required?
Hey @anjuls, a few follow-up questions:
- How did you install the webhook?
- What version of the webhook are you using?
- What version of Kubernetes are you using?
- Are any pods in the gateway-system namespace in an error state?
I have followed the installation given in the Traefik docs and skipped the installation of webhooks. It is working fine without them as well. It would have been nice to get more information about why we need these webhooks. Closing the issue.
@anjuls, the webhook is required to do more specific validation of Gateway API resources. Without it, there are cases in which you'll supply invalid objects that may or may not be handled correctly by your implementation.
The kubebuilder validations we use for some validation can't handle more complex validations, so we're forced to require the webhook.
We are still in the process of setting up the infrastructure to track all of this, but webhook validation will also be required for an implementation to pass conformance at some point in the near future because of this.
@robscott's questions are important because they're to help you and us figure out if we've made any mistakes with the webhook deployment YAMLs we supply.
I've reopened the issue for now; I really would like to hear more about what went wrong when you tried to install. We don't have much information about actual usage of the webhook, and any information you could give would be super helpful if you can, @anjuls.
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.
This bot triages issues and PRs according to the following rules:
- After 90d of inactivity, lifecycle/stale is applied
- After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
- After 30d of inactivity since lifecycle/rotten was applied, the issue is closed
You can:
- Mark this issue or PR as fresh with /remove-lifecycle stale
- Mark this issue or PR as rotten with /lifecycle rotten
- Close this issue or PR with /close
- Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
/lifecycle rotten
/remove-lifecycle rotten
/lifecycle stale
While grooming we noticed this hasn't been responded to in about a year. We're going to close this as we don't expect anyone's ready to drive it forward, but if you still want this feature and have a strong use case we will be happy to reconsider this and re-open.