Details
-
Bug
-
Resolution: Fixed
-
Major
-
None
-
None
-
9 - Krakend, 10 - Krackeverlasting
-
1
Description
Had an issue whereby the self-signed admission controller certificate on the mutating/validating webhook had expired and couldn't be rotated...because it was expired.
After a few different approaches, Alex Emery tested and recommended:
kubectl delete validatingwebhookconfigurations.admissionregistration.k8s.io couchbase-couchbase-admission-controller
kubectl delete mutatingwebhookconfigurations.admissionregistration.k8s.io couchbase-couchbase-admission-controller
kubectl delete secrets couchbase-couchbase-admission-controller
helm upgrade couchbase couchbase/couchbase-operator
Which worked smoothly.
We should:
a) document this as a workaround (for both Helm and non-Helm deployments)
b) auto-renew the internal certificate on the webhook
c) increase the helm cert from 1 year to 10 like cao does
Attachments
For Gerrit Dashboard: K8S-2843 | ||||||
---|---|---|---|---|---|---|
# | Subject | Branch | Project | Status | CR | V |
185398,11 | K8S-2843: Allow extending webhook certs | master | couchbase-operator | Status: MERGED | +2 | +1 |