Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-43710

devworkspace-operator installation failed due to InvalidCABundle

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Not a Bug
    • Icon: Major Major
    • None
    • 4.18
    • OLM
    • None
    • Rejected
    • False
    • Hide

      None

      Show
      None

      Description of problem:

      devworkspace-operator installation failed due to InvalidCABundle.

1, ip is failed with error message
   error validating existing CRs against new CRD''s schema for "devworkspaces.workspace.devfile.io

2, status "Established" of crd is False, error message is "The conversion webhook CABundle is invalid"

      Version-Release number of selected component (if applicable):

          4.18.0-0.nightly-2024-10-22-175936

      How reproducible:

          always

      Steps to Reproduce:

          1. create sub
xzha@xzha1-mac nginx76668 % oc get sub devworkspace-operator -o yaml
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: devworkspace-operator
  namespace: openshift-operators
spec:
  channel: fast
  installPlanApproval: Automatic
  name: devworkspace-operator
  source: redhat-operators
  sourceNamespace: openshift-marketplace
  startingCSV: devworkspace-operator.v0.31.0     

2. check sub status
 - lastTransitionTime: "2024-10-23T02:37:40Z"
    message: 'error validating existing CRs against new CRD''s schema for "devworkspaces.workspace.devfile.io":
      Internal error occurred: error resolving resource'
    reason: InstallComponentFailed
    status: "True"
    type: InstallPlanFailed

xzha@xzha1-mac nginx76668 % oc get crd devworkspaces.workspace.devfile.io -o=jsonpath-as-json='{.status}'               
[
    {
        "acceptedNames": {
            "kind": "DevWorkspace",
            "listKind": "DevWorkspaceList",
            "plural": "devworkspaces",
            "shortNames": [
                "dw"
            ],
            "singular": "devworkspace"
        },
        "conditions": [
            {
                "lastTransitionTime": "2024-10-23T02:36:33Z",
                "message": "no conflicts found",
                "reason": "NoConflicts",
                "status": "True",
                "type": "NamesAccepted"
            },
            {
                "lastTransitionTime": "2024-10-23T02:36:33Z",
                "message": "The conversion webhook CABundle is invalid",
                "reason": "InvalidCABundle",
                "status": "False",
                "type": "Established"
            }
        ],
        "storedVersions": [
            "v1alpha2"
        ]
    }
]

3.

      Actual results:

        install failed

      Expected results:

          install success

      Additional info:

      Starting with Kubernetes 1.31, CRDs which have an invalid cert as the value of spec.conversion.webhook.clientConfig.caBundle are being rejected by the API.

https://github.com/kubernetes/kubernetes/pull/124061

              lmohanty@redhat.com Lalatendu Mohanty
              rhn-support-xzha Xia Zhao
              Xia Zhao Xia Zhao
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated:
                Resolved: