DEVmachine-fr / cert-manager-alidns-webhook

Cert-manager webhook to generate Let's Encrypt certificates over Alibaba Cloud DNS.
Apache License 2.0
98 stars, 31 forks

Should the issuer and alidns-webhook be in the same namespace? #12

Closed ben-wangz closed 2 years ago

ben-wangz commented 2 years ago

Should the issuer and alidns-webhook be deployed in the same namespace? If not, I guess the ServiceAccount created may not have permission to read the secret configured in dns01.webhook.config.

olivierboudet commented 2 years ago

It should not be necessary. Do you have an error?

ben-wangz commented 2 years ago

Yes, there will be an error if the issuer and alidns-webhook are not in the same namespace. You can replay it with the commands below. Pay attention to:

  1. alidns-webhook tries to read the secret in the namespace `test`: load secret "test/alidns-webhook-secrets"
  2. the same secret was added to both namespace basic-components-plus and namespace test. It cannot be loaded because of the permissions.
    [root@node-01 ~]# cat alidns.webhook.values.yaml
    image:
      repository: localhost:5000/ghcr.io/devmachine-fr/cert-manager-alidns-webhook/cert-manager-alidns-webhook
      tag: 0.2.0
      pullPolicy: IfNotPresent
    privateRegistry:
      enabled: false
      dockerRegistrySecret: alibaba-container-registry
    certManager:
      namespace: basic-components
      serviceAccountName: my-cert-manager
    groupName: acme.geekcity.tech
    [root@node-01 ~]# kubectl -n test get secret
    NAME                     TYPE                                  DATA   AGE
    alidns-webhook-secrets   Opaque                                2      47s
    default-token-mfmlc      kubernetes.io/service-account-token   3      49s
    [root@node-01 ~]# kubectl -n basic-components-plus get secret
    NAME                                      TYPE                                  DATA   AGE
    alidns-webhook-secrets                    Opaque                                2      82s
    default-token-nxtcc                       kubernetes.io/service-account-token   3      104s
    my-alidns-webhook-ca                      kubernetes.io/tls                     3      39s
    my-alidns-webhook-token-95rb6             kubernetes.io/service-account-token   3      40s
    my-alidns-webhook-webhook-tls             kubernetes.io/tls                     3      35s
    sh.helm.release.v1.my-alidns-webhook.v1   helm.sh/release.v1                    1      40s
    [root@node-01 ~]# cat alidns.webhook.staging.issuer.yaml
    apiVersion: cert-manager.io/v1
    kind: Issuer
    metadata:
      name: alidns-webhook-letsencrypt
    spec:
      acme:
        email: ben.wangz@foxmail.com
        privateKeySecretRef:
          name: alidns-webhook-letsencrypt
        server: https://acme-staging-v02.api.letsencrypt.org/directory
        solvers:
          - dns01:
              webhook:
                config:
                  accessTokenSecretRef:
                    key: access-token
                    name: alidns-webhook-secrets
                  regionId: cn-beijing
                  secretKeySecretRef:
                    key: secret-key
                    name: alidns-webhook-secrets
                groupName: acme.geekcity.tech
                solverName: alidns-solver
    [root@node-01 ~]# cat test.certificate.yaml
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: cm-plus-test
    spec:
      secretName: cm-plus.test.geekcity.tech-tls
      dnsNames:
        - cm-plus.test.geekcity.tech
      issuerRef:
        name: alidns-webhook-letsencrypt
        kind: Issuer
        group: cert-manager.io
    [root@node-01 ~]# kubectl -n test apply -f alidns.webhook.staging.issuer.yaml
    issuer.cert-manager.io/alidns-webhook-letsencrypt created
    [root@node-01 ~]# kubectl -n test apply -f test.certificate.yaml
    certificate.cert-manager.io/cm-plus-test created
    ...(just after a few seconds)
    [root@node-01 ~]# kubectl -n test describe Challenge cm-plus-test-5jmq6-975627868-3544924144
    ...
    Events:
    Type     Reason        Age                From          Message
    ----     ------        ----               ----          -------
    Normal   Started       57s                cert-manager  Challenge scheduled for processing
    Warning  PresentError  31s (x4 over 56s)  cert-manager  Error presenting challenge: failed to load secret "test/alidns-webhook-secrets": secrets "alidns-webhook-secrets" is forbidden: User "system:serviceaccount:basic-components-plus:my-alidns-webhook" cannot get resource "secrets" in API group "" in the namespace "test"

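The PresentError above is a plain RBAC denial, not a missing secret: for a namespaced Issuer, cert-manager hands the webhook the Issuer's namespace (`test`) as the challenge's resource namespace, so the webhook looks up `test/alidns-webhook-secrets` using its own ServiceAccount (`basic-components-plus:my-alidns-webhook`), and that ServiceAccount was only granted secret access in its own namespace. Putting a copy of the secret in the webhook's namespace therefore does not help. The manifest below is an added example (not code from this thread or from the project) showing the narrowest grant that makes the lookup succeed: a Role in the Issuer's namespace limited to that one secret, bound to the webhook's ServiceAccount. The names are taken from the output above; the Role/RoleBinding names and the `resourceNames` scoping are my own choices.

```yaml
# Added example: grant the webhook's ServiceAccount read access to the
# credential secret in the Issuer's namespace. Secret, ServiceAccount and
# namespace names come from the kubectl output above; the Role name and the
# resourceNames restriction are assumptions about how tightly to scope it.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: alidns-webhook-secret-reader
  namespace: test                               # the Issuer's namespace, not the webhook's
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["alidns-webhook-secrets"]   # only this secret, not every secret in test
    verbs: ["get"]                              # "get" is all the lookup needs; no list/watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: alidns-webhook-secret-reader
  namespace: test
subjects:
  - kind: ServiceAccount
    name: my-alidns-webhook                     # the "User" in the PresentError event
    namespace: basic-components-plus
roleRef:
  kind: Role
  name: alidns-webhook-secret-reader
  apiGroup: rbac.authorization.k8s.io
```

Before and after applying it you can confirm the decision the API server will make without touching cert-manager: `kubectl auth can-i get secrets/alidns-webhook-secrets -n test --as=system:serviceaccount:basic-components-plus:my-alidns-webhook` should flip from `no` to `yes`. The reason to stay with a namespaced Role plus `resourceNames` rather than a ClusterRole over `secrets` is that the webhook pod holds cloud DNS credentials and is network-reachable from cert-manager; a cluster-wide secret grant would turn any compromise of that pod into read access to every secret in the cluster. One Role and RoleBinding per Issuer namespace is more to manage, but it keeps the blast radius to the secrets the webhook actually needs.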
olivierboudet commented 2 years ago

I assume it is because the issuer and the alidns-webhook-secrets are not in the same namespace. Could you try to create the secret in the test namespace?

ben-wangz commented 2 years ago

Yes, that was a problem. And in the previous case I showed, another secret is created in the test namespace.

(screenshot attached in the original comment)

olivierboudet commented 2 years ago

Oh ok, I did not see it. Thank you, I will try to fix this asap.

olivierboudet commented 2 years ago

Could you try version 0.6.1 ?