UPGRADE FAILED: Internal error occurred: failed calling webhook "validate.nginx.ingress.kubernetes.io": Post : x509: certificate signed by unknown authority
this is the exact error which comes when I am using helm upgrade.
tried to apply the previous local values file to helm upgrade. did not work
Running the following command fixed the problem. I am unable to find the root cause of the same
kubectl delete -A ValidatingWebhookConfiguration ingress-nginx-admission
Related
※I am a beginner, so if you have any information you need, please comment.
Based on the yaml file, I am trying to publish a sample app that has already been launched in Pod via Ingress.
$kubectl apply -f ./overlays/stg/bookinfo-ingress.yaml
■Errormessage
Error from server (InternalError): error when creating "./overlays/stg/bookinfo-ingress.yaml": Internal error occurred: failed calling webhook "validate.nginx.ingress.kubernetes.io": failed to call webhook: Post "https://ingress-nginx-controller-admission.ingress-nginx.svc:443/networking/v1/ingresses?timeout=10s": x509: certificate signed by unknown authority
Just created a managed 2-node Kubernetes (ver. 1.22.8) cluster on DigitalOcean (DO).
After installing WordPress using Bitnami Helm chart, and then installing a WP plugin, the site became unreachable.
Looking into DO K8s dashboard in the deployment section, the wordpress deployment shows the following error:
0/2 nodes are available: 2 pod has unbound immediate PersistentVolumeClaims.
AttachVolume.Attach failed for volume "pvc-c859847e-f250-4e71-9ed3-63c92cc01f50" : rpc error: code = DeadlineExceeded desc = context deadline exceeded
MountVolume.MountDevice failed for volume "pvc-c859847e-f250-4e71-9ed3-63c92cc01f50" : rpc error: code = Internal desc = formatting disk failed: exit status 1 cmd: 'mkfs.ext4 -F /dev/disk/by-id/scsi-0DO_Volume_pvc-c859847e-f250-4e71-9ed3-63c92cc01f50' output: "mke2fs 1.45.5 (07-Jan-2020)\nThe file /dev/disk/by-id/scsi-0DO_Volume_pvc-c859847e-f250-4e71-9ed3-63c92cc01f50 does not exist and no size was specified.\n"
Readiness probe failed: HTTP probe failed with statuscode: 404
As I'm quite new to K8s, I don't know much how to troubleshoot this.
Any help would be much appreciated.
UPDATE
I was able to reproduce the error and found what triggers it.
WordPress Bitnami charts installs several WP plugins by default. As soon as I try to delete them, the error shows up and the persistent volume gets corrupted...
Is this maybe a bug or it's standard behavior?
I am running nginx-ingress v0.44.0 on Kubernetes version v1.20.2, install ingress using helm chat ingress-nginx-3.23.0. nginx taking the traffic from the log file I see this error message.
E0209 23:21:41.300842 6 token_source.go:152] Unable to rotate token: failed to read token file "/var/run/secrets/kubernetes.io/serviceaccount/token": open /var/run/secrets/kubernetes.io/serviceaccount/token: permission denied
E0209 23:21:41.316286 6 token_source.go:152] Unable to rotate token: failed to read token file "/var/run/secrets/kubernetes.io/serviceaccount/token": open /var/run/secrets/kubernetes.io/serviceaccount/token: permission denied
Nignx is running uid 101 but serviceaccount directory owned by root user.
How to fix this error message?
Thanks
It's kinda odd, as I've tested I haven't experienced such a error.
You could use securityContext, set
fsGroup: 101 or
runAsUser/runAsGroup
But still the ingress-nginx sets appropriate securityContext (for example to bind on 80/443), so it should work.
As #sfgroups mentioned solution is to make nignx not running uid 101 but 0.
Add flag to installation command: --set controller.image.runAsUser=0.
Read: helm-nginx-ingress-installation.
Currently, we are trying to setup neutron for our cloud server. Since everyone is new to this, we are struggling a bit. When we entered this command:
openstack network create --share --external \
--provider-physical-network provider \
--provider-network-type flat provider
And it throws this error:
Error while executing command: HttpException: 503, The Keystone service is temporarily unavailable.: 503 Service Unavailable: The server is currently unavailable. Please try again at a later time.
We are following openstack docs guide to a T.
Does anyone know what causes this error and how to fix it?
Thanks.
I fixed it, it was a problem with MariaDB. When we updated it from 10.1 to 10.3, I couldn't access my DB, so when I fixed that error it works now.
I followed https://www.theurbanpenguin.com/installing-devstack-on-ubuntu-16-04/ tutorial to install devstack(queens release) on my Ubuntu 16.04 server.
After the installation was done I ran the following commands
export OS_USERNAME=admin
export OS_TENANT_NAME=admin
export OS_PASSWORD=<password>
export OS_AUTH_URL=http://server-ip:5000/v2.0
openstack image create --public --disk-format qcow2 --container-format bare --file /home/cse3/ubuntu_images/ubuntu-14.04-server-cloudimg-amd64-disk1.img ubuntu
But whenever I open http://server-ip:5000/v2.0 in my browser I am getting unable to connect error.
When I create an image from the command line I get the following message
Failed to discover available identity versions when contacting http://server-ip:5000/v2.0. Attempting to parse version from URL.
Unable to establish connection to http://server-ip:5000/v2.0/tokens: HTTPConnectionPool(host='server-ip', port=5000): Max retries exceeded with url: /v2.0/tokens (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f84ebecabd0>: Failed to establish a new connection: [Errno 111] Connection refused',))
Can anyone suggest what steps need to be followed to remove this error?
After installing the Devstack, you should be able to view the OpenStack dashboard at http://server-ip if the server-ip is a public IP. The AUTH_URL is for you to authorize the API when you are using the SDK or the client library. And this is actually how the dashboard (Horizon) works with the Keystone identity service.
If the server_ip is not a public IP, you need to set up a proxy port in your server and your browser.
It's because the identity API changed from
export OS_AUTH_URL=http://server-ip:5000/v2.0
to
export OS_AUTH_URL=http://server-ip/identity
You can get more from the OpenStack Doc
Check your httpd is running
systemctl status httpd
If it is exited or not started .
Enable the httpd
systemctk s