@jpbetz
Last active March 8, 2024 18:19
CRD with invalid conversion webhook CABundle fails on reads and writes for versions not requiring conversion

What happens:

Create a multi-version CRD with a conversion webhook configured with an invalid CABundle:

$ kubectl apply -f crd.yaml
customresourcedefinition.apiextensions.k8s.io/replicant.stable.example.com created

Read the CRD back:

$ kubectl get crd replicant.stable.example.com -oyaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
...

Attempt to create a CR using the storage version:

$ kubectl apply cr1.yaml
Error from server (InternalError): error when retrieving current configuration of:
Resource: "stable.example.com/v1, Resource=replicant", GroupVersionKind: "stable.example.com/v1, Kind=Replicant"
Name: "cr1", Namespace: "default"
from server for: "cr-1.yaml": Internal error occurred: error resolving resource

$ grep "customresource_handler" /tmp/local-kube-apiserver.log
E0308 12:57:41.892888 1158130 customresource_handler.go:301] unable to load root certificates: unable to parse bytes as PEM block

What I expected:

Since creating cr-1.yaml doesn't require conversion, I would have expected either:

  1. An error response when attempting to create/update the CRD with an invalid CABundle
  2. An error only when conversion is required to serve a request
cr1.yaml:

apiVersion: stable.example.com/v1
kind: Replicant
metadata:
  name: cr1
spec:
  myfield: 1
crd.yaml:

apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: replicant.stable.example.com
spec:
  group: stable.example.com
  versions:
    - name: v1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          properties:
            spec:
              type: object
              properties:
                myfield:
                  type: integer
    - name: v2
      served: true
      storage: false
      schema:
        openAPIV3Schema:
          type: object
          properties:
            spec:
              type: object
              properties:
                myfield:
                  type: integer
  scope: Namespaced
  names:
    plural: replicant
    singular: replicants
    kind: Replicant
  conversion:
    strategy: Webhook
    webhook:
      conversionReviewVersions: [v1]
      clientConfig:
        service:
          namespace: default
          name: example-conversion-webhook-server
          path: /convert
        caBundle: "Cg=="
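As an added example (not part of the gist and not apiserver code), the Go program below applies the same PEM check that the apiserver log line reports failing, so a bad `caBundle` can be caught in a pre-apply lint step instead of breaking reads and writes of the storage version. The `Cg==` value is the one from crd.yaml above (it decodes to a single newline, which contains no PEM block); the function names, the other bad inputs and the self-signed test certificate are my own constructions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ValidateCABundle applies the check behind the log line
// "unable to parse bytes as PEM block": the base64-decoded caBundle must
// contain at least one PEM block, every block must be a CERTIFICATE, and each
// certificate must parse as X.509. (Hypothetical lint helper, not apiserver code.)
func ValidateCABundle(b64 string) error {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return fmt.Errorf("caBundle is not valid base64: %w", err)
	}
	certs := 0
	rest := raw
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			return fmt.Errorf("caBundle contains a %q block; only CERTIFICATE blocks are allowed", block.Type)
		}
		if _, err := x509.ParseCertificate(block.Bytes); err != nil {
			return fmt.Errorf("caBundle CERTIFICATE block does not parse: %w", err)
		}
		certs++
	}
	if certs == 0 {
		// This is the case the gist hits: "Cg==" decodes to a lone newline.
		return errors.New("unable to parse bytes as PEM block")
	}
	return nil
}

// SelfSignedCABundle builds a throwaway self-signed CA certificate and returns
// it base64-encoded, the way a valid caBundle is embedded in the CRD.
// Constructed test data only; a real bundle comes from the webhook's CA.
func SelfSignedCABundle() (string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-conversion-webhook-ca"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", err
	}
	pemBytes := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return base64.StdEncoding.EncodeToString(pemBytes), nil
}

func main() {
	// "Cg==" is the caBundle from crd.yaml; the other two are constructed bad
	// inputs (empty, and base64 of the plain string "not-a-cert").
	for _, b := range []string{"Cg==", "", "bm90LWEtY2VydA=="} {
		fmt.Printf("caBundle %q: %v\n", b, ValidateCABundle(b))
	}
	good, err := SelfSignedCABundle()
	if err != nil {
		panic(err)
	}
	fmt.Printf("self-signed bundle: %v\n", ValidateCABundle(good)) // <nil>
}
```

Running this as an admission or CI check on the CRD manifest gives the first of the two behaviours the gist asks for (an error at CRD create/update time) without waiting for the apiserver to reject unrelated requests.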