Dopingus / cert-manager-webhook-dynu

Unofficial cert-manager webhook for dynu
Apache License 2.0

cannot create resource "dynu" in API group "dynu-webhook" #1

Closed rbaumgar closed 2 years ago

rbaumgar commented 2 years ago

I installed cert-manager 0.16

$ oc get pod -n openshift-operators|grep cert
cert-manager-5df5845867-hhmpg                          1/1     Running   0          37m
cert-manager-cainjector-7656d96747-j7gc5               1/1     Running   0          139m
cert-manager-webhook-7b8694549-mkp5n                   1/1     Running   0          139m

Then I installed the dynu webhook (just changed the port to 10250)

$ helm install ./deploy/dynu-webhook  -g --set groupName=acme.freeddns.org
I1028 19:22:35.096307  205496 request.go:668] Waited for 1.08888261s due to client-side throttling, not priority and fairness, request: GET:https://api.ocp4.openshift.freeddns.org:6443/apis/node.k8s.io/v1?timeout=32s
NAME: dynu-webhook-1635453893
LAST DEPLOYED: Thu Oct 28 19:22:39 2021
NAMESPACE: cert-manager
STATUS: deployed
REVISION: 1
TEST SUITE: None

I created an issuer

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-issuer
  namespace: cert-manager
spec:
  acme:
    solvers:
      - dns01:
          cnameStrategy: Follow
          webhook:
            groupName: dynu-webhook-1635441752
            solverName: dynu
            config:
              secretName: dynu-secret
              zoneName: demo.openshift.freeddns.org
              apiUrl: 'https://api.dynu.com/v2'
    server: 'https://acme-staging-v02.api.letsencrypt.org/directory'
    privateKeySecretRef:
      name: letsencrypt-issuer
    email: rbaumgar@redhat.com

I created a ClusterIssuer

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-dynu-demo
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory              # Use this for prod
    # server: https://acme-staging-v02.api.letsencrypt.org/directory    # Use this for staging/testing
    # Email address used for ACME registration
    email: rbaumgar@redhat.com # REPLACE THIS WITH YOUR EMAIL!!!
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: acme-secret

    solvers:
      - dns01:
          cnameStrategy: Follow
          webhook:
            groupName: dynu-webhook-1635449267 # Use the groupName defined above
            solverName: dynu
            config:
              secretName: dynu-secret # Adjust this in case you changed the secretName
              zoneName: demo.openshift.freeddns.org # Add the domain which you want to create certificates for
              apiUrl: https://api.dynu.com/v2

and at least one certificate

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: demo-certificate  # Replace with a name of your choice
# namespace: default        # Set a namespace if required
spec:
  commonName: "*.demo.openshift.freeddns.org" # Wildcard Entry for your domain
  dnsNames:
    - demo.openshift.freeddns.org         # List of all (sub)domains that you want to include in the cert
    - "*.demo.openshift.freeddns.org"
  issuerRef:
    name: letsencrypt-dynu-demo   # This should match the issuer you defined earlier
    kind: ClusterIssuer
  secretName: demo-secret # Secret name where the resulting certificate is saved in

Now I get an error in cert-manager

$ oc logs cert-manager-5df5845867-hhmpg -n openshift-operators
I1028 20:56:19.221540       1 start.go:75] cert-manager "msg"="starting controller"  "git-commit"="49914a057b39c887be0974c4657c095bd7724bc7" "version"="v1.6.0"
W1028 20:56:19.221644       1 client_config.go:615] Neither --kubeconfig nor --master was specified.  Using the inClusterConfig.  This might not work.
I1028 20:56:19.226317       1 controller.go:268] cert-manager/controller/build-context "msg"="configured acme dns01 nameservers" "nameservers"=["172.30.0.10:53"] 
I1028 20:56:19.227297       1 controller.go:85] cert-manager/controller "msg"="enabled controllers: [certificaterequests-approver certificaterequests-issuer-acme certificaterequests-issuer-ca certificaterequests-issuer-selfsigned certificaterequests-issuer-vault certificaterequests-issuer-venafi certificates-issuing certificates-key-manager certificates-metrics certificates-readiness certificates-request-manager certificates-revision-manager certificates-trigger challenges clusterissuers ingress-shim issuers orders]"  
...
I1028 20:56:25.141700       1 setup.go:202] cert-manager/controller/issuers "msg"="skipping re-verifying ACME account as cached registration details look sufficient" "related_resource_kind"="Secret" "related_resource_name"="letsencrypt-issuer" "related_resource_namespace"="cert-manager" "resource_kind"="Issuer" "resource_name"="letsencrypt-issuer" "resource_namespace"="cert-manager" "resource_version"="v1" 
I1028 20:56:25.153308       1 setup.go:202] cert-manager/controller/clusterissuers "msg"="skipping re-verifying ACME account as cached registration details look sufficient" "related_resource_kind"="Secret" "related_resource_name"="acme-secret" "related_resource_namespace"="openshift-operators" "resource_kind"="ClusterIssuer" "resource_name"="letsencrypt-dynu-demo" "resource_namespace"="" "resource_version"="v1" 
I1028 20:56:26.306406       1 dns.go:88] cert-manager/controller/challenges/Present "msg"="presenting DNS01 challenge for domain" "dnsName"="demo.openshift.freeddns.org" "domain"="demo.openshift.freeddns.org" "resource_kind"="Challenge" "resource_name"="demo-certificate-rkffs-4023394078-3266066746" "resource_namespace"="cert-manager" "resource_version"="v1" "type"="DNS-01" 
E1028 20:56:26.327005       1 controller.go:163] cert-manager/controller/challenges "msg"="re-queuing item due to error processing" "error"="dynu.dynu-webhook-1635453893 is forbidden: User \"system:serviceaccount:openshift-operators:cert-manager\" cannot create resource \"dynu\" in API group \"dynu-webhook-1635453893\" at the cluster scope" "key"="cert-manager/demo-certificate-rkffs-4023394078-3266066746" 
I1028 20:56:30.075482       1 setup.go:202] cert-manager/controller/clusterissuers "msg"="skipping re-verifying ACME account as cached registration details look sufficient" "related_resource_kind"="Secret" "related_resource_name"="acme-secret" "related_resource_namespace"="openshift-operators" "resource_kind"="ClusterIssuer" "resource_name"="letsencrypt-dynu-demo" "resource_namespace"="" "resource_version"="v1" 
I1028 20:56:30.097824       1 setup.go:202] cert-manager/controller/issuers "msg"="skipping re-verifying ACME account as cached registration details look sufficient" "related_resource_kind"="Secret" "related_resource_name"="letsencrypt-issuer" "related_resource_namespace"="cert-manager" "resource_kind"="Issuer" "resource_name"="letsencrypt-issuer" "resource_namespace"="cert-manager" "resource_version"="v1" 
I1028 20:56:31.337257       1 dns.go:88] cert-manager/controller/challenges/Present "msg"="presenting DNS01 challenge for domain" "dnsName"="demo.openshift.freeddns.org" "domain"="demo.openshift.freeddns.org" "resource_kind"="Challenge" "resource_name"="demo-certificate-rkffs-4023394078-3266066746" "resource_namespace"="cert-manager" "resource_version"="v1" "type"="DNS-01" 
E1028 20:56:31.348969       1 controller.go:163] cert-manager/controller/challenges "msg"="re-queuing item due to error processing" "error"="dynu.dynu-webhook-1635453893 is forbidden: User \"system:serviceaccount:openshift-operators:cert-manager\" cannot create resource \"dynu\" in API group \"dynu-webhook-1635453893\" at the cluster scope" "key"="cert-manager/demo-certificate-rkffs-4023394078-3266066746" 

But I do NOT find any resource (CRD?) dynu! Any hint?

Dopingus commented 2 years ago

Hello Robert,

This looks like a permission issue with the service account used for the hook. It looks like the service account used is not allowed to create resources at cluster scope.

Unfortunately, my clusters are all set up without (correct/useful) RBAC, so my knowledge here is limited. Can you please try to assign a ClusterRole with the required permissions to the service account "system:serviceaccount:openshift-operators:cert-manager"? (I am not sure which permissions are needed exactly, though.)

Regarding the CRD: I'm also not sure which CRD is used to manage these API groups. (EDIT: apiGroups refers to apiGroups in ClusterRoles.)

This issue here looks similar to your error: https://github.com/jetstack/cert-manager/issues/3432

I also ran into problems when using Issuer. Maybe this resource is causing an issue. There is no Issuer resource (apart from the ones deployed by cert-manager) running in my clusters.

After researching a bit more, the cause seems to be the following ClusterRole: dynu-webhook:domain-solver. I suspect that this role might have been created incorrectly/incompletely from the Helm template.

Can you please attach the definition of that ClusterRole?

rbaumgar commented 2 years ago

After applying the cluster-admin role to the SA cert-manager, I get another error:

I1029 07:11:41.917257       1 setup.go:202] cert-manager/controller/clusterissuers "msg"="skipping re-verifying ACME account as cached registration details look sufficient" "related_resource_kind"="Secret" "related_resource_name"="acme-secret" "related_resource_namespace"="openshift-operators" "resource_kind"="ClusterIssuer" "resource_name"="letsencrypt-dynu-demo" "resource_namespace"="" "resource_version"="v1"
I1029 07:11:41.933442       1 setup.go:202] cert-manager/controller/issuers "msg"="skipping re-verifying ACME account as cached registration details look sufficient" "related_resource_kind"="Secret" "related_resource_name"="letsencrypt-issuer" "related_resource_namespace"="cert-manager" "resource_kind"="Issuer" "resource_name"="letsencrypt-issuer" "resource_namespace"="cert-manager" "resource_version"="v1"
I1029 07:11:43.361469       1 dns.go:88] cert-manager/controller/challenges/Present "msg"="presenting DNS01 challenge for domain" "dnsName"="demo.openshift.freeddns.org" "domain"="demo.openshift.freeddns.org" "resource_kind"="Challenge" "resource_name"="demo-certificate-8q5pp-4023394078-3266066746" "resource_namespace"="cert-manager" "resource_version"="v1" "type"="DNS-01"
E1029 07:11:43.368712       1 controller.go:163] cert-manager/controller/challenges "msg"="re-queuing item due to error processing" "error"="the server could not find the requested resource (post dynu.dynu-webhook-1635453893)" "key"="cert-manager/demo-certificate-8q5pp-4023394078-3266066746"
I1029 07:11:53.376339       1 dns.go:88] cert-manager/controller/challenges/Present "msg"="presenting DNS01 challenge for domain" "dnsName"="demo.openshift.freeddns.org" "domain"="demo.openshift.freeddns.org" "resource_kind"="Challenge" "resource_name"="demo-certificate-8q5pp-4023394078-3266066746" "resource_namespace"="cert-manager" "resource_version"="v1" "type"="DNS-01"
E

A POST request to https://{{hostname}}:{{port}}/apis/acme.freeddns.org/v1alpha1/dynu gives

{
    "kind": "Status",
    "apiVersion": "v1",
    "metadata": {},
    "status": "Failure",
    "message": "the object provided is unrecognized (must be of type ChallengePayload): couldn't get version/kind; json parse error: unexpected end of JSON input (<empty>)",
    "reason": "BadRequest",
    "code": 400
}

So it looks like the webhook is working, but with a slightly different name (?)...

rbaumgar commented 2 years ago

So I was able to fix the problem with the name by changing the groupName in the Issuer/ClusterIssuer to the name specified in the helm install... But I still have an error in the cainjector pod:

E1101 22:15:48.510753       1 sources.go:201] cert-manager/secret/customresourcedefinition/generic-inject-reconciler "msg"="unable to fetch associated secret" "error"="Secret \"cert-manager-webhook-ca\" not found" "resource_kind"="CustomResourceDefinition" "resource_name"="certificaterequests.cert-manager.io" "resource_namespace"="" "resource_version"="v1" "secret"={"Namespace":"cert-manager","Name":"cert-manager-webhook-ca"}
I1101 22:15:48.510788       1 controller.go:166] cert-manager/secret/customresourcedefinition/generic-inject-reconciler "msg"="could not find any ca data in data source for target" "resource_kind"="CustomResourceDefinition" "resource_name"="certificaterequests.cert-manager.io" "resource_namespace"="" "resource_version"="v1"

Shouldn't this point to my existing secrets?

dynu-webhook-1635504520-ca            True    dynu-webhook-1635504520-ca            3d20h
dynu-webhook-1635504520-webhook-tls   True    dynu-webhook-1635504520-webhook-tls   3d20h

rbaumgar commented 2 years ago

Problem solved. Wrong groupName in the ClusterIssuer; the correct one is the one from the "helm install..."
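
Both errors in this thread trace back to the solver's groupName: the domain-solver ClusterRole bound to cert-manager's service account only grants create in the group the webhook was installed with, and only that group has an APIService behind it. The following Python is an added example, not code from the issue or the project: it checks an Issuer/ClusterIssuer's webhook solvers against the deployed groupName and evaluates a least-privilege domain-solver role, assuming the constructed manifest, the release name and a role layout modelled on the chart's `<release>:domain-solver` role.

```python
import json

# Constructed sample: the thread's ClusterIssuer, shaped like `kubectl get clusterissuer -o json` output.
CLUSTER_ISSUER = json.loads("""
{"apiVersion": "cert-manager.io/v1", "kind": "ClusterIssuer",
 "metadata": {"name": "letsencrypt-dynu-demo"},
 "spec": {"acme": {"solvers": [{"dns01": {"webhook": {
     "groupName": "dynu-webhook-1635449267", "solverName": "dynu",
     "config": {"secretName": "dynu-secret", "zoneName": "demo.openshift.freeddns.org"}}}}]}}}
""")

# groupName given to `helm install ... --set groupName=...` in the thread, and the chart's solver name.
DEPLOYED_GROUP = "acme.freeddns.org"
SOLVER_NAME = "dynu"


def webhook_solvers(issuer):
    """Yield (groupName, solverName) for every dns01 webhook solver of an Issuer/ClusterIssuer."""
    for solver in issuer["spec"]["acme"].get("solvers", []):
        hook = solver.get("dns01", {}).get("webhook")
        if hook:
            yield hook["groupName"], hook["solverName"]


def find_group_mismatches(issuer, deployed_group):
    """groupNames that differ from the group the webhook actually registered. cert-manager
    then POSTs to a group with no APIService behind it and logs 'the server could not
    find the requested resource (post dynu.<groupName>)'."""
    return [g for g, _ in webhook_solvers(issuer) if g != deployed_group]


def domain_solver_role(release, group, solver):
    """Least-privilege ClusterRole for the cert-manager service account: create the solver
    resource in the webhook's group only (hypothetical, modelled on the <release>:domain-solver
    role the chart ships; not the chart's own manifest)."""
    return {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
            "metadata": {"name": f"{release}:domain-solver"},
            "rules": [{"apiGroups": [group], "resources": [solver], "verbs": ["create"]}]}


def rule_allows(role, group, resource, verb):
    """Does the role cover the request behind the 'cannot create resource "dynu"' error?"""
    def hit(values, want):
        return want in values or "*" in values
    return any(hit(r["apiGroups"], group) and hit(r["resources"], resource) and hit(r["verbs"], verb)
               for r in role["rules"])
```

With the thread's values, `find_group_mismatches` flags `dynu-webhook-1635449267`, and the role built for `acme.freeddns.org` allows the create in that group only, which is why binding cluster-admin merely swapped the forbidden error for a not-found one.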

Dopingus commented 2 years ago

Thanks for sticking with it until you fixed it!