issue with using webhook in the cronjob tutorial

383 views
Skip to first unread message

James Zhang

unread,
Aug 18, 2020, 2:38:48 PM8/18/20
to kubebuilder
I'm following this tutorial: https://github.com/kubernetes-sigs/kubebuilder/tree/master/docs/book/src/cronjob-tutorial/testdata/project

The CRD works without the webhook enabled.

But when it is deployed in the kubernetes cluster with webhook enabled (cert-manager used for certs),  I'm having the following error when trying to deploy cronjob.

Error from server (InternalError): error when creating "config/samples/batch_v1_cronjob.yaml": Internal error occurred: failed calling webhook "mcronjob.kb.io": Post https://project-webhook-service.project-system.svc:443/mutate-batch-tutorial-kubebuilder-io-v1-cronjob?timeout=30s: dial tcp 10.110.254.224:443: connect: connection refused

Hoping someone can give me some clues to troubleshoot further...

Thanks
James


James Zhang

unread,
Aug 19, 2020, 10:22:12 AM8/19/20
to kubebuilder
found one issue, main.go specify 9443 for the webhook, but service.yaml uses 443 (https://github.com/kubernetes-sigs/kubebuilder/blob/master/docs/book/src/cronjob-tutorial/testdata/project/config/webhook/service.yaml), 
then I got another error:
Error from server (InternalError): error when creating "config/samples/batch_v1_cronjob.yaml": Internal error occurred: failed calling webhook "mcronjob.kb.io": Post https://project-webhook-service.project-system.svc:443/mutate-batch-tutorial-kubebuilder-io-v1-cronjob?timeout=30s: x509: certificate is valid for project-webhook-service.project-system.svc.cluster.local, not project-webhook-service.project-system.svc

not sure why it doesn't append cluster.local for the service name, for now I added project-webhook-service.project-system.svc to certs, it works now.

/J

Mengqi Yu

unread,
Aug 19, 2020, 2:12:51 PM8/19/20
to James Zhang, kubebuilder
Hi James,

Please feel free to create a PR to update the port number if there is a mismatch.

If you take a look at the certificate CRD, you can find `project-webhook-service.project-system.svc` is used as the common name and `project-webhook-service.project-system.svc.cluster.local` is used as the SAN. https://github.com/kubernetes-sigs/kubebuilder/blob/master/docs/book/src/cronjob-tutorial/testdata/project/config/certmanager/certificate.yaml#L18-L20
I'm not sure why the server throws an error.

- Mengqi

--
You received this message because you are subscribed to the Google Groups "kubebuilder" group.
To unsubscribe from this group and stop receiving emails from it, send an email to kubebuilder...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/kubebuilder/991de712-dcad-459b-bf8c-e9029d1ce0a6n%40googlegroups.com.

James Zhang

unread,
Aug 20, 2020, 8:04:50 PM8/20/20
to kubebuilder
Hi Mengqi,
Thanks for the response. I have created PR for the correction of the port number. 
Regarding to url, based on this doc [Service Reference] https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/,  it's in the format of "my-service-name.my-service-namespace.svc". (without cluster.local).

Thanks,
James

Jorge Lozano

unread,
Oct 12, 2021, 10:35:14 PM10/12/21
to kubebuilder

Can you please expand on how you made it work?  What do you mean by "now I added project-webhook-service.project-system.svc to certs, it works now."? 
I know it's been a long time but i am writing this just in case this post got you in a good mood and you feel like sharing your findings (in the case that you still remember) . 

Regards, 
Jorge

Yetkin Timocin

unread,
Sep 25, 2022, 1:10:04 PM9/25/22
to kubebuilder
Hi!

I am also stuck at the same point. When I run `kubectl create -f config/samples/batch_v1_cronjob.yaml`, I get the same error. Could you please let me know what you did to make it work?

Thanks,
Yetkin.

Reply all
Reply to author
Forward
0 new messages