Hi, we are seeing a cert issue with webhook when r...
# ask-the-communityn
Nandakumar Raghu
09/01/2023, 1:27 PMHi, we are seeing a cert issue with webhook when running a workflow on a CronSchedule of 2 mins via a LaunchPlan. We are pulling in some k8s secrets in the tasks, looks like the webhook has something to do with that. The workflow failed for a couple of times and then recovered.
Copy code
RuntimeExecutionError: failed during plugin execution, caused by: failed to execute handle for plugin [container]: [InternalError] failed to create resource, caused by: Internal error occurred: failed calling webhook "<http://flyte-pod-webhook.flyte.org|flyte-pod-webhook.flyte.org>": failed to call webhook: Post "<https://flyte-flyte-binary-webhook.flyte.svc:443/mutate--v1-pod?timeout=10s>": tls: failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "<http://flyte.org|flyte.org>")h
Haytham Abuelfutuh
09/01/2023, 4:53 PM
Hi @Nandakumar Raghu, great investigative skills right there 🙂
If it's related to expiry, you would have received a different, and more specific, error I believe. So I'm inclined to say this is not.
Haytham Abuelfutuh
09/01/2023, 4:53 PM
were there many pods (that pull secrets) running at the same time? how many if you have to guess?
Haytham Abuelfutuh
09/01/2023, 4:56 PM
Which chart are you using? flyte-binary? flyte-core?
n
Nandakumar Raghu
09/01/2023, 5:04 PMI don't see any other executions at the time of this failure on the UI. This happened exactly starting 12.28 PM UTC and the last failure was at 12.28 PM UTC and then it recovered. We are using the flyte-binary chart.
Nandakumar Raghu
09/14/2023, 1:41 PM@Kevin Su - thoughts?
Nandakumar Raghu
09/18/2023, 9:53 AM@Haytham Abuelfutuh - I read in the cookbook about scaling the webhook pod, but I guess with flyte-binary, there is no separate webhook pod? The flyte binary (
flyte-flyte-binary-877b879d5-pcwzbh
Haytham Abuelfutuh
09/18/2023, 4:03 PM
3 should be plenty...
Haytham Abuelfutuh
09/18/2023, 4:04 PM
the same binary serves the webhook endpoint as well...
n
Nandakumar Raghu
09/18/2023, 5:48 PMAny idea how I can debug this? We are running batch predictions using a 2 min cron schedule and it fails for a couple of runs with this cert error and then comes back. We would like none of the runs failing 🙂
Nandakumar Raghu
09/19/2023, 6:30 PM@Haytham Abuelfutuh - Couldn't find any fix or reason for this so created a bug. Also, it would be good to be able to use cert-manager issued certs instead of self signed for production. So, created a feature request for that as well.
k
Ketan (kumare3)
10/11/2023, 12:20 PM
Aah sounds like it - cc @Haytham Abuelfutuh does webhook have leader election? Does it need it
Ketan (kumare3)
10/11/2023, 12:20 PM
@Nandakumar Raghu you can always go to a fully deployment
n
Nandakumar Raghu
10/11/2023, 12:27 PM@Ketan (kumare3) - Sorry, I don't understand what you mean by "fully deployment"
e
Eduardo Apolinario (eapolinario)
10/11/2023, 5:47 PMSingle binary was not designed to support multiple replicas.
What @Ketan (kumare3) is suggesting is that instead of deploying single-binary you should use the flyte-core helm chart that allows you to install the Flyte components separately.
13 Views