webhook-create-signed-cert.sh and kubectl 1.10 + missing fields

[visheyra]

Kind: BUG

istioctl version

Version: 0.6.0
GitRevision: 2cb09cdf040a8573330a127947b11e5082619895
User: root@a28f609ab931
Hub: docker.io/istio
GolangVersion: go1.9
BuildStatus: Clean

kubectl version

Client Version: version.Info{Major:"1", Minor:"10+", GitVersion:"v1.10.0-rc.1", GitCommit:"2106a5910f6de3c07b8f329c7adaca38a0d3f825", GitTreeState:"clean", BuildDate:"2018-03-19T23:38:18Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"}

In kubectl 1.10+ version when you do a dry run then output it as yaml or json the following fields are missing: Kind, APIVersion

Since you just pipe the output to kubectl to apply the secret, it can happen because those mandatory fields are unset.

How to reproduce it:
You should have a kubectl client in 1.10+ at least and istio installedm then use this script to install the secret and vcertificate for the webhook => webhook-create-signed-cert.sh.

At this point you should see the following error:

error: error validating "STDIN": error validating data: [apiVersion not set, kind not set]; if you choose to ignore these errors, turn validation off with --validate=false

[jsenon]

Link to kubernetes/kubectl#384

[mikedoug]

I too ran into this problem, but worked around it for the time being by changing the bottom of the script to read:

# create the secret with CA cert and server cert/key
echo "apiVersion: v1" > ${tmpdir}/create-secret.yaml
echo "kind: Secret" >> ${tmpdir}/create-secret.yaml
kubectl create secret generic ${secret} \
        --from-file=key.pem=${tmpdir}/server-key.pem \
        --from-file=cert.pem=${tmpdir}/server-cert.pem \
        --dry-run -o yaml >> ${tmpdir}/create-secret.yaml
kubectl -n ${namespace} apply -f ${tmpdir}/create-secret.yaml

[jsenon]

It seems that bug is corrected in 1.10.1 beta, will be available soon on stable version

[linsun]

@ayj could you help triage this?

[linsun]

maybe this could be just a limitation to document in our istio.io for kubectl 1.10

[jsenon]

I think so, I can update docs if needed

[jsenon]

Still have issue with v1.10.1 beta

./kubectl.dms create secret generic toto -o yaml --dry-run
metadata:
  creationTimestamp: null
  name: toto

./kubectl.dms version
Client Version: version.Info{Major:"1", Minor:"10+", GitVersion:"v1.10.1-beta.0", GitCommit:"75861c097c6499acc662c1094b3e95de851bd87a", GitTreeState:"clean", BuildDate:"2018-03-26T17:27:29Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"darwin/amd64"}

[ayj]

istio/istio#4466 replaced the webhook scripts. Install is now more automatic and depends on Istio CA for cert provisioning.

cc @yusuoh

[jsenon]

Has mention by @nikhita : This was fixed in kubernetes/kubernetes#61808. This patch was cherry-picked into release-1.10 - kubernetes/kubernetes#61836.

[Vikash082]

I installed Istio today and getting same error.

[jsenon]

Have you kubectl in version 1.10?

[Vikash082]

Yes

kubectl version
Client Version: version.Info{Major:"1", Minor:"10", GitVersion:"v1.10.0", GitCommit:"fc32d2f3698e36b93322a3465f63a14e9f0eaead", GitTreeState:"clean", BuildDate:"2018-03-26T16:55:54Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"10", GitVersion:"v1.10.0", GitCommit:"fc32d2f3698e36b93322a3465f63a14e9f0eaead", GitTreeState:"clean", BuildDate:"2018-03-26T16:44:10Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"}

[jsenon]

You right, it's fixed on version 1.11

[Vikash082]

will only kubectl update will fix the issue ?

[Vikash082]

Don't see any version 1.11. Meanwhile, is there any work around ?

[jsenon]

Have you tested the workaround from @mikedoug ?

[Vikash082]

Thanks, it worked fine.

[sakshigoel12]

closing as @Vikash082 mentioned it is working. Please reopen if something is pending