Mutating Webhook does not invoke endpoint because certificate signed by unknown authority

12/16/2019

I am developing a mutating webhook with kind and as I understand, the API end-point should be https. The certificate and key of the API server should be signed with the CA of the cluster itself so as to get around the issue of self-signed certificates. And, for that, the following are the recommended steps:

  1. Create key - openssl genrsa -out app.key 2048
  2. Create CSR - openssl req -new -key app.key -subj "/CN=${CSR_NAME}" -out app.csr -config csr.conf
  3. Create CSR object in kubernetes - kubectl create -f csr.yaml
  4. Approve CSR - kubectl certificate approve csr_name
  5. Extract PEM - kubectl get csr app.csr -o jsonpath='{.status.certificate}' | openssl base64 -d -A -out app.pem

Notes
1. The csr.conf has details to set up the CSR successfully.
2. The csr.yaml is written for the kubernetes kind CertificateSigningRequest.
3. The csr_name is defined in CertificateSigningRequest.
4. The spec.request in csr.yaml is set to cat app.csr | base64 | tr -d '\n'.
5. The app.pem and app.key are used to set up the https end-point.

The end-point is definitely reachable but errors out as:

Internal error occurred: failed calling webhook "com.me.webhooks.demo": Post https://webhook.sidecars.svc:443/mutate?timeout=10s: x509: certificate signed by unknown authority

How do I get around the certificate signed by unknown authority issue?

References:
1. Writing a very basic kubernetes mutating admission webhook
2. Diving into Kubernetes MutatingAdmissionWebhook

-- cogitoergosum
Tags: certificate-authority, kubernetes, pem, ssl, webhooks

1 Answer

12/16/2019

It doesn't need to be signed with the cluster's CA root. It just needs to match the CA bundle in the webhook configuration.

-- coderanger
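The following is an added example, not code from the question or the answer. It writes the five CSR steps from the question as POSIX sh functions and adds the piece the answer points at: the caBundle in the MutatingWebhookConfiguration must be the base64 of the certificate that signed app.pem, otherwise the API server rejects the webhook's serving certificate with exactly the "signed by unknown authority" error above. The CSR name, the service name "webhook" in namespace "sidecars" (taken from the URL in the error), the CA file path and the webhook rules are assumptions; the CertificateSigningRequest uses the certificates.k8s.io/v1beta1 API that was current in 2019 (the v1 API on Kubernetes 1.19+ additionally requires spec.signerName).

```shell
#!/bin/sh
# Added example, not the original poster's code. Assumptions: CSR_NAME,
# CA_FILE, the service name/namespace and the webhook rules below.

CSR_NAME="${CSR_NAME:-webhook.sidecars.svc}"
# Assumption: the PEM certificate of whatever CA signs the approved CSR.
CA_FILE="${CA_FILE:-/path/to/cluster-ca.crt}"

# Single-line base64 of a file; same as "base64 | tr -d '\n'" from the question.
b64_oneline() {
    base64 < "$1" | tr -d '\n'
}

# Step 3: the CertificateSigningRequest manifest. $1 = CSR name, $2 = app.csr path.
render_csr_manifest() {
    cat <<EOF
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: $1
spec:
  request: $(b64_oneline "$2")
  usages:
  - digital signature
  - key encipherment
  - server auth
EOF
}

# The webhook registration. $1 = path to the CA certificate that signed app.pem.
# The rules (pods on CREATE) are an assumption for illustration.
render_webhook_config() {
    cat <<EOF
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
  name: demo
webhooks:
- name: com.me.webhooks.demo
  clientConfig:
    service:
      name: webhook
      namespace: sidecars
      path: /mutate
    caBundle: $(b64_oneline "$1")
  rules:
  - apiGroups: [""]
    apiVersions: ["v1"]
    operations: ["CREATE"]
    resources: ["pods"]
EOF
}

# Sanity check before applying: the bundle must be valid base64 that decodes
# to at least one CERTIFICATE block, and must never carry a private key.
check_ca_bundle() {
    decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null) || return 1
    printf '%s\n' "$decoded" | grep -q 'BEGIN CERTIFICATE' || return 1
    printf '%s\n' "$decoded" | grep -q 'PRIVATE KEY' && return 1
    return 0
}

# Steps 1-5 end to end, then the webhook registration. Needs openssl and
# kubectl; only runs when invoked as "sh script.sh --run".
issue_cert() {
    openssl genrsa -out app.key 2048
    openssl req -new -key app.key -subj "/CN=${CSR_NAME}" -out app.csr -config csr.conf
    render_csr_manifest "$CSR_NAME" app.csr | kubectl create -f -
    kubectl certificate approve "$CSR_NAME"
    kubectl get csr "$CSR_NAME" -o jsonpath='{.status.certificate}' | base64 -d > app.pem
    bundle=$(b64_oneline "$CA_FILE")
    check_ca_bundle "$bundle" || { echo "CA_FILE does not look like a CA certificate" >&2; return 1; }
    render_webhook_config "$CA_FILE" | kubectl apply -f -
}

if [ "${1:-}" = "--run" ]; then
    issue_cert
fi
```

The check matters because the API server never consults the cluster's root CA when calling a webhook: it trusts only what is in caBundle, so a bundle that is empty, holds the server certificate instead of its issuer, or was base64-encoded with line breaks gives the same "unknown authority" failure.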
Source: StackOverflow