polardbx-sql
K8S operator webhook error x509: certificate is not valid for any names
apps@(datamars)mlpl70855-10.18.106.234 crds$ kubectl apply -f quick-start.yaml
Error from server (InternalError): error when creating "quick-start.yaml": Internal error occurred: failed calling webhook "polardbxcluster-mutate.polardbx.aliyun.com": failed to call webhook: Post "https://polardbx-admission-webhook.polardbx-operator-system.svc:443/apis/admission.polardbx.aliyun.com/v1/mutate-polardbx-aliyun-com-v1-polardbxcluster?timeout=10s": x509: certificate is not valid for any names, but wanted to match polardbx-admission-webhook.polardbx-operator-system.svc
@qchenzi It seems that the Kubernetes API server is unable to verify the webhook's TLS certificate. Do you use cert manager or a self-generated cert file? Please find it and check the cert info with the following command:
openssl x509 -in webhook-certificate.crt -text -noout
Hi @vettalwu ,
I've checked the TLS certificate using the openssl command, and it appears to be generated for the hostname polardbx-admission-webhook.polardbx-operator-system.svc, which matches the required hostname for the webhook service. Here are the details from the certificate:
- Issuer: CN=polardbx-admission-webhook.polardbx-operator-system.svc
- Subject: CN=polardbx-admission-webhook.polardbx-operator-system.svc
Despite the certificate seemingly being correctly configured, I'm still encountering the x509 certificate error when applying configurations via kubectl. Do you have any suggestions on what steps I should take next to resolve this? Thank you for your assistance.
@qchenzi Can you try to restart the api-server? K8s api-server may create a self-generated certificate, which may be invalid. Refer to: https://github.com/kubernetes/kubernetes/issues/86552.
Hi @vettalwu ,
I've restarted the api-server as you suggested, but the issue persists with the x509: certificate is not valid for any names error still occurring. Here are the steps I've taken:
- Restarted the Kubernetes api-server.
- Retried applying the *.yaml file.
Could there be other diagnostic steps to attempt? Or is there a possibility of a different configuration causing the certificate validation issue?
Thank you for your assistance!
@qchenzi Check the apiserver CA using the following command:
# Replace {Master_IP} with your master IP and 6443 with your apiserver port
curl --resolve apiserver-loopback-client:6443:{Master_IP} -k -v https://apiserver-loopback-client:6443/healthz