ingress-nginx: apply ingress rule error after install ingress-nginx: x509 certificate is not valid ingress-nginx-controller-admission.ingress-nginx.svc

k8s cluster installed by binary (I also tried v1.18.0)
[root@m-etc-1 ssl-nginx-webhook]# kubectl get no
NAME      STATUS   ROLES    AGE   VERSION
m-etc-1   Ready    <none>   20h   v1.18.6
m-etc-2   Ready    <none>   20h   v1.18.6
m-etc-3   Ready    <none>   20h   v1.18.6
n-1       Ready    <none>   20h   v1.18.6
n-2       Ready    <none>   20h   v1.18.6
n-3       Ready    <none>   20h   v1.18.6
slb-1     Ready    <none>   20h   v1.18.6
slb-2     Ready    <none>   20h   v1.18.6


and calico install is ok
and coredns install is OK
and ingress-nginx install is OK  
ingress-nginx deploy file:
https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider//baremetal/deploy.yaml

[root@m-etc-1 cfg]# kubectl api-versions | grep admissionregistration.k8s.io
admissionregistration.k8s.io/v1
admissionregistration.k8s.io/v1beta1

AND:  --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,PersistentVolumeClaimResize,PodPreset 


[root@m-etc-1 ssl-nginx-webhook]# kubectl get all -n ingress-nginx
NAME                                       READY   STATUS      RESTARTS   AGE
pod/ingress-nginx-admission-create-v27qd   0/1     Completed   0          20h
pod/ingress-nginx-admission-patch-599bf    0/1     Completed   0          20h
pod/ingress-nginx-controller-dsg2j         1/1     Running     1          14h
pod/ingress-nginx-controller-jwjxk         1/1     Running     1          14h

NAME                                         TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)          AGE
service/ingress-nginx-controller             ClusterIP   10.244.81.145    <none>        80/TCP,443/TCP   20h
service/ingress-nginx-controller-admission   ClusterIP   10.244.170.231   <none>        443/TCP          20h

NAME                                      DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR   AGE
daemonset.apps/ingress-nginx-controller   2         2         2       2            2           in=ingress      20h

NAME                                       COMPLETIONS   DURATION   AGE
job.batch/ingress-nginx-admission-create   1/1           5s         20h
job.batch/ingress-nginx-admission-patch    1/1           5s         20h

I try to apply an ingress rule, but I get an error:
[root@m-etc-1 ~]# kubectl apply -f ingress-nginx.yml
Error from server (InternalError): error when creating "ingress-nginx.yml": Internal error occurred: failed calling webhook "validate.nginx.ingress.kubernetes.io": Post https://ingress-nginx-controller-admission.ingress-nginx.svc:443/extensions/v1beta1/ingresses?timeout=30s: x509: certificate is valid for kubernetes, kubernetes.default, kubernetes.default.svc, kubernetes.default.svc.cluster, kubernetes.default.svc.cluster.local, not ingress-nginx-controller-admission.ingress-nginx.svc

WHY???

About this issue

  • State: closed
  • Created 4 years ago
  • Reactions: 7
  • Comments: 36

Most upvoted comments

My fix for this issue without deleting the validatingwebhookconfigurations. Inspired by https://github.com/kubernetes/ingress-nginx/issues/5968#issuecomment-700287814

CA=$(kubectl -n ingress-nginx get secret ingress-nginx-admission -ojsonpath='{.data.ca}')
kubectl patch validatingwebhookconfigurations ingress-nginx-admission --type='json' -p='[{"op": "add", "path": "/webhooks/0/clientConfig/caBundle", "value":"'$CA'"}]'

kubectl delete -A ValidatingWebhookConfiguration ingress-nginx-admission

I am seeing this problem also:

Internal error occurred: failed calling webhook "validate.nginx.ingress.kubernetes.io": Post "https://ingress-nginx-controller-admission.kube-system.svc:443/extensions/v1beta1/ingresses?timeout=30s": x509: certificate signed by unknown authority

This is in minikube with Ingress-nginx installed using minikube addons enable ingress

I can ‘resolve’ it using kubectl delete -A ValidatingWebhookConfiguration ingress-nginx-admission but this does not seem like a solution, it's just a hack to get it working.

Borrowing from answers above, here’s what resolved this for me. Issue started when I deleted an entire namespace that had contained nginx-ingress, and then tried to reinstall everything via helm. Kept getting upon helm upgrade --install:

Error: UPGRADE FAILED: failed to create resource: Internal error occurred: failed calling webhook "validate.nginx.ingress.kubernetes.io": Post "https://foobar-ingress-nginx-controller-admission.foobar.svc:443/networking/v1beta1/ingresses?timeout=10s": x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "nil1")

Solution:

# Find name of the ingress-nginx-admission resource
kubectl get -A ValidatingWebhookConfiguration
# Delete it
kubectl delete -A ValidatingWebhookConfiguration <name>
# Example:
kubectl delete -A ValidatingWebhookConfiguration foobar-ingress-nginx-admission

@liminghua999 can you please check if the output of these two commands match?

$ kubectl -n ingress-nginx get validatingwebhookconfigurations ingress-nginx-admission -ojsonpath='{.webhooks[0].clientConfig.caBundle}'

$ kubectl -n ingress-nginx get secret ingress-nginx-admission -ojsonpath='{.data.ca}'

Should we reach a conclusion about the root cause? and how can this be avoided in the future?

I’m encountering this issue, and I don’t have a valid workaround, because my ingress-nginx is deployed with fluxcd, so every time I delete the ValidatingWebhookConfiguration, it is recreated.

I am not sure if it’s related, but I followed @costela’s instructions, and this command has no output:

kubectl -n ingress-nginx get validatingwebhookconfigurations ingress-nginx-admission -ojsonpath='{.webhooks[0].clientConfig.caBundle}'

This command

kubectl -n ingress-nginx get validatingwebhookconfigurations ingress-nginx-admission -ojsonpath='{.webhooks[0].clientConfig}'

shows

{"service":{"name":"ingress-nginx-controller-admission","namespace":"ingress-nginx","path":"/networking/v1beta1/ingresses","port":443}}

Is this the problem, no caBundle? Can someone help solve this?

Or is there a workaround to delete the ValidatingWebhookConfiguration from the source yaml, which I took from here? Can someone explain how exactly to do that?
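The check costela asks for above (does the caBundle in the ValidatingWebhookConfiguration match the CA in the ingress-nginx-admission secret?) and the "no caBundle at all" case just described can be reproduced offline. The Go program below is an added example, not code from the issue or from ingress-nginx: CheckWebhookCert replays what the API server does when it calls the webhook (build a trust pool from the base64 caBundle, then verify the serving cert against it for the .svc name), and NewCertPair is a constructed fixture; both names and the webhookHost constant are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// The name the API server dials for the webhook, taken from the error in the issue.
const webhookHost = "ingress-nginx-controller-admission.ingress-nginx.svc"

// CheckWebhookCert replays the API server's TLS check offline. caBundleB64 is the base64
// value at .webhooks[0].clientConfig.caBundle, certPEM the webhook's serving cert. A missing or
// mismatched bundle gives x509.UnknownAuthorityError; a cert without the .svc SAN, x509.HostnameError.
func CheckWebhookCert(caBundleB64 string, certPEM []byte, host string) error {
	caPEM, err := base64.StdEncoding.DecodeString(caBundleB64)
	block, _ := pem.Decode(certPEM)
	if err != nil || block == nil {
		return errors.New("caBundle is not base64 or serving cert is not PEM")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AppendCertsFromPEM(caPEM) // an empty bundle leaves the pool empty
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// NewCertPair builds a throwaway CA and a leaf it signs with san as DNS name (constructed fixture).
func NewCertPair(san string) (caPEM, leafPEM []byte) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "admission-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: san},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), DNSNames: []string{san}}
	caDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, caPub, caKey)
	leafDER, _ := x509.CreateCertificate(rand.Reader, leaf, ca, leafPub, caKey) // template doubles as parent
	toPEM := func(der []byte) []byte { return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}) }
	return toPEM(caDER), toPEM(leafDER)
}
```

Feed it the two jsonpath outputs from a real cluster (the caBundle string as-is, the secret's cert after base64 -d) and the error class tells you whether the bundle is stale or missing, or whether the wrong certificate is being served.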

My fix for this issue without deleting the validatingwebhookconfigurations. Inspired by #5968 (comment)

CA=$(kubectl -n ingress-nginx get secret ingress-nginx-admission -ojsonpath='{.data.ca}')
kubectl patch validatingwebhookconfigurations ingress-nginx-admission --type='json' -p='[{"op": "add", "path": "/webhooks/0/clientConfig/caBundle", "value":"'$CA'"}]'

I faced the same issue after having killed the Ingress controller pod. When it got recreated, a deployed Jaeger operator complained about not being able to call the ingress-nginx-controller-admission webhook on port 443. After I applied the patch, all was fine again.

Hi

I'm having the same problem. And based on the comment

My fix for this issue without deleting the validatingwebhookconfigurations. Inspired by #5968 (comment)

CA=$(kubectl -n ingress-nginx get secret ingress-nginx-admission -ojsonpath='{.data.ca}')
kubectl patch validatingwebhookconfigurations ingress-nginx-admission --type='json' -p='[{"op": "add", "path": "/webhooks/0/clientConfig/caBundle", "value":"'$CA'"}]'

I’ve been investigating. I don’t use Helm, and I’ve had to configure each component individually.

There are two Jobs for nginx-admission-webhooks, create and patch. And based on the image's documentation, we have a command line with their specifications:

https://github.com/jet/kube-webhook-certgen#patch

  --patch-validating              If true, patch validatingwebhookconfiguration (default true)

Doing that I’ve got a correct validatingwebhookconfiguration config.

I hope that helps you.

For anyone banging their heads against this:

TLDR: Metallb/Loadbalancer was not running/working correctly, causing the service not to be available. TLS/x509 errors threw me on a wild goose chase.

My only indication was that the service created by nginx-ingress was not put in a ready state (nothing apparent except ArgoCD saying it wasn't). When investigating I saw that I had a config error in my metallb chart values. After fixing that the service finally became available, all errors disappeared and I could create ingresses again. (Be sure to terminate the sync action in flux/argo if applicable and retry the sync.)

Inspired by @marv254's comment.

I had a similar issue with missing caBundle in the validatingwebhookconfigurations/ingress-nginx-admission, and it was installed via ArgoCD and a customized ingress-nginx helm chart.

Since ingress-nginx-admission-patch has an annotation "helm.sh/hook": post-install, caBundle will only appear in the validatingwebhookconfigurations after the Chart is fully installed.

In my case, my custom chart contains some resources that required the admission webhook with the caBundle, and that caused the Helm chart to never reach the ‘post-install’ stage.

My solution is to add the annotation "helm.sh/hook": post-install to my custom resource as well.

I ran into the same problem. I fixed it by deleting and reapplying the ingress-nginx-admission-patch job.