
ECK Operator chart webhook secret name reference invalid #7771

Closed
gwvandesteeg opened this issue May 6, 2024 · 0 comments · Fixed by #7775
Labels: >bug Something isn't working, v2.13.0

gwvandesteeg commented May 6, 2024

Bug Report

Issues

  • documentation has no bearing on reality
  • values specified in the helm chart values don't get used

What did you do?

Create a Certificate that looks like this

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: elastic-webhook-server-cert
  namespace: elastic-operator
spec:
  dnsNames:
    - elastic-webhook-server.elastic-operator.svc
    - elastic-webhook-server.elastic-operator.svc.cluster.local
  issuerRef:
    kind: ClusterIssuer
    name: self-signed-cluster-issuer
  secretName: elastic-webhook-server-cert
  subject:
    organizationalUnits:
      - elastic-operator

Specified the name of the above certificate, elastic-webhook-server-cert, in the webhook.secret value (as used in the template and the chart templates). This also contradicts the documentation, which says to use webhook.certsSecret; that key is not used in the helm chart templates or helpers and does not exist in the values.yaml file, so it cannot be correct.

What did you expect to see?

Chart deployed and mounted with the specified TLS certificate

What did you see instead? Under which circumstances?

Pod fails to start

Describing the deployed pod we see

  Type     Reason       Age                    From               Message
  ----     ------       ----                   ----               -------
  Normal   Scheduled    9m57s                  default-scheduler  Successfully assigned elastic-operator/elastic-operator-0 to kind-worker2
  Warning  FailedMount  3m23s (x2 over 7m55s)  kubelet            Unable to attach or mount volumes: unmounted volumes=[cert], unattached volumes=[kube-api-access-sshpk conf cert]: timed out waiting for the condition
  Warning  FailedMount  104s (x12 over 9m57s)  kubelet            MountVolume.SetUp failed for volume "cert" : secret "elastic-operator-webhook-cert" not found
  Warning  FailedMount  67s (x2 over 5m38s)    kubelet            Unable to attach or mount volumes: unmounted volumes=[cert], unattached volumes=[conf cert kube-api-access-sshpk]: timed out waiting for the condition

This is caused by the templates using the helper function eck-operator.webhookSecretName, which doesn't look at the actually defined values. Digging through the helper functions we can see that they completely and utterly ignore the majority of settings actually set in values.yaml.

Environment

  • kind v0.22.0 go1.21.7 linux/amd64
  • kubernetes Server Version: v1.26.14
  • ECK operator chart v2.12
  • Kubernetes information:
$ kubectl version
Client Version: v1.30.0
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.26.14
WARNING: version difference between client (1.30) and server (1.26) exceeds the supported minor version skew of +/-1
  • Resource definition:
    See above

  • Logs:
    See above

If we look at the values.yaml and compare it to the _helpers.tpl we see that they don't line up, and when we check the statefulset.yaml template we see it uses the value from the helper, which leads to an incorrect configuration.

webhook:
  # enabled determines whether the webhook is installed.
  enabled: true
  # caBundle is the PEM-encoded CA trust bundle for the webhook certificate. Only required if manageCerts is false and certManagerCert is null.
  caBundle: Cg==
  # certManagerCert is the name of the cert-manager certificate to use with the webhook.
  certManagerCert: null
  # certsDir is the directory to mount the certificates.
  certsDir: "/tmp/k8s-webhook-server/serving-certs"
  # failurePolicy of the webhook.
  failurePolicy: Ignore
  # manageCerts determines whether the operator manages the webhook certificates automatically.
  manageCerts: true
  # namespaceSelector corresponds to the namespaceSelector property of the webhook.
  # Setting this restricts the webhook to act only on objects submitted to namespaces that match the selector.
  namespaceSelector: {}
  # objectSelector corresponds to the objectSelector property of the webhook.
  # Setting this restricts the webhook to act only on objects that match the selector.
  objectSelector: {}
  # port is the port that the validating webhook binds to.
  port: 9443
  # secret specifies the Kubernetes secret to be mounted into the path designated by the certsDir value to be used for webhook certificates.
  secret: ""

{{/*
Determine the name for the webhook secret
*/}}
{{- define "eck-operator.webhookSecretName" -}}
{{- if .Values.global.manifestGen -}}
elastic-webhook-server-cert
{{- else -}}
{{- $name := include "eck-operator.name" . -}}
{{ printf "%s-webhook-cert" $name | trunc 63 }}
{{- end -}}
{{- end -}}

{{- if .Values.webhook.enabled }}
- name: WEBHOOK_SECRET
  value: {{ include "eck-operator.webhookSecretName" . }}
{{- end }}

{{- if .Values.webhook.enabled }}
- mountPath: {{ .Values.webhook.certsDir }}
  name: cert
  readOnly: true
{{- end }}

volumes:
  - name: conf
    configMap:
      name: {{ include "eck-operator.fullname" . }}
  {{- if .Values.webhook.enabled }}
  - name: cert
    secret:
      defaultMode: 420
      secretName: {{ include "eck-operator.webhookSecretName" . }}
  {{- end }}
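To make the helper's behaviour concrete, here is an added example (my own code, not the chart's and not the issue author's) that renders the quoted eck-operator.webhookSecretName helper through Go's text/template with stand-ins for the Helm/Sprig functions it uses (include, trunc, default), next to a corrected variant that consults .Values.webhook.secret before falling back to the chart's defaults. The eck-operator.name body, the nameOverride: elastic-operator value and the simplified trunc/default implementations are assumptions made for this example, and the corrected helper is my proposal, not the change merged in #7775.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
)

// helperTemplates reproduces the "eck-operator.webhookSecretName" helper as quoted in
// the issue, plus a corrected variant that honours .Values.webhook.secret (this
// example's own proposal, not the chart's actual fix). "eck-operator.name" is a
// simplified stand-in for the chart's real name helper (assumption).
const helperTemplates = `
{{- define "eck-operator.name" -}}
{{ .Values.nameOverride | default .Chart.Name | trunc 63 }}
{{- end -}}

{{- define "eck-operator.webhookSecretName" -}}
{{- if .Values.global.manifestGen -}}
elastic-webhook-server-cert
{{- else -}}
{{- $name := include "eck-operator.name" . -}}
{{ printf "%s-webhook-cert" $name | trunc 63 }}
{{- end -}}
{{- end -}}

{{- define "eck-operator.webhookSecretNameFixed" -}}
{{- if .Values.webhook.secret -}}
{{ .Values.webhook.secret }}
{{- else if .Values.global.manifestGen -}}
elastic-webhook-server-cert
{{- else -}}
{{- $name := include "eck-operator.name" . -}}
{{ printf "%s-webhook-cert" $name | trunc 63 }}
{{- end -}}
{{- end -}}
`

// renderHelper parses the helpers with minimal replacements for the Helm "include"
// and Sprig "trunc"/"default" functions and renders one named helper to a string.
func renderHelper(name string, ctx map[string]any) (string, error) {
	root := template.New("_helpers.tpl")
	root.Funcs(template.FuncMap{
		"trunc": func(n int, s string) string { // Sprig: trunc N STRING
			if len(s) > n {
				return s[:n]
			}
			return s
		},
		"default": func(d, v string) string { // Sprig: default DEFAULT VALUE
			if v == "" {
				return d
			}
			return v
		},
		"include": func(tpl string, data any) (string, error) { // Helm: include NAME CONTEXT
			var buf bytes.Buffer
			if err := root.ExecuteTemplate(&buf, tpl, data); err != nil {
				return "", err
			}
			return buf.String(), nil
		},
	})
	if _, err := root.Parse(helperTemplates); err != nil {
		return "", err
	}
	var out bytes.Buffer
	if err := root.ExecuteTemplate(&out, name, ctx); err != nil {
		return "", err
	}
	return strings.TrimSpace(out.String()), nil
}

// chartContext builds the subset of Helm's template context (.Chart, .Values) that
// these helpers read. The values are constructed for this example; nameOverride is
// chosen so the rendered name matches the secret in the issue's FailedMount events.
func chartContext(webhookSecret string, manifestGen bool) map[string]any {
	return map[string]any{
		"Chart": map[string]any{"Name": "eck-operator"},
		"Values": map[string]any{
			"nameOverride": "elastic-operator",
			"global":       map[string]any{"manifestGen": manifestGen},
			"webhook":      map[string]any{"secret": webhookSecret},
		},
	}
}

// SecretNameAsShipped renders the helper exactly as quoted in the issue.
func SecretNameAsShipped(webhookSecret string, manifestGen bool) (string, error) {
	return renderHelper("eck-operator.webhookSecretName", chartContext(webhookSecret, manifestGen))
}

// SecretNameFixed renders the proposed helper that prefers .Values.webhook.secret.
func SecretNameFixed(webhookSecret string, manifestGen bool) (string, error) {
	return renderHelper("eck-operator.webhookSecretNameFixed", chartContext(webhookSecret, manifestGen))
}

func main() {
	const userSecret = "elastic-webhook-server-cert" // secretName of the cert-manager Certificate in the issue
	shipped, err := SecretNameAsShipped(userSecret, false)
	if err != nil {
		panic(err)
	}
	fixed, err := SecretNameFixed(userSecret, false)
	if err != nil {
		panic(err)
	}
	fmt.Printf("webhook.secret=%q\n  helper as shipped mounts: %s\n  corrected helper mounts:  %s\n", userSecret, shipped, fixed)
}
```

Rendering the helper as shipped with webhook.secret set yields elastic-operator-webhook-cert, the secret the kubelet could not find in the events above, while the user's elastic-webhook-server-cert never reaches the volume; the corrected variant mounts the user-named secret and only falls back to the manifestGen or name-derived defaults when webhook.secret is empty. One caveat from the values.yaml comments above: manageCerts controls whether the operator manages the webhook certificates itself, so a cert-manager-issued secret is normally paired with manageCerts: false rather than the default true.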

@botelastic botelastic bot added the triage label May 6, 2024
@pebrc pebrc added the >bug Something isn't working label May 6, 2024
@botelastic botelastic bot removed the triage label May 6, 2024
@pebrc pebrc added v2.13.0 and removed v2.14.0 labels May 6, 2024
@kvalliyurnatt kvalliyurnatt self-assigned this May 6, 2024