Is there an existing issue for this?
Current Behavior
Fleet continuously reports MutatingWebhookConfiguration and ValidatingWebhookConfiguration resources as Modified when their clientConfig.caBundle field is populated dynamically by the owning controller (for example, cert-manager). As a result, the Bundle never reaches a fully Ready state despite the application being healthy.
Example Bundle status:
summary:
  desiredReady: 1
  modified: 1
The reported diff consists only of the injected CA bundle, for example:
{
  "webhooks": [
    {
      "clientConfig": {
        "caBundle": "<generated certificate>"
      }
    }
  ]
}
No other resources are modified.
Expected Behavior
Fleet should recognize webhooks[*].clientConfig.caBundle as a dynamically managed field on admission webhook configurations and avoid reporting it as configuration drift.
The Bundle should transition to Ready once all resources are successfully reconciled.
Steps To Reproduce
Create a GitRepo that deploys cert-manager using Helm.
defaultNamespace: cert-manager
helm:
  repo: https://charts.jetstack.io
  chart: cert-manager
  version: v1.20.3
  releaseName: cert-manager
  values:
    crds:
      enabled: true
After deployment completes:
- cert-manager generates its serving certificate.
- cert-manager updates both webhook configurations by populating webhooks[].clientConfig.caBundle.
- Fleet continuously reports the Bundle as Modified.
Environment
Fleet version: fleet:109.0.1+up0.15.1
Rancher: 2.14.1
RKE/RKE2/K3S version: v1.33.5+rke2r1
Logs
Anything else?
Workaround
Configure a BundleDiff to ignore:
webhooks[*].clientConfig.caBundle
This resolves the issue but requires manual configuration for every affected application.
Additional Info
JIRA: SURE-11766
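Added example, not part of the original issue and not Fleet's code: a sketch of a drift check that ignores only webhooks[*].clientConfig.caBundle, so an injected CA no longer counts as Modified while a change to the rest of clientConfig (here the target service) is still reported. The names stripCABundle and Drifted and the sample objects are hypothetical and constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"reflect"
)

// stripCABundle deletes webhooks[*].clientConfig.caBundle in place and
// leaves every other field (service, url, rules, failurePolicy) untouched.
func stripCABundle(obj map[string]interface{}) {
	hooks, _ := obj["webhooks"].([]interface{})
	for _, h := range hooks {
		hook, _ := h.(map[string]interface{})
		if cc, ok := hook["clientConfig"].(map[string]interface{}); ok {
			delete(cc, "caBundle")
		}
	}
}

// Drifted reports whether live differs from desired once the injected CA
// bundle is ignored. Both arguments are JSON-encoded webhook configurations.
func Drifted(desired, live string) (bool, error) {
	var d, l map[string]interface{}
	if err := json.Unmarshal([]byte(desired), &d); err != nil {
		return false, err
	}
	if err := json.Unmarshal([]byte(live), &l); err != nil {
		return false, err
	}
	stripCABundle(d)
	stripCABundle(l)
	return !reflect.DeepEqual(d, l), nil
}

// Constructed sample objects, not taken from a real cluster.
const (
	desiredCfg = `{"kind":"ValidatingWebhookConfiguration","webhooks":[{"name":"hook.example.test",
	  "clientConfig":{"service":{"name":"example-webhook","namespace":"example"}}}]}`
	injectedCfg = `{"kind":"ValidatingWebhookConfiguration","webhooks":[{"name":"hook.example.test",
	  "clientConfig":{"caBundle":"Q09OU1RSVUNURUQ=","service":{"name":"example-webhook","namespace":"example"}}}]}`
	redirectedCfg = `{"kind":"ValidatingWebhookConfiguration","webhooks":[{"name":"hook.example.test",
	  "clientConfig":{"caBundle":"Q09OU1RSVUNURUQ=","service":{"name":"other-svc","namespace":"example"}}}]}`
)

func main() {
	for _, live := range []string{injectedCfg, redirectedCfg} {
		drift, err := Drifted(desiredCfg, live)
		fmt.Println(drift, err)
	}
}
```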