Skip to content
This repository has been archived by the owner on Sep 2, 2022. It is now read-only.

How to update the webhook certificate #356

Closed
elanv opened this issue Oct 23, 2020 · 6 comments
Closed

How to update the webhook certificate #356

elanv opened this issue Oct 23, 2020 · 6 comments
Assignees
@hongyegong

Comments

@elanv
Copy link
Contributor

elanv commented Oct 23, 2020
edited
Loading

Currently, cert-manager is not supported, so if the certificate expires, you need to manually update the webhook certificate. It would be helpful if a guide for updating the certificate was presented.
@hongyegong
Copy link
Contributor

Can you provide more information about certificate expiration issue? Like how long did you see it expires and what's the behavior after in your test?

A potential fix is to refresh certificate at certain interval but let's make sure we are solving the problem in a correct way.

@guruprasathT
Copy link
Contributor

guruprasathT commented Nov 12, 2020
edited
Loading

Sorry to interrupt in between. Yes it is expired after every 30 days.

https://flink-operator-webhook-service.importer.svc:443/mutate-flinkoperator-k8s-io-v1beta1-flinkcluster?timeout=30s: x509: certificate has expired or is not yet valid

And I believe it is due to openssl default expiration is set to 30 days.

https://github.com/GoogleCloudPlatform/flink-on-k8s-operator/blob/master/helm-chart/flink-operator/templates/generate-cert.yaml#L35-L38

i referred to here

@elanv
Copy link
Contributor Author

elanv commented Nov 12, 2020
edited
Loading

I couldn't create new FlinkCluster CR or update already created CR because default or validate webhook doesn't work when the certificate expires.

@kinderyj
Copy link
Contributor

kinderyj commented Nov 17, 2020
edited
Loading

One of the way to update the webhook certificate:
kubectl get job cert-job -n flink-operator-system -oyaml > cert-job.yaml
kubectl delete job cert-job -n flink-operator-system
kubectl apply -f cert-job.yaml
(delete the controller-id labels in the cert-job.yaml if needed)

One of the way to change the default expires days(30):

flink-on-k8s-operator/helm-chart/flink-operator/templates/generate-cert.yaml

Line 38 in 4f421e7

| openssl x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial -out ${tmpdir}/server-cert.pem 

    | openssl x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial -out ${tmpdir}/server-cert.pem
    > change to: 
    | openssl x509 -days 3650 -req -CA ca.crt -CAkey ca.key -CAcreateserial -out ${tmpdir}/server-cert.pem

@functicons
Copy link
Collaborator

+1 to make the expire days longer.

@kinderyj kinderyj mentioned this issue Nov 24, 2020
Merged
@guruprasathT guruprasathT mentioned this issue Dec 8, 2020
Open
@jamesclair jamesclair mentioned this issue Jun 29, 2021
Open
@sumchak1 sumchak1 mentioned this issue Jul 16, 2021
Open
@brunomrpx
Copy link

For those who don't use Helm Chart to install the operator, we solved this by deleting the webhook-server-cert secret:

$ kubectl delete secret webhook-server-cert -n flink-operator-system

And running a re-deploy:

$ make deploy

We've tried to run just the make webhook-cert, but the following error happens when deploying a job:

x509: certificate signed by unknown authority

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@hongyegong hongyegong

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@brunomrpx @hongyegong @kinderyj @guruprasathT @functicons @elanv