[kube-prometheus-stack] Fix admission webhook DNS name rendering #6629
Merged
jkroepke merged 3 commits into prometheus-community:main from Feb 13, 2026
To prevent Error: YAML parse error on charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/job-createSecret.yaml: error converting YAML to JSON: yaml: line 45: did not find expected key

Signed-off-by: Vadim <vadimgredasov@gmail.com>
Member
Do you have a minimal reproducible example that triggers this error?
Contributor
Author
Sure!

```yaml
prometheus:
  enabled: true
grafana:
  enabled: false
alertmanager:
  enabled: false
kubeStateMetrics:
  enabled: false
prometheusOperator:
  enabled: true
nodeExporter:
  enabled: false
```

```
helm install kps prometheus-community/kube-prometheus-stack -f values.yaml
```
Member
Somehow, it looks good to me:

```yaml
---
# Source: kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/job-createSecret.yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: release-name-kube-promethe-admission-create
  namespace: default
  annotations:
    "helm.sh/hook": pre-install,pre-upgrade
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
  labels:
    app: kube-prometheus-stack-admission-create
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/version: "81.6.0"
    app.kubernetes.io/part-of: kube-prometheus-stack
    chart: kube-prometheus-stack-81.6.0
    release: "release-name"
    heritage: "Helm"
    app.kubernetes.io/name: kube-prometheus-stack-prometheus-operator
    app.kubernetes.io/component: prometheus-operator-webhook
spec:
  ttlSecondsAfterFinished: 60
  template:
    metadata:
      name: release-name-kube-promethe-admission-create
      labels:
        app: kube-prometheus-stack-admission-create
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/instance: release-name
        app.kubernetes.io/version: "81.6.0"
        app.kubernetes.io/part-of: kube-prometheus-stack
        chart: kube-prometheus-stack-81.6.0
        release: "release-name"
        heritage: "Helm"
        app.kubernetes.io/name: kube-prometheus-stack-prometheus-operator
        app.kubernetes.io/component: prometheus-operator-webhook
    spec:
      containers:
        - name: create
          image: ghcr.io/jkroepke/kube-webhook-certgen:1.7.4
          imagePullPolicy: IfNotPresent
          args:
            - create
            - --host=release-name-kube-promethe-operator,release-name-kube-promethe-operator.default.svc
            - --namespace=default
            - --secret-name=release-name-kube-promethe-admission
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
          resources:
            {}
      restartPolicy: OnFailure
      serviceAccountName: release-name-kube-promethe-admission
      securityContext:
        runAsGroup: 2000
        runAsNonRoot: true
        runAsUser: 2000
        seccompProfile:
          type: RuntimeDefault
```

Otherwise, it must break for each end user installation. What is special on your side?
Contributor
Author
If I do this:

```
helm template kube-prometheus-stack/ -f kube-prometheus-stack/vls.yaml --debug
```

I get this:

Here's what happens after rendering

I guess the
jkroepke previously approved these changes Feb 13, 2026
Signed-off-by: Jan-Otto Kröpke <mail@jkroepke.de>
jkroepke approved these changes Feb 13, 2026
What this PR does / why we need it
Fixes broken DNS SAN in admission webhook cert caused by whitespace in Helm template.
Special notes for your reviewer
Without this change, the rendered DNS name contains a leading space, causing invalid SANs in the webhook TLS certificate.
cc @andrewgkew @gianrubio @gkarthiks @GMartinez-Sisti @jkroepke @Xtigyro @QuentinBisson
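A pre-deploy check for the failure described in this PR, written as an added example (it is not part of the chart, the PR, or kube-webhook-certgen): it scans rendered manifest text for `--host=` arguments and reports any comma-separated entry that would not be a clean DNS SAN. The function names are hypothetical, and the sample input is constructed from the `--host=` line shown in the rendered Job above plus one made-up variant with a space after the comma.

```python
import re

# One RFC 1123 label: lowercase alphanumerics and '-', 1-63 chars, no leading/trailing '-'.
LABEL = re.compile(r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?")
# A "--host=" list item in rendered YAML, optionally wrapped in quotes.
HOST_ARG = re.compile(r"""^\s*-\s*["']?--host=(?P<hosts>.*?)["']?\s*$""")


def host_problems(hosts):
    """Return (entry, reason) pairs for each SAN entry that is not a clean DNS name."""
    problems = []
    for entry in hosts.split(","):
        if entry != entry.strip():
            problems.append((entry, "surrounding whitespace"))
        elif not entry or len(entry) > 253:
            problems.append((entry, "empty or too long"))
        elif not all(LABEL.fullmatch(label) for label in entry.split(".")):
            problems.append((entry, "not an RFC 1123 DNS name"))
    return problems


def check_rendered(manifest):
    """Scan rendered manifest text; return {line_number: problems} for bad --host args."""
    findings = {}
    for number, line in enumerate(manifest.splitlines(), start=1):
        match = HOST_ARG.match(line)
        if match:
            problems = host_problems(match.group("hosts"))
            if problems:
                findings[number] = problems
    return findings


# Constructed sample: line 3 is the args line shown on this page,
# line 4 is a made-up rendering with a space after the comma.
SAMPLE = """\
args:
  - create
  - --host=release-name-kube-promethe-operator,release-name-kube-promethe-operator.default.svc
  - --host=release-name-kube-promethe-operator, release-name-kube-promethe-operator.default.svc
"""

if __name__ == "__main__":
    for line_no, problems in check_rendered(SAMPLE).items():
        print(f"line {line_no}: {problems}")
```

Feeding it the output of `helm template` in CI catches a whitespace regression in the SAN list before the certificate is generated.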