cert-manager / aws-privateca-issuer

Addon for cert-manager that issues certificates using AWS ACM PCA.
Apache License 2.0

[Bug]: Connection to AWS PCA not working #299

Closed nishanthcheruku closed 6 months ago

nishanthcheruku commented 9 months ago

Describe the expected outcome

I installed cert-manager and the AWS Private CA add-on for certificates on local Kubernetes clusters. After that I created a secret (with AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY in base64 encoding). As soon as I created the cluster issuer, I see logs that the authentication is not happening. The issue remains even after a certificate request.

```yaml
# Two manifests in one file: the Secret and the Certificate must be separated by `---`
apiVersion: v1
kind: Secret
metadata:
  name: <name>
data:
  AWS_ACCESS_KEY_ID: <base64 access-key>
  AWS_SECRET_ACCESS_KEY: <base64 secret-key>
---
kind: Certificate
apiVersion: cert-manager.io/v1
metadata:
  name: <name>
spec:
  commonName: <domain>
  dnsNames:
    - <required subdomain>
  duration: 2160h0m0s
  issuerRef:
    group: awspca.cert-manager.io
    kind: AWSPCAClusterIssuer
    name: <ref. to clusterissuer>
  renewBefore: 360h0m0s
  secretName: <ref. to secret>
  usages:
    - server auth
    - client auth
  privateKey:
    algorithm: "RSA"
    size: 4096
```

Describe the actual outcome

Certificate should get issued

Steps to reproduce

No response

Relevant log output

```json
{"level":"error","ts":"2023-11-22T09:38:48Z","msg":"Reconciler error","controller":"awspcaclusterissuer","controllerGroup":"awspca.cert-manager.io","controllerKind":"AWSPCAClusterIssuer","AWSPCAClusterIssuer":{"name":"parentca"},"namespace":"","name":"parentca","reconcileID":"8db6ef52-0bfb-4692-979d-fcf79fde29ae","error":"operation error STS: GetCallerIdentity, failed to sign request: failed to retrieve credentials: failed to refresh cached credentials, no EC2 IMDS role found, operation error ec2imds: GetMetadata, failed to get API token, operation error ec2imds: getToken, http response error StatusCode: 400, request to EC2 IMDS failed","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:329\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:227"}
```

Version

certmanager - 1.13

Have you tried the following?

Category

Authentication Issue

Severity

Severity 3

aveega commented 9 months ago

Thank you for raising this issue with the AWS Private CA Issuer plugin. We will review your submission and respond back to you here as soon as possible.

aveega commented 9 months ago

Hi @nishanthcheruku,

Were you using your Kubernetes clusters through Terraform? If so, could you please try the following

nishanthcheruku commented 9 months ago

Hello @aveega, Thanks for the response. Cluster creation and application of manifest files are manual, i.e. without any Terraform or any other IAC.

shankara-n commented 9 months ago

Hi @nishanthcheruku,

The controller doesn't seem to have picked up the secret from your configuration. So it is definitely a configuration issue.

The provided log is not sufficient to identify the configuration issue. Additional logs could point to the exact issue.

One suggestion I have is to explicitly define the namespace. In the error log, the namespace is empty, which should mean the "default" namespace, but I'd suggest you declare it explicitly, as shown in our example in the README.
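A small pre-flight check for the configuration problem described in this thread, added here as an example and not part of the project or of anyone's comment. It assumes the issuer references its credential Secret through `spec.secretRef` with `name` and `namespace`, and that an empty namespace is read as `default` (as stated above); the manifests are constructed Python dicts with placeholder values, not real credentials.

```python
import base64

# Constructed sample manifests (dicts standing in for the YAML); placeholder values, not real credentials.
# Assumption: AWSPCAClusterIssuer references its credential Secret via spec.secretRef {name, namespace}.
ISSUER = {
    "apiVersion": "awspca.cert-manager.io/v1beta1",
    "kind": "AWSPCAClusterIssuer",
    "metadata": {"name": "parentca"},
    "spec": {"region": "us-east-1",
             "arn": "arn:aws:acm-pca:us-east-1:000000000000:certificate-authority/PLACEHOLDER",
             "secretRef": {"name": "pca-creds"}},   # namespace left out, as in the report
}
SECRET = {
    "apiVersion": "v1", "kind": "Secret",
    "metadata": {"name": "pca-creds", "namespace": "cert-manager"},
    "data": {
        # simulates `echo $KEY | base64` without -n: the decoded value ends in a newline
        "AWS_ACCESS_KEY_ID": base64.b64encode(b"AKIAPLACEHOLDER\n").decode(),
        "AWS_SECRET_ACCESS_KEY": "not*base64",     # plain text pasted under data: instead of stringData:
    },
}
REQUIRED = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY")

def check_issuer_secret(issuer, secret):
    """Return a list of findings; an empty list means the reference and key material look consistent."""
    findings = []
    ref = issuer.get("spec", {}).get("secretRef")
    if not ref:
        # With no secretRef the controller uses the pod's default AWS credential chain, which on a
        # non-EC2 cluster ends in the "no EC2 IMDS role found" error quoted in the report.
        return ["spec.secretRef missing: controller falls back to the default credential chain (IMDS)"]
    ref_ns = ref.get("namespace")
    if not ref_ns:
        findings.append("spec.secretRef.namespace not set; declare it explicitly (empty is read as 'default')")
        ref_ns = "default"
    sec_name = secret.get("metadata", {}).get("name")
    sec_ns = secret.get("metadata", {}).get("namespace") or "default"
    if (ref.get("name"), ref_ns) != (sec_name, sec_ns):
        findings.append(f"secretRef {ref_ns}/{ref.get('name')} does not match Secret {sec_ns}/{sec_name}")
    data = secret.get("data") or {}
    for key in REQUIRED:
        if key not in data:
            findings.append(f"Secret has no data.{key}")
            continue
        try:
            raw = base64.b64decode(data[key], validate=True)
        except ValueError:
            findings.append(f"data.{key} is not valid base64 (use stringData: for plain text)")
            continue
        if raw != raw.strip():
            findings.append(f"data.{key} decodes with surrounding whitespace; encode with `echo -n`")
    return findings

if __name__ == "__main__":
    for finding in check_issuer_secret(ISSUER, SECRET):
        print("-", finding)
```

Run against a live cluster by feeding it the output of `kubectl get awspcaclusterissuer <name> -o json` and `kubectl get secret -n <ns> <name> -o json`, parsed with `json.load`.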

bmsiegel commented 6 months ago

Going to close this issue due to non-response. Please reopen if you're experiencing the same issue or have more to add!