Commit d7a542e

fix(kserve): fix inject-ca-from annotations for kubeflow namespace

kserve_kubeflow.yaml v0.17.0 hardcodes cert-manager.io/inject-ca-from: kserve/<cert-name> on all webhook configurations and relevant CRDs, but the Certificate resources live in the kubeflow namespace. cert-manager's ca-injector uses this annotation to populate the webhook caBundle, so with the wrong namespace reference the caBundle is never set and TLS verification fails with "certificate signed by unknown authority".

Patch all 12 affected resources (1 MutatingWebhookConfiguration, 3 CRDs, 8 ValidatingWebhookConfigurations) to use kubeflow/<cert-name> instead.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Christian Heusel <christian@heusel.eu>
1 parent ebaab27 commit d7a542e

1 file changed

Lines changed: 90 additions & 0 deletions

applications/kserve/kserve/kustomization.yaml

@@ -6,6 +6,96 @@ resources:
66
- kserve-cluster-resources.yaml
77

88
patches:
9+
# Fix cert-manager inject-ca-from annotations: kserve_kubeflow.yaml v0.17.0 hardcodes
10+
# "kserve/<cert-name>" in the inject-ca-from annotation on all webhook configs and CRDs,
11+
# but the Certificate resources live in the "kubeflow" namespace. cert-manager's ca-injector
12+
# uses this annotation to populate the webhook caBundle, so without this fix TLS verification
13+
# fails with "certificate signed by unknown authority".
14+
- patch: |
15+
apiVersion: admissionregistration.k8s.io/v1
16+
kind: MutatingWebhookConfiguration
17+
metadata:
18+
name: inferenceservice.serving.kserve.io
19+
annotations:
20+
cert-manager.io/inject-ca-from: kubeflow/serving-cert
21+
- patch: |
22+
apiVersion: apiextensions.k8s.io/v1
23+
kind: CustomResourceDefinition
24+
metadata:
25+
name: inferenceservices.serving.kserve.io
26+
annotations:
27+
cert-manager.io/inject-ca-from: kubeflow/serving-cert
28+
- patch: |
29+
apiVersion: apiextensions.k8s.io/v1
30+
kind: CustomResourceDefinition
31+
metadata:
32+
name: llminferenceservices.serving.kserve.io
33+
annotations:
34+
cert-manager.io/inject-ca-from: kubeflow/llmisvc-serving-cert
35+
- patch: |
36+
apiVersion: apiextensions.k8s.io/v1
37+
kind: CustomResourceDefinition
38+
metadata:
39+
name: llminferenceserviceconfigs.serving.kserve.io
40+
annotations:
41+
cert-manager.io/inject-ca-from: kubeflow/llmisvc-serving-cert
42+
- patch: |
43+
apiVersion: admissionregistration.k8s.io/v1
44+
kind: ValidatingWebhookConfiguration
45+
metadata:
46+
name: clusterservingruntime.serving.kserve.io
47+
annotations:
48+
cert-manager.io/inject-ca-from: kubeflow/serving-cert
49+
- patch: |
50+
apiVersion: admissionregistration.k8s.io/v1
51+
kind: ValidatingWebhookConfiguration
52+
metadata:
53+
name: inferencegraph.serving.kserve.io
54+
annotations:
55+
cert-manager.io/inject-ca-from: kubeflow/serving-cert
56+
- patch: |
57+
apiVersion: admissionregistration.k8s.io/v1
58+
kind: ValidatingWebhookConfiguration
59+
metadata:
60+
name: inferenceservice.serving.kserve.io
61+
annotations:
62+
cert-manager.io/inject-ca-from: kubeflow/serving-cert
63+
- patch: |
64+
apiVersion: admissionregistration.k8s.io/v1
65+
kind: ValidatingWebhookConfiguration
66+
metadata:
67+
name: servingruntime.serving.kserve.io
68+
annotations:
69+
cert-manager.io/inject-ca-from: kubeflow/serving-cert
70+
- patch: |
71+
apiVersion: admissionregistration.k8s.io/v1
72+
kind: ValidatingWebhookConfiguration
73+
metadata:
74+
name: trainedmodel.serving.kserve.io
75+
annotations:
76+
cert-manager.io/inject-ca-from: kubeflow/serving-cert
77+
- patch: |
78+
apiVersion: admissionregistration.k8s.io/v1
79+
kind: ValidatingWebhookConfiguration
80+
metadata:
81+
name: llminferenceservice.serving.kserve.io
82+
annotations:
83+
cert-manager.io/inject-ca-from: kubeflow/llmisvc-serving-cert
84+
- patch: |
85+
apiVersion: admissionregistration.k8s.io/v1
86+
kind: ValidatingWebhookConfiguration
87+
metadata:
88+
name: llminferenceserviceconfig.serving.kserve.io
89+
annotations:
90+
cert-manager.io/inject-ca-from: kubeflow/llmisvc-serving-cert
91+
- patch: |
92+
apiVersion: admissionregistration.k8s.io/v1
93+
kind: ValidatingWebhookConfiguration
94+
metadata:
95+
name: localmodelcache.serving.kserve.io
96+
annotations:
97+
cert-manager.io/inject-ca-from: kubeflow/localmodel-serving-cert
98+
999
# Fix Certificate SANs: kserve_kubeflow.yaml contains a second set of Certificate resources
10100
# (added in v0.17.0) that still reference the upstream kserve namespace instead of kubeflow.
11101
# These duplicates override the correct kubeflow-scoped ones, causing TLS SAN mismatches
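
Review bot: The twelve patch entries (new lines 14-97) each hardcode the `kubeflow/` prefix and list their targets by name, so a webhook configuration or CRD that a later kserve_kubeflow.yaml ships with a `kserve/<cert-name>` annotation would not be covered, and nothing here would flag it. Consider one patch per certificate with a kustomize `target:` selector (kind plus a name pattern) instead of twelve near-identical blocks, or at least add a check on the rendered output that no `cert-manager.io/inject-ca-from: kserve/` value remains. The comment at lines 9-13 should also say that this list needs re-auditing on each KServe version bump, and name where `serving-cert`, `llmisvc-serving-cert` and `localmodel-serving-cert` are defined, since the annotation only takes effect if Certificates with exactly those names exist in `kubeflow`.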
