Static manifest with-rbac-webhook.yaml busted

[jbeda]

Describe the bug:

The non-helm version that installs the webhook fails as it doesn't define the CRDs. They don't appear to be included in the manifest.

Expected behaviour:

I would expect the yaml to be applied cleanly.

Steps to reproduce the bug:

cd contrib/manifests/cert-manager
kubectl create namespace cert-manager
kubectl label namespace cert-manager certmanager.k8s.io/disable-validation=true
kubectl apply -f with-rbac-webhook.yaml

You'll get some errors like this:

unable to recognize "with-rbac-webhook.yaml": no matches for kind "Issuer" in version "certmanager.k8s.io/v1alpha1"
unable to recognize "with-rbac-webhook.yaml": no matches for kind "Certificate" in version "certmanager.k8s.io/v1alpha1"
unable to recognize "with-rbac-webhook.yaml": no matches for kind "Issuer" in version "certmanager.k8s.io/v1alpha1"
unable to recognize "with-rbac-webhook.yaml": no matches for kind "Certificate" in version "certmanager.k8s.io/v1alpha1"

Anything else we need to know?:

Environment details::
k8s v1.11.2

/kind bug

[jbeda]

Also, this static manifest doesn't create the namespace. I had to create it manually. Looks like it is created as part of the non webhook static manifests.

[munnerz]

Hey Joe, Thanks for the issue! This is definitely something not quite documented clearly enough. The webhook manifests should be taken as *additive* as opposed to a replacement for the normal ones. We really should clear this up though and expand our README to instruct people what to do, step by step. Additionally, I think you *may* (at least in kubernetes pre 1.12 or maybe even 1.13) hit issues with validation of the 'spec.caBundle' field on the ValidatingWebhookConfiguration with the webhook - I think we already have an issue tracking this, but I'm on mobile right now so not able to check! It can be resolved with '--validate=false' on the kubectl create command (disabling client side validation!) Hope that helps, we'll get this triaged and improved ASAP though as the webhook is a new piece and I am super keen to gather feedback on it!

…

On Thu, 1 Nov 2018 at 22:54, Joe Beda ***@***.***> wrote: Also, this static manifest doesn't create the namespace. I had to create it manually. Looks like it *is* created as part of the non webhook static manifests. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#1034 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAMbP1gscO0sXVH1LhB_6pOxAAdG6dfrks5uq3u9gaJpZM4YJ8zh> .

[jbeda]

Ah! That makes more sense then.

It is cool for sure and I'll have to try it out some time soon. Very meta to have cert-manager create a cert so that it can talk to k8s.

[munnerz]

Yep - the way it's setup right now is a little shakey. We use a CronJob/Job resource that copies the certificate into the ValidatingWebhookConfiguration and APIService resources...

I'm hoping we can come up with a better way to handle this soon, but wanted to unblock the validation work and get it out in some form to gather feedback 😄