  1. Couchbase Kubernetes
  2. K8S-2843

Can't rotate expired admission controller certificate


Details

    • Bug
    • Resolution: Fixed
    • Major
    • .maintenance, 2.4.1
    • None
    • operator
    • None
    • 9 - Krakend, 10 - Krackeverlasting
    • 1

    Description

      Had an issue whereby the self-signed admission controller certificate on the mutating/validating webhook had expired and couldn't be rotated...because it was expired.

       

      After a few different approaches, Alex Emery tested and recommended:
      kubectl delete validatingwebhookconfigurations.admissionregistration.k8s.io couchbase-couchbase-admission-controller
      kubectl delete mutatingwebhookconfigurations.admissionregistration.k8s.io couchbase-couchbase-admission-controller
      kubectl delete secrets couchbase-couchbase-admission-controller
      helm upgrade couchbase couchbase/couchbase-operator
      Which worked smoothly.

      We should:

      a) document this as a workaround (for both Helm and non-Helm deployments)

      b) auto-renew the internal certificate on the webhook

      c) increase the Helm cert from 1 year to 10 like CAO does
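
      The failure in this ticket was a webhook certificate that expired unnoticed. As an added example (not part of the ticket and not Couchbase's code), the script below reports the expiry state of the CA bundle on both webhook configurations and of the serving certificate in the secret, using the resource names from the commands above. The secret data key `tls-cert-file` and the 30-day warning threshold are assumptions; override them through the environment.

```shell
#!/bin/sh
# Added example, not Couchbase's code. Resource names are the ones in the ticket.
NAME=${NAME:-couchbase-couchbase-admission-controller}
SECRET_KEY=${SECRET_KEY:-tls-cert-file}  # ASSUMPTION: secret data key of the serving cert
WARN_DAYS=${WARN_DAYS:-30}               # ASSUMPTION: alert threshold in days

# Read one PEM certificate on stdin; print ok, expiring, expired or unreadable.
# Only the first certificate of a bundle is examined.
pem_status() {
    pem=$(cat)
    if ! printf '%s\n' "$pem" | openssl x509 -noout >/dev/null 2>&1; then
        echo unreadable   # empty or non-PEM input, e.g. kubectl returned nothing
    elif ! printf '%s\n' "$pem" | openssl x509 -noout -checkend 0 >/dev/null 2>&1; then
        echo expired
    elif ! printf '%s\n' "$pem" | openssl x509 -noout \
            -checkend "$((WARN_DAYS * 86400))" >/dev/null 2>&1; then
        echo expiring
    else
        echo ok
    fi
}

# CA bundle the API server uses to verify the webhook ($1 = resource kind).
webhook_ca() {
    kubectl get "$1" "$NAME" \
        -o jsonpath='{.webhooks[0].clientConfig.caBundle}' | base64 -d
}

# Serving certificate held in the admission controller secret (current namespace).
serving_cert() {
    kubectl get secret "$NAME" -o jsonpath="{.data.$SECRET_KEY}" | base64 -d
}

# Print one status line per object; return non-zero unless every one is ok.
check_all() {
    rc=0
    for src in validatingwebhookconfigurations mutatingwebhookconfigurations secret; do
        case $src in
            secret) st=$(serving_cert | pem_status) ;;
            *)      st=$(webhook_ca "$src" | pem_status) ;;
        esac
        echo "$src/$NAME: $st"
        [ "$st" = ok ] || rc=1
    done
    return "$rc"
}

# Set CHECK_NOW=1 to run against the current kubectl context.
if [ "${CHECK_NOW:-}" = 1 ]; then check_all; fi
```

      A non-zero exit from `check_all` is the signal to schedule the delete-and-upgrade procedure above before the certificate lapses.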


          People

            Alex.emery Alex Emery
            perry Perry Krug