UNCLASSIFIED - NO CUI


#37 : Disable the validating webhook and certificate controller

Andrew Kesterson requested to merge 37_disable_certcontroller_webhook into main

General MR

Summary

This MR disables the cert-controller and validating webhook in the default external-secrets operator deployment. This resolves the issue we've seen where the deployment will come up in an apparently healthy state but where resources cannot be created.

This MR includes the MR to deploy the wait job to detect this state and fail the deployment when it occurs.

Unfortunately we haven't yet been able to reliably determine why this is occurring. What we can say for sure is that the issue is in the way the cert-controller behaves in relation to the validating webhook and the certificates deployed to them. The only way we have found to reliably prevent this issue from occurring is to simply disable the cert-controller and the validating webhook.

Relevant logs/screenshots

Here is the result of this patch. Before this patch is applied, the wait job will reliably fail, which fails the release:

$ kubectl logs -n external-secrets external-secrets-wait-job-2h66j
---
Running wait.sh...
---
+ cat
+ kubectl apply -f clustersecretstore.yaml
Error from server (InternalError): error when creating "clustersecretstore.yaml": Internal error occurred: failed calling webhook "validate.secretstore.external-secrets.io": failed to call webhook: Post "https://external-secrets-webhook.external-secrets.svc:443/validate-external-secrets-io-v1beta1-secretstore?timeout=5s": proxy error from 127.0.0.1:6443 while dialing 10.42.0.5:10250, code 502: 502 Bad Gateway
+ [[ 1 -eq 0 ]]
+ exit 1

... And here is the result of running that same wait script with this patch (--set webhook.create=false --set certController.create=false):

Release "external-secrets" does not exist. Installing it now.
NAME: external-secrets
LAST DEPLOYED: Mon Nov 11 11:42:30 2024
NAMESPACE: external-secrets
STATUS: deployed
REVISION: 1
NOTES:
external-secrets has been deployed successfully in namespace external-secrets!

Linked Issue

Closes #37 (closed)

Upgrade Notices

If you are deploying any deprecated v1alpha1 custom resources, your deployment may break with this patch. Please upgrade resources to non-deprecated versions.

Edited by Andrew Kesterson
