Resolving Rke2/Kubernetes v.1.3.0 vpa-admission issue.
I’ve experienced the error below in my RKE2 deployment.
MountVolume.SetUp failed for volume "tls-certs" : secret "vpa-tls-certs" not found

This issue is caused by the secret for the vpa-admission pod/webhook not being created in the related namespace (kube-system in the script below).
To resolve this issue, I am using the certificate generation script from the Kubernetes GitHub repository for the related version.
https://github.com/kubernetes/autoscaler/blob/5bcb526e08c17ff93cc6093ee89a95730a90e45b/vertical-pod-autoscaler/pkg/admission-controller/gencerts.sh#L54-L58
I ran the script above on a computer/VM that has access to the cluster.
The same result can also be achieved by generating the certificates locally and adding the secret manually through the Rancher GUI. Here’s how.
1. Modify the script above at line 25 to define your working directory. Here’s mine:
TMP_DIR="/root/vpa-admission/vpa-certs"
2. Comment out line 58, where the secret is created with the kubectl CLI:
#echo "Uploading certs to the cluster."
#kubectl create secret --namespace=kube-system generic vpa-tls-certs --from-file=${TMP_DIR}/caKey.pem --from-file=${TMP_DIR}/caCert.pem --from-file=${TMP_DIR}/serverKey.pem --from-file=${TMP_DIR}/serverCert.pem
3. Also comment out line 62, so that the certificate directory is not deleted:
#rm -rf ${TMP_DIR}
Here’s my complete script after modification.
#!/bin/bash
# Generates a CA cert, a server key, and a server cert signed by the CA.
# reference:
# https://github.com/kubernetes/kubernetes/blob/master/plugin/pkg/admission/webhook/gencerts.sh
set -o errexit
set -o nounset
set -o pipefail

CN_BASE="vpa_webhook"
# Working directory, changed from the upstream default so the files survive for manual upload.
TMP_DIR="/root/vpa-admission/vpa-certs"

echo "Generating certs for the VPA Admission Controller in ${TMP_DIR}."
mkdir -p ${TMP_DIR}
cat > ${TMP_DIR}/server.conf << EOF
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
subjectAltName = DNS:vpa-webhook.kube-system.svc
EOF

# Create a certificate authority
openssl genrsa -out ${TMP_DIR}/caKey.pem 2048
set +o errexit
openssl req -x509 -new -nodes -key ${TMP_DIR}/caKey.pem -days 100000 -out ${TMP_DIR}/caCert.pem -subj "/CN=${CN_BASE}_ca" -addext "subjectAltName = DNS:${CN_BASE}_ca"
if [[ $? -ne 0 ]]; then
  echo "ERROR: Failed to create CA certificate for self-signing. If the error is \"unknown option -addext\", update your openssl version or deploy VPA from the vpa-release-0.8 branch."
  exit 1
fi
set -o errexit

# Create a server certificate
openssl genrsa -out ${TMP_DIR}/serverKey.pem 2048
# Note the CN is the DNS name of the service of the webhook.
openssl req -new -key ${TMP_DIR}/serverKey.pem -out ${TMP_DIR}/server.csr -subj "/CN=vpa-webhook.kube-system.svc" -config ${TMP_DIR}/server.conf -addext "subjectAltName = DNS:vpa-webhook.kube-system.svc"
openssl x509 -req -in ${TMP_DIR}/server.csr -CA ${TMP_DIR}/caCert.pem -CAkey ${TMP_DIR}/caKey.pem -CAcreateserial -out ${TMP_DIR}/serverCert.pem -days 100000 -extensions SAN -extensions v3_req -extfile ${TMP_DIR}/server.conf

# Upload step disabled: the secret is created manually through the Rancher GUI instead.
#echo "Uploading certs to the cluster."
#kubectl create secret --namespace=kube-system generic vpa-tls-certs --from-file=${TMP_DIR}/caKey.pem --from-file=${TMP_DIR}/caCert.pem --from-file=${TMP_DIR}/serverKey.pem --from-file=${TMP_DIR}/serverCert.pem

# Clean up disabled: keep ${TMP_DIR} so the files can be uploaded manually.
#echo "Deleting ${TMP_DIR}."
#rm -rf ${TMP_DIR}
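Before the four files are pasted into a secret in the Rancher GUI, it is worth checking that they are consistent with each other: that serverCert.pem chains to caCert.pem, that it names vpa-webhook.kube-system.svc in its subjectAltName (the API server dials the webhook by that name and, being a Go client, ignores the CN), and that serverKey.pem is the key for serverCert.pem. The script below is an added example, not part of the original post or of the upstream gencerts.sh. It assumes only that the openssl CLI is installed; the file names, secret name and namespace are the ones the script above uses, and the function names (gen_certs, verify_vpa_certs, render_secret_manifest) are this example's own. gen_certs is a compact stand-in for the script so the example runs on its own; point verify_vpa_certs at the directory the real script produced.

```shell
#!/bin/bash
# Added example (not from the original post or the upstream gencerts.sh):
# check the generated files before building the vpa-tls-certs secret by hand,
# and render the manifest the GUI-created secret should match.
set -o errexit -o nounset -o pipefail

WEBHOOK_DNS="vpa-webhook.kube-system.svc"   # service.namespace.svc, the name the API server dials

# Compact stand-in for gencerts.sh: a CA plus a server cert carrying a SAN.
# A private config file is used so the result does not depend on the system openssl.cnf.
gen_certs() {
  local dir="$1" dns="$2"
  mkdir -p "${dir}"
  cat > "${dir}/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = vpa_webhook_ca
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl genrsa -out "${dir}/caKey.pem" 2048 2>/dev/null
  openssl req -x509 -new -nodes -key "${dir}/caKey.pem" -days 365 \
    -config "${dir}/ca.cnf" -out "${dir}/caCert.pem" 2>/dev/null
  openssl genrsa -out "${dir}/serverKey.pem" 2048 2>/dev/null
  openssl req -new -key "${dir}/serverKey.pem" -subj "/CN=${dns}" \
    -config "${dir}/ca.cnf" -out "${dir}/server.csr" 2>/dev/null
  # The SAN is attached at signing time through an extension file.
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "${dns}" > "${dir}/san.ext"
  openssl x509 -req -in "${dir}/server.csr" -CA "${dir}/caCert.pem" -CAkey "${dir}/caKey.pem" \
    -CAcreateserial -days 365 -extfile "${dir}/san.ext" -out "${dir}/serverCert.pem" 2>/dev/null
}

# Returns 0 when serverCert.pem chains to caCert.pem, names WEBHOOK_DNS in its SAN
# and belongs to serverKey.pem; returns 1, 2 or 3 to say which check failed.
verify_vpa_certs() {
  local dir="$1" text cert_mod key_mod
  # 1. chain: the API server only trusts the CA the webhook is registered with
  openssl verify -CAfile "${dir}/caCert.pem" "${dir}/serverCert.pem" >/dev/null 2>&1 || return 1
  # 2. SAN: a cert for another service name fails the TLS handshake even if it chains
  text=$(openssl x509 -in "${dir}/serverCert.pem" -noout -text)
  case "${text}" in
    *"DNS:${WEBHOOK_DNS}"*) ;;
    *) return 2 ;;
  esac
  # 3. key/cert pairing: a mismatch only shows up when the pod tries to serve TLS
  cert_mod=$(openssl x509 -in "${dir}/serverCert.pem" -noout -modulus)
  key_mod=$(openssl rsa -in "${dir}/serverKey.pem" -noout -modulus 2>/dev/null)
  [ "${cert_mod}" = "${key_mod}" ] || return 3
}

# Emit the secret as kubectl would build it from --from-file, so the object created
# in the GUI can be compared against it (same name, namespace and data keys).
render_secret_manifest() {
  local dir="$1" f
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: vpa-tls-certs\n  namespace: kube-system\ntype: Opaque\ndata:\n'
  for f in caKey.pem caCert.pem serverKey.pem serverCert.pem; do
    printf '  %s: %s\n' "${f}" "$(base64 < "${dir}/${f}" | tr -d '\n')"
  done
}

# Usage: ./check-vpa-certs.sh /root/vpa-admission/vpa-certs
if [ "$#" -gt 0 ]; then
  if verify_vpa_certs "$1"; then
    echo "certs in $1 are consistent for ${WEBHOOK_DNS}" >&2
    render_secret_manifest "$1"
  else
    echo "check $? failed for certs in $1" >&2
    exit 1
  fi
fi
```

Run with the certificate directory as its only argument; it prints the manifest on success and the number of the failed check otherwise. Because the cleanup step of the script above is commented out, the directory still holds caKey.pem, the CA private key, after the secret exists in the cluster; delete it yourself once the vpa-admission pod has started.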