[prometheus-operator-admission-webhook] issuerRef needs to be an object #5284

Merged
merged 4 commits into from
Feb 6, 2025

@shin71 shin71 commented Feb 6, 2025

Problem

issuerRef was failing schema validation. It was expecting a string instead of an object.

scope of the PR

changes the type from string to object in the values.schema.json

Problem origin

trying this

certManager:
  enabled: true
  ## issuerRef references an existing issuer for the webhook certificate.
  ## An issuer represents a certificate issuing authority.
  ## If not set, new issuers will be created.
  ## ref. https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.Issuer
  issuerRef:
    name: rootca-for-sandbox-issuer
    kind: ClusterIssuer
  ## rootCert allows setting certificate's lifetime when creating an issuer, defaults to 5y
  rootCert: {}
    # duration: "43800h0m0s"
  ## webhookCert allows setting webhook certificate's lifetime, defaults to 1y
  webhookCert: {}
    # duration: "8760h0m0s"

Result on applying

shivansh.singla@NRHN958E MSYS ~/Desktop/terraform-req/prometheus (main)
$ helm upgrade --install prometheus-operator-admission-webhook prometheus-community/prometheus-operator-admission-webhook --values webhook-values.yaml
coalesce.go:289: warning: destination for prometheus-operator-admission-webhook.certManager.issuerRef is a table. Ignoring non-table value ()
Error: UPGRADE FAILED: values don't meet the specifications of the schema(s) in the following chart(s):
prometheus-operator-admission-webhook:
- certManager.issuerRef: Invalid type. Expected: string, given: object

So I tried giving just a string with the cluster-issuer name:

certManager:
  enabled: true
  ## issuerRef references an existing issuer for the webhook certificate.
  ## An issuer represents a certificate issuing authority.
  ## If not set, new issuers will be created.
  ## ref. https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.Issuer
  issuerRef: "root-ca-for-sandbox-issuer"

I didn't receive a schema validation error, but it generated the wrong template:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: prometheus-operator-admission-webhook-cert
  namespace: monitoring
spec:
  secretName: prometheus-operator-admission-webhook-cert
  duration: "8760h0m0s"
  issuerRef:
    root-ca-for-sandbox-issuer
  dnsNames:
  - prometheus-operator-admission-webhook
  - prometheus-operator-admission-webhook.monitoring
  - prometheus-operator-admission-webhook.monitoring.svc

I also get an error from webhook of cert-manager

shivansh.singla@NRHN958E MSYS ~/Desktop/terraform-req/prometheus (main)
$ helm upgrade --install prometheus-operator-admission-webhook prometheus-community/prometheus-operator-admission-webhook --values webhook-values.yaml
Error: UPGRADE FAILED: failed to create resource: Certificate.cert-manager.io "prometheus-operator-admission-webhook-cert" is invalid: spec.issuerRef: Invalid value: "string": spec.issuerRef in body must be of type object: "string"

Temporary Solution

values.yaml

certManager:
  enabled: true
  ## issuerRef references an existing issuer for the webhook certificate.
  ## An issuer represents a certificate issuing authority.
  ## If not set, new issuers will be created.
  ## ref. https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.Issuer
  issuerRef:
    name: rootca-for-sandbox-issuer
    kind: ClusterIssuer
  ## rootCert allows setting certificate's lifetime when creating an issuer, defaults to 5y
  rootCert: {}
    # duration: "43800h0m0s"
  ## webhookCert allows setting webhook certificate's lifetime, defaults to 1y
  webhookCert: {}
    # duration: "8760h0m0s"

Template generated with skip-schema-validation flag

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: prometheus-operator-admission-webhook-cert
  namespace: monitoring
spec:
  secretName: prometheus-operator-admission-webhook-cert
  duration: "8760h0m0s"
  issuerRef:
    kind: ClusterIssuer
    name: rootca-for-sandbox-issuer
  dnsNames:
  - prometheus-operator-admission-webhook
  - prometheus-operator-admission-webhook.monitoring
  - prometheus-operator-admission-webhook.monitoring.svc

apply with skip-schema-validation

shivansh.singla@NRHN958E MSYS ~/Desktop/terraform-req/prometheus (main)
$ helm upgrade --install prometheus-operator-admission-webhook prometheus-community/prometheus-operator-admission-webhook --values webhook-values.yaml --skip-schema-validation
coalesce.go:289: warning: destination for prometheus-operator-admission-webhook.certManager.issuerRef is a table. Ignoring non-table value ()
Release "prometheus-operator-admission-webhook" has been upgraded. Happy Helming!
NAME: prometheus-operator-admission-webhook
LAST DEPLOYED: Thu Feb  6 16:48:00 2025
NAMESPACE: default
STATUS: deployed
REVISION: 11
TEST SUITE: None
NOTES:
See https://prometheus-operator.dev/docs/user-guides/webhook/ for more information on the admission webhook.

1. Get the webhook's URL by running these commands:

  export POD_NAME="$(kubectl get pods --namespace monitoring -l "app.kubernetes.io/name=prometheus-operator-admission-webhook,app.kubernetes.io/instance=prometheus-operator-admission-webhook" -o jsonpath="{.items[0].metadata.name}")"



  export POD_NAME="$(kubectl get pods --namespace monitoring -l "app.kubernetes.io/name=prometheus-operator-admission-webhook,app.kubernetes.io/instance=prometheus-operator-admission-webhook" -o jsonpath="{.items[0].metadata.name}")"
  export CONTAINER_PORT="$(kubectl get pod --namespace monitoring $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")"

2. Set port forwarding:

   kubectl --namespace monitoring port-forward $POD_NAME 8080:$CONTAINER_PORT

3. Verify the admission-webhook's deployment by checking its health endpoint by command

   curl -k https://127.0.0.1:8080/healthz

   JSON-formatted "status: up" is expected at that point.

Permanent solution

The permanent solution is to change the type from string to object for issuerRef in values.schema.json, which is also the scope of the PR.
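
Added example, not part of the PR or the chart: a small standard-library Python check that runs the two values shapes tried above against a string-typed and an object-typed schema, and against cert-manager's requirement that `spec.issuerRef` be an object. Both schema fragments, including the property list and `additionalProperties` in the new one, are assumptions; the chart's actual values.schema.json is not shown here.

```python
"""Added example: a string-typed issuerRef schema rejects the only shape cert-manager accepts."""

# Constructed schema fragments (assumptions, not the chart's real values.schema.json).
OLD_SCHEMA = {"type": "string"}  # matches "Expected: string, given: object"
NEW_SCHEMA = {
    "type": "object",
    "properties": {
        "name": {"type": "string"},
        "kind": {"type": "string"},
        "group": {"type": "string"},
    },
    "additionalProperties": False,  # assumed tightening: catches misspelled keys
}

JSON_TYPES = {"string": str, "object": dict}
TYPE_NAMES = {str: "string", dict: "object"}


def validate(value, schema, path="certManager.issuerRef"):
    """Check value against the JSON Schema subset used above; return a list of errors."""
    expected = schema.get("type")
    if expected and not isinstance(value, JSON_TYPES[expected]):
        given = TYPE_NAMES.get(type(value), type(value).__name__)
        return [f"{path}: Invalid type. Expected: {expected}, given: {given}"]
    errors = []
    if isinstance(value, dict):
        props = schema.get("properties", {})
        for key, sub in value.items():
            if key in props:
                errors += validate(sub, props[key], f"{path}.{key}")
            elif schema.get("additionalProperties") is False:
                errors.append(f"{path}: additional property {key} is not allowed")
    return errors


def crd_accepts(value):
    """cert-manager needs spec.issuerRef to be an object that carries a name."""
    return isinstance(value, dict) and bool(value.get("name"))


# The two shapes tried in the PR description.
AS_OBJECT = {"name": "rootca-for-sandbox-issuer", "kind": "ClusterIssuer"}
AS_STRING = "root-ca-for-sandbox-issuer"

if __name__ == "__main__":
    for label, schema in (("old", OLD_SCHEMA), ("new", NEW_SCHEMA)):
        for value in (AS_OBJECT, AS_STRING):
            print(label, repr(value), validate(value, schema), "CRD ok:", crd_accepts(value))
```

With the old schema the chart-side check and the cert-manager check can never both pass, which is why the only way to install was to skip schema validation altogether.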

The issuerRef has to be an object 

Signed-off-by: Shivansh Singla <88245670+shin71@users.noreply.github.com>
Signed-off-by: Shivansh Singla <88245670+shin71@users.noreply.github.com>
@shin71 shin71 requested a review from zeritti as a code owner February 6, 2025 11:43
@zeritti zeritti left a comment

Thank you, @shin71, for your PR. Please, change also type of certManager.issuerRef in values.yaml to an object.

defining issuerRef in values.yaml

Signed-off-by: Shivansh Singla <88245670+shin71@users.noreply.github.com>
shin71 commented Feb 6, 2025

> Thank you, @shin71, for your PR. Please, change also type of certManager.issuerRef in values.yaml to an object.

changed

Signed-off-by: Shivansh Singla <88245670+shin71@users.noreply.github.com>
@zeritti zeritti left a comment

Thank you, LGTM.

@zeritti zeritti merged commit 5527175 into prometheus-community:main Feb 6, 2025
5 checks passed