dopingus / cert-manager-webhook-dynu
Unofficial cert-manager webhook for dynu
License: Apache License 2.0
It takes me a while to obtain the certificate, and several times it gives an error. When using letsencrypt with other tools such as certbot I have solved this by increasing the TTL, but here I cannot find how to set it, or whether it is implemented at all; apparently it is fixed at 60s.
Thanks
Hi,
thanks for the webhook. I noticed that when I try to get new certificates I get this error:
Error presenting challenge: the server is currently unable to handle the request (post dynu.com.github.dopingus.cert-manager-webhook-dynu)
I'm sure that last week it worked. The fields "groupName" and "solverName" in the "ClusterIssuer" are set like this:
groupName: com.github.dopingus.cert-manager-webhook-dynu
solverName: dynu
Do I have to change something, or is it a temporary error?
Thanks in Advance,
supermario18b
When I create a ClusterIssuer (shown below) it does not create the secret (dynu-secret-prod). I don't find any error messages, and the ClusterIssuer appears as READY with the status "The ACME account was registered with the ACME server". Any ideas on how I can troubleshoot this? Why is it not creating the secret?
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-dynu-agtbr-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: [email protected]
    privateKeySecretRef:
      name: acme-privkey-prod
    solvers:
Thanks.
By adding USER (e.g. USER 100) to the Dockerfile, the image will not run as root.
If needed, add
RUN chgrp -R 0 /some/directory \
&& chmod -R g+rwX /some/directory
This is the message you get when deploying on OpenShift (helm install ...):
would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "dynu-webhook" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "dynu-webhook" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "dynu-webhook" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "dynu-webhook" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
Install/Deployment works fine.
When I try to create my certificate, I see that the challenge it creates is pending with the reason: the server could not find the requested resource (post dynu.com.github.dopingus.cert-manager-webhook-dynu).
Any idea on how I can troubleshoot this?
Thanks.
I have installed cert-manager 1.9.1 and the latest dynu version on arm.
dynu-webhook log:
I0829 19:50:00.984703 1 requestheader_controller.go:169] Starting RequestHeaderAuthRequestController
I0829 19:50:00.984990 1 shared_informer.go:255] Waiting for caches to sync for RequestHeaderAuthRequestController
I0829 19:50:00.984761 1 configmap_cafile_content.go:202] "Starting controller" name="client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file"
I0829 19:50:00.985142 1 shared_informer.go:255] Waiting for caches to sync for client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file
I0829 19:50:00.984774 1 configmap_cafile_content.go:202] "Starting controller" name="client-ca::kube-system::extension-apiserver-authentication::client-ca-file"
I0829 19:50:00.986033 1 shared_informer.go:255] Waiting for caches to sync for client-ca::kube-system::extension-apiserver-authentication::client-ca-file
I0829 19:50:00.986042 1 dynamic_serving_content.go:132] "Starting controller" name="serving-cert::/tls/tls.crt::/tls/tls.key"
I0829 19:50:00.985992 1 tlsconfig.go:240] "Starting DynamicServingCertificateController"
I0829 19:50:00.985932 1 secure_serving.go:210] Serving securely on [::]:10250
I0829 19:50:00.987461 1 apf_controller.go:317] Starting API Priority and Fairness config controller
W0829 19:50:00.997963 1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:cert-manager-dynu-webhook" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0829 19:50:00.998303 1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta2.FlowSchema: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:cert-manager-dynu-webhook" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
W0829 19:50:01.004129 1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:cert-manager-dynu-webhook" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0829 19:50:01.004464 1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta2.PriorityLevelConfiguration: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:cert-manager-dynu-webhook" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
I0829 19:50:01.086246 1 shared_informer.go:262] Caches are synced for client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file
I0829 19:50:01.086270 1 shared_informer.go:262] Caches are synced for RequestHeaderAuthRequestController
I0829 19:50:01.086342 1 shared_informer.go:262] Caches are synced for client-ca::kube-system::extension-apiserver-authentication::client-ca-file
W0829 19:50:02.154477 1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:cert-manager-dynu-webhook" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0829 19:50:02.154663 1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta2.PriorityLevelConfiguration: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:cert-manager-dynu-webhook" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
SA system:serviceaccount:cert-manager:cert-manager-dynu-webhook does not have sufficient rights for flowcontrol.apiserver.k8s.io
When attempting to use a deny subdomain of a registered domain, the TXT records are created in the root domain and not in the subdomain. This is a result of using the dynu API call https://api.dynu.com/v2/dns/getroot/<hostname> to determine the DNS domain: it returns the parent DNS domain as the domainName, with the subdomain and hostname combined and listed as the 'node' in the response.
There does not appear to be a way to identify subdomains in the dynu APIs, and I have fed this back to them via their forum. I am raising this as an issue here in case this is still being maintained, instead of forking off to work around the issue.
FlowSchema and PriorityLevelConfiguration version v1beta2 are deprecated in Kubernetes 1.26. Replace them with version v1beta3.
W0621 14:31:17.302662 1 warnings.go:70] flowcontrol.apiserver.k8s.io/v1beta2 FlowSchema is deprecated in v1.26+, unavailable in v1.29+; use flowcontrol.apiserver.k8s.io/v1beta3 FlowSchema
W0621 14:38:24.235472 1 warnings.go:70] flowcontrol.apiserver.k8s.io/v1beta2 FlowSchema is deprecated in v1.26+, unavailable in v1.29+; use flowcontrol.apiserver.k8s.io/v1beta3 FlowSchema
W0621 14:38:28.109174 1 warnings.go:70] flowcontrol.apiserver.k8s.io/v1beta2 PriorityLevelConfiguration is deprecated in v1.26+, unavailable in v1.29+; use flowcontrol.apiserver.k8s.io/v1beta3 PriorityLevelConfiguration
W0621 14:43:47.186099 1 warnings.go:70] flowcontrol.apiserver.k8s.io/v1beta2 PriorityLevelConfiguration is deprecated in v1.26+, unavailable in v1.29+; use flowcontrol.apiserver.k8s.io/v1beta3 PriorityLevelConfiguration
I got issues when using this webhook on my k3s server. It would be great if anyone could confirm my steps or help solve my issue.
helm install cert-manager-dynu-webhook/dynu-webhook
Error: INSTALLATION FAILED: must either provide a name or specify --generate-name
The problem is solved if I add -g / --generate-name, but I am not sure whether it affects the following issue.
Afterwards, I used the name from the helm install (dynu-webhook-1661649439) as the groupName value in the ClusterIssuer yaml:
E0828 02:32:57.174888 1 controller.go:166] cert-manager/challenges "msg"="re-queuing item due to error processing" "error"="dynu.dynu-webhook-1661649439 is forbidden: User "system:serviceaccount:cert-manager:cert-manager" cannot create resource "dynu" in API group "dynu-webhook-1661649439" at the cluster scope" "key"="default/
So sorry for my poor English. Thank you.
I am sorry, but I would propose a different group name.
dynu-webhook.cert-manager.io
or
dynu.webhook.cert-manager.io
Why? Here is a list of my apiservices...
$ kubectl get apiservices.apiregistration.k8s.io |grep v1a
v1alpha1.argoproj.io Local True 4d1h
v1alpha1.autoscaling.internal.knative.dev Local True 4d1h
v1alpha1.binding.operators.coreos.com Local True 11d
v1alpha1.caching.internal.knative.dev Local True 9d
v1alpha1.camel.apache.org Local True 9d
v1alpha1.cdi.kubevirt.io Local True 4d1h
v1alpha1.com.github.dopingus.cert-manager-webhook-dynu openshift-cert-manager/cert-manager-dynu-webhook True 34m
v1alpha1.config.openshift.io Local True 4d1h
v1alpha1.console.openshift.io Local True 4d1h
v1alpha1.controller.devfile.io Local True 4d1h
v1alpha1.controlplane.operator.openshift.io Local True 4d1h
v1alpha1.flows.netobserv.io Local True 4d1h
v1alpha1.integreatly.org Local True 4d1h
v1alpha1.kafka.strimzi.io Local True 4d1h
v1alpha1.keycloak.org Local True 9d
v1alpha1.kiali.io Local True 4d1h
v1alpha1.metal3.io Local True 11d
v1alpha1.migration.k8s.io Local True 4d1h
v1alpha1.monitoring.coreos.com Local True 9d
v1alpha1.monitoring.kiali.io Local True 9d
v1alpha1.networking.internal.knative.dev Local True 4d1h
v1alpha1.nfd.openshift.io Local True 11d
v1alpha1.nmstate.io Local True 4d1h
v1alpha1.operator.knative.dev Local True 9d
v1alpha1.operator.openshift.io Local True 11d
v1alpha1.operator.serverless.openshift.io Local True 4d1h
v1alpha1.operator.tekton.dev Local True 4d1h
v1alpha1.operators.coreos.com Local True 4d1h
v1alpha1.performance.openshift.io Local True 4d1h
v1alpha1.pipelines.openshift.io Local True 4d1h
v1alpha1.pipelinesascode.tekton.dev Local True 4d1h
v1alpha1.resolution.tekton.dev Local True 4d1h
v1alpha1.secscan.quay.redhat.com Local True 4d1h
v1alpha1.serving.knative.dev Local True 11d
v1alpha1.tackle.konveyor.io Local True 11d
v1alpha1.tekton.dev Local True 4d1h
v1alpha1.topology.node.k8s.io Local True 11d
v1alpha1.triggers.tekton.dev Local True 9d
v1alpha1.whereabouts.cni.cncf.io Local True 9d
v1alpha1.workspace.devfile.io Local True 4d1h
v1alpha2.operators.coreos.com Local True 4d1h
v1alpha2.workspace.devfile.io Local True 4d1h
v1alpha3.servicebinding.io Local True 4d1h
$ kubectl get apiservices.apiregistration.k8s.io |grep cert-manager
v1.acme.cert-manager.io Local True 11d
v1.cert-manager.io Local True 4d1h
v1alpha1.com.github.dopingus.cert-manager-webhook-dynu openshift-cert-manager/cert-manager-dynu-webhook True 36m
I went to test the latest update but it failed with the RBAC issue. This is because Helm updates are not getting published, as the Pages Build and Deployment action has not run to publish the new Helm charts.
I installed cert-manager 0.16
$ oc get pod -n openshift-operators|grep cert
cert-manager-5df5845867-hhmpg 1/1 Running 0 37m
cert-manager-cainjector-7656d96747-j7gc5 1/1 Running 0 139m
cert-manager-webhook-7b8694549-mkp5n 1/1 Running 0 139m
then I installed the dynu webhook (I just changed the port to 10250)
$ helm install ./deploy/dynu-webhook -g --set groupName=acme.freeddns.org
I1028 19:22:35.096307 205496 request.go:668] Waited for 1.08888261s due to client-side throttling, not priority and fairness, request: GET:https://api.ocp4.openshift.freeddns.org:6443/apis/node.k8s.io/v1?timeout=32s
NAME: dynu-webhook-1635453893
LAST DEPLOYED: Thu Oct 28 19:22:39 2021
NAMESPACE: cert-manager
STATUS: deployed
REVISION: 1
TEST SUITE: None
I created an issuer:
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-issuer
  namespace: cert-manager
spec:
  acme:
    solvers:
      - dns01:
          cnameStrategy: Follow
          webhook:
            groupName: dynu-webhook-1635441752
            solverName: dynu
            config:
              secretName: dynu-secret
              zoneName: demo.openshift.freeddns.org
              apiUrl: 'https://api.dynu.com/v2'
    server: 'https://acme-staging-v02.api.letsencrypt.org/directory'
    privateKeySecretRef:
      name: letsencrypt-issuer
    email: [email protected]
I created a ClusterIssuer:
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-dynu-demo
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory # Use this for prod
    # server: https://acme-staging-v02.api.letsencrypt.org/directory # Use this for staging/testing
    # Email address used for ACME registration
    email: [email protected] # REPLACE THIS WITH YOUR EMAIL!!!
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: acme-secret
    solvers:
      - dns01:
          cnameStrategy: Follow
          webhook:
            groupName: dynu-webhook-1635449267 # Use the groupName defined above
            solverName: dynu
            config:
              secretName: dynu-secret # Adjust this in case you changed the secretName
              zoneName: demo.openshift.freeddns.org # Add the domain which you want to create certificates for
              apiUrl: https://api.dynu.com/v2
and at least one certificate:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: demo-certificate # Replace with a name of your choice
  # namespace: default # Set a namespace if required
spec:
  commonName: "*.demo.openshift.freeddns.org" # Wildcard entry for your domain
  dnsNames:
    - demo.openshift.freeddns.org # List of all (sub)domains that you want to include in the cert
    - "*.demo.openshift.freeddns.org"
  issuerRef:
    name: letsencrypt-dynu-demo # This should match the issuer you defined earlier
    kind: ClusterIssuer
  secretName: demo-secret # Secret name where the resulting certificate is saved
Now I get an error in cert-manager:
$ oc logs cert-manager-5df5845867-hhmpg -n openshift-operators
I1028 20:56:19.221540 1 start.go:75] cert-manager "msg"="starting controller" "git-commit"="49914a057b39c887be0974c4657c095bd7724bc7" "version"="v1.6.0"
W1028 20:56:19.221644 1 client_config.go:615] Neither --kubeconfig nor --master was specified. Using the inClusterConfig. This might not work.
I1028 20:56:19.226317 1 controller.go:268] cert-manager/controller/build-context "msg"="configured acme dns01 nameservers" "nameservers"=["172.30.0.10:53"]
I1028 20:56:19.227297 1 controller.go:85] cert-manager/controller "msg"="enabled controllers: [certificaterequests-approver certificaterequests-issuer-acme certificaterequests-issuer-ca certificaterequests-issuer-selfsigned certificaterequests-issuer-vault certificaterequests-issuer-venafi certificates-issuing certificates-key-manager certificates-metrics certificates-readiness certificates-request-manager certificates-revision-manager certificates-trigger challenges clusterissuers ingress-shim issuers orders]"
...
I1028 20:56:25.141700 1 setup.go:202] cert-manager/controller/issuers "msg"="skipping re-verifying ACME account as cached registration details look sufficient" "related_resource_kind"="Secret" "related_resource_name"="letsencrypt-issuer" "related_resource_namespace"="cert-manager" "resource_kind"="Issuer" "resource_name"="letsencrypt-issuer" "resource_namespace"="cert-manager" "resource_version"="v1"
I1028 20:56:25.153308 1 setup.go:202] cert-manager/controller/clusterissuers "msg"="skipping re-verifying ACME account as cached registration details look sufficient" "related_resource_kind"="Secret" "related_resource_name"="acme-secret" "related_resource_namespace"="openshift-operators" "resource_kind"="ClusterIssuer" "resource_name"="letsencrypt-dynu-demo" "resource_namespace"="" "resource_version"="v1"
I1028 20:56:26.306406 1 dns.go:88] cert-manager/controller/challenges/Present "msg"="presenting DNS01 challenge for domain" "dnsName"="demo.openshift.freeddns.org" "domain"="demo.openshift.freeddns.org" "resource_kind"="Challenge" "resource_name"="demo-certificate-rkffs-4023394078-3266066746" "resource_namespace"="cert-manager" "resource_version"="v1" "type"="DNS-01"
E1028 20:56:26.327005 1 controller.go:163] cert-manager/controller/challenges "msg"="re-queuing item due to error processing" "error"="dynu.dynu-webhook-1635453893 is forbidden: User \"system:serviceaccount:openshift-operators:cert-manager\" cannot create resource \"dynu\" in API group \"dynu-webhook-1635453893\" at the cluster scope" "key"="cert-manager/demo-certificate-rkffs-4023394078-3266066746"
I1028 20:56:30.075482 1 setup.go:202] cert-manager/controller/clusterissuers "msg"="skipping re-verifying ACME account as cached registration details look sufficient" "related_resource_kind"="Secret" "related_resource_name"="acme-secret" "related_resource_namespace"="openshift-operators" "resource_kind"="ClusterIssuer" "resource_name"="letsencrypt-dynu-demo" "resource_namespace"="" "resource_version"="v1"
I1028 20:56:30.097824 1 setup.go:202] cert-manager/controller/issuers "msg"="skipping re-verifying ACME account as cached registration details look sufficient" "related_resource_kind"="Secret" "related_resource_name"="letsencrypt-issuer" "related_resource_namespace"="cert-manager" "resource_kind"="Issuer" "resource_name"="letsencrypt-issuer" "resource_namespace"="cert-manager" "resource_version"="v1"
I1028 20:56:31.337257 1 dns.go:88] cert-manager/controller/challenges/Present "msg"="presenting DNS01 challenge for domain" "dnsName"="demo.openshift.freeddns.org" "domain"="demo.openshift.freeddns.org" "resource_kind"="Challenge" "resource_name"="demo-certificate-rkffs-4023394078-3266066746" "resource_namespace"="cert-manager" "resource_version"="v1" "type"="DNS-01"
E1028 20:56:31.348969 1 controller.go:163] cert-manager/controller/challenges "msg"="re-queuing item due to error processing" "error"="dynu.dynu-webhook-1635453893 is forbidden: User \"system:serviceaccount:openshift-operators:cert-manager\" cannot create resource \"dynu\" in API group \"dynu-webhook-1635453893\" at the cluster scope" "key"="cert-manager/demo-certificate-rkffs-4023394078-3266066746"
But I do NOT find any resource (CRD?) dynu!
Any hint?
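The "forbidden" messages in the dynu-webhook log above (flowschemas, prioritylevelconfigurations), in the k3s post and in the cert-manager challenge log of this post all use the apiserver's one denial format. As an added example that is not code from this project or from cert-manager, the Python below parses such lines, derives the narrowest RBAC rule each denial asks for, and checks whether a binding's ServiceAccount subject actually matches the denied account; every sample line is constructed from the shapes quoted in this thread.

```python
"""Decode Kubernetes RBAC "forbidden" denials from cert-manager and webhook logs.
Added example for this thread, not code from cert-manager-webhook-dynu or cert-manager;
the sample lines are constructed from the shapes quoted above."""
import re
from dataclasses import dataclass
from typing import List, Optional

# The apiserver's standard denial text; quotes may be backslash-escaped when the
# message is nested inside cert-manager's structured "error"="..." field.
_FORBIDDEN = re.compile(
    r'User \\?"(?P<user>[^"\\]+)\\?" cannot (?P<verb>\w+) resource '
    r'\\?"(?P<resource>[^"\\]+)\\?" in API group \\?"(?P<group>[^"\\]*)\\?"'
    r'(?: in the namespace \\?"(?P<namespace>[^"\\]+)\\?"| at the cluster scope)'
)
_SA_PREFIX = "system:serviceaccount:"

@dataclass(frozen=True)
class Denial:
    sa_namespace: str
    sa_name: str
    verb: str
    resource: str
    api_group: str
    namespace: Optional[str]  # None means the request was cluster-scoped

def parse_denial(line: str) -> Optional[Denial]:
    """Return the denial described by a log line, or None if it carries none."""
    m = _FORBIDDEN.search(line)
    if not m or not m.group("user").startswith(_SA_PREFIX):
        return None  # no denial, or the subject is a user rather than a service account
    sa_ns, sa_name = m.group("user")[len(_SA_PREFIX):].split(":", 1)
    return Denial(sa_ns, sa_name, m.group("verb"), m.group("resource"),
                  m.group("group"), m.group("namespace"))

def rbac_rule(d: Denial) -> dict:
    """The narrowest PolicyRule that would satisfy this one denial."""
    return {"apiGroups": [d.api_group], "resources": [d.resource], "verbs": [d.verb]}

def subject_covers(d: Denial, bound_namespace: str, bound_name: str) -> bool:
    """True if a ServiceAccount subject of a (Cluster)RoleBinding matches the denied SA."""
    return d.sa_namespace == bound_namespace and d.sa_name == bound_name

def unique_denials(lines: List[str]) -> List[Denial]:
    """Distinct denials in first-seen order (reflector retries repeat the same one)."""
    return list(dict.fromkeys(d for d in map(parse_denial, lines) if d is not None))

# Constructed sample lines modelled on the messages quoted in this thread.
CERT_MANAGER_LINE = (
    r'E1028 20:56:26.327005 1 controller.go:163] cert-manager/controller/challenges '
    r'"error"="dynu.dynu-webhook-1635453893 is forbidden: User '
    r'\"system:serviceaccount:openshift-operators:cert-manager\" cannot create resource '
    r'\"dynu\" in API group \"dynu-webhook-1635453893\" at the cluster scope"'
)
WEBHOOK_LINE = (
    'W0829 19:50:00.997963 1 reflector.go:324] flowschemas.flowcontrol.apiserver.k8s.io is '
    'forbidden: User "system:serviceaccount:cert-manager:cert-manager-dynu-webhook" cannot '
    'list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope'
)
SAMPLE_LOG = [
    'I0829 19:50:00.985932 1 secure_serving.go:210] Serving securely on [::]:10250',
    WEBHOOK_LINE,
    WEBHOOK_LINE.replace("flowschemas", "prioritylevelconfigurations"),
    WEBHOOK_LINE,  # the reflector retries and logs the same denial again
    CERT_MANAGER_LINE,
]
```

Run over the log of this post, it shows the denied subject is openshift-operators/cert-manager, so a binding whose subject is the cert-manager/cert-manager service account does not cover it.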
Hi, I'm new to Kubernetes. I just installed a new cluster and I'm following the documentation to install the chart:
helm repo add cert-manager-dynu-webhook https://dopingus.github.io/cert-manager-webhook-dynu
helm repo update
helm install cert-manager-dynu-webhook cert-manager-dynu-webhook/dynu-webhook
After executing the install command I got the following error:
Error: INSTALLATION FAILED: unable to build kubernetes objects from release manifest: [unable to recognize "": no matches for kind "Certificate" in version "cert-manager.io/v1", unable to recognize "": no matches for kind "Issuer" in version "cert-manager.io/v1"]
Did I miss something?
Thanks.