
Failed calling webhook x509: certificate relies on legacy Common Name field #406

@frealmyr

Describe the bug

Our test GKE cluster is configured to use the RAPID release channel, and was today upgraded to 1.19.7-gke.1302. Now we are getting the following errors while attempting to deploy applications containing config connector resources using helm:

client.go:205: [debug] error updating the resource "cnrm-push-engine-***********-firebase-datastore-user":
	 cannot patch "cnrm-push-engine-***********-firebase-datastore-user" with kind IAMPolicyMember: Internal error occurred: failed calling webhook "iam-validation.cnrm.cloud.google.com": Post "https://cnrm-validating-webhook.cnrm-system.svc:443/iam-validation?timeout=30s": x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0
client.go:205: [debug] error updating the resource "cnrm-push-engine-***********-firebase-firebasenotifications-admin":
	 cannot patch "cnrm-push-engine-***********-firebase-firebasenotifications-admin" with kind IAMPolicyMember: Internal error occurred: failed calling webhook "iam-validation.cnrm.cloud.google.com": Post "https://cnrm-validating-webhook.cnrm-system.svc:443/iam-validation?timeout=30s": x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0
client.go:205: [debug] error updating the resource "cnrm-push-engine-***********-firebase-firebaseinappmessaging-admin":
	 cannot patch "cnrm-push-engine-***********-firebase-firebaseinappmessaging-admin" with kind IAMPolicyMember: Internal error occurred: failed calling webhook "deny-unknown-fields.cnrm.cloud.google.com": Post "https://cnrm-validating-webhook.cnrm-system.svc:443/deny-unknown-fields?timeout=30s": x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0
client.go:205: [debug] error updating the resource "cnrm-push-engine-***********-firebase-firebase-sdkadminserviceagent":
	 cannot patch "cnrm-push-engine-***********-firebase-firebase-sdkadminserviceagent" with kind IAMPolicyMember: Internal error occurred: failed calling webhook "iam-validation.cnrm.cloud.google.com": Post "https://cnrm-validating-webhook.cnrm-system.svc:443/iam-validation?timeout=30s": x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0
client.go:205: [debug] error updating the resource "cnrm-wi-push-engine":
	 cannot patch "cnrm-wi-push-engine" with kind IAMPolicyMember: Internal error occurred: failed calling webhook "deny-immutable-field-updates.cnrm.cloud.google.com": Post "https://cnrm-validating-webhook.cnrm-system.svc:443/deny-immutable-field-updates?timeout=30s": x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0
client.go:205: [debug] error updating the resource "cnrm-push-engine":
	 cannot patch "cnrm-push-engine" with kind IAMServiceAccount: Internal error occurred: failed calling webhook "deny-unknown-fields.cnrm.cloud.google.com": Post "https://cnrm-validating-webhook.cnrm-system.svc:443/deny-unknown-fields?timeout=30s": x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0
upgrade.go:367: [debug] warning: Upgrade "push-engine-test" failed: cannot patch "cnrm-push-engine-***********-firebase-datastore-user" with kind IAMPolicyMember: Internal error occurred: failed calling webhook "iam-validation.cnrm.cloud.google.com": Post "https://cnrm-validating-webhook.cnrm-system.svc:443/iam-validation?timeout=30s": x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0 && cannot patch "cnrm-push-engine-***********-firebase-firebasenotifications-admin" with kind IAMPolicyMember: Internal error occurred: failed calling webhook "iam-validation.cnrm.cloud.google.com": Post "https://cnrm-validating-webhook.cnrm-system.svc:443/iam-validation?timeout=30s": x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0 && cannot patch "cnrm-push-engine-***********-firebase-firebaseinappmessaging-admin" with kind IAMPolicyMember: Internal error occurred: failed calling webhook "deny-unknown-fields.cnrm.cloud.google.com": Post "https://cnrm-validating-webhook.cnrm-system.svc:443/deny-unknown-fields?timeout=30s": x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0 && cannot patch "cnrm-push-engine-***********-firebase-firebase-sdkadminserviceagent" with kind IAMPolicyMember: Internal error occurred: failed calling webhook "iam-validation.cnrm.cloud.google.com": Post "https://cnrm-validating-webhook.cnrm-system.svc:443/iam-validation?timeout=30s": x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0 && cannot patch "cnrm-wi-push-engine" with kind IAMPolicyMember: Internal error occurred: failed calling webhook "deny-immutable-field-updates.cnrm.cloud.google.com": Post 
"https://cnrm-validating-webhook.cnrm-system.svc:443/deny-immutable-field-updates?timeout=30s": x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0 && cannot patch "cnrm-push-engine" with kind IAMServiceAccount: Internal error occurred: failed calling webhook "deny-unknown-fields.cnrm.cloud.google.com": Post "https://cnrm-validating-webhook.cnrm-system.svc:443/deny-unknown-fields?timeout=30s": x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0
upgrade.go:385: [debug] Upgrade failed and atomic is set, rolling back to last successful release

This seems related to #335, where @maqiuyujoyce reported that a fix was committed.

ConfigConnector Version
1.37.0

To Reproduce

  • Upgrade GKE cluster to 1.19+ (Now default in RAPID channel)
  • Helm upgrade on releases with config connector resources.
