Following Quick Start, after setting up validation webhooks, API certificate is from untrusted authority, will not allow CR creation.

[birdiesanders]

Bug Report

What did you do?
I have followed the tutorial to the point where I have the webhooks for validating the cluster size. When attempting to apply the CR spec, the server replies with an internal error, stating that the certificate is signed by an unknown authority, and will not allow the application of said spec.
What did you expect to see?
It is expected that the operator will allow the CR spec to be applied, and create the demo memcached deployment.

What did you see instead? Under which circumstances?
X509: certificate signed by unknown authority

This is presented no matter what I do.

Environment

• operator-sdk version:

operator-sdk version: "v0.19.0", commit: "8e28aca60994c5cb1aec0251b85f0116cc4c9427"

• go version:

version: "go1.13.10 linux/amd64"

• Kubernetes version information:

kubernetes version: "v1.18.2" - k3s

• Kubernetes cluster kind:
  k3s 3 node
• Are you writing your operator in ansible, helm, or go?
  go
  Possible Solution

Additional context
The kustomize generated specs for the certificate creation took the variables as literals, so I had to manually change them to get the certificates to become valid for the operator internal URL at all.

[camilamacedo86]

Hi @birdiesanders,

We are working to make these docs better. To work with webhooks you need to have the cert-manager installed locally. Please follow this guide to install cert-mamager into cluster prior to deployment.

[birdiesanders]

I have the cert-manager installed and it works fine for provisioning LE carts.

[birdiesanders]

So, even though I had the requirement of cert-manager in place before my submission of this ticket, it has now been chalked up to a documentation issue and I am going to get no help in resolving the issue I am having?

[camilamacedo86]

Hi @birdiesanders.

I re-read all your comments. So, could you please provide the foollowing information?

1 - Did you apply the cert-manager exactly as described in here or you did other steps?
2 - Could you please provide the steps to reproduce your issue and the full stack of the issue faced?

Regards:

The kustomize generated specs for the certificate creation took the variables as literals, so I had to manually change them to get the certificates to become valid for the operator internal URL at all.

3. Could you please add how it was and what was changed? Also, could confirm that after your change it work for you or are you still facing the issue X509: certificate signed by unknown authority?

Also, it might be related to your environment. See k3s-io/k3s#1148.

[camilamacedo86]

Hi @birdiesanders,

I think you figure out the root cause of your problem already since it has been open for while waiting for further information

Also, it shows not be related to the SDK. In this way, I am closing this one. However, please feel free to ping us if you still needing help with it.