
cert-manager-webhook-ionos's People

Contributors

fabmade, karstenb, ricsanfre


cert-manager-webhook-ionos's Issues

need support

Hello @fabmade,
I do not get on with the installation or configuration.
I have installed the helm chart and the cert manager and added the secret with my values.
I have also created the issuer and certificate.
However, I fail at this point.
What must be under groupName? The name of the domain?
Thanks for the help

Question: multiple domains at IONOS

Hello @fabmade,

First of all, thank you so much for your work, and thanks to all other contributors. It works quite well in my newest cluster. But I have a question and see no other way to contact you than the issues mechanism. I am sorry if that annoys you.

If I have multiple IONOS domains in the same cluster, can I just install another instance of cert-manager-webhook-ionos with a different name in the same namespace and another groupName in the values?

Thanks and have a good day.

Error presenting challenge: ionos.acme.fabmade.de is forbidden

Hi! I was trying to use the ionos webhook, but sadly ran into some issues. In my understanding, the challenge does not work. The certificaterequest looks like this:

Status:
  Conditions:
    Last Transition Time:  2023-09-06T14:31:11Z
    Message:               Certificate request has been approved by cert-manager.io
    Reason:                cert-manager.io
    Status:                True
    Type:                  Approved
    Last Transition Time:  2023-09-06T14:31:11Z
    Message:               Waiting on certificate issuance from order default/docs-8tjjf-1854285973: "pending"
    Reason:                Pending
    Status:                False
    Type:                  Ready
Events:
  Type    Reason              Age   From                                                Message
  ----    ------              ----  ----                                                -------
  Normal  WaitingForApproval  39m   cert-manager-certificaterequests-issuer-selfsigned  Not signing CertificateRequest until it is Approved
  Normal  WaitingForApproval  39m   cert-manager-certificaterequests-issuer-vault       Not signing CertificateRequest until it is Approved
  Normal  WaitingForApproval  39m   cert-manager-certificaterequests-issuer-ca          Not signing CertificateRequest until it is Approved
  Normal  WaitingForApproval  39m   cert-manager-certificaterequests-issuer-venafi      Not signing CertificateRequest until it is Approved
  Normal  WaitingForApproval  39m   cert-manager-certificaterequests-issuer-acme        Not signing CertificateRequest until it is Approved
  Normal  cert-manager.io     39m   cert-manager-certificaterequests-approver           Certificate request has been approved by cert-manager.io
  Normal  OrderCreated        39m   cert-manager-certificaterequests-issuer-acme        Created Order resource default/docs-8tjjf-1854285973
  Normal  OrderPending        39m   cert-manager-certificaterequests-issuer-acme        Waiting on certificate issuance from order default/docs-8tjjf-1854285973: ""

And the actual challenge prints this error:

Status:
  Presented:   false
  Processing:  true
  Reason:      ionos.acme.fabmade.de is forbidden: User "system:serviceaccount:certmanager:certmanager-cert-manager" cannot create resource "ionos" in API group "acme.fabmade.de" at the cluster scope
  State:       pending
Events:
  Type     Reason        Age                From                     Message
  ----     ------        ----               ----                     -------
  Normal   Started       40m                cert-manager-challenges  Challenge scheduled for processing
  Warning  PresentError  19m (x9 over 40m)  cert-manager-challenges  Error presenting challenge: ionos.acme.fabmade.de is forbidden: User "system:serviceaccount:certmanager:certmanager-cert-manager" cannot create resource "ionos" in API group "acme.fabmade.de" at the cluster scope

Has anyone else experienced this issue? :) Thanks in advance!
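The denial quoted in the issue above names the exact subject, verb, resource and API group that RBAC rejected. The following is an added example, not code from the project or from the issue's author: it parses that message and renders a ClusterRole and ClusterRoleBinding limited to that one permission. The role name `ionos-challenge-solver` is a hypothetical placeholder.

```go
package main

import (
	"fmt"
	"regexp"
)

// Denial holds the fields of an RBAC "forbidden" message for a service account.
type Denial struct{ Namespace, Account, Verb, Resource, Group string }

var denialRE = regexp.MustCompile(`User "system:serviceaccount:([^:"]+):([^"]+)" ` +
	`cannot (\S+) resource "([^"]+)" in API group "([^"]*)"`)

// ParseDenial extracts subject, verb, resource and API group from the message.
func ParseDenial(msg string) (Denial, bool) {
	m := denialRE.FindStringSubmatch(msg)
	if m == nil {
		return Denial{}, false
	}
	return Denial{m[1], m[2], m[3], m[4], m[5]}, true
}

// MinimalRBAC renders a ClusterRole with only the denied verb on the denied
// resource, bound to the denied service account. roleName is a hypothetical name.
func MinimalRBAC(d Denial, roleName string) string {
	return fmt.Sprintf(`apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata: {name: %[1]s}
rules:
- apiGroups: [%[2]q]
  resources: [%[3]q]
  verbs: [%[4]q]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata: {name: %[1]s}
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: ClusterRole, name: %[1]s}
subjects:
- {kind: ServiceAccount, name: %[5]s, namespace: %[6]s}
`, roleName, d.Group, d.Resource, d.Verb, d.Account, d.Namespace)
}

func main() {
	// Message copied from the Challenge status in the issue above.
	msg := `ionos.acme.fabmade.de is forbidden: User "system:serviceaccount:certmanager:certmanager-cert-manager" cannot create resource "ionos" in API group "acme.fabmade.de" at the cluster scope`
	if d, ok := ParseDenial(msg); ok {
		fmt.Print(MinimalRBAC(d, "ionos-challenge-solver"))
	}
}
```

The binding has to name the namespace and service account that cert-manager actually runs as (here `certmanager` / `certmanager-cert-manager`); a binding that points at a different namespace or account name leaves the same denial in place.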

Helm repo still does not contain index.yml file

Helm repo is still not working because index.yaml file is missing in gh-pages branch.

Error debugging

  1. Before creating gh-pages branch, github action helm chart releaser failed because gh-pages branch was not created.

See error indicating it could create index.yml file because it did not find gh-pages branch. Even with this failure the tar file containing the chart release was created: https://github.com/fabmade/cert-manager-webhook-ionos/releases/tag/cert-manager-webhook-ionos-1.0.0

  2. After creating gh-pages branch, last execution of github action helm chart releaser did not update index.yaml file because the chart (cert-manager-webhook-ionos-1.0.0) was already generated by execution 1)

How to solve this issue:

I guess the way to solve this issue is either increasing the chart version by modifying the Chart.yaml file to 1.0.1, or deleting the current tagged release https://github.com/fabmade/cert-manager-webhook-ionos/releases, and re-launching the chart releaser GitHub action.

400 Bad Request

Hi there,

I stumbled upon the following error:

[{"name":"_acme-challenge.cloud","type":"TXT","content":"4rDTIlJpsOBptsNBe8ZnoRRRTOGP78ythyz6M2iipY0","ttl":120,"prio":0,"disabled":false}]
--
I0419 07:49:17.482897 1 ionos.go:151] Found ID with ZoneName: example.com
E0419 07:49:17.581415 1 client.go:102] Error calling API status: 400 Bad Request url: https://api.hosting.ionos.com/dns/v1/zones/[Zone-ID]/records method: POST

This happens if I want to create a wildcard certificate for *.cloud.example.com.
I manually tried to do the POST call with curl and got this response:

[
  {
    "code": "INVALID_RECORD",
    "message": "Record is invalid.",
    "parameters": {
      "invalidFields": [
        "name"
      ],
      "errorRecord": {
        "name": "_acme-challenge.cloud",
        "rootName": "example.com",
        "type": "TXT",
        "content": "4rDTIlJpsOBptsNBe8ZnoRRRTOGP78ythyz6M2iipY0",
        "ttl": 120,
        "disabled": false
      }
    }
  }
]

Maybe Ionos changed their API because changing the name to _acme-challenge.cloud.example.com worked for me.
Same 400 Error happens in ionosClient.GetRecordIdByName(). The API does not like the query recordName=_acme.challenge.cloud
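The issue above reports that the zone-relative name `_acme-challenge.cloud` was rejected while `_acme-challenge.cloud.example.com` was accepted. The following is an added example, not the project's own code: it derives the fully qualified record name from a challenge FQDN, refuses names that fall outside the zone, and builds a request body with the fields shown in the logged request. That the FQDN arrives with a trailing dot is an assumption.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Record mirrors the fields of the request body logged in the issue.
type Record struct {
	Name     string `json:"name"`
	Type     string `json:"type"`
	Content  string `json:"content"`
	TTL      int    `json:"ttl"`
	Prio     int    `json:"prio"`
	Disabled bool   `json:"disabled"`
}

// QualifiedName returns fqdn without its trailing dot, after checking that it
// lies inside zone; this is the name form the issue reports as accepted.
func QualifiedName(fqdn, zone string) (string, error) {
	name := strings.ToLower(strings.TrimSuffix(fqdn, "."))
	z := strings.ToLower(strings.TrimSuffix(zone, "."))
	if z == "" || (name != z && !strings.HasSuffix(name, "."+z)) {
		return "", fmt.Errorf("%q is not inside zone %q", fqdn, zone)
	}
	return name, nil
}

// TXTBody builds the JSON array for the records POST with a qualified name.
func TXTBody(fqdn, zone, key string, ttl int) (string, error) {
	name, err := QualifiedName(fqdn, zone)
	if err != nil {
		return "", err
	}
	b, err := json.Marshal([]Record{{Name: name, Type: "TXT", Content: key, TTL: ttl}})
	return string(b), err
}

func main() {
	// Values taken from the issue; the trailing dot on the FQDN is an
	// assumption about how the solver receives the challenge name.
	body, err := TXTBody("_acme-challenge.cloud.example.com.", "example.com",
		"4rDTIlJpsOBptsNBe8ZnoRRRTOGP78ythyz6M2iipY0", 120)
	fmt.Println(body, err)
}
```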

v1beta1.FlowSchema and v1beta1.PriorityLevelConfiguration are deprecated in k8s v1.28

Hello,

Log from running instance in k8s v1.28
I0519 23:20:50.356490 1 secure_serving.go:266] Serving securely on :443
I0519 23:20:50.356612 1 requestheader_controller.go:169] Starting RequestHeaderAuthRequestController
I0519 23:20:50.356644 1 shared_informer.go:240] Waiting for caches to sync for RequestHeaderAuthRequestController
I0519 23:20:50.356687 1 dynamic_serving_content.go:129] "Starting controller" name="serving-cert::/tls/tls.crt::/tls/tls.key"
I0519 23:20:50.356770 1 tlsconfig.go:240] "Starting DynamicServingCertificateController"
I0519 23:20:50.445924 1 configmap_cafile_content.go:201] "Starting controller" name="client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file"
I0519 23:20:50.445963 1 shared_informer.go:240] Waiting for caches to sync for client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file
I0519 23:20:50.446007 1 apf_controller.go:299] Starting API Priority and Fairness config controller
I0519 23:20:50.446075 1 configmap_cafile_content.go:201] "Starting controller" name="client-ca::kube-system::extension-apiserver-authentication::client-ca-file"
I0519 23:20:50.446113 1 shared_informer.go:240] Waiting for caches to sync for client-ca::kube-system::extension-apiserver-authentication::client-ca-file
E0519 23:20:50.449778 1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta1.FlowSchema: failed to list *v1beta1.FlowSchema: the server could not find the requested resource
E0519 23:20:50.546413 1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta1.PriorityLevelConfiguration: failed to list *v1beta1.PriorityLevelConfiguration: the server could not find the requested resource
I0519 23:20:50.946003 1 shared_informer.go:247] Caches are synced for RequestHeaderAuthRequestController
I0519 23:20:51.046061 1 shared_informer.go:247] Caches are synced for client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file
I0519 23:20:51.046145 1 shared_informer.go:247] Caches are synced for client-ca::kube-system::extension-apiserver-authentication::client-ca-file
E0519 23:20:51.946349 1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta1.FlowSchema: failed to list *v1beta1.FlowSchema: the server could not find the requested resource
[...]
E0519 23:30:09.989050 1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta1.PriorityLevelConfiguration: failed to list *v1beta1.PriorityLevelConfiguration: the server could not find the requested resource
E0519 23:30:15.720793 1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta1.FlowSchema: failed to list *v1beta1.FlowSchema: the server could not find the requested resource
E0519 23:30:56.224947 1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta1.PriorityLevelConfiguration: failed to list *v1beta1.PriorityLevelConfiguration: the server could not find the requested resource
E0519 23:31:02.047977 1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta1.FlowSchema: failed to list *v1beta1.FlowSchema: the server could not find the requested resource
E0519 23:31:34.583678 1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta1.PriorityLevelConfiguration: failed to list *v1beta1.PriorityLevelConfiguration: the server could not find the requested resource
E0519 23:31:44.746445 1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta1.FlowSchema: failed to list *v1beta1.FlowSchema: the server could not find the requested resource
E0519 23:32:20.504951 1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta1.PriorityLevelConfiguration: failed to list *v1beta1.PriorityLevelConfiguration: the server could not find the requested resource
E0519 23:32:22.355989 1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta1.FlowSchema: failed to list *v1beta1.FlowSchema: the server could not find the requested resource

I would guess this is related to Kubernetes dropping the v1beta1.FlowSchema resource in version 1.26 and will drop even v1beta2 in version 1.29.

As a first approach I tried to enable the old API through some extra args for the Kube-API server with "runtime-config", but this does not seem to help.

I guess if the minimal version of cert-manager being referenced were 1.12.1 or 1.11.3, the APF could be turned off. This ticket is related to this.

Greetings :-)
