
Comments (5)

Dopingus commented on July 20, 2024

Hello Robert,

this looks like a permission issue with the service account used for the hook.
Looks like the used service account is not allowed to create resources at cluster scope.

Unfortunately, my clusters are all set up without (correct/useful) RBAC, so my knowledge here is limited.
Can you please try to assign a clusterrole with the required permissions to service account "system:serviceaccount:openshift-operators:cert-manager"? (I am not sure which permissions are needed exactly though)

Regarding the crd: I'm also not sure which CRD is used to manage these API groups. (EDIT: apiGroups refers to apiGroups in ClusterRoles)

This issue here looks similar to your error: cert-manager/cert-manager#3432

I also ran into problems when using Issuer. Maybe this resource is causing an issue.
There is no Issuer resource (apart from the ones deployed by cert-manager) running in my clusters.

After researching a bit more the cause seems to be the following Cluster Role: dynu-webhook:domain-solver
I suspect that this role might have been created incorrectly/incompletely from the Helm template.

Can you please attach the definition of that cluster role?

from cert-manager-webhook-dynu.

rbaumgar commented on July 20, 2024

After applying the cluster-admin role to SA cert-manager I get another error:

I1029 07:11:41.917257       1 setup.go:202] cert-manager/controller/clusterissuers "msg"="skipping re-verifying ACME account as cached registration details look sufficient" "related_resource_kind"="Secret" "related_resource_name"="acme-secret" "related_resource_namespace"="openshift-operators" "resource_kind"="ClusterIssuer" "resource_name"="letsencrypt-dynu-demo" "resource_namespace"="" "resource_version"="v1"
I1029 07:11:41.933442       1 setup.go:202] cert-manager/controller/issuers "msg"="skipping re-verifying ACME account as cached registration details look sufficient" "related_resource_kind"="Secret" "related_resource_name"="letsencrypt-issuer" "related_resource_namespace"="cert-manager" "resource_kind"="Issuer" "resource_name"="letsencrypt-issuer" "resource_namespace"="cert-manager" "resource_version"="v1"
I1029 07:11:43.361469       1 dns.go:88] cert-manager/controller/challenges/Present "msg"="presenting DNS01 challenge for domain" "dnsName"="demo.openshift.freeddns.org" "domain"="demo.openshift.freeddns.org" "resource_kind"="Challenge" "resource_name"="demo-certificate-8q5pp-4023394078-3266066746" "resource_namespace"="cert-manager" "resource_version"="v1" "type"="DNS-01"
E1029 07:11:43.368712       1 controller.go:163] cert-manager/controller/challenges "msg"="re-queuing item due to error processing" "error"="the server could not find the requested resource (post dynu.dynu-webhook-1635453893)" "key"="cert-manager/demo-certificate-8q5pp-4023394078-3266066746"
I1029 07:11:53.376339       1 dns.go:88] cert-manager/controller/challenges/Present "msg"="presenting DNS01 challenge for domain" "dnsName"="demo.openshift.freeddns.org" "domain"="demo.openshift.freeddns.org" "resource_kind"="Challenge" "resource_name"="demo-certificate-8q5pp-4023394078-3266066746" "resource_namespace"="cert-manager" "resource_version"="v1" "type"="DNS-01"
E

A POST request to https://{{hostname}}:{{port}}/apis/acme.freeddns.org/v1alpha1/dynu gives:

{
    "kind": "Status",
    "apiVersion": "v1",
    "metadata": {},
    "status": "Failure",
    "message": "the object provided is unrecognized (must be of type ChallengePayload): couldn't get version/kind; json parse error: unexpected end of JSON input (<empty>)",
    "reason": "BadRequest",
    "code": 400
}

So it looks like the webhook is working but with a little different name (?)...


rbaumgar commented on July 20, 2024

So I was able to fix the problem with the name by changing the groupname in the issuer/clusterissuer to the name specified in the helm install...
But still have an error in the cainjector pod:

E1101 22:15:48.510753       1 sources.go:201] cert-manager/secret/customresourcedefinition/generic-inject-reconciler "msg"="unable to fetch associated secret" "error"="Secret \"cert-manager-webhook-ca\" not found" "resource_kind"="CustomResourceDefinition" "resource_name"="certificaterequests.cert-manager.io" "resource_namespace"="" "resource_version"="v1" "secret"={"Namespace":"cert-manager","Name":"cert-manager-webhook-ca"}
I1101 22:15:48.510788       1 controller.go:166] cert-manager/secret/customresourcedefinition/generic-inject-reconciler "msg"="could not find any ca data in data source for target" "resource_kind"="CustomResourceDefinition" "resource_name"="certificaterequests.cert-manager.io" "resource_namespace"="" "resource_version"="v1"

Shouldn't this point to my existing secrets?

dynu-webhook-1635504520-ca            True    dynu-webhook-1635504520-ca            3d20h
dynu-webhook-1635504520-webhook-tls   True    dynu-webhook-1635504520-webhook-tls   3d20h


rbaumgar commented on July 20, 2024

problem solved. wrong groupName in the ClusterIssuer, correct one from the "helm install..."
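
A check for the mismatch that resolved this thread, as an added example that is not part of the original comments or the project's code: it compares each webhook solver's groupName in Issuer/ClusterIssuer objects with the API groups registered as APIServices. The sample JSON is constructed; the failing groupName is taken from the error in the logs above, and the served group `acme.freeddns.org` is assumed from the POST URL quoted in the thread.

```python
import json

# Constructed sample, shaped like `kubectl get clusterissuers,issuers -A -o json`.
# The first entry mirrors the failing state in the thread; the second is made up.
ISSUERS = json.loads("""{"items": [
  {"kind": "ClusterIssuer", "metadata": {"name": "letsencrypt-dynu-demo"},
   "spec": {"acme": {"solvers": [{"dns01": {"webhook":
     {"groupName": "dynu-webhook-1635453893", "solverName": "dynu"}}}]}}},
  {"kind": "Issuer", "metadata": {"name": "constructed-ok", "namespace": "demo"},
   "spec": {"acme": {"solvers": [{"dns01": {"webhook":
     {"groupName": "acme.freeddns.org", "solverName": "dynu"}}}]}}}
]}""")

# Constructed sample, shaped like `kubectl get apiservices -o json`.
# The legacy core entry ("v1.") has no group and must not count as a match.
APISERVICES = json.loads("""{"items": [
  {"metadata": {"name": "v1."}, "spec": {"version": "v1"}},
  {"metadata": {"name": "v1alpha1.acme.freeddns.org"},
   "spec": {"group": "acme.freeddns.org", "version": "v1alpha1"}}
]}""")


def webhook_solvers(issuers):
    """Yield (kind, name, groupName, solverName) for every DNS-01 webhook solver."""
    for item in issuers.get("items", []):
        acme = item.get("spec", {}).get("acme") or {}
        for solver in acme.get("solvers", []):
            hook = (solver.get("dns01") or {}).get("webhook")
            if hook:
                yield (item["kind"], item["metadata"]["name"],
                       hook.get("groupName"), hook.get("solverName"))


def unserved_solvers(issuers, apiservices):
    """Return the solvers whose groupName matches no registered APIService group."""
    served = {svc.get("spec", {}).get("group")
              for svc in apiservices.get("items", [])} - {None, ""}
    return [s for s in webhook_solvers(issuers) if s[2] not in served]


if __name__ == "__main__":
    for kind, name, group, solver in unserved_solvers(ISSUERS, APISERVICES):
        print(f"{kind}/{name}: no APIService serves group {group!r} "
              f"(solver {solver!r}); challenges will fail with 'could not find "
              f"the requested resource'")
```

Running a comparison like this before widening the service account's RBAC separates a naming mismatch from a genuine permissions problem.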


Dopingus commented on July 20, 2024

Thanks for sticking with it until you fixed it!
