Admission Controller - certificate is not valid for any names

[karlhaworth]

I created an admission controller. It's rather simple at the moment. I am using AKS and a service tunnel. I get the error below. Can anyone help point me in the right direction?

❯ k apply -f test/examples/deployment_bad.yaml
Error from server (InternalError): error when creating "test/examples/deployment_bad.yaml": Internal error occurred: failed calling webhook "validate.image-validator.runway.test.com": failed to call webhook: Post "https://runway-image-scanning-operator.runway-operator.svc:443/validate?timeout=30s": x509: certificate is not valid for any names, but wanted to match runway-image-scanning-operator.runway-operator.svc

The caBundle on the validatingwebhookconfigurations matches what the server is serving up.

k get validatingwebhookconfigurations image-validator.runway.test.com -o yaml

openssl s_client -connect runway-image-scanning-operator.runway-operator.svc:443 -showcerts </dev/null | openssl x509 -outform pem > test.pem && python -c "with open('test.pem', 'r') as f: print(f.read())"

Below is what I get using the openssl tool, so it does have a common name. Confused at what could be the problem.

        Subject: CN = runway-image-scanning-operator.runway-operator.svc

            X509v3 Subject Alternative Name:
                DNS:runway-image-scanning-operator.runway-operator.svc, DNS:runway-image-scanning-operator, DNS:runway-image-scanning-operator.runway-operator.svc.cluster.local, DNS:localhost

[gaggarwal21]

I am stuck at a similar thing and I am deciding to not use KOPF anymore for my controller. For me, the certificate gets loaded only once at initialization and after it expires, the webhook does not load the new cert and I guess an error. No idea how to auto-load this certificate.

Internal error occurred: failed calling webhook "mutate.webhook.operator.svc.cluster.local": failed to call webhook: Post "https://webhook.operator.svc:443/mutate?timeout=30s": x509: certificate has expired or is not yet valid: current time 2023-06-26T23:18:40Z is after 2023-06-14T13:44:30Z

[gaggarwal21]

@nolar any ideas on how to get the new certificate auto reloaded by the webhook? Maybe I need to update the decorator to not just use "on.startup()"?

class Configure:
async def call(
self, fn: kopf.WebhookFn
) -> AsyncIterator[kopf.WebhookClientConfig]:
namespace = os.environ.get("NAMESPACE")
name = os.environ.get("SERVICE_NAME")
service_port = int(os.environ.get("SERVICE_PORT", 443))
container_port = int(os.environ.get("CONTAINER_PORT", 9443))
server = kopf.WebhookServer(port=container_port, host=f"{name}.{namespace}.svc",
cafile="/etc/webhook-server/certs/webhook-server-cert/ca.crt",
certfile="/etc/webhook-server/certs/webhook-server-cert/tls.crt",
pkeyfile="/etc/webhook-server/certs/webhook-server-cert/tls.key")
async for client_config in server(fn):
del client_config["url"]
client_config["service"] = kopf.WebhookClientConfigService(
name=name, namespace=namespace, port=service_port
)
yield client_config

@kopf.on.startup()
def configure(settings: kopf.OperatorSettings, logger, **_):
# Get the necessary params to configure KOPF startup
settings.admission.server = Configure()
settings.admission.managed = os.environ.get("WEBHOOK_NAME")
logger.info("Successfully configured Secrets Operator!")