imroc / cert-manager-webhook-dnspod
cert-manager webhook resolver for DNSPod
License: Apache License 2.0
ingress annotation cert-manager.io/cluster-issuer: dnspod cannot create a Certificate automatically
This line will log the secret id and secret key.
cert-manager-webhook-dnspod/main.go
Line 124 in 9d6f159
Could you please remove it?
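Credentials that end up in a log line are the point of the report above. The following is an added example, not code from this repository, showing the usual Go countermeasure: wrap the key in a type whose String and GoString methods redact it, so that a `%+v` of the whole config can no longer print it. The config field names, the sample credentials and the log message text are assumptions made for the example.

```go
package main

import (
	"fmt"
	"log"
	"strings"
)

// Secret wraps a credential so that formatting it with %v, %s, %+v or %#v,
// or printing a struct that contains it, yields a redacted string. Only an
// explicit Reveal() returns the raw value, which makes accidental leaks in
// log statements visible in code review.
type Secret struct {
	raw string
}

// NewSecret wraps a raw credential.
func NewSecret(v string) Secret { return Secret{raw: v} }

// Reveal returns the underlying credential for use by an API client.
func (s Secret) Reveal() string { return s.raw }

// String implements fmt.Stringer, which fmt and log honour for %v and %s,
// including for exported struct fields printed with %+v.
func (s Secret) String() string { return Redact(s.raw) }

// GoString implements fmt.GoStringer so that %#v is also safe.
func (s Secret) GoString() string { return "Secret{" + Redact(s.raw) + "}" }

// Redact masks all but the last four characters, enough to tell two keys
// apart in a log without disclosing either. Short values are fully masked.
func Redact(v string) string {
	if len(v) <= 4 {
		return strings.Repeat("*", len(v))
	}
	return strings.Repeat("*", len(v)-4) + v[len(v)-4:]
}

// PlainConfig is the hazardous shape: the key is a bare string, so any
// formatting of the struct prints it verbatim. Field names are assumed for
// this example and are not the webhook's own.
type PlainConfig struct {
	SecretID  string
	SecretKey string
	TTL       int
}

// SafeConfig holds the key in a Secret; the same log statement no longer leaks.
type SafeConfig struct {
	SecretID  string
	SecretKey Secret
	TTL       int
}

// ClientLogLine is the kind of "client created" message a webhook might log
// with its configuration attached. Whether it leaks depends only on the
// type of the argument.
func ClientLogLine(cfg interface{}) string {
	return fmt.Sprintf("create dnspod client successfully with config %+v", cfg)
}

func main() {
	// Constructed sample credential, not a real one.
	const key = "ExampleSecretKeyValueForDemo1234"
	log.Println(ClientLogLine(PlainConfig{SecretID: "257754", SecretKey: key, TTL: 600}))
	log.Println(ClientLogLine(SafeConfig{SecretID: "257754", SecretKey: NewSecret(key), TTL: 600}))
}
```

The first log line prints the key in full; the second prints `****1234`. Because the redaction lives on the type, every future `%v` of the config inherits it without a per-call-site audit.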
controller.go:129] OpenAPI AggregationController: action for item v1alpha1.acme.imroc.cc: Rate Limited Requeue.
controller.go:116] loading OpenAPI spec for "v1alpha1.acme.imroc.cc" failed with: OpenAPI spec does not exist
controller.go:129] OpenAPI AggregationController: action for item v1alpha1.acme.imroc.cc: Rate Limited Requeue.
controller.go:116] loading OpenAPI spec for "v1alpha1.acme.imroc.cc" failed with: OpenAPI spec does not exist
controller.go:129] OpenAPI AggregationController: action for item v1alpha1.acme.imroc.cc: Rate Limited Requeue.
controller.go:116] loading OpenAPI spec for "v1alpha1.acme.imroc.cc" failed with: OpenAPI spec does not exist
controller.go:129] OpenAPI AggregationController: action for item v1alpha1.acme.imroc.cc: Rate Limited Requeue.
controller.go:116] loading OpenAPI spec for "v1alpha1.acme.imroc.cc" failed with: OpenAPI spec does not exist
controller.go:129] OpenAPI AggregationController: action for item v1alpha1.acme.imroc.cc: Rate Limited Requeue.
controller.go:116] loading OpenAPI spec for "v1alpha1.acme.imroc.cc" failed with: OpenAPI spec does not exist
controller.go:129] OpenAPI AggregationController: action for item v1alpha1.acme.imroc.cc: Rate Limited Requeue.
controller.go:116] loading OpenAPI spec for "v1alpha1.acme.imroc.cc" failed with: OpenAPI spec does not exist
controller.go:129] OpenAPI AggregationController: action for item v1alpha1.acme.imroc.cc: Rate Limited Requeue.
Thank you for all your work on this repository, and the blog https://imroc.cc/ is very nice ^^
Could an arm64 build of the imroc/cert-manager-webhook-dnspod:latest image be provided? Thanks~
Prevent a wildcard *.domain.com record that points to ddns.domain.com from interfering with resolution during certificate issuance.
By default the CNAME record for _acme-challenge.domain.com is fetched. As a result the TXT record of _acme-challenge.domain.com is not read; the TXT record of ddns.domain.com is read instead.
Looking at the cert-manager docs, does cnameStrategy=None need to be configured for this?
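To make the interaction between a wildcard CNAME and cert-manager's cnameStrategy concrete, here is an added example (not code from cert-manager or this webhook) that simulates the two strategies against a constructed zone. It assumes standard wildcard semantics (a wildcard record only matches a name that does not otherwise exist), a single-label wildcard match, and a constructed zone where *.domain.com is a CNAME to ddns.domain.com; ChallengeTarget, ResolveTXT and the Zone type are names invented for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Zone is a constructed in-memory stand-in for an authoritative zone. Keys
// are fully qualified names with a trailing dot; "*." keys are wildcards.
type Zone struct {
	A     map[string]string
	CNAME map[string]string
	TXT   map[string][]string
}

// exists reports whether any record is present at the exact name; a name
// that exists is never covered by a wildcard.
func (z Zone) exists(name string) bool {
	_, a := z.A[name]
	_, c := z.CNAME[name]
	_, t := z.TXT[name]
	return a || c || t
}

// lookupCNAME returns an explicit CNAME at the name, or the parent's
// wildcard CNAME when the name does not exist at all.
func (z Zone) lookupCNAME(name string) (string, bool) {
	if target, ok := z.CNAME[name]; ok {
		return target, true
	}
	if z.exists(name) {
		return "", false
	}
	parent := name
	if i := strings.Index(name, "."); i >= 0 {
		parent = name[i+1:]
	}
	target, ok := z.CNAME["*."+parent]
	return target, ok
}

// CNAMEStrategy mirrors cert-manager's dns01 cnameStrategy values.
type CNAMEStrategy string

const (
	StrategyNone   CNAMEStrategy = "None"
	StrategyFollow CNAMEStrategy = "Follow"
)

// ChallengeTarget returns the name at which the TXT record would be created.
// With None the challenge name is used verbatim; with Follow the CNAME chain
// is walked first, which is where a wildcard CNAME captures the challenge
// name before any TXT exists there.
func ChallengeTarget(z Zone, fqdn string, s CNAMEStrategy) (string, error) {
	if s == StrategyNone {
		return fqdn, nil
	}
	name := fqdn
	for i := 0; i < 8; i++ { // bounded so a CNAME loop cannot hang the solver
		target, ok := z.lookupCNAME(name)
		if !ok {
			return name, nil
		}
		name = target
	}
	return "", errors.New("CNAME chain too long")
}

// ResolveTXT answers a TXT query the way a resolver would: an explicit TXT
// at the name wins, otherwise a CNAME (explicit or wildcard) is followed.
func ResolveTXT(z Zone, name string) []string {
	for i := 0; i < 8; i++ {
		if txt, ok := z.TXT[name]; ok {
			return txt
		}
		target, ok := z.lookupCNAME(name)
		if !ok {
			return nil
		}
		name = target
	}
	return nil
}

func main() {
	z := Zone{
		A:     map[string]string{"ddns.domain.com.": "203.0.113.10"},
		CNAME: map[string]string{"*.domain.com.": "ddns.domain.com."},
		TXT:   map[string][]string{},
	}
	for _, s := range []CNAMEStrategy{StrategyNone, StrategyFollow} {
		t, _ := ChallengeTarget(z, "_acme-challenge.domain.com.", s)
		fmt.Printf("cnameStrategy=%s -> TXT would be written at %s\n", s, t)
	}
}
```

With Follow the solver writes the TXT under ddns.domain.com because the wildcard answers the CNAME lookup; with None it writes at _acme-challenge.domain.com, and once that name exists the wildcard no longer applies to it, so a TXT query returns the challenge value.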
Hello, renewing the certificate today produced the following error. Please help me work out how to solve it, thanks!
cert-manager error:
  "reason": "PresentError",
  "message": "Error presenting challenge: the server is currently unable to handle the request (post dnspod.acme.imroc.cc)",
cert-manager-webhook-dnspod error:
I0430 12:46:46.670500 1 main.go:123] create dnspod client successfully
E0430 12:46:47.333874 1 main.go:204] Failed to get domain id cn.: no domain found in zone cn.
Versions are as follows:
I specified my clusterIssuer in values.yaml
and deployed it by
$ helm install dnspod-hooker roc/cert-manager-webhook-dnspod --namespace cert-manager -f values.yaml
$ cat values.yaml
....
clusterIssuer:
  enabled: true
  name: dnspod
  ttl: 600
  staging: false
  secretId: <A Number>
  secretKey: <My Secret Key>
  email: <My Email>
....
But when I try to issue a certificate with the following, it fails.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-cert
  namespace: prod
spec:
  secretName: wildcard-cert
  issuerRef:
    name: dnspod
    kind: ClusterIssuer
  dnsNames:
    - "*.jerrita.cn"
Here's the detail for this challenge.
Spec:
  Authorization URL:  https://acme-v02.api.letsencrypt.org/acme/authz-v3/53147134200
  Dns Name:           jerrita.cn
  Issuer Ref:
    Kind:  ClusterIssuer
    Name:  dnspod
  Key:     C70GxiBffL7og1f9NkP0SpcMRW4UJHoxxRvPXXHOoPA
  Solver:
    dns01:
      Webhook:
        Config:
          Secret Id:  257754
          Secret Key Ref:
            Key:   secret-key
            Name:  dnspod-hooker-cert-manager-webhook-dnspod-secret
          Ttl:  600
        Group Name:   acme.jerrita.cn
        Solver Name:  dnspod
  Token:     ITuoHBla960WGR6lWMSONGEJpZtZhWRQhPr1a7auEb0
  Type:      DNS-01
  URL:       https://acme-v02.api.letsencrypt.org/acme/chall-v3/53147134200/m88caQ
  Wildcard:  true
Status:
  Presented:   false
  Processing:  true
  Reason:      error decoding solver config: json: cannot unmarshal number into Go struct field customDNSProviderConfig.secretId of type string
  State:       pending
Events:
  Type     Reason        Age                    From          Message
  ----     ------        ----                   ----          -------
  Normal   Started       7m54s                  cert-manager  Challenge scheduled for processing
  Warning  PresentError  2m45s (x7 over 7m53s)  cert-manager  Error presenting challenge: error decoding solver config: json: cannot unmarshal number into Go struct field customDNSProviderConfig.secretId of type string
How to solve it?
Always trying to clean up the DNS challenge after the certs are generated, even if the DNS record has been successfully removed.
Logs are filled with the following error message:
E0826 09:36:38.149573 1 sync.go:282] cert-manager/challenges/finalizer "msg"="error cleaning up challenge" "error"="dnspod API call has failed: [TencentCloudSDKError] Code=ResourceNotFound.NoDataOfRecord, Message=记录列表为空。 (record list is empty), RequestId=2781a7f8-3d0c-43e5-8b09-e07f7547b847" "dnsName"="chiyuki.studio" "resource_kind"="Challenge" "resource_name"="cert-chiyuki-studio-msfcc-3859969589-3025972435" "resource_namespace"="traefik" "resource_version"="v1" "type"="DNS-01"
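The log line above shows the webhook's cleanup treating an already-deleted record (ResourceNotFound.NoDataOfRecord) as a failure, which keeps cert-manager's finalizer retrying. The following is an added example, not the webhook's own code, of an idempotent CleanUp that recognises that code and returns success. It uses a stand-in for the Tencent Cloud SDK error type (the same Code, Message and RequestId fields and the same Error() text as in the log) and a constructed in-memory DNSPod API so it runs offline; the RecordAPI interface and FakeDNSPod are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// sdkError is a stand-in with the same shape and Error() text as the
// Tencent Cloud SDK's TencentCloudSDKError, so the example runs without
// the SDK dependency.
type sdkError struct {
	Code, Message, RequestId string
}

func (e *sdkError) Error() string {
	return fmt.Sprintf("[TencentCloudSDKError] Code=%s, Message=%s, RequestId=%s", e.Code, e.Message, e.RequestId)
}

func (e *sdkError) GetCode() string { return e.Code }

// errNoRecord is the code from the issue's log line.
const errNoRecord = "ResourceNotFound.NoDataOfRecord"

// IsNoRecord reports whether err says the record list is already empty,
// which cleanup must treat as success rather than failure. It matches any
// error exposing GetCode(), wrapped or not, so the real SDK type works too.
func IsNoRecord(err error) bool {
	var c interface{ GetCode() string }
	return errors.As(err, &c) && c.GetCode() == errNoRecord
}

// Record is a DNSPod TXT record as far as cleanup needs it.
type Record struct {
	ID    uint64
	Sub   string
	Value string
}

// RecordAPI abstracts the two DNSPod calls cleanup uses.
type RecordAPI interface {
	ListTXT(domain, sub string) ([]Record, error)
	DeleteRecord(domain string, id uint64) error
}

// CleanUp removes the challenge TXT record carrying value. It is idempotent:
// a missing record, whether on list or on delete, is not an error, so the
// finalizer converges instead of retrying forever. Other TXT records on the
// same name are left alone.
func CleanUp(api RecordAPI, domain, sub, value string) error {
	recs, err := api.ListTXT(domain, sub)
	if IsNoRecord(err) {
		return nil
	}
	if err != nil {
		return fmt.Errorf("dnspod API call has failed: %w", err)
	}
	for _, r := range recs {
		if r.Value != value {
			continue
		}
		if err := api.DeleteRecord(domain, r.ID); err != nil && !IsNoRecord(err) {
			return fmt.Errorf("dnspod API call has failed: %w", err)
		}
	}
	return nil
}

// FakeDNSPod is a constructed in-memory API that behaves like the real one
// on the point that matters: listing a name with no records fails with
// NoDataOfRecord instead of returning an empty list.
type FakeDNSPod struct {
	Records []Record
}

func (f *FakeDNSPod) ListTXT(domain, sub string) ([]Record, error) {
	var out []Record
	for _, r := range f.Records {
		if r.Sub == sub {
			out = append(out, r)
		}
	}
	if len(out) == 0 {
		return nil, &sdkError{Code: errNoRecord, Message: "record list is empty", RequestId: "constructed"}
	}
	return out, nil
}

func (f *FakeDNSPod) DeleteRecord(domain string, id uint64) error {
	for i, r := range f.Records {
		if r.ID == id {
			f.Records = append(f.Records[:i], f.Records[i+1:]...)
			return nil
		}
	}
	return &sdkError{Code: errNoRecord, Message: "record list is empty", RequestId: "constructed"}
}

func main() {
	api := &FakeDNSPod{Records: []Record{{ID: 1, Sub: "_acme-challenge", Value: "tok"}}}
	fmt.Println("first cleanup: ", CleanUp(api, "chiyuki.studio", "_acme-challenge", "tok"))
	fmt.Println("second cleanup:", CleanUp(api, "chiyuki.studio", "_acme-challenge", "tok"))
}
```

Both calls return nil: the first deletes the record, the second sees NoDataOfRecord from the list call and reports success, which is what lets the Challenge finalizer complete.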
Status:
  Presented:   false
  Processing:  true
  Reason:      the server is currently unable to handle the request (post dnspod.acme.imroc.cc)
  State:       pending
Events:
  Type     Reason        Age                 From                     Message
  Normal   Started       2m36s               cert-manager-challenges  Challenge scheduled for processing
  Warning  PresentError  5s (x6 over 2m30s)  cert-manager-challenges  Error presenting challenge: the server is currently unable to handle the request (post dnspod.acme.imroc.cc)
After a successful install, certificates are issued normally, but the k8s server log keeps looping on errors like this. Is there a fix?
Oct 19 02:05:58 k3s-master k3s[203492]: I1019 02:05:58.411724 203492 alloc.go:327] "allocated clusterIPs" service="cert-manager/cert-manager-webhook-dnspod" clusterIPs=map[IPv4:10.43.239.218]
Oct 19 02:05:58 k3s-master k3s[203492]: I1019 02:05:58.469074 203492 event.go:294] "Event occurred" object="cert-manager/cert-manager-webhook-dnspod" fieldPath="" kind="Deployment" apiVersion="apps/v1" type="Normal" reason="ScalingReplicaSet" message="Scaled up replica set cert-mana>
Oct 19 02:05:58 k3s-master k3s[203492]: E1019 02:05:58.515048 203492 available_controller.go:524] v1alpha1.acme.imroc.cc failed with: Operation cannot be fulfilled on apiservices.apiregistration.k8s.io "v1alpha1.acme.imroc.cc": the object has been modified; please apply your changes>
Oct 19 02:05:58 k3s-master k3s[203492]: I1019 02:05:58.517278 203492 event.go:294] "Event occurred" object="cert-manager/cert-manager-webhook-dnspod-77586fdc8f" fieldPath="" kind="ReplicaSet" apiVersion="apps/v1" type="Normal" reason="SuccessfulCreate" message="Created pod: cert-man>
Oct 19 02:05:58 k3s-master k3s[203492]: I1019 02:05:58.569516 203492 controller.go:611] quota admission added evaluator for: issuers.cert-manager.io
Oct 19 02:05:59 k3s-master k3s[203492]: W1019 02:05:59.491333 203492 handler_proxy.go:105] no RequestInfo found in the context
Oct 19 02:05:59 k3s-master k3s[203492]: E1019 02:05:59.491417 203492 controller.go:116] loading OpenAPI spec for "v1alpha1.acme.imroc.cc" failed with: failed to retrieve openAPI spec, http error: ResponseCode: 503, Body: service unavailable
Oct 19 02:05:59 k3s-master k3s[203492]: , Header: map[Content-Type:[text/plain; charset=utf-8] X-Content-Type-Options:[nosniff]]
Oct 19 02:05:59 k3s-master k3s[203492]: I1019 02:05:59.491443 203492 controller.go:129] OpenAPI AggregationController: action for item v1alpha1.acme.imroc.cc: Rate Limited Requeue.
Oct 19 02:05:59 k3s-master k3s[203492]: W1019 02:05:59.491337 203492 handler_proxy.go:105] no RequestInfo found in the context
Oct 19 02:05:59 k3s-master k3s[203492]: E1019 02:05:59.491493 203492 controller.go:113] loading OpenAPI spec for "v1alpha1.acme.imroc.cc" failed with: Error, could not get list of group versions for APIService
Oct 19 02:05:59 k3s-master k3s[203492]: I1019 02:05:59.492968 203492 controller.go:126] OpenAPI AggregationController: action for item v1alpha1.acme.imroc.cc: Rate Limited Requeue.
Oct 19 02:06:01 k3s-master systemd[97538]: run-containerd-runc-k8s.io-da508401a9e63fd060813899b0108af1f976c609aa5914c31042957391251ff1-runc.KlEPgj.mount: Succeeded.
-- Subject: Unit succeeded
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- The unit UNIT has successfully entered the 'dead' state.
Oct 19 02:06:01 k3s-master systemd[1]: run-containerd-runc-k8s.io-da508401a9e63fd060813899b0108af1f976c609aa5914c31042957391251ff1-runc.KlEPgj.mount: Succeeded.
-- Subject: Unit succeeded
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- The unit run-containerd-runc-k8s.io-da508401a9e63fd060813899b0108af1f976c609aa5914c31042957391251ff1-runc.KlEPgj.mount has successfully entered the 'dead' state.
Oct 19 02:06:02 k3s-master k3s[203492]: E1019 02:06:02.144646 203492 available_controller.go:524] v1alpha1.acme.imroc.cc failed with: failing or missing response from https://10.42.2.27:443/apis/acme.imroc.cc/v1alpha1: bad status from https://10.42.2.27:443/apis/acme.imroc.cc/v1alph>
Oct 19 02:06:02 k3s-master k3s[203492]: E1019 02:06:02.149630 203492 available_controller.go:524] v1alpha1.acme.imroc.cc failed with: failing or missing response from https://10.42.2.27:443/apis/acme.imroc.cc/v1alpha1: bad status from https://10.42.2.27:443/apis/acme.imroc.cc/v1alph>
Oct 19 02:06:02 k3s-master k3s[203492]: E1019 02:06:02.155627 203492 available_controller.go:524] v1alpha1.acme.imroc.cc failed with: failing or missing response from https://10.42.2.27:443/apis/acme.imroc.cc/v1alpha1: bad status from https://10.42.2.27:443/apis/acme.imroc.cc/v1alph>
Oct 19 02:06:03 k3s-master k3s[203492]: E1019 02:06:03.164646 203492 controller.go:116] loading OpenAPI spec for "v1alpha1.acme.imroc.cc" failed with: OpenAPI spec does not exist
Oct 19 02:06:03 k3s-master k3s[203492]: I1019 02:06:03.164696 203492 controller.go:129] OpenAPI AggregationController: action for item v1alpha1.acme.imroc.cc: Rate Limited Requeue.
I followed the steps in https://imroc.cc/k8s/trick/cert-manager-webhook-dnspod/ , but got the error below.
error decoding solver config: json: cannot unmarshal number into Go struct field customDNSProviderConfig.secretId of type string
And found that the value of secretId in clusterissuers.cert-manager.io/dnspod is not of string type.
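The error in this report and in the values.yaml report earlier on this page (secretId: <A Number>) is the same one: an unquoted numeric value in YAML becomes a JSON number, and encoding/json refuses to put a number into a string field. Quoting the value in values.yaml (secretId: "257754") is the configuration-side fix. The added example below, which is not code from this webhook, reproduces the failure with a strict struct and shows a tolerant field type that accepts both forms; the struct and function names are invented for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// strictConfig reproduces the failing shape: secretId is a plain string,
// so a JSON number (what an unquoted YAML value becomes) is rejected.
type strictConfig struct {
	SecretID string `json:"secretId"`
	TTL      int    `json:"ttl"`
}

// StringOrNumber accepts either a JSON string or a JSON number and keeps
// the string form, so `secretId: "257754"` and `secretId: 257754` decode
// to the same value.
type StringOrNumber string

func (s *StringOrNumber) UnmarshalJSON(b []byte) error {
	var str string
	if err := json.Unmarshal(b, &str); err == nil {
		*s = StringOrNumber(str)
		return nil
	}
	var num json.Number
	if err := json.Unmarshal(b, &num); err == nil {
		*s = StringOrNumber(num.String())
		return nil
	}
	return fmt.Errorf("secretId: expected a string or number, got %s", string(b))
}

// tolerantConfig is the same config with the tolerant field type.
type tolerantConfig struct {
	SecretID StringOrNumber `json:"secretId"`
	TTL      int            `json:"ttl"`
}

// DecodeStrict mirrors the solver-config decoding that fails in the issue
// and returns the decoded secret id.
func DecodeStrict(raw []byte) (string, error) {
	var c strictConfig
	if err := json.Unmarshal(raw, &c); err != nil {
		return "", fmt.Errorf("error decoding solver config: %w", err)
	}
	return c.SecretID, nil
}

// DecodeTolerant decodes with the tolerant type and returns the secret id.
func DecodeTolerant(raw []byte) (string, error) {
	var c tolerantConfig
	if err := json.Unmarshal(raw, &c); err != nil {
		return "", fmt.Errorf("error decoding solver config: %w", err)
	}
	return string(c.SecretID), nil
}

func main() {
	// Constructed solver configs: the first is what an unquoted values.yaml
	// entry turns into, the second the quoted form.
	unquoted := []byte(`{"secretId": 257754, "ttl": 600}`)
	quoted := []byte(`{"secretId": "257754", "ttl": 600}`)
	for _, raw := range [][]byte{unquoted, quoted} {
		id, err := DecodeStrict(raw)
		fmt.Printf("strict:   id=%q err=%v\n", id, err)
		id, err = DecodeTolerant(raw)
		fmt.Printf("tolerant: id=%q err=%v\n", id, err)
	}
}
```

DecodeStrict fails on the unquoted input with the same "cannot unmarshal number into Go struct field ... of type string" text as the Challenge status; DecodeTolerant returns "257754" for both inputs and still rejects values that are neither string nor number.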
Hi, thank you for supplying an updated version. But when I use cert-manager v1.12.4, I get the following error when applying a certificate:
So I have to create a ClusterRole with the permission and bind it to the serviceaccount "cert-manager-controller". I don't know if this Helm chart forgot to create the ClusterRole, or if this is a bug?
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-controller:dnspod
rules:
  - apiGroups:
      - acme.mydomain.com
    resources:
      - dnspod
    verbs:
      - create
      - get
      - list
      - watch
      - delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-controller-dnspod
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller:dnspod
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: cert-manager-controller
    namespace: cert-manager
user "system:serviceaccount:monitoring:cert-manager" does not have permissions to set approved/denied conditions for issuer {dnspod ClusterIssuer cert-manager.io}"
In my use so far, with domains hosted on DNSPod, .cn issues normally but .top does not.
Is there a good way to support .top domains?
Also, is there a list of supported top-level domains?
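The earlier report on this page ("Failed to get domain id cn.: no domain found in zone cn.") and the question about .top above are both about mapping a challenge name to the domain that DNSPod manages. The following is an added example, not this webhook's code, of the suffix walk that does that mapping: it tries every suffix of the FQDN from longest to shortest, never treats the bare TLD as a zone, and names the TLD in the error when nothing matches. The managed callback and the in-memory domain set stand in for a query to the DNSPod account and are assumptions of the example.

```go
package main

import (
	"fmt"
	"strings"
)

// SplitZone finds the DNSPod-managed domain that a challenge FQDN belongs
// to and the relative record name under it. managed reports whether the
// account owns a candidate domain; a real solver would ask the DNSPod API.
func SplitZone(fqdn string, managed func(domain string) bool) (domain, sub string, err error) {
	name := strings.TrimSuffix(strings.ToLower(fqdn), ".")
	labels := strings.Split(name, ".")
	// Candidates are labels[i:] from the full name down to the registrable
	// domain; the final label alone (the TLD) is never a candidate, so "cn"
	// or "top" cannot be picked as a zone.
	for i := 0; i < len(labels)-1; i++ {
		candidate := strings.Join(labels[i:], ".")
		if managed(candidate) {
			sub = strings.Join(labels[:i], ".")
			if sub == "" {
				sub = "@" // the apex record, as the DNSPod API names it
			}
			return candidate, sub, nil
		}
	}
	return "", "", fmt.Errorf("no domain found in zone %s.", labels[len(labels)-1])
}

// managedSet is a constructed stand-in for "domains in this DNSPod account".
func managedSet(domains ...string) func(string) bool {
	set := make(map[string]bool, len(domains))
	for _, d := range domains {
		set[strings.ToLower(d)] = true
	}
	return func(d string) bool { return set[d] }
}

func main() {
	owned := managedSet("example.cn", "example.top")
	for _, fqdn := range []string{
		"_acme-challenge.example.cn.",
		"_acme-challenge.api.example.top.",
		"example.top.",
		"_acme-challenge.other.top.",
	} {
		d, s, err := SplitZone(fqdn, owned)
		fmt.Printf("%-34s -> domain=%q sub=%q err=%v\n", fqdn, d, s, err)
	}
}
```

For a name under a domain the account does not hold, the error mentions the TLD ("no domain found in zone top."), which is the shape of the error in the earlier report: the message points at the TLD, but the cause to check is whether the registrable domain is present in the DNSPod account the secret id belongs to.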
k8s v1.26.0
cert-manager v1.10.1
kubectl describe certificates
Name:         apisix-crt
Namespace:    default
Labels:       <none>
Annotations:  <none>
API Version:  cert-manager.io/v1
Kind:         Certificate
Metadata:
  Creation Timestamp:  2023-01-03T07:02:49Z
  Generation:          1
  Managed Fields:
    API Version:  cert-manager.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:status:
        .:
        f:conditions:
          .:
          k:{"type":"Ready"}:
            .:
            f:lastTransitionTime:
            f:message:
            f:observedGeneration:
            f:reason:
            f:status:
            f:type:
    Manager:      cert-manager-certificates-readiness
    Operation:    Update
    Subresource:  status
    Time:         2023-01-03T07:02:49Z
    API Version:  cert-manager.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:status:
        f:conditions:
          k:{"type":"Issuing"}:
            .:
            f:lastTransitionTime:
            f:message:
            f:observedGeneration:
            f:reason:
            f:status:
            f:type:
    Manager:      cert-manager-certificates-trigger
    Operation:    Update
    Subresource:  status
    Time:         2023-01-03T07:02:49Z
    API Version:  cert-manager.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .:
          f:kubectl.kubernetes.io/last-applied-configuration:
      f:spec:
        .:
        f:dnsNames:
        f:issuerRef:
          .:
          f:group:
          f:kind:
          f:name:
        f:secretName:
    Manager:      kubectl-client-side-apply
    Operation:    Update
    Time:         2023-01-03T07:02:49Z
    API Version:  cert-manager.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:status:
        f:nextPrivateKeySecretName:
    Manager:         cert-manager-certificates-key-manager
    Operation:       Update
    Subresource:     status
    Time:            2023-01-03T07:02:50Z
  Resource Version:  3913908
  UID:               5d17353e-f1af-48cb-9398-02da4c05038b
Spec:
  Dns Names:
    apisix.yappam.com
    *.apisix.yappam.com
  Issuer Ref:
    Group:      cert-manager.io
    Kind:       ClusterIssuer
    Name:       dnspod
  Secret Name:  apisix-crt
Status:
  Conditions:
    Last Transition Time:  2023-01-03T07:02:49Z
    Message:               Issuing certificate as Secret does not exist
    Observed Generation:   1
    Reason:                DoesNotExist
    Status:                False
    Type:                  Ready
    Last Transition Time:  2023-01-03T07:02:49Z
    Message:               Issuing certificate as Secret does not exist
    Observed Generation:   1
    Reason:                DoesNotExist
    Status:                True
    Type:                  Issuing
  Next Private Key Secret Name:  apisix-crt-l4fvj
Events:
  Type    Reason     Age   From                                       Message
  ----    ------     ----  ----                                       -------
  Normal  Issuing    8s    cert-manager-certificates-trigger          Issuing certificate as Secret does not exist
  Normal  Generated  7s    cert-manager-certificates-key-manager      Stored new private key in temporary Secret resource "apisix-crt-l4fvj"
  Normal  Requested  6s    cert-manager-certificates-request-manager  Created new CertificateRequest resource "apisix-crt-2xqvn"