policy-webhook-certs secrets are not getting created #41

Closed
MageshSrinivasulu opened this issue Jun 17, 2022 · 7 comments
Labels
question Further information is requested

MageshSrinivasulu commented Jun 17, 2022

Can someone please provide details on how these secrets are getting populated? In my case it's not showing. webhook-certs are working fine.

policy-webhook-certs:

```
kubectl describe secret policy-webhook-certs
Name:         policy-webhook-certs
Labels:       app.kubernetes.io/instance=policy-controller
              app.kubernetes.io/managed-by=Helm
              app.kubernetes.io/name=policy-controller
              app.kubernetes.io/version=1.9.0
              control-plane=policy-controller-policy-webhook
              helm.sh/chart=policy-controller-0.1.25
Annotations:  meta.helm.sh/release-name: policy-controller

Type:  Opaque

Data
====
```

webhook-certs:

```
kubectl describe secret webhook-certs
Name:         webhook-certs
Labels:       app.kubernetes.io/instance=policy-controller
              app.kubernetes.io/managed-by=Helm
              app.kubernetes.io/name=policy-controller
              app.kubernetes.io/version=1.9.0
              control-plane=policy-controller-webhook
              helm.sh/chart=policy-controller-0.1.25
Annotations:  meta.helm.sh/release-name: policy-controller

Type:  Opaque

Data
====
server-cert.pem:  794 bytes
server-key.pem:   241 bytes
ca-cert.pem:      855 bytes
```

MageshSrinivasulu added the question (Further information is requested) label Jun 17, 2022

@hectorj2f
Collaborator

@MageshSrinivasulu could you explain how you install the code? I haven’t experienced the certificates issues when using ko to apply the code in main.

On the other hand, the certificate generation is done via https://knative.dev/docs/serving/using-auto-tls/

@MageshSrinivasulu
Author

@hectorj2f I am just performing helm install on this https://github.com/sigstore/helm-charts/tree/main/charts/policy-controller. I didn't make any specific changes to helm values.

@hectorj2f
Collaborator

@MageshSrinivasulu I have faced this issue before, we might be hitting a race condition. We will need to replicate it. Perhaps you could delete/install it again including the resources in that namespace. Are you installing it on kind?

@MageshSrinivasulu
Author

MageshSrinivasulu commented Jun 17, 2022

> @MageshSrinivasulu I have faced this issue before, we might be hitting a race condition. We will need to replicate it. Perhaps you could delete/install it again including the resources in that namespace. Are you installing it on kind?

@hectorj2f When you say delete/install, it's only policy-controller, right? Not the other resources in that namespace. I have tried it multiple times but it's the same.

We are installing it on AKS using Terraform

@hectorj2f
Collaborator

@MageshSrinivasulu I remember discussing with you this issue in our helm-charts repo. I am sharing a gist of it here sigstore/helm-charts#217:

The certificates are not created because the leases (kubectl get leases) are not cleaned up for the webhooks. I managed to reproduce it by installing and deleting the chart.

I feel the solution could be one of these three:

* delete the namespace where you installed the policy-controller chart when uninstalling it, if possible.
* delete the leases before every re-installation.
* wait until the leases expire (approx. 10min after creation)
* create your own certs instead of relying on the auto-TLS
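A diagnostic for the leftover-lease situation described in the comment above, added here as an illustration and not code from the policy-controller project or from the commenters: it takes the JSON printed by `kubectl get secret policy-webhook-certs -o json` and `kubectl get leases -o json`, then reports the missing certificate keys and any lease older than the secret. Lease names, holder names and timestamps in the sample are constructed placeholders, and treating "lease created before the Helm-created secret" as "left over from a previous install" is an assumption.

```python
import json
from datetime import datetime, timedelta, timezone

# Keys present in the healthy webhook-certs secret shown in this issue.
EXPECTED_KEYS = ("server-cert.pem", "server-key.pem", "ca-cert.pem")

def parse_ts(value):
    """Parse a Kubernetes RFC 3339 timestamp such as 2022-06-17T10:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def missing_keys(secret):
    """Return the expected keys that are absent or empty in a Secret object."""
    data = secret.get("data") or {}
    return [k for k in EXPECTED_KEYS if not data.get(k)]

def leftover_leases(lease_list, secret, now):
    """Find leases older than the Secret, i.e. older than the current install.

    Returns (name, holderIdentity, unexpired) tuples; unexpired means
    renewTime + leaseDurationSeconds is still in the future.
    """
    installed = parse_ts(secret["metadata"]["creationTimestamp"])
    found = []
    for lease in lease_list.get("items", []):
        meta, spec = lease["metadata"], lease.get("spec", {})
        if parse_ts(meta["creationTimestamp"]) >= installed:
            continue  # created by the current install
        renew = spec.get("renewTime")
        ttl = timedelta(seconds=spec.get("leaseDurationSeconds") or 0)
        unexpired = bool(renew) and parse_ts(renew) + ttl > now
        found.append((meta["name"], spec.get("holderIdentity"), unexpired))
    return found

# Constructed sample input (names and timestamps are placeholders).
SAMPLE_SECRET = json.loads("""{"metadata": {"name": "policy-webhook-certs",
  "creationTimestamp": "2022-06-17T10:00:00Z"}, "type": "Opaque"}""")
SAMPLE_LEASES = json.loads("""{"items": [
 {"metadata": {"name": "example-lease-a", "creationTimestamp": "2022-06-17T09:40:00Z"},
  "spec": {"holderIdentity": "old-pod-1", "leaseDurationSeconds": 60,
           "renewTime": "2022-06-17T09:59:30.000000Z"}},
 {"metadata": {"name": "example-lease-b", "creationTimestamp": "2022-06-17T09:40:00Z"},
  "spec": {"holderIdentity": "old-pod-2", "leaseDurationSeconds": 60,
           "renewTime": "2022-06-17T09:45:00.000000Z"}},
 {"metadata": {"name": "example-lease-c", "creationTimestamp": "2022-06-17T10:00:05Z"},
  "spec": {"holderIdentity": "new-pod", "leaseDurationSeconds": 60,
           "renewTime": "2022-06-17T10:00:08.000000Z"}}]}""")
SAMPLE_NOW = datetime(2022, 6, 17, 10, 0, 10, tzinfo=timezone.utc)

if __name__ == "__main__":
    print("missing keys:", missing_keys(SAMPLE_SECRET))
    for row in leftover_leases(SAMPLE_LEASES, SAMPLE_SECRET, SAMPLE_NOW):
        print("leftover lease:", row)
```

Other workloads in the same namespace may own older leases of their own, so review the reported names before deleting anything.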

@hectorj2f
Collaborator

Closing the issue for now. Feel free to re-open it.

@gustavoromerobenitez

gustavoromerobenitez commented Mar 31, 2023

This issue is still present. The policy-webhook-certs secret contains no data and despite deleting the namespace and re-installing the helm chart, the issue re-appears.

The policy-webhook crashes with this error:

```
http: TLS handshake error from <NodeIP>:<EphemeralPort>: tls: no certificates configured
```

policy-controller AppVersion: 0.7.0
policy-controller Helm Chart version: 0.5.4
Kubernetes (GKE) version: 1.24.9-gke.3200
