The Sidecar Injector fails the injection due to a TLS Handshake error

Issue

  • The Sidecar Injector does not inject the configuration data, and the Sidecar Injector pod container logs show the following error:
TLS handshake error from <IP>:<PORT>: remote error: tls: bad certificate

Environment

Explanation

In the setup of the Sidecar Injector, one step retrieves the cluster's CA certificate and injects it into sidecar-injector-ca-bundle.yaml as the caBundle of the webhook configuration:

cat sidecar-injector.yaml | \
    ./webhook-patch-ca-bundle.sh > \
    sidecar-injector-ca-bundle.yaml

It does so by reading the client-ca-file entry of the extension-apiserver-authentication configmap:

kubectl get configmap -n kube-system extension-apiserver-authentication -o=jsonpath='{.data.client-ca-file}' | base64 | tr -d '\n'

In some environments, such as EKS, this retrieves the wrong certificate, or none at all. The caBundle is what the API server uses to validate the serving certificate the injector presents when the webhook is called. When that validation fails, the API server aborts the handshake with a bad_certificate alert, which the injector reports in its logs (the "remote error" prefix means the alert came from the peer, not from the injector itself) as:

TLS handshake error from <IP>:<PORT>: remote error: tls: bad certificate

The webhook call never completes, so nothing is injected.

Related Issues

CPLT2-5479: sidecar-injector setup doesn’t work if CA is not provided in configmap

Resolution

In order to fix this problem, replace the content of the file webhook-patch-ca-bundle.sh with the script below. It reads the cluster CA from the service-account mount of a throwaway pod instead of the configmap. The pod is created in the current kubectl context and namespace under the default service account, and the ca.crt file is only present when the service account token is automounted.

#!/bin/bash -e
set -o pipefail

ROOT=$(cd "$(dirname "$0")/../../" && pwd)

# Read the cluster CA from a throwaway pod's service-account mount rather than
# from the extension-apiserver-authentication configmap, which on EKS may hold a
# different CA or none. --tty is dropped: in a script stdin is not a terminal,
# so kubectl would only warn, and a real pseudo-terminal would rewrite the
# output's newlines as CRLF, which the tr below does not clean up.
export CA_BUNDLE=$(kubectl run sidecar-injector-get-ca --restart=Never -i --image=centos \
    -- cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt | base64 | tr -d '\n')
kubectl delete pod sidecar-injector-get-ca > /dev/null 2>&1 || true

# Refuse to emit a manifest with an empty caBundle: that is the failure being fixed.
if [ -z "$CA_BUNDLE" ]; then
    echo "failed to read the cluster CA from the sidecar-injector-get-ca pod" >&2
    exit 1
fi

if command -v envsubst >/dev/null 2>&1; then
    envsubst
else
    sed -e "s|\${CA_BUNDLE}|${CA_BUNDLE}|g"
fi

Then make sure the template that is piped into the script, sidecar-injector.yaml, carries the placeholder rather than a hard-coded bundle (the generated sidecar-injector-ca-bundle.yaml is overwritten by the next step, so editing it directly has no effect). If the template contains a line such as

      caBundle: "LS1q2w3e4r5t6y7u.........

replace it with

      caBundle: "${CA_BUNDLE}"

Then run the following, using the patched webhook-patch-ca-bundle.sh:

cat sidecar-injector.yaml | \
    ./webhook-patch-ca-bundle.sh > \
    sidecar-injector-ca-bundle.yaml

And apply the changes:

kubectl apply -f sidecar-injector-ca-bundle.yaml -n sidecar-injector
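As a check that ties the explanation above to the fix, here is an added diagnostic script. It is not part of the sidecar-injector tooling or of this article. It decodes the caBundle from the MutatingWebhookConfiguration (what the API server trusts), takes the injector's signed serving certificate from its secret and asks openssl whether the one chains the other; a "bad certificate" handshake error corresponds to a failed verification here, and an empty bundle to the EKS case where the configmap carried no CA. The webhook configuration name, the secret name and its cert.pem key are assumptions about the deployment and can be overridden through the environment; the script needs kubectl, openssl and a base64 that accepts -d.

```shell
#!/bin/sh
# Added diagnostic for the "remote error: tls: bad certificate" failure. It is
# not part of the sidecar-injector scripts. It checks whether the caBundle in
# the MutatingWebhookConfiguration (what the API server trusts) actually chains
# the serving certificate the injector presents. Requires kubectl, openssl and
# a base64 that accepts -d (GNU coreutils).
#
# The resource names below are assumptions about the deployment; override them
# through the environment if yours differ.
WEBHOOK_CONFIG="${WEBHOOK_CONFIG:-sidecar-injector-webhook}"     # hypothetical name
CERT_SECRET="${CERT_SECRET:-sidecar-injector-webhook-certs}"     # hypothetical name
NAMESPACE="${NAMESPACE:-sidecar-injector}"                       # namespace from the article

# verify_serving_cert <base64 caBundle> <serving cert PEM file>
# Returns 0 when the bundle chains the certificate (the API server would accept
# it), 1 otherwise. Issuer and subject are printed so a mismatch is obvious.
verify_serving_cert() {
    ca_b64="$1"
    cert_pem="$2"
    # An empty bundle is the EKS failure mode: the patch script found no
    # client-ca-file in the configmap and substituted nothing.
    if [ -z "$ca_b64" ]; then
        echo "caBundle is empty: the webhook config carries no CA at all" >&2
        return 1
    fi
    bundle="$(mktemp)" || return 1
    if ! printf '%s' "$ca_b64" | base64 -d > "$bundle" 2>/dev/null; then
        echo "caBundle is not valid base64" >&2
        rm -f "$bundle"
        return 1
    fi
    echo "serving cert issuer : $(openssl x509 -in "$cert_pem" -noout -issuer)"
    echo "caBundle subject    : $(openssl x509 -in "$bundle" -noout -subject)"
    if openssl verify -CAfile "$bundle" "$cert_pem" >/dev/null 2>&1; then
        echo "OK: caBundle chains the serving certificate"
        rm -f "$bundle"
        return 0
    fi
    echo "MISMATCH: the API server will reject this cert (tls: bad certificate)" >&2
    rm -f "$bundle"
    return 1
}

# check_cluster pulls both artefacts from the live cluster and compares them.
check_cluster() {
    ca_b64="$(kubectl get mutatingwebhookconfiguration "$WEBHOOK_CONFIG" \
        -o jsonpath='{.webhooks[0].clientConfig.caBundle}')" || return 1
    cert_b64="$(kubectl get secret -n "$NAMESPACE" "$CERT_SECRET" \
        -o jsonpath='{.data.cert\.pem}')" || return 1
    cert_pem="$(mktemp)" || return 1
    printf '%s' "$cert_b64" | base64 -d > "$cert_pem" || { rm -f "$cert_pem"; return 1; }
    verify_serving_cert "$ca_b64" "$cert_pem"
    rc=$?
    rm -f "$cert_pem"
    return $rc
}

# The live check only runs when asked for, so the file can also be sourced to
# reuse verify_serving_cert against local PEM files.
case "${1:-}" in
    --live) check_cluster ;;
esac
```

Run it as `./check-ca-bundle.sh --live` before and after applying the regenerated manifest: a MISMATCH or an empty bundle before and OK afterwards confirms that the new caBundle is the CA that signed the injector's serving certificate. The verification is kept separate from the kubectl calls so it can be exercised against local PEM files, for instance a CA and a certificate produced with openssl.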
