Recovering deleted ValidatingWebhookConfiguration "validator.pksapi.io " in TKGI

search cancel

Recovering deleted ValidatingWebhookConfiguration "validator.pksapi.io " in TKGI

book

Article ID: 370754

calendar_today

Updated On:

Products

VMware Tanzu Kubernetes Grid Integrated Edition VMware Tanzu Kubernetes Grid Integrated (TKGi) VMware Tanzu Kubernetes Grid Integrated Edition (Core) VMware Tanzu Kubernetes Grid Integrated Edition 1.x VMware Tanzu Kubernetes Grid Integrated EditionStarter Pack (Core)

Issue/Introduction

TKGI documentation for testing environments and debugging purposes only recommends deleting ValidatingWebhookConfiguration validator.pksapi.io. If the CRD is not backed up running errands won't be able to restore this object post deletion.

Environment

All TKGI environments with Sink resources enabled.

Cause

Accidental deletion of validator.pksapi.io
Deletion of validator.pksapi.io for debugging purposes but no backup taken for restoration

Resolution

To recover recreate the ValidatingWebhookConfiguration using the yaml below by performing a kubectl apply on the impacted cluster.

apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: validator.pksapi.io
  labels:
    metrics: "true"
    logs: "true"
    safeToDelete: "true"
webhooks:
  - name: metric.validator.pksapi.io
    rules:
      - apiGroups:
          - "pksapi.io"
        apiVersions:
          - v1beta1
        operations:
          - CREATE
          - UPDATE
        resources:
          - clustermetricsinks
          - metricsinks
    failurePolicy: Fail
    sideEffects: None
    clientConfig:
      service:
        name: validator
        namespace: pks-system
        path: /metricsink
      caBundle: ""
    admissionReviewVersions: [v1beta1]
  - name: log.validator.pksapi.io
    rules:
      - apiGroups:
          - "pksapi.io"
        apiVersions:
          - v1beta1
        operations:
          - CREATE
          - UPDATE
        resources:
          - clusterlogsinks
          - logsinks
    failurePolicy: Fail
    sideEffects: None
    clientConfig:
      service:
        name: validator
        namespace: pks-system
        path: /logsink
      caBundle: ""
    admissionReviewVersions: [v1beta1]

This CRD is missing caBundle parameter under clientConfig. The caBundle is generated as part of the validator deployment via init containers. To regenerate the caBundle

kubectl rollout restart deployment -n pks-system validator

# Verify the caBundle is added
kubectl get validatingwebhookconfiguration.admissionregistration.k8s.io/validator.pksapi.io -o yaml

Feedback

thumb_up Yes

thumb_down No