Remove CABundle from CRDs if the cert is invalid #800

Open
stefanprodan opened this issue Aug 14, 2024 · 0 comments
Labels
area/server-side-apply SSA related issues and pull requests

Comments

@stefanprodan
Member

stefanprodan commented Aug 14, 2024

Starting with Kubernetes 1.31, CRDs which have an invalid cert as the value of spec.conversion.webhook.clientConfig.caBundle are being rejected by the API. Since there are lots of CRDs with a dummy value for caBundle, these will fail to be reconciled even if cert-manager is configured to update the bundle to a valid one. To avoid this type of conflict, we should validate the bundle in the same way Kubernetes does it, and if the validation fails we need to remove the field from the SSA patch.

Xref:

@stefanprodan stefanprodan added the area/server-side-apply SSA related issues and pull requests label Aug 14, 2024