2

As stated in the title, I currently have a configuration with 2 ingress-nginx v1.0.0 on GKE v1.20.10.

When I deploy one alone, the configuration is working and I have no issue, but when I deploy the second one and its validatingwebhook and then try to deploy an ingress, the 2 validatingwebhooks try to evaluate the newly created ingress.

This results in this error:

**Error from server (InternalError): error when creating "ingress-example.yaml": Internal error occurred: failed calling webhook "validate.nginx-public.ingress.kubernetes.io": Post "https://ingress-nginx-controller-admission-public.ingress-nginx.svc:443/networking/v1/ingresses?timeout=10s": x509: certificate is valid for ingress-nginx-controller-admission-private, ingress-nginx-controller-admission-private.ingress-nginx.svc, not ingress-nginx-controller-admission-public.ingress-nginx.svc**

I checked and everything seems to be correctly separated. My validatingwebhook is deployed like this; `{{ ingress_type }}` is a placeholder for -public or -private:

```yaml
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  labels:
    app.kubernetes.io/name: ingress-nginx{{ ingress_type }}
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/component: admission-webhook
  name: ingress-nginx-admission{{ ingress_type }}
webhooks:
  - name: validate.nginx{{ ingress_type }}.ingress.kubernetes.io
    matchPolicy: Equivalent
    objectSelector:
      matchLabels:
        ingress-nginx : nginx{{ ingress_type }}
    rules:
      - apiGroups:
          - networking.k8s.io
        apiVersions:
          - v1
        operations:
          - CREATE
          - UPDATE
        resources:
          - ingresses
    failurePolicy: Fail
    sideEffects: None
    admissionReviewVersions:
      - v1
    clientConfig:
      service:
        namespace: ingress-nginx
        name: ingress-nginx-controller-admission{{ ingress_type }}
        path: /networking/v1/ingresses
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/name: ingress-nginx{{ ingress_type }}
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller-admission{{ ingress_type }}
spec:
  type: ClusterIP
  ports:
    - name: https-webhook
      port: 443
      targetPort: webhook
      appProtocol: https
  selector:
    app.kubernetes.io/name: ingress-nginx{{ ingress_type }}
```

I can't seem to find a solution. There is an old GitHub issue on that with no answer. Maybe I'm doing something wrong, but I just can't see it.

As asked in a comment, here is the ingress-example I'm trying to deploy. This works perfectly fine with only one ingress, not with two:

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    kubernetes.io/ingress.class: nginx-private
#    external-dns.alpha.kubernetes.io/target: "IP"
  labels:
    ingress-nginx : nginx-public
spec:
  rules:
    - host: hello.MYDOMAINHERE
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web
                port:
                  number: 8080
```
night-gold
  • I've seen in multiple posts that deleting the ValidatingWebhookConfiguration and redeploying it works most of the time. You might first try to back up the current validation. What troubleshooting steps have you tried? – Vicente Ayala Nov 04 '21 at 18:37
  • I think I did read those, but it seems to me that it's more due to mistakes leaving an old validatingwebhook or being in a case where they are creating a new one. In my case I want to keep the two validatingwebhooks or have one for the 2 ingress. I tried adding the objectSelector to force the webhook to read only what I tell it, but that doesn't work. – night-gold Nov 04 '21 at 21:38
  • I also tried to have the same name in the webhooks name validate.nginx.ingress.kubernetes.io. Seems like it's linked to the one being created first... – night-gold Nov 04 '21 at 22:14
  • Which versions of kubernetes and Ingress-Nginx are you using in your deployment? – Vicente Ayala Nov 04 '21 at 22:40
  • @VicenteAyala I added the versions I'm currently using, I saw there is a new ingress version and will try it today. – night-gold Nov 05 '21 at 07:20
  • Can you post the YAML for the Ingress which is failing? Perhaps the content of "ingress-example.yaml"? – Gari Singh Nov 05 '21 at 09:37
  • I added the example, but it won't help as it's working fine with only one... The issue only occurs when deploying with the 2 ingress-controllers – night-gold Nov 05 '21 at 09:51

2 Answers

1

So for those that may encounter this error.

I tried different things before finding what was wrong. You have to rename all the labels but the version of the ingress-nginx. I did not think that it would break for so little, but it does. In the end I'm using something like this:

```yaml
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  labels:
    app.kubernetes.io/name: ingress-nginx{{ ingress_type }}
    app.kubernetes.io/instance: ingress-nginx{{ ingress_type }}
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/component: admission-webhook{{ ingress_type }}
  name: ingress-nginx-admission{{ ingress_type }}
webhooks:
  - name: validate.nginx{{ ingress_type }}.ingress.kubernetes.io
    matchPolicy: Equivalent
    objectSelector:
      matchLabels:
        ingress-nginx : nginx{{ ingress_type }}
    rules:
      - apiGroups:
          - networking.k8s.io
        apiVersions:
          - v1
        operations:
          - CREATE
          - UPDATE
        resources:
          - ingresses
    failurePolicy: Fail
    sideEffects: None
    admissionReviewVersions:
      - v1
    clientConfig:
      service:
        namespace: ingress-nginx
        name: ingress-nginx-controller-admission{{ ingress_type }}
        path: /networking/v1/ingresses
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/name: ingress-nginx{{ ingress_type }}
    app.kubernetes.io/instance: ingress-nginx{{ ingress_type }}
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/component: controller{{ ingress_type }}
  name: ingress-nginx-controller-admission{{ ingress_type }}
spec:
  type: ClusterIP
  ports:
    - name: https-webhook
      port: 443
      targetPort: webhook
      appProtocol: https
  selector:
    app.kubernetes.io/name: ingress-nginx{{ ingress_type }}
```

I think in this case it's really important to do the same on all the resources.

night-gold
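The selection logic behind this thread, as an added example that is not part of the original posts: it models `matchLabels` with plain dicts to show which webhook is called for the question's Ingress, which host name the certificate must cover, and how a selector on a label value shared by both controllers picks up both. The pod names and pod labels are constructed assumptions (the page does not show the Deployments), and the certificate check is a plain exact-name comparison.

```python
# Added example: matchLabels selection modelled with plain dicts, no cluster needed.
NAMESPACE = "ingress-nginx"
TYPES = ("-public", "-private")  # the two values of {{ ingress_type }}

def matches(selector, labels):
    """Equality-based matchLabels: every selector pair must be on the object."""
    return all(labels.get(k) == v for k, v in selector.items())

# Webhooks as rendered from the question's template for both types.
WEBHOOKS = {
    f"validate.nginx{t}.ingress.kubernetes.io": {
        "objectSelector": {"ingress-nginx": f"nginx{t}"},
        "service": f"ingress-nginx-controller-admission{t}",
    } for t in TYPES
}

# The Ingress from the question: class annotation says private, label says public.
INGRESS = {"annotations": {"kubernetes.io/ingress.class": "nginx-private"},
           "labels": {"ingress-nginx": "nginx-public"}}

# SANs quoted in the x509 error from the question.
SERVED_SANS = ["ingress-nginx-controller-admission-private",
               "ingress-nginx-controller-admission-private.ingress-nginx.svc"]

def webhooks_called(ingress):
    """Webhooks whose objectSelector matches; annotations play no part."""
    return sorted(n for n, w in WEBHOOKS.items()
                  if matches(w["objectSelector"], ingress["labels"]))

def dialed_host(webhook):
    """DNS name the API server checks the serving certificate against."""
    return f"{WEBHOOKS[webhook]['service']}.{NAMESPACE}.svc"

def cert_covers(webhook, sans):
    """Exact-name check only (no wildcard handling)."""
    return dialed_host(webhook) in sans

def pod_labels(renamed):
    """Constructed pod labels (assumption): same scheme as the manifests' metadata.
    renamed=False mirrors the question, renamed=True mirrors the answer."""
    return {f"controller{t}": {
                "app.kubernetes.io/name": f"ingress-nginx{t}",
                "app.kubernetes.io/instance": f"ingress-nginx{t if renamed else ''}"}
            for t in TYPES}

def selected_pods(selector, pods):
    """Pods that a Service or Deployment selector would pick up."""
    return sorted(p for p, labels in pods.items() if matches(selector, labels))
```
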
0

Did this solution work for having webhook validation based on the ingressClass that is specified in the ingress.yaml object? I guess not. In my case, let's say I have: NamespaceA, IngressControllerA with ingressClassA and ValidatingWebHookA, and in a different namespace NamespaceB, IngressControllerB with ingressClassB and ValidatingWebHookB.

Now, if I create an ingress with ingressClassA, ValidatingWebHookB seems to be validating it and admitting it to IngressControllerA. Which is fine, but if I remove ingressControllerB, then it won't work anymore, complaining that serviceB for the validatingWebhookB is not available. I was hoping they would be completely separate from each other.

Nova
  • As it’s currently written, your answer is unclear. Please [edit] to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Ralle Mc Black Jan 30 '23 at 12:13
  • I did not answer the question. I was wondering if the solution mentioned by them really fixed the issue, because I have the same problem and the above answers did not help me. – Nova Jan 30 '23 at 14:06
  • The current answer is fixing the solution, at least it is still running and functioning for me. You seem to have the exact same issue I had apart from the fact that I was doing it in the same namespace. – night-gold Feb 03 '23 at 15:19