
Fleet permanently reports admission webhooks as Modified after controller injects #5368

Description

@susesamu

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

Fleet continuously reports MutatingWebhookConfiguration and ValidatingWebhookConfiguration resources as Modified when their clientConfig.caBundle field is populated dynamically by the owning controller (for example, cert-manager). As a result, the Bundle never reaches a fully Ready state despite the application being healthy.

Example Bundle status:

summary:
  desiredReady: 1
  modified: 1

The reported diff consists only of the injected CA bundle, for example:

{
  "webhooks": [
    {
      "clientConfig": {
        "caBundle": "<generated certificate>"
      }
    }
  ]
}

No other resources are modified.

Expected Behavior

Fleet should recognize webhooks[*].clientConfig.caBundle as a dynamically managed field on admission webhook configurations and avoid reporting it as configuration drift.

The Bundle should transition to Ready once all resources are successfully reconciled.

Steps To Reproduce

Create a GitRepo that deploys cert-manager using Helm.

defaultNamespace: cert-manager

helm:
  repo: https://charts.jetstack.io
  chart: cert-manager
  version: v1.20.3
  releaseName: cert-manager
  values:
    crds:
      enabled: true

After deployment completes:

  1. cert-manager generates its serving certificate.
  2. cert-manager updates both webhook configurations by populating webhooks[].clientConfig.caBundle.
  3. Fleet continuously reports the Bundle as Modified.

Environment

Fleet version: fleet:109.0.1+up0.15.1
Rancher: 2.14.1
RKE/RKE2/K3S version: v1.33.5+rke2r1

Logs

Anything else?

Workaround

Configure a BundleDiff to ignore:

webhooks[*].clientConfig.caBundle

This resolves the issue but requires manual configuration for every affected application.

Additional Info

JIRA: SURE-11766
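
As an added illustration (not code from Fleet or from the issue author): a drift comparison in Python that ignores only webhooks[*].clientConfig.caBundle, and only on the two admission webhook kinds, so any other change to a webhook still shows up as a diff. The function names and the sample objects are assumptions constructed for this example.

```python
import copy

WEBHOOK_KINDS = {"MutatingWebhookConfiguration", "ValidatingWebhookConfiguration"}

def strip_injected_ca(obj):
    """Copy obj and drop webhooks[*].clientConfig.caBundle, only for webhook kinds."""
    out = copy.deepcopy(obj)
    if out.get("kind") in WEBHOOK_KINDS:
        for hook in out.get("webhooks") or []:
            (hook.get("clientConfig") or {}).pop("caBundle", None)
    return out

def diff_paths(a, b, path=""):
    """Return JSON-pointer-style paths at which a and b differ."""
    if isinstance(a, dict) and isinstance(b, dict):
        return [p for k in sorted(set(a) | set(b))
                for p in diff_paths(a.get(k), b.get(k), f"{path}/{k}")]
    if isinstance(a, list) and isinstance(b, list) and len(a) == len(b):
        return [p for i, (x, y) in enumerate(zip(a, b))
                for p in diff_paths(x, y, f"{path}/{i}")]
    return [] if a == b else [path]

def drift(desired, live):
    """Drift between desired and live state, ignoring only the injected CA bundle."""
    return diff_paths(strip_injected_ca(desired), strip_injected_ca(live))

# Constructed sample objects (hypothetical names, not taken from a real cluster).
DESIRED = {
    "kind": "ValidatingWebhookConfiguration",
    "webhooks": [{
        "name": "webhook.example.test",
        "failurePolicy": "Fail",
        "clientConfig": {"service": {"name": "example-webhook", "namespace": "example"}},
    }],
}
# Live object after the owning controller has injected its CA bundle.
LIVE_INJECTED = copy.deepcopy(DESIRED)
LIVE_INJECTED["webhooks"][0]["clientConfig"]["caBundle"] = "<generated certificate>"
# Live object where a field other than caBundle has also changed.
LIVE_CHANGED = copy.deepcopy(LIVE_INJECTED)
LIVE_CHANGED["webhooks"][0]["failurePolicy"] = "Ignore"

if __name__ == "__main__":
    print(diff_paths(DESIRED, LIVE_INJECTED))  # raw diff: only the caBundle path
    print(drift(DESIRED, LIVE_INJECTED))       # empty once caBundle is ignored
    print(drift(DESIRED, LIVE_CHANGED))        # the failurePolicy change still shows
```

Keeping the ignore rule scoped to the single caBundle path matters because failurePolicy and the rest of clientConfig decide whether and where admission requests are sent, and changes to them should remain visible as drift.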
