"Couchbase-operator-admission.default.svc" denied the request: validation failure list

I created the DAC certificate as shown here
https://docs.couchbase.com/operator/2.0/tutorial-tls.html#creating-a-dynamic-admission-controller-server-certificate and created couchbase-operator-tls

I get the following error.

Error from server: error when creating “couchbase-cluster.yaml”: admission webhook “couchbase-operator-admission.default.svc” denied the request: validation failure list:
Unauthorized
Error from server: error when creating “couchbase-cluster.yaml”: admission webhook “couchbase-operator-admission.default.svc” denied the request: validation failure list:
Unauthorized
Unauthorized
Unauthorized
Unauthorized

Not sure what the error says.

“Unauthorized” is an HTTP 401 error, so I’m assuming TLS is working or it wouldn’t even report anything back. The DAC, however, has no HTTP authorization…

First up, you shouldn’t need to generate your own certificates. I’d advise using cbopcfg --no-operator --namespace foo | kubectl create -f - -n foo as it does it all for you. See if that works.

If the error is still occurring, I’m guessing the 401 is happening between the DAC and the Kubernetes API. The DAC should have a secret created for it automatically with a service token in it. I’d be tempted to extract that and use it with kubectl to verify it actually works against the API.

Hi, thanks for getting back.
The suggested cbopcfg --no-operator --namespace foo | kubectl create -f - -n foo works fine.

After this step, if I run

apiVersion: v1
kind: Secret
metadata:
  name: cbsecret
type: Opaque
data:
  username: QWRtaW5pc3RyYXRvcg== # Administrator
  password: cGFzc3dvcmQ=         # password
---
apiVersion: couchbase.com/v2
kind: CouchbaseBucket
metadata:
  name: wayshipdev
---
apiVersion: couchbase.com/v2
kind: CouchbaseCluster
metadata:
  name: couchbasecluster
spec:
  image: couchbase/server:6.5.0
  security:
    adminSecret: cbsecret
  buckets:
    managed: true
  servers:
  - size: 3
    name: all_services
    services:
    - data
    - index
    - query
    - search
    - eventing
    - analytics
  networking:
    exposeAdminConsole: true
    adminConsoleServices:
    - data
    adminConsoleServiceType: LoadBalancer
    exposedFeatures:
    - xdcr
    exposedFeatureServiceType: LoadBalancer
    exposedFeatureTrafficPolicy: Local
    tls:
      static:
        serverSecret: couchbase-server-tls
        operatorSecret: couchbase-operator-tls
    dns:
      domain: wayship.io
    serviceAnnotations:
      my-annotation: my-value
  logging:
    logRetentionTime: 604800s
    logRetentionCount: 20

this YAML, I’m getting an error

Error from server: error when creating "couchbase-cluster.yaml": admission webhook "couchbase-operator-admission.default.svc" denied the request: validation failure list:

Is there any more to that output? It should tell you exactly what is wrong.

This is the whole output

Error from server: error when creating "couchbase-cluster.yaml": admission webhook "couchbase-operator-admission.default.svc" denied the request: validation failure list:
certificate cannot be verified for zone: x509: certificate is valid for *.couchbasecluster, *.couchbasecluster.default, *.couchbasecluster.default.svc, couchbasecluster-srv, couchbasecluster-srv.default, couchbasecluster-srv.default.svc, *.couchbasecluster-srv.default.svc.cluster.local, localhost, *.couchbasecluster.wayship.in, *.wayship.in, not host.wayship.io

I made a mistake in certificate creation. Solved, thanks.
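As an added check that is not part of this thread or the operator's own code, the script below applies the same kind of SAN matching behind the x509 error above: it takes the SAN list from that error as constructed input, derives the names a cluster called couchbasecluster in namespace default with spec.networking.dns.domain needs, and reports which ones the certificate does not cover. The required_hosts helper and its "host" placeholder label are assumptions that mirror the names in the error, not an operator API.

```python
# SAN list copied from the DAC's error output in this thread (constructed input).
SANS_FROM_ERROR = [
    "*.couchbasecluster", "*.couchbasecluster.default",
    "*.couchbasecluster.default.svc", "couchbasecluster-srv",
    "couchbasecluster-srv.default", "couchbasecluster-srv.default.svc",
    "*.couchbasecluster-srv.default.svc.cluster.local", "localhost",
    "*.couchbasecluster.wayship.in", "*.wayship.in",
]


def san_matches(san: str, host: str) -> bool:
    """RFC 6125-style comparison: '*' is only honoured as the whole leftmost
    label and matches exactly one label, so *.wayship.in covers
    host.wayship.in but neither a.b.wayship.in nor wayship.in itself."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    san_labels, host_labels = san.split("."), host.split(".")
    return len(san_labels) == len(host_labels) and san_labels[1:] == host_labels[1:]


def uncovered_hosts(sans, hosts):
    """Return the required hosts that no SAN entry covers, in input order."""
    return [h for h in hosts if not any(san_matches(s, h) for s in sans)]


def required_hosts(cluster: str, namespace: str, dns_domain: str):
    """Assumed required set: one pod name under each in-cluster suffix the
    DAC error lists, plus names under spec.networking.dns.domain. The pod
    label and the 'host' label are placeholders, not operator-defined names."""
    pod = f"{cluster}-0000"
    return [
        f"{pod}.{cluster}", f"{pod}.{cluster}.{namespace}",
        f"{pod}.{cluster}.{namespace}.svc",
        f"{cluster}-srv", f"{cluster}-srv.{namespace}", f"{cluster}-srv.{namespace}.svc",
        f"{pod}.{cluster}-srv.{namespace}.svc.cluster.local",
        "localhost", f"{pod}.{cluster}.{dns_domain}", f"host.{dns_domain}",
    ]


if __name__ == "__main__":
    # The manifest in this thread sets dns.domain: wayship.io, but the
    # certificate was issued for wayship.in, so the last two names fail.
    for domain in ("wayship.io", "wayship.in"):
        missing = uncovered_hosts(SANS_FROM_ERROR, required_hosts("couchbasecluster", "default", domain))
        print(f"dns.domain={domain}: uncovered={missing}")
```

Run it before applying the CouchbaseCluster manifest; an empty list for your dns.domain means the server certificate's SANs agree with the names the cluster will be reached by.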


Precisely why the DAC exists :smile: TLS is hard enough at the best of times!

Glad to have helped.
