
cert-manager-webhook-dynu's Introduction

Unofficial Cert Manager Webhook for Dynu

This is a cert-manager DNS-01 webhook solver for Dynu DNS: cert-manager calls it to create and remove the _acme-challenge TXT records that Let's Encrypt checks.

Update

  • cert-manager v1.13.1 (240315)

Compatibility

  • tested with 0.13.0 (might also work for older versions)
  • tested with
    • cert-manager v1.6.0
    • cert-manager-operator 1.9.1 and 1.10.2
    • Kubernetes v1.21.1 / OpenShift 4.8.15
    • Kubernetes v1.24.8
    • Kubernetes v1.25.4 / OpenShift 4.12.6 + cert-manager Operator for Red Hat OpenShift 1.10.2
    • Kubernetes v1.27.10 / OpenShift 4.14.11 + cert-manager Operator for Red Hat OpenShift 1.13.1

Installation

helm repo add cert-manager-dynu-webhook \
 https://dopingus.github.io/cert-manager-webhook-dynu
helm repo update
helm install cert-manager-dynu-webhook cert-manager-dynu-webhook/dynu-webhook -n cert-manager

cert-manager and its CRDs must already be installed: the chart contains an Issuer and a Certificate for the webhook's own serving certificate, so without them the install fails with no matches for kind "Certificate" in version "cert-manager.io/v1". Install the chart into the namespace cert-manager runs in (cert-manager here); that is also where the Dynu API key secret goes.

Certificate Issuer

  1. Generate an API Key at Dynu

  2. Create a secret to store your Dynu API key. For a ClusterIssuer the secret has to be in the cert-manager namespace (cert-manager's cluster resource namespace); an Issuer is namespace scoped, so its secret has to be in the issuer's own namespace:

    kubectl create secret generic dynu-secret -n cert-manager --from-literal=api-key='<DYNU_API_KEY>'

    The secretName can also be changed in deploy/dynu-webhook/values.yaml in case you have to follow some convention. The secret must be created in the same namespace as the webhook. Treat this key as a credential for the whole Dynu account: it can change any record in any of your zones, not only _acme-challenge TXT records, so limit who may read secrets in that namespace and rotate the key at Dynu if it leaks.

  3. Optionally, create a Let's Encrypt account key using acme.sh. If you skip steps 3 and 4, cert-manager generates an account key itself when the secret named in privateKeySecretRef does not exist yet:

    acme.sh --server letsencrypt --create-account-key
  4. Create a secret to store the Let's Encrypt account key. cert-manager reads the key from the tls.key entry of that secret, so use that entry name:

    kubectl create secret generic letsencrypt-secret -n cert-manager --from-file=tls.key=~/.acme.sh/ca/acme-v02.api.letsencrypt.org/directory/account.key
  5. Create a ClusterIssuer yaml file, letsencrypt-dynu-cluster-issuer.yaml:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-dynu-<YOUR_ISSUER_NAME>
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory              # Use this for prod
    # server: https://acme-staging-v02.api.letsencrypt.org/directory    # Use this for staging/testing


    # Email address used for ACME registration
    email: example@somedomain # REPLACE THIS WITH YOUR EMAIL!!!

    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-secret

    solvers:
      - dns01:
          cnameStrategy: Follow
          webhook:
            groupName: com.github.dopingus.cert-manager-webhook-dynu
            solverName: dynu
            config:
              secretName: dynu-secret # Adjust this in case you changed the secretName
  6. Create the ClusterIssuer and wait until it reports Ready (kubectl get clusterissuer); its status should say that the ACME account was registered. groupName must be exactly the groupName the chart was installed with: it is the API group under which the webhook registers its APIService, and the permission for cert-manager to call the solver is granted on that group only, so a mismatch shows up in the cert-manager log as cannot create resource "dynu" in API group ... is forbidden:

    kubectl apply -f letsencrypt-dynu-cluster-issuer.yaml


Certificate

  1. Create the certificate creation file, openshift-ingress-letsencrypt-certificate.yaml:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: ingress-letsencrypt-cert  # Replace with a name of your choice
  namespace: openshift-ingress        # Set a namespace if required
spec:
  commonName: "*.<YOUR_DOMAIN>" # Wildcard Entry for your domain
  dnsNames:
    - <YOUR_DOMAIN>         # List of all (sub)domains that you want to include in the cert
    - "*.<YOUR_DOMAIN>"     # This must match the commonName, above
  issuerRef:
    name: letsencrypt-dynu-<YOUR_ISSUER_NAME>   # This should match the issuer you defined earlier
    kind: ClusterIssuer
  secretName: ingress-letsencrypt-cert # Secret name where the resulting certificate is saved in
  2. Submit the certificate creation request:

    kubectl apply -f openshift-ingress-letsencrypt-certificate.yaml -n openshift-ingress
  3. Monitor certificate creation progress by running the following command. The process can take between 5 and 10 minutes to complete:

    watch "kubectl get events --sort-by=.metadata.creationTimestamp -n openshift-ingress | tail -n15"
  4. Alternatively, 'watch' the progress using the following command:

    watch kubectl get certificates -n openshift-ingress

Use the Certificate

  1. Patch the default IngressController so the router serves the new certificate. The name must be the secretName of the Certificate above (ingress-letsencrypt-cert), and the secret has to live in openshift-ingress, which is why the Certificate was created in that namespace:

    kubectl patch --type=merge ingresscontrollers/default --patch '{"spec":{"defaultCertificate":{"name":"ingress-letsencrypt-cert"}}}' -n openshift-ingress-operator
  2. Watch to ensure the router pod with the new cert has been started:

    watch kubectl get pod -n openshift-ingress
  3. Run the following command to verify that the router is serving the new cert (or browse to the URL and check the "lock" icon). The issuer line should name Let's Encrypt and the notAfter date should be about 90 days out:

    openssl s_client -showcerts -servername console-openshift-console.apps.<cluster name>.<domain name> -connect console-openshift-console.apps.<cluster name>.<domain name>:443 </dev/null

Development

see webhook-example

Test

If you want to run the conformance test suite:

  • update testdata/dynu-secret with the correct Dynu API key (base64 encoded). That file then holds a live credential, so keep it out of version control. The suite creates and deletes real TXT records in the zone you name in TEST_ZONE_NAME (note the trailing dot).
TEST_ZONE_NAME=your.domain.name. make test
go test -v .
=== RUN   TestRunsSuite
=== RUN   TestRunsSuite/Basic
=== RUN   TestRunsSuite/Basic/PresentRecord
    util.go:68: created fixture "basic-present-record"
    suite.go:37: Calling Present with ChallengeRequest: &v1alpha1.ChallengeRequest{UID:"", Action:"", Type:"", DNSName:"example.com", Key:"123d==", ResourceNamespace:"basic-present-record", ResolvedFQDN:"cert-manager-dns01-tests.your.domain.name.", ResolvedZone:"your.domain.name.", AllowAmbientCredentials:false, Config:(*v1.JSON)(0x40004e3398)}
I0801 22:23:32.050846   29444 main.go:113] call function Present: ResourceNamespace=basic-present-record, ResolvedZone=your.domain.name., ResolvedFQDN=cert-manager-dns01-tests.your.domain.name. DNSName=example.com
I0801 22:23:32.064490   29444 main.go:119] Decoded configuration {dynu-secret}
I0801 22:23:52.811140   29444 main.go:284] Added TXT record result: {"statusCode":200,"id":8718493,"domainId":9754501,"domainName":"your.domain.name","nodeName":"cert-manager-dns01-tests","hostname":"cert-manager-dns01-tests.your.domain.name","recordType":"TXT","ttl":60,"state":true,"content":"cert-manager-dns01-tests.your.domain.name. 60 IN TXT \"123d==\"","updatedOn":"2022-08-02T05:23:52.443","textData":"123d=="}
I0801 22:23:53.820236   29444 main.go:284] Added TXT record result: {"statusCode":200,"id":8718494,"domainId":9754501,"domainName":"your.domain.name","nodeName":"","hostname":"your.domain.name","recordType":"TXT","ttl":60,"state":true,"content":"your.domain.name. 60 IN TXT \"123d==\"","updatedOn":"2022-08-02T05:23:53.573","textData":"123d=="}
I0801 22:23:53.820360   29444 main.go:144] Presented txt record cert-manager-dns01-tests.your.domain.name.
I0801 22:23:58.673091   29444 main.go:196] TXT entry with content your.domain.name. 60 IN TXT "123d==" (key value 123d==)
I0801 22:23:59.301171   29444 main.go:202] Deleted TXT record result: {"statusCode":200}
I0801 22:23:59.302371   29444 main.go:196] TXT entry with content cert-manager-dns01-tests.your.domain.name. 60 IN TXT "123d==" (key value 123d==)
I0801 22:23:59.921555   29444 main.go:202] Deleted TXT record result: {"statusCode":200}
I0801 22:23:59.921671   29444 main.go:196] TXT entry with content your.domain.name. 120 IN SOA ns1.dynu.com. administrator.dynu.com. 0 3600 900 604800 300 (key value 123d==)
I0801 22:24:12.817203   29444 main.go:196] TXT entry with content your.domain.name. 120 IN SOA ns1.dynu.com. administrator.dynu.com. 0 3600 900 604800 300 (key value 123d==)
=== RUN   TestRunsSuite/Extended
=== RUN   TestRunsSuite/Extended/DeletingOneRecordRetainsOthers
    suite.go:73: skipping test as strict mode is disabled, see: https://github.com/cert-manager/cert-manager/pull/1354
--- PASS: TestRunsSuite (165.87s)
    --- PASS: TestRunsSuite/Basic (58.42s)
        --- PASS: TestRunsSuite/Basic/PresentRecord (58.42s)
    --- PASS: TestRunsSuite/Extended (0.00s)
        --- SKIP: TestRunsSuite/Extended/DeletingOneRecordRetainsOthers (0.00s)
PASS
ok      github.com/Dopingus/cert-manager-webhook-dynu   166.121s
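The log above shows the two halves of a DNS-01 webhook solver: Present adds a TXT record holding the challenge key, and the cleanup walks the zone's TXT entries and deletes the ones whose value matches that key. The following Go program is an added example written for this page, not code from the cert-manager-webhook-dynu repository; it implements that contract behind a small interface and an in-memory stand-in for Dynu, so it runs offline without an API key or a real zone. Only the getroot call is taken from this page; the record list/create/delete operations, the domain id 9754501 and the challenge keys are assumptions constructed for the example. The property it exercises is the one the skipped strict-mode test DeletingOneRecordRetainsOthers would check: cleaning up one challenge must leave a second TXT record on the same name, which is what a certificate for both the apex and the wildcard produces, untouched.

```go
package main

import (
	"fmt"
	"strings"
)

// Record mirrors the Dynu record fields used here (JSON names as in the test log above).
type Record struct {
	ID         int    `json:"id"`
	NodeName   string `json:"nodeName"`
	RecordType string `json:"recordType"`
	TTL        int    `json:"ttl"`
	TextData   string `json:"textData"`
}

// DynuAPI is the slice of Dynu's v2 API a DNS-01 solver needs. GetRoot is the
// /dns/getroot/<hostname> call this page mentions; the other three stand in for the
// record list/create/delete calls and are assumptions (the real webhook speaks HTTP).
type DynuAPI interface {
	GetRoot(hostname string) (domainID int, err error)
	ListRecords(domainID int) ([]Record, error)
	AddRecord(domainID int, r Record) (Record, error)
	DeleteRecord(domainID, recordID int) error
}

// NodeName derives the Dynu node from cert-manager's ResolvedFQDN and ResolvedZone:
// "_acme-challenge.sub" for _acme-challenge.sub.example.com. in example.com., and ""
// at the apex (the log above shows nodeName "" for the apex record).
func NodeName(zone, fqdn string) string {
	z, f := strings.TrimSuffix(zone, "."), strings.TrimSuffix(fqdn, ".")
	if f == z {
		return ""
	}
	return strings.TrimSuffix(f, "."+z)
}

// Present adds one TXT record carrying the challenge key and touches nothing else.
func Present(api DynuAPI, zone, fqdn, key string) error {
	id, err := api.GetRoot(strings.TrimSuffix(zone, "."))
	if err != nil {
		return err
	}
	_, err = api.AddRecord(id, Record{NodeName: NodeName(zone, fqdn), RecordType: "TXT", TTL: 60, TextData: key})
	return err
}

// CleanUp deletes only TXT records whose node AND value match this challenge, so a
// second challenge on the same name (apex plus wildcard) keeps its own record.
func CleanUp(api DynuAPI, zone, fqdn, key string) (deleted int, err error) {
	id, err := api.GetRoot(strings.TrimSuffix(zone, "."))
	if err != nil {
		return 0, err
	}
	recs, err := api.ListRecords(id)
	if err != nil {
		return 0, err
	}
	for _, r := range recs {
		if r.RecordType == "TXT" && r.NodeName == NodeName(zone, fqdn) && r.TextData == key {
			if err := api.DeleteRecord(id, r.ID); err != nil {
				return deleted, err
			}
			deleted++
		}
	}
	return deleted, nil
}

// FakeDynu is an in-memory stand-in so the example runs offline. Like Dynu's getroot,
// it maps every hostname at or below the zone to one parent domain id (assumed 9754501).
type FakeDynu struct {
	next    int
	Records []Record
}

func (f *FakeDynu) GetRoot(string) (int, error)         { return 9754501, nil }
func (f *FakeDynu) ListRecords(int) ([]Record, error) { return append([]Record(nil), f.Records...), nil }

func (f *FakeDynu) AddRecord(_ int, r Record) (Record, error) {
	f.next, r.ID = f.next+1, f.next+1
	f.Records = append(f.Records, r)
	return r, nil
}

func (f *FakeDynu) DeleteRecord(_, recordID int) error {
	for i, r := range f.Records {
		if r.ID == recordID {
			f.Records = append(f.Records[:i], f.Records[i+1:]...)
			return nil
		}
	}
	return fmt.Errorf("record %d not found", recordID)
}

func main() {
	fake := &FakeDynu{} // the fake never fails, so the Present errors are dropped here
	zone, fqdn := "example.com.", "_acme-challenge.example.com."
	_ = Present(fake, zone, fqdn, "key-for-apex") // apex and wildcard challenges share this name
	_ = Present(fake, zone, fqdn, "key-for-wildcard")
	n, err := CleanUp(fake, zone, fqdn, "key-for-apex")
	fmt.Println("deleted:", n, "err:", err, "left:", fake.Records)
}
```

Run it with go run .; it should report one deleted record with only the key-for-wildcard entry left. CleanUp matches on record type, node and value together; deleting every TXT record under the node would be simpler, but it would remove the sibling challenge's record and fail that order, which is exactly what the strict-mode test guards against.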

cert-manager-webhook-dynu's People

Contributors

davlloyd, dopingus, rbaumgar, yocum137


cert-manager-webhook-dynu's Issues

new group name

I am sorry, but I would propose a different group name.

dynu-webhook.cert-manager.io
or
dynu.webhook.cert-manager.io

Why? Here is a list of my apiservices...

$ kubectl get apiservices.apiregistration.k8s.io |grep v1a
v1alpha1.argoproj.io                                     Local                                                        True        4d1h
v1alpha1.autoscaling.internal.knative.dev                Local                                                        True        4d1h
v1alpha1.binding.operators.coreos.com                    Local                                                        True        11d
v1alpha1.caching.internal.knative.dev                    Local                                                        True        9d
v1alpha1.camel.apache.org                                Local                                                        True        9d
v1alpha1.cdi.kubevirt.io                                 Local                                                        True        4d1h
v1alpha1.com.github.dopingus.cert-manager-webhook-dynu   openshift-cert-manager/cert-manager-dynu-webhook             True        34m
v1alpha1.config.openshift.io                             Local                                                        True        4d1h
v1alpha1.console.openshift.io                            Local                                                        True        4d1h
v1alpha1.controller.devfile.io                           Local                                                        True        4d1h
v1alpha1.controlplane.operator.openshift.io              Local                                                        True        4d1h
v1alpha1.flows.netobserv.io                              Local                                                        True        4d1h
v1alpha1.integreatly.org                                 Local                                                        True        4d1h
v1alpha1.kafka.strimzi.io                                Local                                                        True        4d1h
v1alpha1.keycloak.org                                    Local                                                        True        9d
v1alpha1.kiali.io                                        Local                                                        True        4d1h
v1alpha1.metal3.io                                       Local                                                        True        11d
v1alpha1.migration.k8s.io                                Local                                                        True        4d1h
v1alpha1.monitoring.coreos.com                           Local                                                        True        9d
v1alpha1.monitoring.kiali.io                             Local                                                        True        9d
v1alpha1.networking.internal.knative.dev                 Local                                                        True        4d1h
v1alpha1.nfd.openshift.io                                Local                                                        True        11d
v1alpha1.nmstate.io                                      Local                                                        True        4d1h
v1alpha1.operator.knative.dev                            Local                                                        True        9d
v1alpha1.operator.openshift.io                           Local                                                        True        11d
v1alpha1.operator.serverless.openshift.io                Local                                                        True        4d1h
v1alpha1.operator.tekton.dev                             Local                                                        True        4d1h
v1alpha1.operators.coreos.com                            Local                                                        True        4d1h
v1alpha1.performance.openshift.io                        Local                                                        True        4d1h
v1alpha1.pipelines.openshift.io                          Local                                                        True        4d1h
v1alpha1.pipelinesascode.tekton.dev                      Local                                                        True        4d1h
v1alpha1.resolution.tekton.dev                           Local                                                        True        4d1h
v1alpha1.secscan.quay.redhat.com                         Local                                                        True        4d1h
v1alpha1.serving.knative.dev                             Local                                                        True        11d
v1alpha1.tackle.konveyor.io                              Local                                                        True        11d
v1alpha1.tekton.dev                                      Local                                                        True        4d1h
v1alpha1.topology.node.k8s.io                            Local                                                        True        11d
v1alpha1.triggers.tekton.dev                             Local                                                        True        9d
v1alpha1.whereabouts.cni.cncf.io                         Local                                                        True        9d
v1alpha1.workspace.devfile.io                            Local                                                        True        4d1h
v1alpha2.operators.coreos.com                            Local                                                        True        4d1h
v1alpha2.workspace.devfile.io                            Local                                                        True        4d1h
v1alpha3.servicebinding.io                               Local                                                        True        4d1h
$ kubectl get apiservices.apiregistration.k8s.io |grep cert-manager
v1.acme.cert-manager.io                                  Local                                                        True        11d
v1.cert-manager.io                                       Local                                                        True        4d1h
v1alpha1.com.github.dopingus.cert-manager-webhook-dynu   openshift-cert-manager/cert-manager-dynu-webhook             True        36m

Clusterisssuer does not create secret.

When I create a ClusterIssuer (shown below) it is not creating the secret (dynu-secret-prod). I don't find any error messages, and the ClusterIssuer appears as READY with the status "The ACME account was registered with the ACME server". Any ideas on how I can troubleshoot this? Why is it not creating the secret?

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-dynu-agtbr-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: [email protected]

    privateKeySecretRef:
      name: acme-privkey-prod

    solvers:
      - dns01:
          cnameStrategy: Follow
          webhook:
            groupName: com.github.dopingus.cert-manager-webhook-dynu
            solverName: dynu
            config:
              secretName: dynu-secret-prod

Thanks.

build new version recommended

maybe we should create a new version because of the vulnerabilities snyk reports:
133 vulnerabilities in 120 dependencies

and maybe update to cert-manager 1.11, 1.12, ...

[QUESTION] Installation error ?

Hi, I'm new to Kubernetes, I just installed a new cluster and I'm following the documentation to install the chart :

helm repo add cert-manager-dynu-webhook https://dopingus.github.io/cert-manager-webhook-dynu
helm repo update
helm install cert-manager-dynu-webhook cert-manager-dynu-webhook/dynu-webhook

After executing the install command i got the following error :

Error: INSTALLATION FAILED: unable to build kubernetes objects from release manifest: [unable to recognize "": no matches for kind "Certificate" in version "cert-manager.io/v1", unable to recognize "": no matches for kind "Issuer" in version "cert-manager.io/v1"]

Did I miss something?

Thanks.

Pages build action not running

I went to test the latest update but it failed with the RBAC issue. This is because Helm updates are not getting published: the Pages Build and Deployment action has not run to publish the new Helm charts.

dynu with cert-manager 1.9.1 on arm: RBACs problem

I have installed cert-manager 1.9.1 and the latest dynu version on arm.

dynu-webhook log

I0829 19:50:00.984703       1 requestheader_controller.go:169] Starting RequestHeaderAuthRequestController
I0829 19:50:00.984990       1 shared_informer.go:255] Waiting for caches to sync for RequestHeaderAuthRequestController
I0829 19:50:00.984761       1 configmap_cafile_content.go:202] "Starting controller" name="client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file"
I0829 19:50:00.985142       1 shared_informer.go:255] Waiting for caches to sync for client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file
I0829 19:50:00.984774       1 configmap_cafile_content.go:202] "Starting controller" name="client-ca::kube-system::extension-apiserver-authentication::client-ca-file"
I0829 19:50:00.986033       1 shared_informer.go:255] Waiting for caches to sync for client-ca::kube-system::extension-apiserver-authentication::client-ca-file
I0829 19:50:00.986042       1 dynamic_serving_content.go:132] "Starting controller" name="serving-cert::/tls/tls.crt::/tls/tls.key"
I0829 19:50:00.985992       1 tlsconfig.go:240] "Starting DynamicServingCertificateController"
I0829 19:50:00.985932       1 secure_serving.go:210] Serving securely on [::]:10250
I0829 19:50:00.987461       1 apf_controller.go:317] Starting API Priority and Fairness config controller
W0829 19:50:00.997963       1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:cert-manager-dynu-webhook" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0829 19:50:00.998303       1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta2.FlowSchema: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:cert-manager-dynu-webhook" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
W0829 19:50:01.004129       1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:cert-manager-dynu-webhook" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0829 19:50:01.004464       1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta2.PriorityLevelConfiguration: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:cert-manager-dynu-webhook" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
I0829 19:50:01.086246       1 shared_informer.go:262] Caches are synced for client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file
I0829 19:50:01.086270       1 shared_informer.go:262] Caches are synced for RequestHeaderAuthRequestController
I0829 19:50:01.086342       1 shared_informer.go:262] Caches are synced for client-ca::kube-system::extension-apiserver-authentication::client-ca-file
W0829 19:50:02.154477       1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:cert-manager-dynu-webhook" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0829 19:50:02.154663       1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta2.PriorityLevelConfiguration: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:cert-manager-dynu-webhook" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope

The SA system:serviceaccount:cert-manager:cert-manager-dynu-webhook does not have sufficient rights for flowcontrol.apiserver.k8s.io.

cannot create resource "dynu" in API group "dynu-webhook"

I installed cert-manager 0.16

$ oc get pod -n openshift-operators|grep cert
cert-manager-5df5845867-hhmpg                          1/1     Running   0          37m
cert-manager-cainjector-7656d96747-j7gc5               1/1     Running   0          139m
cert-manager-webhook-7b8694549-mkp5n                   1/1     Running   0          139m

then I installed the dynu webhook (just changed the port to 10250)

$ helm install ./deploy/dynu-webhook  -g --set groupName=acme.freeddns.org
I1028 19:22:35.096307  205496 request.go:668] Waited for 1.08888261s due to client-side throttling, not priority and fairness, request: GET:https://api.ocp4.openshift.freeddns.org:6443/apis/node.k8s.io/v1?timeout=32s
NAME: dynu-webhook-1635453893
LAST DEPLOYED: Thu Oct 28 19:22:39 2021
NAMESPACE: cert-manager
STATUS: deployed
REVISION: 1
TEST SUITE: None

I created an issuer

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-issuer
  namespace: cert-manager
spec:
  acme:
    solvers:
      - dns01:
          cnameStrategy: Follow
          webhook:
            groupName: dynu-webhook-1635441752
            solverName: dynu
            config:
              secretName: dynu-secret
              zoneName: demo.openshift.freeddns.org
              apiUrl: 'https://api.dynu.com/v2'
    server: 'https://acme-staging-v02.api.letsencrypt.org/directory'
    privateKeySecretRef:
      name: letsencrypt-issuer
    email: [email protected]

I created a ClusterIssuer

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-dynu-demo
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory              # Use this for prod
    # server: https://acme-staging-v02.api.letsencrypt.org/directory    # Use this for staging/testing
    # Email address used for ACME registration
    email: [email protected] # REPLACE THIS WITH YOUR EMAIL!!!
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: acme-secret

    solvers:
      - dns01:
          cnameStrategy: Follow
          webhook:
            groupName: dynu-webhook-1635449267 # Use the groupName defined above
            solverName: dynu
            config:
              secretName: dynu-secret # Adjust this in case you changed the secretName
              zoneName: demo.openshift.freeddns.org # Add the domain which you want to create certificates for
              apiUrl: https://api.dynu.com/v2 

and at last a certificate

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: demo-certificate  # Replace with a name of your choice
# namespace: default        # Set a namespace if required
spec:
  commonName: "*.demo.openshift.freeddns.org" # Wildcard Entry for your domain
  dnsNames:
    - demo.openshift.freeddns.org         # List of all (sub)domains that you want to include in the cert
    - "*.demo.openshift.freeddns.org"
  issuerRef:
    name: letsencrypt-dynu-demo   # This should match the issuer you defined earlier
    kind: ClusterIssuer
  secretName: demo-secret # Secret name where the resulting certificate is saved in

Now I got an error in the cert-manager

$ oc logs cert-manager-5df5845867-hhmpg -n openshift-operators
I1028 20:56:19.221540       1 start.go:75] cert-manager "msg"="starting controller"  "git-commit"="49914a057b39c887be0974c4657c095bd7724bc7" "version"="v1.6.0"
W1028 20:56:19.221644       1 client_config.go:615] Neither --kubeconfig nor --master was specified.  Using the inClusterConfig.  This might not work.
I1028 20:56:19.226317       1 controller.go:268] cert-manager/controller/build-context "msg"="configured acme dns01 nameservers" "nameservers"=["172.30.0.10:53"] 
I1028 20:56:19.227297       1 controller.go:85] cert-manager/controller "msg"="enabled controllers: [certificaterequests-approver certificaterequests-issuer-acme certificaterequests-issuer-ca certificaterequests-issuer-selfsigned certificaterequests-issuer-vault certificaterequests-issuer-venafi certificates-issuing certificates-key-manager certificates-metrics certificates-readiness certificates-request-manager certificates-revision-manager certificates-trigger challenges clusterissuers ingress-shim issuers orders]"  
...
I1028 20:56:25.141700       1 setup.go:202] cert-manager/controller/issuers "msg"="skipping re-verifying ACME account as cached registration details look sufficient" "related_resource_kind"="Secret" "related_resource_name"="letsencrypt-issuer" "related_resource_namespace"="cert-manager" "resource_kind"="Issuer" "resource_name"="letsencrypt-issuer" "resource_namespace"="cert-manager" "resource_version"="v1" 
I1028 20:56:25.153308       1 setup.go:202] cert-manager/controller/clusterissuers "msg"="skipping re-verifying ACME account as cached registration details look sufficient" "related_resource_kind"="Secret" "related_resource_name"="acme-secret" "related_resource_namespace"="openshift-operators" "resource_kind"="ClusterIssuer" "resource_name"="letsencrypt-dynu-demo" "resource_namespace"="" "resource_version"="v1" 
I1028 20:56:26.306406       1 dns.go:88] cert-manager/controller/challenges/Present "msg"="presenting DNS01 challenge for domain" "dnsName"="demo.openshift.freeddns.org" "domain"="demo.openshift.freeddns.org" "resource_kind"="Challenge" "resource_name"="demo-certificate-rkffs-4023394078-3266066746" "resource_namespace"="cert-manager" "resource_version"="v1" "type"="DNS-01" 
E1028 20:56:26.327005       1 controller.go:163] cert-manager/controller/challenges "msg"="re-queuing item due to error processing" "error"="dynu.dynu-webhook-1635453893 is forbidden: User \"system:serviceaccount:openshift-operators:cert-manager\" cannot create resource \"dynu\" in API group \"dynu-webhook-1635453893\" at the cluster scope" "key"="cert-manager/demo-certificate-rkffs-4023394078-3266066746" 
I1028 20:56:30.075482       1 setup.go:202] cert-manager/controller/clusterissuers "msg"="skipping re-verifying ACME account as cached registration details look sufficient" "related_resource_kind"="Secret" "related_resource_name"="acme-secret" "related_resource_namespace"="openshift-operators" "resource_kind"="ClusterIssuer" "resource_name"="letsencrypt-dynu-demo" "resource_namespace"="" "resource_version"="v1" 
I1028 20:56:30.097824       1 setup.go:202] cert-manager/controller/issuers "msg"="skipping re-verifying ACME account as cached registration details look sufficient" "related_resource_kind"="Secret" "related_resource_name"="letsencrypt-issuer" "related_resource_namespace"="cert-manager" "resource_kind"="Issuer" "resource_name"="letsencrypt-issuer" "resource_namespace"="cert-manager" "resource_version"="v1" 
I1028 20:56:31.337257       1 dns.go:88] cert-manager/controller/challenges/Present "msg"="presenting DNS01 challenge for domain" "dnsName"="demo.openshift.freeddns.org" "domain"="demo.openshift.freeddns.org" "resource_kind"="Challenge" "resource_name"="demo-certificate-rkffs-4023394078-3266066746" "resource_namespace"="cert-manager" "resource_version"="v1" "type"="DNS-01" 
E1028 20:56:31.348969       1 controller.go:163] cert-manager/controller/challenges "msg"="re-queuing item due to error processing" "error"="dynu.dynu-webhook-1635453893 is forbidden: User \"system:serviceaccount:openshift-operators:cert-manager\" cannot create resource \"dynu\" in API group \"dynu-webhook-1635453893\" at the cluster scope" "key"="cert-manager/demo-certificate-rkffs-4023394078-3266066746" 

But I do NOT find any resource (CRD?) dynu!
Any hint?

add USER to dockerfile

By adding USER (e.g. USER 100) to the Dockerfile, the image will not run as root.

If needed, add

RUN chgrp -R 0 /some/directory \
  && chmod -R g+rwX /some/directory 

This is the message you get when deploying on OpenShift (helm install ...):
would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "dynu-webhook" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "dynu-webhook" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "dynu-webhook" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "dynu-webhook" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

Install/Deployment works fine.

web hook does not support subdomains

When attempting to use a Dynu subdomain of a registered domain, the TXT records are created in the root domain and not the subdomain. This is a result of using the Dynu API call https://api.dynu.com/v2/dns/getroot/<hostname> to determine the DNS domain. This results in the parent DNS domain being returned as the domainName, and the subdomain and hostname being combined and listed as the 'node' in the response.

There does not appear to be a way to identify subdomains in the Dynu APIs, and I have fed this back to them via their forum. I am raising this as an issue here in case this is still being maintained, instead of forking off to work around the issue.

webhook produces many warnings on Kubernetes 1.26

FlowSchema and PriorityLevelConfiguration version v1beta2 are deprecated in Kubernetes 1.26. Replace it by version v1beta3.

W0621 14:31:17.302662 1 warnings.go:70] flowcontrol.apiserver.k8s.io/v1beta2 FlowSchema is deprecated in v1.26+, unavailable in v1.29+; use flowcontrol.apiserver.k8s.io/v1beta3 FlowSchema
W0621 14:38:24.235472 1 warnings.go:70] flowcontrol.apiserver.k8s.io/v1beta2 FlowSchema is deprecated in v1.26+, unavailable in v1.29+; use flowcontrol.apiserver.k8s.io/v1beta3 FlowSchema
W0621 14:38:28.109174 1 warnings.go:70] flowcontrol.apiserver.k8s.io/v1beta2 PriorityLevelConfiguration is deprecated in v1.26+, unavailable in v1.29+; use flowcontrol.apiserver.k8s.io/v1beta3 PriorityLevelConfiguration
W0621 14:43:47.186099 1 warnings.go:70] flowcontrol.apiserver.k8s.io/v1beta2 PriorityLevelConfiguration is deprecated in v1.26+, unavailable in v1.29+; use flowcontrol.apiserver.k8s.io/v1beta3 PriorityLevelConfiguration

Is it possible to set the TTL?

It takes me a while to obtain the certificate and several times it gives an error. When using Let's Encrypt with other tools such as certbot I have solved this by increasing the TTL, but here I cannot find how to set it, or whether it is implemented; apparently it is fixed at 60s.

Thanks

re-queuing item due to error processing" "error"="dynu.dynu-webhook-1661649439 is forbidden

I got issues when using this webhook in my k3s server. It would be great if anyone can confirm my steps or help to solve my issue.

  1. maybe something is missing in the helm install command

helm install cert-manager-dynu-webhook/dynu-webhook
Error: INSTALLATION FAILED: must either provide a name or specify --generate-name
The problem is solved if I add -g / --generate-name, but I am not sure whether it affects the following issue.
Afterward, I take the name from the helm install (dynu-webhook-1661649439) as the groupName value in the ClusterIssuer yaml.

  2. I tried to capture the logs from the cert-manager pods and got an issue about RBAC. But I am a newbie to kube; it would be great if someone could show me how to use the "template" rbac to solve the problem.

E0828 02:32:57.174888 1 controller.go:166] cert-manager/challenges "msg"="re-queuing item due to error processing" "error"="dynu.dynu-webhook-1661649439 is forbidden: User "system:serviceaccount:cert-manager:cert-manager" cannot create resource "dynu" in API group "dynu-webhook-1661649439" at the cluster scope" "key"="default/

so sorry for my poor English. thank you

server not able to handle the request

Hi,
thanks for the webhook, I noticed that when I try to get new certificates, I get this error:

Error presenting challenge: the server is currently unable to handle the request (post dynu.com.github.dopingus.cert-manager-webhook-dynu)

I'm sure that last week it worked. The fields "groupName" and "solverName" in the "ClusterIssuer" are set like this:

groupName: com.github.dopingus.cert-manager-webhook-dynu
solverName: dynu

Should I have to change something or is it a temporary error?

Thanks in Advance,

supermario18b
