Compatibility
Below you will find details on various compatibility issues and quirks that you may be effected by in your environment.
GKE
When Google configure the control plane for private clusters, they automatically configure VPC peering between your Kubernetes cluster’s network and a separate Google managed project.
In order to restrict what Google are able to access within your cluster, the
firewall rules configured restrict access to your Kubernetes pods. This will
mean that you will experience the webhook to not work and experience errors such
as Internal error occurred: failed calling admission webhook ... the server is
currently unable to handle the request.
In order to use the webhook component with a GKE private cluster, you must configure an additional firewall rule to allow the GKE control plane access to your webhook pod.
You can read more information on how to add firewall rules for the GKE control plane nodes in the GKE docs.
Alternatively, you can read how to disable the webhook component.
Disabling Webhook
If you are having issues with the webhook and cannot use it at this time, you can optionally disable the webhook altogether.
Doing this may expose your cluster to miss-configuration problems that in some cases could cause cert-manager to stop working altogether (i.e. if invalid types are set for fields on cert-manager resources).
How you disable the webhook depends on your deployment method.
With Helm
The Helm chart exposes an option that can be used to disable the webhook.
To do so with an existing installation, you can run:
$ helm upgrade cert-manager \
--reuse-values \
--set webhook.enabled=falseIf you have not installed cert-manager yet, you can add the --set
webhook.enabled=false to the helm install command used to install
cert-manager.
With static manifests
Because we cannot specify options when installing the static manifests to conditionally disable different components, we also ship a copy of the deployment files that do not include the webhook.
Instead of installing with
cert-manager.yaml
file, you should instead use the
cert-manager-no-webhook.yaml
file located in the deploy directory.
This is a destructive operation, as it will remove the
CustomResourceDefinition resources, causing your configured Issuers,
Certificates etc to be deleted.
You should first backup your configuration before running the following commands.
To re-install cert-manager without the webhook, run:
$ kubectl delete -f https://github.com/jetstack/cert-manager/releases/download/v0.13.1/cert-manager.yaml
$ kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v0.13.1/cert-manager-no-webhook.yamlOnce you have re-installed cert-manager, you should then restore your configuration.