Self signed request is not accepted by kubernetes #32

Closed
alexnederlof opened this issue May 30, 2023 · 2 comments · Fixed by #31
Labels
bug Something isn't working

Comments

@alexnederlof

alexnederlof commented May 30, 2023

Your environment

Secret Injector Version: 1.0.1

1Password CLI Version:

Connect Server Version: n/a

Kubernetes Version: v1.26.4+k3s1

What happened?

  • Deployed injector through the helm template
  • Deployed a service that wants to inject secrets
  • Noticed no pods being scheduled
  • Found out the ReplicaSet is flagging a problem with the self-signed certificate of the webhook:

```
Error creating: Internal error occurred: failed calling webhook "secrets-injector.1password.com": failed to call webhook: Post "https://secrets-injector.one-password.svc:443/inject?timeout=10s": x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "1password.com")
```

The injector has the following logs:

```
http: TLS handshake error from 10.42.0.0:50982: remote error: tls: bad certificate
```

What did you expect to happen?

Pods to be scheduled, secrets to be injected

Steps to reproduce

On the latest K3s Kubernetes cluster
Deploy the helm chart (after fixing some bugs with it trying to be a hook 1Password/connect-helm-charts#150)
See the injector come online
Notice the logs mentioned above

Notes & Logs

Used the following test deployment:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tester
  namespace: optest
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: tester
  replicas: 1
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app.kubernetes.io/name: tester
        operator.1password.io/inject: "exporter"
    spec:
      containers:
        - name: exporter
          image: mendhak/http-https-echo
          imagePullPolicy: Always
          ports:
            - name: http
              containerPort: 8080
          env:
            - name: REFRESH_TOKEN
              value: "op://my-vault/xxx/credential"
            - name: OP_SERVICE_ACCOUNT_TOKEN
              valueFrom:
                secretKeyRef:
                  name: service-account
                  key: token
          livenessProbe:
            httpGet:
              path: /
              port: 8080
            initialDelaySeconds: 5
            periodSeconds: 10
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tester
  namespace: optest
---
apiVersion: v1
kind: Service
metadata:
  name: tester
  namespace: optest
  labels:
    app.kubernetes.io/name: tester
spec:
  selector:
    app.kubernetes.io/name: tester
  ports:
    - port: 80
      targetPort: http
      name: http
---
kind: Namespace
apiVersion: v1
metadata:
  name: optest
  labels:
    name: optest
    secrets-injection: enabled
```
@alexnederlof alexnederlof added the bug Something isn't working label May 30, 2023
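The two log lines in the report are the two ends of one failed TLS handshake: the API server (client) cannot chain the webhook's serving certificate to anything in the `caBundle` of its MutatingWebhookConfiguration, so it reports `x509: certificate signed by unknown authority` and sends a `bad certificate` alert, which the injector logs as `remote error: tls: bad certificate`. The following Go program is an added example, not code from the 1Password injector or this issue; it reproduces that failure offline and shows the check a cluster operator can apply: the SHA-256 fingerprint of the certificate in `caBundle` must equal the fingerprint of the certificate the webhook actually serves. The scenario it models (a redeployed injector that minted a fresh self-signed certificate while the webhook configuration still carries the old one) is an assumption made for illustration, not a cause stated in the issue; `webhookHost` is taken from the error message, and every function name is the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// webhookHost is the in-cluster service name the API server dials, as seen in the issue's error.
const webhookHost = "secrets-injector.one-password.svc"

// newSelfSignedCert mints a self-signed serving certificate for host, the way a webhook
// that provisions its own TLS material would at startup (constructed for this example).
func newSelfSignedCert(host string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed: the served leaf is its own trust anchor
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// fingerprint is the SHA-256 of the DER certificate: compare it between the decoded
// caBundle of the MutatingWebhookConfiguration and the certificate the service presents.
func fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// callWebhook plays the API server: it POSTs to a TLS server presenting `serving` while
// trusting only the certificates in caBundle, which is exactly what the caBundle field does.
func callWebhook(serving tls.Certificate, caBundle ...*x509.Certificate) error {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{serving}}
	srv.StartTLS()
	defer srv.Close()

	pool := x509.NewCertPool()
	for _, c := range caBundle {
		pool.AddCert(c)
	}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{
		RootCAs:    pool,
		ServerName: webhookHost, // verify against the service DNS name, not the loopback address
	}}}
	resp, err := client.Post(srv.URL+"/inject", "application/json", strings.NewReader("{}"))
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// isUnknownAuthority reports whether err is the verification failure quoted in the issue.
func isUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae) || (err != nil && strings.Contains(err.Error(), "unknown authority"))
}

func main() {
	// Assumed scenario: the injector was redeployed and minted a fresh certificate, but the
	// MutatingWebhookConfiguration still carries the caBundle of the previous one.
	oldCert, err := newSelfSignedCert(webhookHost)
	if err != nil {
		panic(err)
	}
	newCert, err := newSelfSignedCert(webhookHost)
	if err != nil {
		panic(err)
	}
	fmt.Println("caBundle fingerprint:", fingerprint(oldCert.Leaf))
	fmt.Println("served   fingerprint:", fingerprint(newCert.Leaf))
	fmt.Println("stale caBundle:", callWebhook(newCert, oldCert.Leaf)) // unknown authority
	fmt.Println("fresh caBundle:", callWebhook(newCert, newCert.Leaf)) // <nil>
}
```

On a real cluster the same comparison is `kubectl get mutatingwebhookconfiguration <name> -o jsonpath='{.webhooks[0].clientConfig.caBundle}' | base64 -d | openssl x509 -noout -fingerprint -sha256` against the fingerprint of the certificate in the injector's TLS secret; if they differ, the API server will fail every admission call with the error above, which explains why a pod template that carries the inject label never gets scheduled. When the client aborts the handshake it sends a `bad certificate` alert, so the server in this example logs the same `remote error: tls: bad certificate` line the injector did.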
@alexnederlof
Author

Workaround: delete the mutating webhook and the one password deployment. Then re-deploy and it might work the next time

@antoineco
Contributor

See #31
