Knative services fail with certificateNotReady if workload_name+namespace+domain is more than 64 bytes in Tanzu Application Platform v1.4 when auto-tls is enabled

Article ID: 297896


Products

VMware Tanzu Application Service for VMs

Issue/Introduction

- After upgrading to Tanzu Application Platform v1.4, some Knative services may fail with READY=Unknown and REASON=CertificateNotReady:
    $ kubectl get ksvc -A
    NAMESPACE  NAME       URL                                  LATESTCREATED    LATESTREADY      READY   REASON
    namespace1 workload_1 https://workload_1-namespace1.domain workload_1-00001 workload_1-00001 True
    namespace2 workload_2 https://workload_2-namespace2.domain workload_2-00009 workload_2-00009 Unknown CertificateNotReady
- The error message "spec.commonName: Too long: must have at most 64 bytes" appears in the net-certmanager-controller log:
    $ kubectl -n knative-serving logs net-certmanager-controller-xyz
    ...type: 'Warning' reason: 'CreationFailed' Failed to create Cert-Manager Certificate route-4c1...94f/my-apps: admission webhook \"webhook.cert-manager.io\" denied the request: spec.commonName: Too long: must have at most 64 bytes","commit":"04919d3","knative.dev/controller":"certificate-controller"}


Environment

Product Version: 1.4

Resolution

  • This is a known issue introduced in Tanzu Application Platform v1.4.
  • It is fixed in knative-v1.9.0 and in Tanzu Application Platform v1.5 (starting from v1.5.0).
  • If you cannot upgrade TAP immediately, two temporary workarounds are available. See the CNR Troubleshooting guide for more information.
    • Option 1: Change the domain_template.
    • Option 2: Shorten the names of the Knative services or namespaces.
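
To see which services need one of these workarounds, the hostname in each service URL can be measured against the 64-byte limit. The script below is an added example, not part of the original article or of TAP. It assumes the URL hostname is the value checked against the limit, as the title describes. The function names, the sample data and the example.com domain are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag Knative service hostnames that exceed the 64-byte
# spec.commonName limit reported by the cert-manager webhook.
# Input on stdin: one "namespace name url" triple per line, e.g. from
#   kubectl get ksvc -A -o jsonpath='{range .items[*]}{.metadata.namespace}{" "}{.metadata.name}{" "}{.status.url}{"\n"}{end}'
MAX_CN_BYTES=64

# host_of URL: print the hostname (scheme, path and port removed).
host_of() {
    h=${1#*://}
    h=${h%%/*}
    h=${h%%:*}
    printf '%s' "$h"
}

# byte_len STRING: print the length in bytes (wc -c counts bytes, not characters).
byte_len() {
    printf '%s' "$1" | wc -c | tr -d ' '
}

# check_ksvc_hosts: print "namespace/name host bytes" for every host over
# the limit. Returns 1 if at least one was found, 0 otherwise.
check_ksvc_hosts() {
    rc=0
    while read -r ns name url rest; do
        [ -n "$url" ] || continue          # skip blank or incomplete lines
        host=$(host_of "$url")
        n=$(byte_len "$host")
        if [ "$n" -gt "$MAX_CN_BYTES" ]; then
            printf '%s/%s %s %s\n' "$ns" "$name" "$host" "$n"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample input (not real cluster output); the host follows the
# name-namespace.domain pattern shown in the article's URL column.
sample_ksvc() {
    cat <<'EOF'
namespace1 workload-1 https://workload-1-namespace1.example.com
team-payments-staging order-reconciliation-service https://order-reconciliation-service-team-payments-staging.apps.example.com
EOF
}

sample_ksvc | check_ksvc_hosts || true
```

Each reported service needs either a shorter name or namespace, or a domain_template that yields a shorter hostname, until the platform is upgraded.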