cert-manager / webhook-example

A cert-manager sample repository for creating an ACME DNS01 solver webhook
Apache License 2.0

failed to list *v1beta3.FlowSchema #48

Closed zreigz closed 1 year ago

zreigz commented 1 year ago

I have upgraded my webhook to cert-manager v1.11 and have the following errors. I also had to change RBAC to support the flowcontrol.apiserver.k8s.io group.

W0307 09:07:34.843358       1 reflector.go:424] pkg/mod/k8s.io/client-go@v0.26.2/tools/cache/reflector.go:169: failed to list *v1beta3.FlowSchema: the server could not find the requested resource
E0307 09:07:34.843372       1 reflector.go:140] pkg/mod/k8s.io/client-go@v0.26.2/tools/cache/reflector.go:169: Failed to watch *v1beta3.FlowSchema: failed to list *v1beta3.FlowSchema: the server could not find the requested resource
W0307 09:07:46.213292       1 reflector.go:424] pkg/mod/k8s.io/client-go@v0.26.2/tools/cache/reflector.go:169: failed to list *v1beta3.PriorityLevelConfiguration: the server could not find the requested resource
E0307 09:07:46.213356       1 reflector.go:140] pkg/mod/k8s.io/client-go@v0.26.2/tools/cache/reflector.go:169: Failed to watch *v1beta3.PriorityLevelConfiguration: failed to list *v1beta3.PriorityLevelConfiguration: the server could not find the requested resource

traxanos commented 1 year ago

same problem here

atsai1220 commented 1 year ago

That depends on the K8s version you're running the webhook in.

aureq commented 1 year ago

I'm not sure this issue belongs in this repository (though it does affect webhooks). The webhook I maintain only relies on cert-manager's own packages, which is where I think the error messages are coming from.

"github.com/cert-manager/cert-manager/pkg/acme/webhook/apis/acme/v1alpha1"
"github.com/cert-manager/cert-manager/pkg/acme/webhook/cmd"
"github.com/cert-manager/cert-manager/pkg/issuer/acme/dns/util"

PRAJINPRAKASH commented 1 year ago

Facing the same issue.

Client Version: v1.26.1
Kustomize Version: v4.5.7
Server Version: v1.26.1

Any solution?

traxanos commented 1 year ago

You must downgrade the client.

lagunary commented 1 year ago

Hi there, do you have info about this issue?

Thanks

michael-cico commented 1 year ago

I'm also hitting this issue.

I tried downgrading the client to 0.25.4, but go mod tidy keeps updating it to 0.26.

If I use a replace like this

replace (
    k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.25.4
    k8s.io/apimachinery => k8s.io/apimachinery v0.25.4
    k8s.io/client-go => k8s.io/client-go v0.25.4
)

I get

    k8s.io/client-go/kubernetes/typed/flowcontrol/v1beta3: module k8s.io/client-go@latest found (v0.0.0-00010101000000-000000000000, replaced by k8s.io/client-go@v0.25.4), but does not contain package k8s.io/client-go/kubernetes/typed/flowcontrol/v1beta3
gitlab-odx.oracledx.com/verrazzano/cert-manager-ocidns imports
    github.com/cert-manager/cert-manager/pkg/acme/webhook/cmd imports
    github.com/cert-manager/cert-manager/pkg/acme/webhook/cmd/server imports
    k8s.io/apiserver/pkg/server imports
    k8s.io/apiserver/pkg/util/flowcontrol imports
    k8s.io/client-go/listers/flowcontrol/v1beta3: module k8s.io/client-go@latest found (v0.0.0-00010101000000-000000000000, replaced by k8s.io/client-go@v0.25.4), but does not contain package k8s.io/client-go/listers/flowcontrol/v1beta3

Unless I'm downgrading it wrong?

michael-cico commented 1 year ago

Aside from the challenge API I'm only using the command to start the API server provided by CM:

    cmd.RunWebhookServer(GroupName,
           ...
    )

michael-cico commented 1 year ago

I was able to work around this issue and pin the k8s versions at 0.25.4 by doing this:

replace (
    k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.25.4
    k8s.io/apimachinery => k8s.io/apimachinery v0.25.4
    k8s.io/apiserver => k8s.io/apiserver v0.25.4
    k8s.io/client-go => k8s.io/client-go v0.25.4
    k8s.io/component-base => k8s.io/component-base v0.25.4
)

lagunary commented 1 year ago

@michael-cico which version of the cert-manager Go package was able to get deps for these replaced packages? Thanks.

irbekrm commented 1 year ago

We've disabled the APF in https://github.com/cert-manager/cert-manager/pull/6085 which should fix these issues. We're still to release a patch with this change and bump it in this project.

(Additionally, we're not APF experts, so if any of the folks here who implement the DNS webhook can think of a reason why it should not be disabled, please give a shout.)

irbekrm commented 1 year ago

We released v1.12.1 and v1.11.3 with APF controller disabled https://github.com/cert-manager/cert-manager/releases

Do let us know if bumping to those cert-manager versions in your webhook helps.

(The solution will need to be reworked in the future when APF hits GA and can no longer be disabled using the same mechanism, but should hopefully solve the problems for now)

peytonyip commented 1 year ago

Still facing the same issue in k8s 1.27.3 using v1.12.3. It looks like the flowcontrol.apiserver.k8s.io/v1beta1 API version of FlowSchema and PriorityLevelConfiguration is no longer served as of v1.26.

rome-user commented 12 months ago

I can reproduce this issue using Cert Manager v1.12.2. The webhook I am using works as intended and passes conformance tests for dns01 challenges. But I still see tons of error logs in the webhook pod itself. The patterns are as follows.

W0916 07:21:34.786064       1 reflector.go:424] pkg/mod/k8s.io/client-go@v0.26.0/tools/cache/reflector.go:169: failed to list *v1beta3.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:porkbun-webhook" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
W0916 07:21:34.786053       1 reflector.go:424] pkg/mod/k8s.io/client-go@v0.26.0/tools/cache/reflector.go:169: failed to list *v1beta3.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:porkbun-webhook" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0916 07:21:34.786457       1 reflector.go:140] pkg/mod/k8s.io/client-go@v0.26.0/tools/cache/reflector.go:169: Failed to watch *v1beta3.PriorityLevelConfiguration: failed to list *v1beta3.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:porkbun-webhook" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0916 07:21:34.786520       1 reflector.go:140] pkg/mod/k8s.io/client-go@v0.26.0/tools/cache/reflector.go:169: Failed to watch *v1beta3.FlowSchema: failed to list *v1beta3.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:porkbun-webhook" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
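
The thread shows two different failures behind the same reflector warning: the API version is not served by the cluster, or the webhook's service account is denied list at cluster scope. The Go program below is an added example, not code from the thread or from cert-manager, that separates the two when triaging a webhook pod log; the sample log is constructed from the patterns quoted above, and `Classify`, `Finding` and the `example-webhook` service account are hypothetical names.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample modelled on the thread's log lines; the service account is a placeholder.
const sampleLog = `W0307 09:07:34.843358 1 reflector.go:424] failed to list *v1beta3.FlowSchema: the server could not find the requested resource
E0307 09:07:34.843372 1 reflector.go:140] Failed to watch *v1beta3.FlowSchema: failed to list *v1beta3.FlowSchema: the server could not find the requested resource
W0307 09:07:46.213292 1 reflector.go:424] failed to list *v1beta3.PriorityLevelConfiguration: the server could not find the requested resource
W0916 07:21:34.786064 1 reflector.go:424] failed to list *v1beta3.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:example-webhook" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
I0916 07:21:35.000000 1 main.go:10] unrelated line`

// Finding is one distinct reflector list failure (hypothetical type for this example).
type Finding struct{ Version, Kind, Cause, Subject string }

var listRe = regexp.MustCompile(`(?m)failed to list \*(\w+)\.(\w+): (.*)$`)
var userRe = regexp.MustCompile(`User "([^"]+)"`)

// Classify returns de-duplicated findings: "not-served" (version skew) or "rbac-denied".
func Classify(log string) []Finding {
	seen := map[Finding]bool{}
	var out []Finding
	for _, m := range listRe.FindAllStringSubmatch(log, -1) {
		f := Finding{Version: m[1], Kind: m[2], Cause: "other"}
		switch {
		case strings.Contains(m[3], "could not find the requested resource"):
			f.Cause = "not-served" // the API server does not serve this group/version
		case strings.Contains(m[3], "is forbidden"):
			f.Cause = "rbac-denied" // the request reached RBAC and was refused
			if u := userRe.FindStringSubmatch(m[3]); u != nil {
				f.Subject = u[1]
			}
		}
		if !seen[f] { // W and E lines repeat the same failure; report it once
			seen[f] = true
			out = append(out, f)
		}
	}
	return out
}

func main() {
	for _, f := range Classify(sampleLog) {
		fmt.Printf("%s %s: %s %s\n", f.Version, f.Kind, f.Cause, f.Subject)
	}
}
```

An `rbac-denied` finding names the service account that would need a cluster-scope grant, while a `not-served` finding points at client/server version skew, which no RBAC change resolves.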