Comments (5)
update-s2i-operator.zip
For servers that are unable to access GitHub: update-s2i-operator.zip
I sorted the above scripts for the issue; it can resolve the issue perfectly.
The following posts are for reference:
#6047
https://ask.kubesphere.io/forum/d/23239-kubesphere-jing-xiang-gou-jian-qi-s2ifu-wu-zheng-shu-guo-qi-wen-ti
from kubesphere.
- replace secret

```bash
cat <<EOF | kubectl apply -f -
apiVersion: v1
data:
  caBundle: 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
  tls.crt: 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
  tls.key: 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
kind: Secret
metadata:
  annotations:
    meta.helm.sh/release-name: devops
    meta.helm.sh/release-namespace: kubesphere-devops-system
  labels:
    app.kubernetes.io/managed-by: Helm
  name: s2i-webhook-server-cert
  namespace: kubesphere-devops-system
type: Opaque
EOF
```
- replace validating-webhook-configuration

```bash
cat <<EOF | kubectl apply -f -
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  annotations:
    meta.helm.sh/release-name: devops
    meta.helm.sh/release-namespace: kubesphere-devops-system
  generation: 3
  labels:
    app.kubernetes.io/managed-by: Helm
  name: validating-webhook-configuration
webhooks:
- admissionReviewVersions:
  - v1
  - v1beta1
  clientConfig:
    caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURjekNDQWx1Z0F3SUJBZ0lVT0lyK2FFaFhyVEI3Z01UK1RZTFRjMS9rdkowd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1NERUxNQWtHQTFVRUJoTUNRMDR4Q3pBSkJnTlZCQWdNQWtoQ01Rc3dDUVlEVlFRS0RBSlJRekVmTUIwRwpBMVVFQXd3V2QyVmlhRzl2YXkxelpYSjJaWEl0YzJWeWRtbGpaVEFnRncweU5EQXlNVGt3TlRReU1qZGFHQTh5Ck1EVXhNRGN3TnpBMU5ESXlOMW93U0RFTE1Ba0dBMVVFQmhNQ1EwNHhDekFKQmdOVkJBZ01Ba2hDTVFzd0NRWUQKVlFRS0RBSlJRekVmTUIwR0ExVUVBd3dXZDJWaWFHOXZheTF6WlhKMlpYSXRjMlZ5ZG1salpUQ0NBU0l3RFFZSgpLb1pJaHZjTkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFLRkVpSk9NZlF6ZnJwRE1aOHNNMmxoaFZUVnVGOFU5CjJTYXFCYTNUSU1rc0gvZmlwai8rVjZmaUhLYnh4ZGlrclIxaFZJajFrMkt0aVJRL1ZPbG1pSHdGakVyYUNtNGUKMGhsdzl5Mmt0akF0bzlXYlRaQVV0SFJhK0Q2TUlmajNjUG9QVnV0ZjYyRklYZTNNYmJSaU1SWjNEN2c2RE52SQplUGcydjJyQjZva3g0MDM0L0gxdkk2dTNGaHkvNXRQeklGYmFxU1Z1bHhZck5CUUV1MGhzanVKZVhtK0drWnlTClVuSkpMUkcza1p3Wk1CTitGWDlhRzdvMkJrdVVXT3doMnhUeGp6TFppSEJobUJHbnU1WEVKR0J1a2xaT0tIeE0KQ0lPSGtNVWo4VllIcU5RV3VLaFRvcncraFl1UU9aU2VMaGE1ZFRZczRkdlU1cTdJMjA4VXJBRUNBd0VBQWFOVApNRkV3SFFZRFZSME9CQllFRkRSVXRvYWRlUnYvYWYxamtJT0hXU3dNT3ppVk1COEdBMVVkSXdRWU1CYUFGRFJVCnRvYWRlUnYvYWYxamtJT0hXU3dNT3ppVk1BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUwKQlFBRGdnRUJBRnByajJrZFRoQk93bEtiQ1VNNVpMTDBzbi8rSmI2WXZtSXRFNkpiemRUc3RyaTdsWHk2NlJPNwpTaHF2aURrQVhUYTVWWTc1UFdWNjRMRXlJTW9JYyt2NkdXVSsveWtGTnZTMHJCbm9yczlzdDFyMFllRXhHM0pyCnhHNFhzUzJIbmJ5Yk5oelg3Q3pWRnFGYWh2WEJ0SkZoTGY1TVVUTkFWem0reTgxTlZBcG83bWNmL3ZZKzlmcSsKYjNpVTYvQTluby9JSlZYbWt6V1o2SUQvb0pxQTE1Y0hJaVYrZ05pbDE1dEZKVUtRTkVuMlZWVisveFo3VXJmWgpMTWhtRmZFTGdPUnIvei8vNUx1bXlCeFdOelFCUWhRbVJNSlgzM2IrR1lBbFYvTS85cEZLMHV0NGtaMjZVbkdjCk5TSFJ0VHdseldXNTk4SU40QmUxTjNDU0tEZWwvNGc9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
    service:
      name: webhook-server-service
      namespace: kubesphere-devops-system
      path: /validate-devops-kubesphere-io-v1alpha1-s2ibuilder
      port: 443
  failurePolicy: Fail
  matchPolicy: Equivalent
  name: vs2ibuilder.kb.io
  namespaceSelector: {}
  objectSelector: {}
  rules:
  - apiGroups:
    - devops.kubesphere.io
    apiVersions:
    - v1alpha1
    operations:
    - CREATE
    - UPDATE
    resources:
    - s2ibuilders
    scope: '*'
  sideEffects: None
  timeoutSeconds: 10
- admissionReviewVersions:
  - v1
  - v1beta1
  clientConfig:
    caBundle: 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
    service:
      name: webhook-server-service
      namespace: kubesphere-devops-system
      path: /validate-devops-kubesphere-io-v1alpha1-s2ibuildertemplate
      port: 443
  failurePolicy: Fail
  matchPolicy: Equivalent
  name: s2ibuildertemplate.kb.io
  namespaceSelector: {}
  objectSelector: {}
  rules:
  - apiGroups:
    - devops.kubesphere.io
    apiVersions:
    - v1alpha1
    operations:
    - CREATE
    - UPDATE
    resources:
    - s2ibuildertemplates
    scope: '*'
  sideEffects: None
  timeoutSeconds: 10
- admissionReviewVersions:
  - v1
  - v1beta1
  clientConfig:
    caBundle: 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
    service:
      name: webhook-server-service
      namespace: kubesphere-devops-system
      path: /validate-devops-kubesphere-io-v1alpha1-s2irun
      port: 443
  failurePolicy: Fail
  matchPolicy: Equivalent
  name: vs2irun.kb.io
  namespaceSelector: {}
  objectSelector: {}
  rules:
  - apiGroups:
    - devops.kubesphere.io
    apiVersions:
    - v1alpha1
    operations:
    - CREATE
    - UPDATE
    resources:
    - s2iruns
    scope: '*'
  sideEffects: None
  timeoutSeconds: 10
EOF
```
- replace mutating-webhook-configuration

```bash
cat <<EOF | kubectl apply -f -
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  annotations:
    meta.helm.sh/release-name: devops
    meta.helm.sh/release-namespace: kubesphere-devops-system
  generation: 2
  labels:
    app.kubernetes.io/managed-by: Helm
  name: mutating-webhook-configuration
webhooks:
- admissionReviewVersions:
  - v1
  - v1beta1
  clientConfig:
    caBundle: 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
    service:
      name: webhook-server-service
      namespace: kubesphere-devops-system
      path: /mutate-devops-kubesphere-io-v1alpha1-s2ibuilder
      port: 443
  failurePolicy: Fail
  matchPolicy: Equivalent
  name: s2ibuilder.kb.io
  namespaceSelector: {}
  objectSelector: {}
  reinvocationPolicy: Never
  rules:
  - apiGroups:
    - devops.kubesphere.io
    apiVersions:
    - v1alpha1
    operations:
    - CREATE
    - UPDATE
    resources:
    - s2ibuilders
    scope: '*'
  sideEffects: None
  timeoutSeconds: 10
EOF
```
- restart s2ioperator

```bash
$ kubectl -n kubesphere-devops-system rollout restart sts s2ioperator
```
from kubesphere.
: )
Thank you for your detailed answers, it works for me entirely.
Now I can build my web document container automatically again, haha.
For curiosity, could you please answer the following questions for me?
The method seems to work by replacing the TLS certificate of the s2i-operator service. But if each cluster replaces the validating CA with the one provided in your reply, will it cause a security issue? Besides, when will the new TLS certificate expire?
To sum up, shall I regenerate a new CA and sign a longer-period TLS certificate in order to avoid the above issues?
from kubesphere.
> : ) Thank you for your detailed answers, it works for me entirely.
> Now I can build my web document container automatically again, haha.
> For curiosity, could you please answer the following questions for me?
> The method seems to work by replacing the TLS certificate of the s2i-operator service. But if each cluster replaces the validating CA with the one provided in your reply, will it cause a security issue? Besides, when will the new TLS certificate expire?
> To sum up, shall I regenerate a new CA and sign a longer-period TLS certificate in order to avoid the above issues?

You can use the following script to generate your own CA certificate.
```bash
#!/bin/bash
# Creates a private CA with openssl and uses it to sign a server certificate
# for the webhook service. All output files are written to config/certs.
# The usage text mentions the k8s CertificateSigningRequest API, but the
# commands below sign with the locally generated CA instead.

set -e

usage() {
    cat <<EOF
Generate certificate suitable for use with a sidecar-injector webhook service.
This script uses k8s' CertificateSigningRequest API to generate a
certificate signed by k8s CA suitable for use with sidecar-injector webhook
services. This requires permissions to create and approve CSR. See
https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster for
detailed explanation and additional instructions.
The server key/cert k8s CA cert are stored in a k8s secret.
usage: ${0} [OPTIONS]
The following flags are required.
       --service          Service name of webhook.
       --namespace        Namespace where webhook service and secret reside.
EOF
    exit 1
}

# Parse --service and --namespace; anything else prints the usage text.
while [[ $# -gt 0 ]]; do
    case ${1} in
        --service)
            service="$2"
            shift
            ;;
        --namespace)
            namespace="$2"
            shift
            ;;
        *)
            usage
            ;;
    esac
    shift
done

# Defaults when a flag is omitted.
[ -z "${service}" ] && service=webhook-service
[ -z "${namespace}" ] && namespace=default

if [ ! -x "$(command -v openssl)" ]; then
    echo "openssl not found"
    exit 1
fi

csrName=${service}.${namespace}
CERTSDIR="config/certs"
if [ ! -d "${CERTSDIR}" ]; then
    mkdir -p "${CERTSDIR}"
fi

# Extensions for the server certificate, including the service DNS name as SAN.
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=${service}.${namespace}.svc
DNS.2=hostname
EOF

echo "creating certs in certsdir ${CERTSDIR} "

# create cakey
openssl genrsa -out "${CERTSDIR}/ca.key" 2048

# create ca.crt
openssl req -x509 -new -nodes -key "${CERTSDIR}/ca.key" -subj "/C=CN/ST=HB/O=QC/CN=${service}" -sha256 -days 10000 -out "${CERTSDIR}/ca.crt"

# create server.key
openssl genrsa -out "${CERTSDIR}/server.key" 2048

# create server.crt
openssl req -new -sha256 -key "${CERTSDIR}/server.key" -subj "/C=CN/ST=HB/O=QC/CN=${service}.${namespace}.svc" -out "${CERTSDIR}/server.csr"
openssl x509 -req -in "${CERTSDIR}/server.csr" -extfile v3.ext -CA "${CERTSDIR}/ca.crt" -CAkey "${CERTSDIR}/ca.key" -CAcreateserial -out "${CERTSDIR}/server.crt" -days 10000 -sha256
```
Run the following command.

```bash
./cert.sh --service webhook-server-service --namespace kubesphere-devops-system
```

The file mappings are as follows:
ca.crt -> caBundle
server.key -> tls.key
server.crt -> tls.crt
from kubesphere.
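
A pre-flight check for the files produced by the script above, as an added example that is not part of the original thread or of KubeSphere: it confirms that server.crt chains to ca.crt, matches server.key, is valid for the service DNS name and is not close to expiry, then renders the Secret using the file mapping given above. The function names and the 30-day threshold are assumptions, and the Secret metadata is reduced to name and namespace.

```bash
#!/usr/bin/env bash
# Added example; function names and the 30-day default are assumptions.

# check_webhook_certs DIR SERVICE NAMESPACE [MIN_DAYS]
# Succeeds only if server.crt chains to ca.crt, matches server.key, is valid
# for <service>.<namespace>.svc and stays valid for at least MIN_DAYS days.
check_webhook_certs() {
  local dir="$1" host="$2.$3.svc" min_days="${4:-30}"
  openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 ||
    { echo "server.crt is not signed by ca.crt" >&2; return 1; }
  # The certificate and the private key must carry the same public key.
  [ "$(openssl x509 -in "$dir/server.crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$dir/server.key" -pubout 2>/dev/null)" ] ||
    { echo "server.key does not match server.crt" >&2; return 1; }
  # The API server connects to <service>.<namespace>.svc, so that name must match.
  openssl x509 -in "$dir/server.crt" -noout -checkhost "$host" | grep -q 'does match' ||
    { echo "server.crt is not valid for $host" >&2; return 1; }
  openssl x509 -in "$dir/server.crt" -noout -checkend "$((min_days * 86400))" >/dev/null ||
    { echo "server.crt expires within $min_days days" >&2; return 1; }
  # Report the expiry dates of both certificates.
  echo "server.crt $(openssl x509 -in "$dir/server.crt" -noout -enddate)" >&2
  echo "ca.crt     $(openssl x509 -in "$dir/ca.crt" -noout -enddate)" >&2
}

# b64 FILE: single-line base64, as used in Secret .data fields.
b64() { base64 < "$1" | tr -d '\n'; }

# render_secret DIR: print the Secret with ca.crt -> caBundle,
# server.crt -> tls.crt and server.key -> tls.key.
render_secret() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: s2i-webhook-server-cert
  namespace: kubesphere-devops-system
type: Opaque
data:
  caBundle: $(b64 "$1/ca.crt")
  tls.crt: $(b64 "$1/server.crt")
  tls.key: $(b64 "$1/server.key")
EOF
}

# Usage: ./check-certs.sh config/certs | kubectl apply -f -
if [ "$#" -ge 1 ]; then
  check_webhook_certs "$1" webhook-server-service kubesphere-devops-system && render_secret "$1"
fi
```

The same single-line base64 of ca.crt also goes into every `clientConfig.caBundle` of the validating and mutating webhook configurations shown earlier, followed by the s2ioperator restart.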
Thanks @C4a15Wh This led me to resolving my problem!
from kubesphere.