cert-manager / aws-privateca-issuer

Addon for cert-manager that issues certificates using AWS ACM PCA.
Apache License 2.0

[Bug]: Error AWSPCAClusterIssuer.awspca.cert-manager.io not found #339

Open jaydeland opened 2 days ago

jaydeland commented 2 days ago

Describe the expected outcome

The controller to find the issuer

Describe the actual outcome

Cert is not signed

Steps to reproduce

apiVersion: awspca.cert-manager.io/v1beta1
kind: AWSPCAClusterIssuer
metadata:
  name: eks-vystaging-com-rsa
spec:
  arn: arn:aws:acm-pca:us-east-1:#######:certificate-authority/#######
  region: us-east-1
---
kind: Certificate
apiVersion: cert-manager.io/v1
metadata:
  name: api-eks-vystaging-com-cert
spec:
  subject:
    organizations:
    - aws
  commonName: ########
  dnsNames:
    - "*.########"
  duration: 2160h0m0s
  issuerRef:
    group: awspca.cert-manager.io
    kind: AWSPCAClusterIssuer
    name: eks-vystaging-com-rsa
  renewBefore: 360h0m0s
  secretName: poc-cluster-route53-test
  usages:
    - server auth
  privateKey:
    algorithm: "RSA"
    size: 2048

Relevant log output

{"level":"error","ts":"2024-09-20T13:54:06Z","logger":"controllers.AWSPCAClusterIssuer","msg":"Failed to request AWSPCAClusterIssuer","awspcaclusterissuer":{"name":"eks-vystaging-com-rsa"},"error":"AWSPCAClusterIssuer.awspca.cert-manager.io \"eks-vystaging-com-rsa\" not found","stacktrace":"github.com/cert-manager/aws-privateca-issuer/pkg/controllers.(*AWSPCAClusterIssuerReconciler).Reconcile\n\t/workspace/pkg/controllers/awspcaclusterissuer_controller.go:53\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.18.2/pkg/internal/controller/controller.go:114\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.18.2/pkg/internal/controller/controller.go:311\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.18.2/pkg/internal/controller/controller.go:261\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.18.2/pkg/internal/controller/controller.go:222"}

Version

1.3.0

Have you tried the following?

Category

Authentication Issue

Severity

Severity 1

hmphome commented 2 days ago

Hello Jason,

Thank you for reporting the issue.

Could you please share the commands you have used with us?

The issuer needs to get deployed and it might take some time for it to become operational.
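The readiness point made in the comment above can be checked before the Certificate is applied, and the check also separates the three states behind a "not found" log line (no issuer with that name, an issuer that exists but is not yet Ready, or an issuerRef whose group/kind the controller does not serve). The following is an added example, not code from the aws-privateca-issuer project: a Go pre-flight that reads the JSON that `kubectl get awspcaclusterissuer -o json` and `kubectl get certificate <name> -o json` produce and reports whether the issuerRef resolves to an existing, Ready AWSPCAClusterIssuer. The sample documents are constructed from the manifests in this report; the Ready condition layout (status.conditions with type Ready and reason Verified) is assumed to follow the cert-manager issuer convention, and the ARN account and CA id are placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample of `kubectl get awspcaclusterissuer -o json`: the issuer
// from the report with a Ready condition in the cert-manager issuer style
// (assumed layout). The ARN account and CA id are placeholders.
const issuerListJSON = `{
  "kind": "List",
  "items": [{
    "apiVersion": "awspca.cert-manager.io/v1beta1",
    "kind": "AWSPCAClusterIssuer",
    "metadata": {"name": "eks-vystaging-com-rsa"},
    "spec": {"arn": "arn:aws:acm-pca:us-east-1:000000000000:certificate-authority/PLACEHOLDER",
             "region": "us-east-1"},
    "status": {"conditions": [{"type": "Ready", "status": "True", "reason": "Verified"}]}
  }]
}`

// Constructed sample of `kubectl get certificate -o json` for the Certificate
// in the report, reduced to the fields this check needs.
const certJSON = `{
  "apiVersion": "cert-manager.io/v1",
  "kind": "Certificate",
  "metadata": {"name": "api-eks-vystaging-com-cert", "namespace": "default"},
  "spec": {"issuerRef": {"group": "awspca.cert-manager.io",
                         "kind": "AWSPCAClusterIssuer",
                         "name": "eks-vystaging-com-rsa"}}
}`

type condition struct {
	Type   string `json:"type"`
	Status string `json:"status"`
	Reason string `json:"reason"`
}

type issuerList struct {
	Items []struct {
		Metadata struct {
			Name string `json:"name"`
		} `json:"metadata"`
		Status struct {
			Conditions []condition `json:"conditions"`
		} `json:"status"`
	} `json:"items"`
}

type certificate struct {
	Spec struct {
		IssuerRef struct {
			Group string `json:"group"`
			Kind  string `json:"kind"`
			Name  string `json:"name"`
		} `json:"issuerRef"`
	} `json:"spec"`
}

// CheckIssuerRef resolves the Certificate's issuerRef against the issuer list:
// group and kind must be the ones aws-privateca-issuer serves, an issuer with
// that name must exist (cluster-scoped, so no namespace is involved), and its
// Ready condition must be True. A nil result means the Certificate can be applied.
func CheckIssuerRef(certDoc, listDoc string) error {
	var cert certificate
	if err := json.Unmarshal([]byte(certDoc), &cert); err != nil {
		return fmt.Errorf("parse certificate: %w", err)
	}
	var list issuerList
	if err := json.Unmarshal([]byte(listDoc), &list); err != nil {
		return fmt.Errorf("parse issuer list: %w", err)
	}
	ref := cert.Spec.IssuerRef
	if ref.Group != "awspca.cert-manager.io" || ref.Kind != "AWSPCAClusterIssuer" {
		return fmt.Errorf("issuerRef %s/%s is not served by aws-privateca-issuer", ref.Group, ref.Kind)
	}
	for _, iss := range list.Items {
		if iss.Metadata.Name != ref.Name {
			continue
		}
		for _, c := range iss.Status.Conditions {
			if c.Type != "Ready" {
				continue
			}
			if c.Status == "True" {
				return nil
			}
			return fmt.Errorf("issuer %q exists but is not Ready (status=%s reason=%s)", ref.Name, c.Status, c.Reason)
		}
		return fmt.Errorf("issuer %q exists but has no Ready condition yet; the controller is still reconciling it", ref.Name)
	}
	// The state behind the reported log line: no object with that name in the cluster.
	return fmt.Errorf("AWSPCAClusterIssuer %q not found", ref.Name)
}

func main() {
	if err := CheckIssuerRef(certJSON, issuerListJSON); err != nil {
		fmt.Println("do not apply the Certificate yet:", err)
		return
	}
	fmt.Println("issuerRef resolves to a Ready AWSPCAClusterIssuer")
}
```

In a real cluster the two constants would be replaced by the kubectl output read from stdin or files; the value of running it is that a "not found" from this check, taken right after `kubectl apply` of the issuer, points at the object never having been admitted (compare the webhook failure later in this thread), while a "no Ready condition yet" simply means the controller has not finished its first reconcile.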

jaydeland commented 2 days ago

Actually, I think this is a symptom of a bigger issue as cert-manager itself is failing to find my standard clusterIssuer that already existed (I upgraded to see if that was the issue with aws privateca).

Error from server (InternalError): error when creating "temp.yaml": Internal error occurred: failed calling webhook "webhook.cert-manager.io": failed to call webhook: Post "https://cert-manager-webhook.cert-manager.svc:443/validate?timeout=30s": tls: failed to verify certificate: x509: certificate signed by unknown authority
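The error quoted above is raised by the API server, not by cert-manager or this issuer: before the API server POSTs an admission review to https://cert-manager-webhook.cert-manager.svc:443/validate it verifies the webhook's serving certificate against the caBundle carried in the webhook configuration, and "x509: certificate signed by unknown authority" means no CA in that bundle signed the certificate the webhook presented. The usual cause is a stale bundle: the webhook's CA was regenerated (for example during an upgrade) while the caBundle injected into the ValidatingWebhookConfiguration still holds the previous CA. While that check fails, every cert-manager.io resource is rejected at admission, which explains why the existing ClusterIssuer could not be created either. The following is an added example, not cert-manager's or this project's code: a Go program that reproduces the API server's verification with freshly generated test material (a CA, a serving certificate for the webhook service name, and a second CA standing in for the stale bundle), so the healthy and stale outcomes can be compared side by side. The CA common name and key types are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// webhookHost is the service name the API server dialed in the reported error.
const webhookHost = "cert-manager-webhook.cert-manager.svc"

// issue creates a certificate from tmpl with a fresh P-256 key. With parent == nil
// the result is self-signed (a CA); otherwise it is signed by parent/parentKey.
// All material is generated here for the example, none of it is cluster data.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// caTemplate models the webhook CA; servingTemplate models the serving cert the
// webhook presents on port 443 (SAN = service DNS name, serverAuth EKU).
func caTemplate() *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "cert-manager-webhook-ca"}, // constructed name
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		KeyUsage:              x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
	}
}

func servingTemplate() *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: webhookHost},
		DNSNames:     []string{webhookHost},
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// VerifyWebhookChain is the check the API server performs before calling the
// webhook: the serving certificate must chain to a CA in caBundle (the PEM held
// in the webhook configuration) and must be valid for the service DNS name.
// unknownAuthority is true when the failure is x509.UnknownAuthorityError, the
// error Go renders as "x509: certificate signed by unknown authority".
func VerifyWebhookChain(caBundle []byte, serving *x509.Certificate) (ok, unknownAuthority bool) {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caBundle) {
		return false, false // empty or unparseable caBundle
	}
	_, err := serving.Verify(x509.VerifyOptions{Roots: roots, DNSName: webhookHost})
	if err == nil {
		return true, false
	}
	var ua x509.UnknownAuthorityError
	return false, errors.As(err, &ua)
}

// Scenario issues a serving cert from a fresh CA and verifies it against a
// caBundle holding either that CA (healthy) or a second CA with the same subject
// but a different key: the state left behind when the webhook CA is regenerated
// while the injected caBundle still carries the old one (stale).
func Scenario(staleBundle bool) (ok, unknownAuthority bool, err error) {
	ca, caKey, err := issue(caTemplate(), nil, nil)
	if err != nil {
		return false, false, err
	}
	serving, _, err := issue(servingTemplate(), ca, caKey)
	if err != nil {
		return false, false, err
	}
	bundleCA := ca
	if staleBundle {
		if bundleCA, _, err = issue(caTemplate(), nil, nil); err != nil {
			return false, false, err
		}
	}
	bundle := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: bundleCA.Raw})
	ok, unknownAuthority = VerifyWebhookChain(bundle, serving)
	return ok, unknownAuthority, nil
}

func main() {
	for _, stale := range []bool{false, true} {
		ok, ua, err := Scenario(stale)
		fmt.Printf("stale caBundle=%v: chain ok=%v unknownAuthority=%v err=%v\n", stale, ok, ua, err)
	}
}
```

Against a live cluster the same VerifyWebhookChain call can be fed the real inputs: the caBundle decoded from the ValidatingWebhookConfiguration and the leaf certificate captured from the webhook service on port 443. If the stale outcome reproduces there, the fix is on the caBundle side (re-running or repairing the CA injection so the bundle matches the CA that signs the current serving certificate), not on the AWSPCAClusterIssuer, which is only failing to be admitted as a consequence.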