Closed ashishsinghdev closed 1 week ago
Hi @ashishsinghdev
By default, ejbca-cert-manager-issuer will not sign CertificateRequests that aren't approved, as demonstrated by the log messages in the reconciler pod.
The errors you're encountering suggest that cert-manager itself does not have permission to set the approved condition on CertificateRequest resources. Have you taken a look at the cert-manager approver-policy documentation?
After updating the cert-manager ClusterRole to allow permissions on ejbca-issuer.keyfactor.com API group resources, it works.
Note: Working for ClusterIssuers
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-controller-clusterissuers
  labels:
    app: cert-manager
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/version: v1.14.7
  annotations:
rules:
```

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-controller-approve:cert-manager-io
  labels:
    app: cert-manager
    app.kubernetes.io/component: cert-manager
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/name: cert-manager
    app.kubernetes.io/version: v1.14.7
rules:
```
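The approval permission discussed in the comment above can be checked offline against a role's rules. This is an added example, not code from the thread or from either project: it assumes cert-manager's signer naming convention (`approve` on `signers` in the `cert-manager.io` group), and the rule sets and the issuer name `ejbca` are constructed, since the thread's own `rules:` are elided.

```python
# Added example: models the RBAC check behind CertificateRequest approval.
# Assumption (cert-manager convention): the approver needs verb "approve" on
# resource "signers" in API group "cert-manager.io", where the signer is named
# "<plural>.<issuer group>/<issuer name>" or "<plural>.<issuer group>/*".

def signer_names(kind, group, name, namespace=None):
    """Resource names tried for an issuerRef (wildcard form, then specific)."""
    plural = kind.lower() + "s"  # assumed plural: ClusterIssuer -> clusterissuers
    specific = f"{namespace}.{name}" if kind == "Issuer" else name
    return [f"{plural}.{group}/*", f"{plural}.{group}/{specific}"]

def _matches(values, wanted):
    # "*" is a wildcard for apiGroups, resources and verbs.
    return "*" in values or wanted in values

def rule_allows(rule, signer):
    """True if one RBAC rule grants approve on the given signer name."""
    names = rule.get("resourceNames", [])
    return (_matches(rule.get("apiGroups", []), "cert-manager.io")
            and _matches(rule.get("resources", []), "signers")
            and _matches(rule.get("verbs", []), "approve")
            # resourceNames are compared literally; an empty list means "any".
            and (not names or signer in names))

def can_approve(rules, kind, group, name, namespace=None):
    return any(rule_allows(r, s) for r in rules
               for s in signer_names(kind, group, name, namespace))

# Constructed sample: a role scoped to cert-manager's built-in issuer kinds only.
DEFAULT_RULES = [{
    "apiGroups": ["cert-manager.io"], "resources": ["signers"],
    "verbs": ["approve"],
    "resourceNames": ["issuers.cert-manager.io/*",
                      "clusterissuers.cert-manager.io/*"],
}]
# Constructed sample: the same role extended for the external ClusterIssuer kind.
GROUP = "ejbca-issuer.keyfactor.com"
AMENDED_RULES = [dict(DEFAULT_RULES[0],
                      resourceNames=DEFAULT_RULES[0]["resourceNames"]
                      + [f"clusterissuers.{GROUP}/*"])]

if __name__ == "__main__":
    for label, rules in (("default", DEFAULT_RULES), ("amended", AMENDED_RULES)):
        print(label,
              "ClusterIssuer:", can_approve(rules, "ClusterIssuer", GROUP, "ejbca"),
              "Issuer:", can_approve(rules, "Issuer", GROUP, "ejbca", "default"))
```

Listing only the `clusterissuers.` signer keeps the grant narrow, which is why the namespaced `Issuer` case still evaluates to denied here.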
Hi
The ClusterIssuer is in the ready state and health checks are successful, but while issuing a certificate I am getting a permission error when cert-manager is trying to update the status to Approved.
Any idea why the Helm installation is not setting the correct permissions?
Cert-manager pod logs:
ejbca-cert-manager-issuer pod logs: