4

We have a kubebuilder controller which is working as expected; now we need to create webhooks.

I followed the tutorial https://book.kubebuilder.io/reference/markers/webhook.html and now I want to run and debug it locally; however, I'm not sure what to do regarding the certificate. Is there a simple way to create it? Any example will be very helpful.

BTW, I've installed cert-manager and applied the following sample YAML, but I'm not sure what to do next...

I need the simplest solution that lets me run and debug the webhooks locally, as I'm already doing with the controller (before using webhooks):

https://book.kubebuilder.io/cronjob-tutorial/running.html

Cert-manager

I've created the following inside my cluster:

```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-com
  namespace: test
spec:
  # Secret names are always required.
  secretName: example-com-tls

  # secretTemplate is optional. If set, these annotations and labels will be
  # copied to the Secret named example-com-tls. These labels and annotations will
  # be re-reconciled if the Certificate's secretTemplate changes. secretTemplate
  # is also enforced, so relevant label and annotation changes on the Secret by a
  # third party will be overwritten by cert-manager to match the secretTemplate.
  secretTemplate:
    annotations:
      my-secret-annotation-1: "foo"
      my-secret-annotation-2: "bar"
    labels:
      my-secret-label: foo

  duration: 2160h # 90d
  renewBefore: 360h # 15d
  subject:
    organizations:
      - jetstack
  # The use of the common name field has been deprecated since 2000 and is
  # discouraged from being used.
  commonName: example.com
  isCA: false
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048
  usages:
    - server auth
    - client auth
  # At least one of a DNS Name, URI, or IP address is required.
  dnsNames:
    - example.com
    - www.example.com
  uris:
    - spiffe://cluster.local/ns/sandbox/sa/example
  ipAddresses:
    - 192.168.0.5
  # Issuer references are always required.
  issuerRef:
    name: ca-issuer
    # We can reference ClusterIssuers by changing the kind here.
    # The default value is Issuer (i.e. a locally namespaced Issuer)
    kind: Issuer
    # This is optional since cert-manager will default to this value however
    # if you are using an external issuer, change this to that issuer group.
    group: cert-manager.io
```

I'm still not sure how to sync it with kubebuilder to work locally, as when I run the operator in debug mode I got the following error:

```
setup problem running manager {"error": "open /var/folders/vh/_418c55133sgjrwr7n0d7bl40000gn/T/k8s-webhook-server/serving-certs/tls.crt: no such file or directory"}
```

What I need is the simplest way to run webhooks locally.

JME
  • Refer to this [document](https://book.kubebuilder.io/cronjob-tutorial/running-webhook.html); it may be helpful to you – Sai Chandini Routhu Nov 26 '22 at 13:36
  • @SaiChandiniRouthu - Thanks, I tried to follow the doc but I'm still not able to debug it, I get the error: `setup problem running manager {"error": "open /var/folders/vh/_418c55133sgjrwr7n0d7bl40000gn/T/k8s-webhook-server/serving-certs/tls.crt: no such file or directory"}` – JME Nov 27 '22 at 16:06
  • Refer to these: [document](https://github.com/kubernetes-sigs/kubebuilder/issues/1501), [document](https://github.com/kubernetes-sigs/controller-runtime/issues/900); maybe they will be helpful to resolve your issue – Sai Chandini Routhu Nov 27 '22 at 17:00
  • @SaiChandiniRouthu - Thanks, but there is no provided solution there, am I missing something? The solution is to remove the webhooks, and this worked for me before I needed them; now I want to test it locally. Any solution will be great, thanks! – JME Nov 27 '22 at 17:11

1 Answer

0

Let me walk you through the process from the start.

  1. Create the webhook as described in the CronJob tutorial: `kubebuilder create webhook --group batch --version v1 --kind CronJob --defaulting --programmatic-validation`. This will create webhooks for implementing defaulting and validating logic.

  2. Implement the logic as instructed - Implementing defaulting/validating webhooks

  3. Install cert-manager. I find the easiest way to install it is via this command: `kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.10.1/cert-manager.yaml`
  4. Edit the `config/default/kustomization.yaml` file by uncommenting everything that has [WEBHOOK] or [CERTMANAGER] in its comments. Do the same for the `config/crd/kustomization.yaml` file.
  5. Build your image locally using `make docker-build IMG=<some-registry>/<project-name>:tag`. Now you don't need to docker-push your image to a remote repository. If you are using a kind cluster, you can directly load your local image into your specified kind cluster: `kind load docker-image <your-image-name>:tag --name <your-kind-cluster-name>`
  6. Now you can deploy it to your cluster with `make deploy IMG=<some-registry>/<project-name>:tag`.

You can also run the cluster locally using the `make run` command. But that's a little tricky if you have enabled webhooks. I would suggest running your cluster using a KIND cluster in this way. Here, you don't need to worry about injecting certificates; cert-manager will do that for you. You can check out the `/config/certmanager` folder to figure out how this is functioning.

Raihan Khan
  • Thanks, I tried it out and it doesn't work for me, I got the same error. Any idea what could be the issue? – JME Dec 05 '22 at 09:05
  • Were you able to debug it? – JME Dec 05 '22 at 12:24
  • I have faced this same problem before. Check `default/kustomization.yaml` and `crd/kustomization.yaml` for [WEBHOOK] and [CERTMANAGER]; you only need to uncomment some lines to get it to work. You also need to have cert-manager installed. That should've fixed your issue. Check this out: [Error /tmp/k8s-webhook-server/serving-certs/tls.crt: no such file or directory" has been faced](https://github.com/kubernetes-sigs/kubebuilder/issues/1501#issuecomment-1002478317) – Raihan Khan Dec 06 '22 at 05:39