  1. OpenShift Pipelines
  2. SRVKP-8891

tekton-operator-proxy-webhook certificate having issues auto rotating in HCP cluster

      Fix: Updated the tekton-operator-proxy-webhook logic to exclude control-plane namespaces (kube-*, openshift-*) from admission webhook validation.

      Impact: Prevents Tekton webhook certificate issues from affecting unrelated system components (e.g., Network Operator) during namespace reconciliation.

      Details:
      - No changes to the existing certificate renewal logic.
      - Ensures better isolation between Tekton and other cluster operators.

      References:
      GitHub: tektoncd/operator#2906
      Customer Case: 04243217

      Doc Ref: https://docs.google.com/document/d/1XJ7WZ2asX9uPaboVmUyqMrxSn_aOVA0kXqOFsBMTcgs/edit?usp=sharing
    • Bug Fix

      Description of problem: 

      tekton-operator-proxy-webhook certificate having issues auto rotating in HCP cluster.

      An error like below is seen.

      ~~~
      network 4.18.14 True False True 365d Error while updating operator configuration: could not apply (/v1, Kind=Namespace) /openshift-network-console: failed to apply / update (/v1, Kind=Namespace) /openshift-network-console: Internal error occurred: failed calling webhook "namespace.operator.tekton.dev": failed to call webhook: Post "https://tekton-operator-proxy-webhook.openshift-pipelines.svc:443/namespace-validation?timeout=10s": tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2025-09-03T02:09:32Z is after 2025-09-02T10:03:32Z
      ~~~

      Workaround: It can be worked around by deleting the webhook and recreating it.

      Prerequisites (if any, like setup, operators/versions):

      OpenShift Pipelines 1.16.1

      Actual results: Webhook certificate expires and doesn't auto rotate in HCP

      Expected results: 

      Webhook certificate should get rotated automatically
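
Added example (not part of the original issue and not the Tekton operator's code): a small detector that scans operator status messages like the one quoted above for admission webhook calls that failed on an expired serving certificate. It reports how long the certificate had been expired and whether the rejected object was a control-plane namespace (`kube-*`, `openshift-*`, the prefixes named in the fix note). Function and field names are hypothetical, and the line format is assumed to match the message in this issue.

```python
import re
from datetime import datetime, timezone

# Constructed input: the status message quoted in this issue plus one
# constructed healthy line that must not produce a finding.
SAMPLE_LINES = [
    'network 4.18.14 True False True 365d Error while updating operator configuration: could not apply (/v1, Kind=Namespace) /openshift-network-console: failed to apply / update (/v1, Kind=Namespace) /openshift-network-console: Internal error occurred: failed calling webhook "namespace.operator.tekton.dev": failed to call webhook: Post "https://tekton-operator-proxy-webhook.openshift-pipelines.svc:443/namespace-validation?timeout=10s": tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2025-09-03T02:09:32Z is after 2025-09-02T10:03:32Z',
    "dns 4.18.14 True False False 365d",
]

TS = r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ)"
WEBHOOK = re.compile(r'failed calling webhook "([^"]+)"')
SERVICE = re.compile(r'Post "https://([^/:"]+)')
# "is after" means expired; a "not yet valid" certificate is not matched here.
EXPIRED = re.compile(
    rf"certificate has expired or is not yet valid: current time {TS} is after {TS}"
)
NAMESPACE = re.compile(r"Kind=Namespace\) /([a-z0-9-]+)")
CONTROL_PLANE_PREFIXES = ("kube-", "openshift-")  # prefixes named in the fix note


def _utc(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_expired_webhook_certs(lines):
    """Return one finding per line where a webhook call failed on an expired cert."""
    findings = []
    for line in lines:
        hook, expired = WEBHOOK.search(line), EXPIRED.search(line)
        if not (hook and expired):
            continue
        service, target = SERVICE.search(line), NAMESPACE.search(line)
        namespace = target.group(1) if target else None
        overdue = _utc(expired.group(1)) - _utc(expired.group(2))
        findings.append({
            "webhook": hook.group(1),
            "service": service.group(1) if service else None,
            "not_after": expired.group(2),
            "expired_for_seconds": int(overdue.total_seconds()),
            "rejected_namespace": namespace,
            # True means an unrelated system component was blocked.
            "control_plane": bool(namespace) and namespace.startswith(CONTROL_PLANE_PREFIXES),
        })
    return findings


if __name__ == "__main__":
    for finding in find_expired_webhook_certs(SAMPLE_LINES):
        print(finding)
```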

              rh-ee-anataraj Anitha Natarajan
              rhn-support-alosingh Alok Singh
              Jayesh Garg Jayesh Garg