liangrog / admission-webhook-server Goto Github PK

Hi , i am getting the below ssl handshake error. Pleaes suggest how to solve this.

installation step

helm upgrade --install admission-webhook-server  .  --recreate-pods

values.yaml

---
# Override resource name
#nameOverride

# Override url base path. Default to mutate
#basePathOverride:

# PodNodesSelector
# Override podnodeselector handler path. Default to pod-nodes-selector
#podNodesSelectorPathOverride:
# Confiruation for podnodesselector. The namespace and labels are set here following the format:
#   namespace: key=label,key=label; namespace2: key=label
#podNodesSelectorPathOverride:
# Confiruation for podnodesselector. The namespace and labels are set here following the format:
#  echoserver: deploymenttype=blue
# Note: Multiple namespaces seperate by ;
#
# Examples:
#   devel: node-role.kubernetes.io/development=true, beta.kubernetes.io/instance-type=t3.large
podNodesSelectorConfig:
  echoserver: deploymentType=blue

service:
  # the service is important. It forms part of the CN for SSL certificate.
  name: admission-webhook
  #type:
  annotations: {}

replicas: 1

strategy:
  type: RollingUpdate

image: liangrog/admission-webhook-server
imageTag: latest
imagePullPolicy: Always

http: TLS handshake error from 172.29.120.183:46270: remote error: tls: bad certificate

Here are the list of features/fixes are proposed for v1.1.0-rc:

DaemonSet:

• Distinguish daemonset pod so when daemonset get deployed to the designated namespace, only the nodes pinned to the namespace are being scheduled. The same daemonset's pods won't be schedule in other nodes causing 'pending' issue.
• Exclusion daemonset option so even daemonset can be deployed to the designated namespace but not pinned to the nodes.

Namespace configuration

• Provide option for default nodes regardless what namespace pods are deployed to. In addition, provide blacklist namespaces which will be disregarded. By Default, system namespaces such as kube-system are disregarded in this setting.
• Provide Namespace/node label configuration by adding annotation to namespace resource.
• Provide guarding only option, which will only check if nodeselector is defined with correct labelling, but not to change if misconfiguration found. It'll ailed the deployment so to enforce user to make sure nodeselector is inlined.

I installed "admission-webhook-server" by following the steps given in README.
Installation and normal functionality is working well but 1 side effect i observed is: When we create Daemonset in bound namespaces then pods for that daemonset stays in pending state.
Reason is it can not find nodeSelector label on the other nodes.

If there is any option to ignore node-binding for daemonsets then it will be really very helpful

I want it to be cluster wide.

admission-webhook-server is failing with following error :

2020/08/20 06:59:07 Registering handlers...                                                                                                                                       
2020/08/20 06:59:07 PodNodesSelector registered using path /mutate/pod-nodes-selector                                                                                             
2020/08/20 06:59:07 Starting admission webhook server...                                                                                                                          
2020/08/20 06:59:07 tls: failed to find any PEM data in certificate input

List of files generated after running ssl.sh script :

sh ssl.sh admission-webhook.tools.svc

ca.crt
ca.key
ca.srl
server.pem
tls.crt
tls.key

Namespace : tools already exist.

Following is helm installation command I used :

helm install . --name admission-webhook-server --namespace tools