Closed vizero1 closed 1 month ago
Please ensure you've deployed the equivalent of the signer RBAC role: https://github.com/cloudflare/origin-ca-issuer/blob/7b16c1daa5d0dcd0c376eaefa47ce430f14be455/deploy/rbac/role-approver.yaml
Is this not done with the helm chart? In general, when I install the helm chart, do I need to run the following commands:
kubectl apply -f deploy/rbac
kubectl apply -f deploy/manifests
The command kubectl apply -f deploy/crds I need to run as that is written in the README.
It is part of the helm chart: https://github.com/cloudflare/origin-ca-issuer/blob/7b16c1daa5d0dcd0c376eaefa47ce430f14be455/deploy/charts/origin-ca-issuer/templates/issuer-clusterrole.yaml#L33. However, the error suggests it's not been applied or the rolebinding is for the wrong service account.
Applied it now manually but still the same error. Just for documentation, if the steps are correct or I am missing something:
1.) Install cert-manager via helm chart (will be created in the cert-manager namespace)
2.) kubectl apply -f https://raw.githubusercontent.com/cloudflare/origin-ca-issuer/v0.9.0/deploy/crds/cert-manager.k8s.cloudflare.com_originissuers.yaml
kubectl apply -f https://raw.githubusercontent.com/cloudflare/origin-ca-issuer/v0.9.0/deploy/crds/cert-manager.k8s.cloudflare.com_clusteroriginissuers.yaml
3.) Install 0.5.7 helm chart of origin-ca-issuer in namespace origin-ca-issuer
4.) Create secret with command:
kubectl create secret generic \
--dry-run \
-n default service-key \
--from-literal key=v1.0-FFFFFFF-FFFFFFFF -oyaml
Save output into service-key.yaml file and run command:
kubectl apply -f service-key.yaml -f deploy/example/issuer.yaml
This will create prod-issuer in namespace default. And this prod-issuer I can then reference in my ingress.
Are these steps correct or am I missing something crucial?
Please make sure the service account name matches what you've deployed in cert-manager: https://github.com/cloudflare/origin-ca-issuer/blob/7b16c1daa5d0dcd0c376eaefa47ce430f14be455/deploy/charts/origin-ca-issuer/values.yaml#L99-L101
From the error it looks like you've called the service account "cert-manager-helm-ad2b5fe3"
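An added diagnostic for the mismatch described in this thread; it is not part of origin-ca-issuer or cert-manager. It extracts the denied service account from the webhook error line and compares it with the ServiceAccount subjects of the approver ClusterRoleBinding. It assumes kubectl access to the cluster and that APPROVER_BINDING is set to whatever name your deployment of role-approver.yaml uses (the default below is a placeholder).

```shell
#!/usr/bin/env sh
# Added diagnostic, not project code. APPROVER_BINDING is a placeholder: set it to the
# name of the ClusterRoleBinding you deployed from role-approver.yaml.
APPROVER_BINDING="${APPROVER_BINDING:-origin-ca-issuer-approver}"

# Constructed sample: the denial line quoted in this issue (quotes are backslash-escaped in the log).
SAMPLE_DENIAL='"re-queuing item due to error processing" err="admission webhook \"webhook.cert-manager.io\" denied the request: status.conditions: Forbidden: user \"system:serviceaccount:cert-manager:cert-manager-helm-ad2b5fe3\" does not have permissions to set approved/denied conditions for issuer {prod-issuer OriginIssuer cert-manager.k8s.cloudflare.com}"'

# Print the system:serviceaccount:<namespace>:<name> subject named in a denial line,
# accepting both escaped (\") and plain (") quoting around it.
sa_from_denial() {
  printf '%s\n' "$1" | sed -n 's/.*user [\\]*"\(system:serviceaccount:[^"\\]*\)[\\]*".*/\1/p'
}
sa_namespace() { printf '%s\n' "$1" | cut -d: -f3; }
sa_name()      { printf '%s\n' "$1" | cut -d: -f4; }

# Return 0 when "<namespace>:<name>" ($1) is one line of the newline-separated subject list ($2).
subject_bound() {
  printf '%s\n' "$2" | grep -qxF "$1"
}

# Live check: read the binding's ServiceAccount subjects and test the denied SA against them.
check_cluster() {
  sa=$(sa_from_denial "$1")
  [ -n "$sa" ] || { echo "no service account found in log line" >&2; return 1; }
  subjects=$(kubectl get clusterrolebinding "$APPROVER_BINDING" \
    -o jsonpath='{range .subjects[?(@.kind=="ServiceAccount")]}{.namespace}:{.name}{"\n"}{end}')
  if subject_bound "$(sa_namespace "$sa"):$(sa_name "$sa")" "$subjects"; then
    echo "OK: $sa is a subject of $APPROVER_BINDING"
  else
    echo "MISMATCH: $sa is not a subject of $APPROVER_BINDING; bound subjects are:"
    echo "$subjects"
    return 1
  fi
}

# Usage: sh check-approver.sh --check "$(kubectl -n cert-manager logs deploy/cert-manager | grep approved/denied | tail -1)"
if [ "${1:-}" = "--check" ]; then check_cluster "$2"; fi
```

When the script reports MISMATCH, either rename the service account in the chart values linked above or re-point the binding's subject at the account cert-manager actually runs as.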
Thanks. That fixed it
Hi, I have a GKE cluster (standard) and try to deploy origin-ca-issuer on it. But after all my steps I get the following error: "re-queuing item due to error processing" err="admission webhook \"webhook.cert-manager.io\" denied the request: status.conditions: Forbidden: user \"system:serviceaccount:cert-manager:cert-manager-helm-ad2b5fe3\" does not have permissions to set approved/denied conditions for issuer {prod-issuer OriginIssuer cert-manager.k8s.cloudflare.com}" logger="cert-manager.controller" key="default/backend-ingress-tls-12345-1"
I use pulumi to deploy the cert-manager helm chart and the origin-ca-issuer helm chart with some manual steps. I will give my steps in the following. To create cert-manager I use the python library pulumi_kubernetes_cert_manager:

```python
from pulumi_kubernetes import core

def deploy_cert_manager(provider):
    cert_manager_ns = core.v1.Namespace("cert-manager", metadata={"name": "cert-manager"})
```
After the installation I install the CRDs for clusteroriginissuer and originissuer:
Then I install the origin-ca-issuer helm chart:
Then I create the originissuer as written in the documentation:
Save the output of this command into service-key.yaml and run following command:
kubectl apply -f service-key.yaml -f deploy/example/issuer.yaml
When I check the prod-issuer I get following log:
Then I deploy my backend, service and ingress with pulumi:
My pod and service are starting but with the ingress I have problems: Error syncing to GCP: error running load balancer syncing routine: error initializing translator env: secrets "backend-ingress-tls-12345" not found
In the cert-manager container I can find following logs: Setting lastTransitionTime for CertificateRequest "backend-ingress-tls-12345-1" condition "Approved" to 2024-07-30 16:41:26.176465605 +0000 UTC m=+93.442562707
"re-queuing item due to error processing" err="admission webhook \"webhook.cert-manager.io\" denied the request: status.conditions: Forbidden: user \"system:serviceaccount:cert-manager:cert-manager-helm-32108e2d\" does not have permissions to set approved/denied conditions for issuer {prod-issuer OriginIssuer cert-manager.k8s.cloudflare.com}" logger="cert-manager.controller" key="default/backend-ingress-tls-12345-1"
"certificate resource is not owned by this object. refusing to update non-owned certificate resource for object" logger="cert-manager.controller.ingress-shim" resource_name="backend-ingress-e9afea6e" resource_namespace="default" resource_kind="" resource_version="" related_resource_name="backend-ingress-tls-12345" related_resource_namespace="default" related_resource_kind="Certificate" related_resource_version="v1"
In the cert-manager-webhook container I find following log: http: TLS handshake error from XX.XXX.XXX:36738: EOF
In the origin-ca-issuer the logs are:
I guess the CRD kind errors were happening during the installation and later it worked, but I am not sure about that. Does any of you know what my error is? I did it as the README has documented but still I have no luck with that. Would appreciate help. Thanks :)