UNCLASSIFIED - NO CUI

Skip to content

#37 : Add wait script to check for functional validating web hook

Andrew Kesterson requested to merge 37_wait_script into main

General MR

Summary

The ESO validating webhook usually (some days, constantly) comes up in an unhealthy state. Sometimes this is because the cert-controller has not yet delivered the appropriate certificates to the webhook pod and configured them in the validating webhook object. Sometimes if we wait long enough this condition settles itself. Sometimes it does not. This wait script prevents the scenario where the ESO helm release says it is finished, the pods report healthy, but the webhook is actually broken, so new resources cannot be added.

Relevant logs/screenshots

Release "external-secrets" does not exist. Installing it now.                                                                                                           
Error: failed post-install: 1 error occurred:                                                                                                                           
        * timed out waiting for the condition   

$ kubectl logs -n external-secrets external-secrets-wait-job-k2xvv
---
Running wait.sh...
---
+ cat
+ kubectl apply -f clustersecretstore.yaml
Error from server (InternalError): error when creating "clustersecretstore.yaml": Internal error occurred: failed calling webhook "validate.secretstore.external-secrets.io": failed to call webhook: Post "https://external-secrets-webhook.external-secrets.svc:443/validate-external-secrets-io-v1beta1-secretstore?timeout=5s": proxy error from 127.0.0.1:6443 while dialing 10.42.1.4:10250, code 502: 502 Bad Gateway
+ [[ 1 -eq 0 ]]
+ exit 1

Linked Issue

#37 (closed)

Upgrade Notices

N/A

Edited by Andrew Kesterson

Merge request reports