cert-manager: missing "caBundle" in ValidatingWebhookConfiguration

I try to apply manifest but validating webhook can not be created. With --validate=false it works fine

$ kubectl apply -f https://raw.githubusercontent.com/jetstack/cert-manager/master/deploy/manifests/cert-manager.yaml
serviceaccount/cert-manager-webhook created
serviceaccount/cert-manager configured
clusterrole.rbac.authorization.k8s.io/cert-manager configured
clusterrolebinding.rbac.authorization.k8s.io/cert-manager configured
clusterrole.rbac.authorization.k8s.io/cert-manager-view created
clusterrole.rbac.authorization.k8s.io/cert-manager-edit created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-webhook:auth-delegator created
rolebinding.rbac.authorization.k8s.io/cert-manager-webhook:webhook-authentication-reader created
clusterrole.rbac.authorization.k8s.io/cert-manager-webhook:webhook-requester created
service/cert-manager-webhook created
deployment.apps/cert-manager-webhook created
deployment.apps/cert-manager configured
cronjob.batch/cert-manager-webhook-ca-sync created
job.batch/cert-manager-webhook-ca-sync created
configmap/cert-manager-webhook-ca-sync created
serviceaccount/cert-manager-webhook-ca-sync created
clusterrole.rbac.authorization.k8s.io/cert-manager-webhook-ca-sync created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-webhook-ca-sync created
apiservice.apiregistration.k8s.io/v1beta1.admission.certmanager.k8s.io created
issuer.certmanager.k8s.io/cert-manager-webhook-selfsign created
certificate.certmanager.k8s.io/cert-manager-webhook-ca created
issuer.certmanager.k8s.io/cert-manager-webhook-ca created
certificate.certmanager.k8s.io/cert-manager-webhook-webhook-tls created
error: error validating "https://raw.githubusercontent.com/jetstack/cert-manager/master/deploy/manifests/cert-manager.yaml": error validating data: [ValidationError(ValidatingWebhookConfiguration.webhooks[0].clientConfig): missing required field "caBundle" in io.k8s.api.admissionregistration.v1beta1.WebhookClientConfig, ValidationError(ValidatingWebhookConfiguration.webhooks[1].clientConfig): missing required field "caBundle" in io.k8s.api.admissionregistration.v1beta1.WebhookClientConfig, ValidationError(ValidatingWebhookConfiguration.webhooks[2].clientConfig): missing required field "caBundle" in io.k8s.api.admissionregistration.v1beta1.WebhookClientConfig]; if you choose to ignore these errors, turn validation off with --validate=false

About this issue

  • Original URL
  • State: closed
  • Created 6 years ago
  • Reactions: 15
  • Comments: 21 (1 by maintainers)

Most upvoted comments

Thanks @rrichardson Adding empty string for caBundle helps:

diff --git a/deploy/manifests/cert-manager.yaml b/deploy/manifests/cert-manager.yaml
index 7a2d3a63..d965256c 100644
--- a/deploy/manifests/cert-manager.yaml
+++ b/deploy/manifests/cert-manager.yaml
@@ -595,6 +595,7 @@ webhooks:
         name: kubernetes
         namespace: default
         path: /apis/admission.certmanager.k8s.io/v1beta1/certificates
+      caBundle: ""
   - name: issuers.admission.certmanager.k8s.io
     namespaceSelector:
       matchExpressions:
@@ -622,6 +623,7 @@ webhooks:
         name: kubernetes
         namespace: default
         path: /apis/admission.certmanager.k8s.io/v1beta1/issuers
+      caBundle: ""
   - name: clusterissuers.admission.certmanager.k8s.io
     namespaceSelector:
       matchExpressions:
@@ -649,4 +651,4 @@ webhooks:
         name: kubernetes
         namespace: default
         path: /apis/admission.certmanager.k8s.io/v1beta1/clusterissuers
-
+      caBundle: ""
+6
r0bj on Dec 17, 2018

Solved upgrading Helm to 2.14.1 (both client and server)

Reference:

+4
nico282 on Jun 18, 2019

Still happening, also when using helm as per docs

helm install \ --name cert-manager \ --namespace cert-manager \ --version v0.7.2 \ jetstack/cert-manager

disabling webhooks helps

+4
andrei-dascalu on May 19, 2019

/reopen

I’m seeing this as well on

Client Version: version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.2", GitCommit:"66049e3b21efe110454d67df4fa62b08ea79a19b", GitTreeState:"clean", BuildDate:"2019-05-16T16:23:09Z", GoVersion:"go1.12.5", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"12", GitVersion:"v1.12.7", GitCommit:"6f482974b76db3f1e0f5d24605a9d1d38fad9a2b", GitTreeState:"clean", BuildDate:"2019-03-25T02:41:57Z", GoVersion:"go1.10.8", Compiler:"gc", Platform:"linux/amd64"}```
```$ helm version
2019/05/29 02:32:48.168301 main.go:220: WARNING: cannot create syslog logger
Client: &version.Version{SemVer:"v2.14.0", GitCommit:"05811b84a3f93603dd6c2fcfe57944dfa7ab7fd0", GitTreeState:"clean"}
Server: &version.Version{SemVer:"v2.14.0", GitCommit:"05811b84a3f93603dd6c2fcfe57944dfa7ab7fd0", GitTreeState:"clean"}
+1
WebSpider on May 29, 2019
Read more comments on GitHub
← cert-manager: message: Certificate does not exist
cert-manager: Multi-domain wildcard certificate validation fails when using DNS delegation →