search

baarde / cert-manager-webhook-ovh

OVH Webhook for Cert Manager
Apache License 2.0
94 stars 65 forks source link

Access to secret is forbidden #9

Closed Anthony-Jhoiro closed 3 years ago

Anthony-Jhoiro commented 3 years ago

Hello !

I am trying to create a cluster issuer using your repository but I keep getting this error in the challenge event when I create a certificate. 

Error presenting challenge: secrets "ovh-credentials" is forbidden: User "system:serviceaccount:cert-manager:cert-manager-webhook-ovh" cannot get resource "secrets" in API group "" in the namespace "default"

I also noticed some deprecation warnings with cert-manager v1, do you plan to update it ?

I tried to apply everything in the default workspace (like in your readme) and in the cert manager workspace. Same issue.

Thank you for your time!

My code for the cluster issuer : 

apiVersion: cert-manager.io/v1
kind:       ClusterIssuer
metadata:
    name: letsencrypt
spec:
    acme:
        # The ACME server URL
        server: https://acme-v02.api.letsencrypt.org/directory
        # Email address used for ACME registration
        email:  <email@address>
        # Name of a secret used to store the ACME account private key
        privateKeySecretRef:
            name: letsencrypt
        # Enable the HTTP-01 challenge provider
        solvers:
            -   dns01:
                    webhook:
                        groupName:  '<group_name>'
                        solverName: ovh
                        config:
                            endpoint:       ovh-eu
                            applicationKey:<application_key>
                            applicationSecretRef:
                                key:  <application_secret>
                                name: ovh-credentials
                            consumerKey:    <consumer_key>

If it helps, I use sealed secrets to store the ovh-credentials secret (but it doesn't work either without)

Anthony-Jhoiro commented 3 years ago

I have absolutely no idea how but it does work now. :man_shrugging:

MoskitoHero commented 2 years ago

I'm having the exact same issue. The cert-manager pod is stuck in an endless loop claiming that cert-manager-webhook-ovh cannot get the secret resource.

I have quadruple-checked my role, rolebinding, and I have compared it to another (working) setup on another cluster. They are exact copies.

You said you had no idea why it works now... a few months later, has anyone come up with an idea?

Raph0773 commented 2 years ago

Hi !

I've got the same issue :

E0208 16:58:06.512961 1 controller.go:163] cert-manager/challenges "msg"="re-queuing item due to error processing" "error"="secrets \"ovh-credentials\" is forbidden: User \"system:serviceaccount:default:cert-manager-webhook-ovh\" cannot get resource \"secrets\" in API group \"\" in the namespace \"cert-manager\"" "key"="***/***-crt-hnvv5-1350675799-829809866"

Can you help me ?

Thanks for your help !

MoskitoHero commented 2 years ago

I must admit that I had to check the role bindings a fifth time to realize that there was a namespace issue. The example found in the readme doesn't always work as expected if you don't specify the namespace in the RoleBinding's Subject definition.

Here is the working example for me:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cert-manager-webhook-ovh:secret-reader
rules:
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["ovh-credentials"]
  verbs: ["get", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cert-manager-webhook-ovh:secret-reader
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cert-manager-webhook-ovh:secret-reader
subjects:
- apiGroup: ""
  kind: ServiceAccount
  name: cert-manager-webhook-ovh
  namespace: cert-manager

edit: added example and corrected error

Raph0773 commented 2 years ago

Thanks @MoskitoHero

I tried to change it but nothing changed, error message is the same. My namespace for Cert-Manager is "cert-manager".

E0209 08:00:10.084624 1 controller.go:163] cert-manager/challenges "msg"="re-queuing item due to error processing" "error"="secrets \"ovh-credentials\" is forbidden: User \"system:serviceaccount:default:cert-manager-webhook-ovh\" cannot get resource \"secrets\" in API group \"\" in the namespace \"cert-manager\"" "key"="***/***-crt-5h4hj-1350675799-829809866"

Thanks !

Raph0773 commented 2 years ago

It's okey ! I find it !!

That's my configuration :

`apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cert-manager-webhook-ovh:secret-reader rules:

In my configuration it's "ClusterRole" et "ClusterRoleBinding"... My bad.

Thanks again for your help !

Have a nice day !