Comments (8)
There are a couple of errors in the README file, I am not sure if that is causing your first problem. First, you want to use the correct repository address when adding it:
helm repo add cert-manager-dynu-webhook https://dopingus.github.io/cert-manager-webhook-dynu
Next, use com.github.dopingus.cert-manager-webhook-dynu
as the groupName
when defining an issuer.
Which pod's log contain the second error message?
from cert-manager-webhook-dynu.
The error message is probably coming from cert-manager itself. I think this happens when the service account used by cert-manager is not able to create the required K8s resources.
I'll have to check this on my own cluster to find out which permissions are missing exactly.
Can you please add which version of K8s you're running?
from cert-manager-webhook-dynu.
There are a couple of errors in the README file, I am not sure if that is causing your first problem. First, you want to use the correct repository address when adding it:
helm repo add cert-manager-dynu-webhook https://dopingus.github.io/cert-manager-webhook-dynu
Next, use
com.github.dopingus.cert-manager-webhook-dynu
as thegroupName
when defining an issuer.Which pod's log contain the second error message?
the log is from the pod of cert-manager
same error occurred, when I check the log with below command
k logs -n cert-manager cert-manager-58dd98c6d6-8t78m -f
E0829 10:14:38.762585 1 controller.go:166] cert-manager/challenges "msg"="re-queuing item due to error processing" "error"="dynu.com.github.dopingus.cert-manager-webhook-dynu is forbidden: User "system:serviceaccount:cert-manager:cert-manager" cannot create resource "dynu" in API group "com.github.dopingus.cert-manager-webhook-dynu" at the cluster scope" "key"="default/
from cert-manager-webhook-dynu.
The error message is probably coming from cert-manager itself. I think this happens when the service account used by cert-manager is not able to create the required K8s resources.
I'll have to check this on my own cluster to find out which permissions are missing exactly. Can you please add which version of K8s you're running?
k version --output=json
{
"clientVersion": {
"major": "1",
"minor": "25",
"gitVersion": "v1.25.0",
"gitCommit": "a866cbe2e5bbaa01cfd5e969aa3e033f3282a8a2",
"gitTreeState": "clean",
"buildDate": "2022-08-23T17:44:59Z",
"goVersion": "go1.19",
"compiler": "gc",
"platform": "linux/amd64"
},
"kustomizeVersion": "v4.5.7",
"serverVersion": {
"major": "1",
"minor": "23",
"gitVersion": "v1.23.4+k3s1",
"gitCommit": "43b1cb48200d8f6af85c16ed944d68fcc96b6506",
"gitTreeState": "clean",
"buildDate": "2022-02-24T22:38:17Z",
"goVersion": "go1.17.5",
"compiler": "gc",
"platform": "linux/amd64"
}
}
from cert-manager-webhook-dynu.
I fixed the issue by amend the ClusterRoleBinding (domain-solver & secret-reader) manually.
from
- apiGroup: ""
kind: ServiceAccount
name: {{ .Values.certManager.serviceAccountName }}
namespace: {{ .Release.Namespace }}
to
- apiGroup: ""
kind: ServiceAccount
name: {{ .Values.certManager.serviceAccountName }}
namespace: cert-manager
I am not sure why get the correct namespace of cert-manager by using " {{ .Release.Namespace }} "
But I found another issue
k logs -n cert-manager cert-manager-f7749dbb4-2zxbn
E0903 01:11:50.348135 1 sync.go:190] cert-manager/challenges "msg"="propagation check failed" "error"="DNS record for "xxx.xxx.xxx" not yet propagated"
k describe challenge xxx
Spec:
Authorization URL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/3457012774
Dns Name: xxx
Issuer Ref:
Kind: ClusterIssuer
Name: letsencrypt-staging
Key: xxx
Solver:
dns01:
Cname Strategy: Follow
Webhook:
Config:
Secret Name: dynu-secret
Group Name: com.github.dopingus.cert-manager-webhook-dynu
Solver Name: dynu
Token: xxxx
Type: DNS-01
URL: https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/3457012774/mqXYWg
Wildcard: true
Status:
Presented: true
Processing: true
Reason: Waiting for DNS-01 challenge propagation: DNS record for "xxx" not yet propagated
State: pending
Events:
masked some personal Information by xxx
from cert-manager-webhook-dynu.
I installed the web hook into the same namespace as cert-manager itself, that was why I did not have this problem.
Hardcoding the namespace does not appeal like a great idea to me. I looked back into the file's history and found the commit where the change was introduced. Can you try putting {{ .Values.certManager.namespace }}
instead of cert-manager
? If that works we can restore it the way if was before. Using this variable will be a much better solution.
Regarding the new problem, I suggest you check DNS records immediately after the webhook is invoked by cert-manager. Click on "Manage DNS records for hostname" in Dynu console next to the domain you are requesting a certificate for. I remember seeing the challenge records there for a short period until they were propagated to where Let's Encrypt could see them.
from cert-manager-webhook-dynu.
@anon-software agree with you. I made the change from the fixed namespace name, because you should never use fixed names!
from cert-manager-webhook-dynu.
I have tried to install the webhook to the same namespace of cert-manager and everything good. thank you all for your help.
from cert-manager-webhook-dynu.
Related Issues (12)
- cannot create resource "dynu" in API group "dynu-webhook" HOT 5
- web hook does not support subdomains HOT 3
- Pages build action not running HOT 3
- [QUESTION] Installation error ? HOT 1
- new group name
- add USER to dockerfile
- The server could not find the requested resource (post dynu.com.github.dopingus.cert-manager-webhook-dynu)
- Clusterisssuer does not create secret.
- Is it possible to set the TTL? HOT 7
- webhook producess many warnings on Kubernetes 1.26 HOT 2
- dynu with cert-manager 1.9.1 on arm: RBACs problem HOT 9
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from cert-manager-webhook-dynu.