Helm install fails when extraObjects contains Bundles #881

@shastaxc

Description

I'm using the latest Helm chart, v0.20.3, with Helm v3.17.1.

I've added 2 Bundle resources to the extraObjects field in the Helm values.yaml and when I try to deploy now, I get an error:

level=WARN msg="upgrade failed" name=trust-manager error="Internal error occurred: failed calling webhook \"trust.cert-manager.io\": failed to call webhook: Post \"https://trust-manager.mynamespace.svc:443/validate-trust-cert-manager-io-v1alpha1-bundle?timeout=5s\": dial tcp 10.233.23.225:443: connect: connection refused && Internal error occurred: failed calling webhook \"trust.cert-manager.io\": failed to call webhook: Post \"https://trust-manager.mynamespace.svc:443/validate-trust-cert-manager-io-v1alpha1-bundle?timeout=5s\": dial tcp 10.233.23.225:443: connect: connection refused"

Even though there's an error, the trust-manager pod does come up healthy afterward. Running the Helm command again deploys the Bundles successfully.

I expected this to work because I do something similar in the cert-manager Helm chart, where I use the extraObjects block to deploy a ClusterIssuer and Certificate resource.

Note: I already deploy the Bundle CRD separately before my Helm install command so that's not an issue.

Here's my customized Helm values:

crds:
  enabled: false
  keep: true

namespace: "mynamespace"

nameOverride: "trust-manager"

app:
  trust:
    namespace: "mynamespace"

secretTargets:
  enabled: true
  # If set to true, grant read/write permission to all secrets across the cluster. Use with caution!
  # If set, ignores the authorizedSecrets list.
  authorizedSecretsAll: false
  # A list of secret names which trust-manager will be permitted to read and write across all namespaces.
  # These are the only allowable Secrets that can be used as targets. If the list is empty (and authorizedSecretsAll is false),
  # trust-manager can't write to secrets and can only read secrets in the trust namespace for use as sources.
  authorizedSecrets:
    - trust-bundle-all
    - custom-ca-secret
extraObjects:
    # Bundle that contains all certs
  - apiVersion: trust.cert-manager.io/v1alpha1
    kind: Bundle
    metadata:
      name: trust-bundle-all
    spec:
      sources:
      - useDefaultCAs: true
      - secret:
          name: "extra-trusted-certs"
          key: "certificates"
      - secret:
          name: "mongo-cert-root-ca"
          key: "tls.crt"
      - secret:
          name: "my-tls-secret"
          key: "tls.crt"
      - secret:
          name: "s3-tls-secret"
          key: "tls.crt"
      target:
        secret:
          key: "trust-bundle-all.crt"
          metadata:
            annotations:
              reloader.stakater.com/search: "true"
        additionalFormats:
          jks:
            key: "trust-bundle-all.jks"
        namespaceSelector:
          matchLabels:
            my.org/main-namespace: 'true'
  - apiVersion: trust.cert-manager.io/v1alpha1
    kind: Bundle
    metadata:
      name: custom-ca-secret
    spec:
      sources:
      - useDefaultCAs: true
      - secret:
          name: "custom-ca-raw-certs"
          includeAllKeys: true
      target:
        secret:
          key: "ca.crt"
          metadata:
            annotations:
              reloader.stakater.com/search: "true"
        additionalFormats:
          jks:
            key: "keycloak-spi.truststore.jks"
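One way to sequence this, as an added example that is not part of the issue or of the trust-manager project: the Bundle objects are validated by the `trust.cert-manager.io` webhook, and that webhook is served by the very Pod the same release creates, so anything Helm submits in the same pass can hit the "connection refused" shown above. The script below keeps the two Bundles out of `extraObjects`, installs the chart with `--wait`, and only then applies the Bundles from a separate file, retrying solely on the transient webhook-unreachable error and never on a genuine admission rejection (a blind retry loop would otherwise hide a Bundle the webhook actually refused). The release name, namespace, chart reference, Deployment name and the file names `values.yaml` and `bundles.yaml` are assumptions, as is the list of error substrings treated as transient (`connection refused` and `no endpoints available`, both of which the API server reports while the webhook Service has no ready backend).

```shell
#!/bin/sh
# Added example, not code from the issue or the trust-manager chart.
# Two-phase rollout: chart first (with --wait), Bundles second.
# All names below are placeholders; override them via the environment.
RELEASE="${RELEASE:-trust-manager}"          # assumed release / Deployment name
NAMESPACE="${NAMESPACE:-mynamespace}"
CHART="${CHART:-jetstack/trust-manager}"     # assumed chart reference
VALUES="${VALUES:-values.yaml}"              # the issue's values, without extraObjects
BUNDLES="${BUNDLES:-bundles.yaml}"           # the two Bundle objects, moved out of extraObjects
KUBECTL="${KUBECTL:-kubectl}"                # overridable so the logic can be tested offline
RETRY_SLEEP="${RETRY_SLEEP:-5}"

# Return 0 only for the transient "webhook not reachable yet" failure. A
# rejection by the webhook itself ("denied the request") or any other error
# returns 1 so that the caller stops instead of masking a real problem.
# Which substrings count as transient is an assumption of this example.
webhook_unreachable() {
  err="$1"
  case "$err" in
    *"failed calling webhook"*"trust.cert-manager.io"*"connection refused"*) return 0 ;;
    *"failed calling webhook"*"trust.cert-manager.io"*"no endpoints available"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Apply the Bundles (cluster-scoped, so no -n), retrying only while the webhook
# is unreachable and at most $1 times.
apply_bundles() {
  attempts="${1:-10}"
  i=1
  while :; do
    if out=$($KUBECTL apply -f "$BUNDLES" 2>&1); then
      printf '%s\n' "$out"
      return 0
    fi
    if ! webhook_unreachable "$out" || [ "$i" -ge "$attempts" ]; then
      printf 'apply failed (attempt %s/%s):\n%s\n' "$i" "$attempts" "$out" >&2
      return 1
    fi
    echo "trust-manager webhook not reachable yet, retrying in ${RETRY_SLEEP}s ($i/$attempts)" >&2
    sleep "$RETRY_SLEEP"
    i=$((i + 1))
  done
}

# Phase 1: install/upgrade the chart and block until its Deployment is ready;
# the Pod's readiness is what makes the webhook Service answer.
# Phase 2: apply the Bundles through the now-serving webhook.
main() {
  helm upgrade --install "$RELEASE" "$CHART" -n "$NAMESPACE" -f "$VALUES" --wait --timeout 5m
  $KUBECTL wait -n "$NAMESPACE" --for=condition=Available "deployment/$RELEASE" --timeout=120s
  apply_bundles 10
}

# Run only when explicitly asked, so the file can also be sourced for its functions.
if [ "${RUN_INSTALL:-0}" = 1 ]; then
  main
fi
```

Run it with `RUN_INSTALL=1 sh install-trust.sh`, or source it and call `apply_bundles` on its own after an existing release is up. Because the Bundles are no longer part of the release, `helm uninstall` will not remove them; delete `bundles.yaml` explicitly when tearing down.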
