djkormo / adcs-issuer

BSD 3-Clause "New" or "Revised" License
22 stars 11 forks source link

chart does not deploy CRDs #63

Closed mhegreberg closed 8 months ago

mhegreberg commented 9 months ago

Hello, I'm trying to test this issuer in my environment, and am having a really hard time trying to understand how to apply the CRDs to my environment.

trying to install the helm chart tells me that I need the CRDs installed.

Error: INSTALLATION FAILED: unable to build kubernetes objects from release manifest: resource mapping not found for name: "adcs-sim-adcsclusterissuer" namespace: "" from "": no matches for kind "ClusterAdcsIssuer" in version "adcs.certmanager.csf.nokia.com/v1"

I tried to make the repository like the docs said, and see if that generated the CRDs , but I get the following error:

/home/mark/source/adcs-issuer/bin/controller-gen rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases
bash: line 1: /home/mark/source/adcs-issuer/bin/controller-gen: No such file or directory

I feel like I'm missing something here in order to user this issuer.

djkormo commented 9 months ago

Add your values file to recreate issue

Try to add to your file

crd:
  install: true

I'll try to make this documentation more clear.

https://djkormo.github.io/adcs-issuer/

mhegreberg commented 8 months ago

I ran this on a new cluster, right after installing cert manager.

I copied your samples values, and verified the the crd install was set to true. I still get this error

% helm install adcs-issuer djkormo-adcs-issuer/adcs-issuer --version 2.0.10 \                                                                                                                         
--namespace cert-manager --values values.yaml --dry-run

Error: INSTALLATION FAILED: unable to build kubernetes objects from release manifest: resource mapping not found for name: "adcs-sim-adcsclusterissuer" namespace: "" from "": no matches for kind "ClusterAdcsIssuer" in version "adcs.certmanager.csf.nokia.com/v1"
ensure CRDs are installed first

I appreciate the help

djkormo commented 8 months ago
helm search repo adcs-issuer
NAME                            CHART VERSION   APP VERSION     DESCRIPTION
djkormo-adcs-issuer/adcs-issuer 2.0.10          2.0.10          ADCS issuser plugin for cert-manager
helm install adcs-issuer djkormo-adcs-issuer/adcs-issuer --version 2.0.10 --namespace cert-manager --values charts/adcs-issuer/values.yaml --dry-run
Error: INSTALLATION FAILED: unable to build kubernetes objects from release manifest: resource mapping not found for name: "adcs-sim-adcsclusterissuer" namespace: "" from "": no matches for kind "ClusterAdcsIssuer" in version "adcs.certmanager.csf.nokia.com/v1"

The error comes from simulator setup. Please disable simulator

helm install adcs-issuer djkormo-adcs-issuer/adcs-issuer --version 2.0.10 --namespace cert-manager  --set simulator.enabled=false  --values charts/adcs-issuer/values.yaml --dry-run
mhegreberg commented 8 months ago

that worked! I was able to install the chart.

I was able send a test cert request, but it doesn't seem to be processing.

ts=2024-03-11T22:14:19.423400883Z level=info logger=controller.adcsrequest msg="Processing request" reconcilergroup=adcs.certmanager.csf.nokia.com reconcilerkind=AdcsRequest name=adcs-cert-test-1 namespace=web adcsrequest=web/adcs-cert-test-1
ts=2024-03-11T22:14:19.423464124Z level=error logger=controller.adcsrequest msg="Couldn't get issuer" reconcilergroup=adcs.certmanager.csf.nokia.com reconcilerkind=AdcsRequest name=adcs-cert-test-1 namespace=web adcsrequest=web/adcs-cert-test-1 issuer="{test-adcs AdcsIssuer adcs.certmanager.csf.nokia.com}" error="AdcsIssuer.adcs.certmanager.csf.nokia.com \"test-adcs\" not found" stacktrace="sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.0/pkg/internal/controller/controller.go:114\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.0/pkg/internal/controller/controller.go:311\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.0/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.0/pkg/internal/controller/controller.go:227"
ts=2024-03-11T22:14:19.423527715Z level=error logger=controller.adcsrequest msg="Reconciler error" reconcilergroup=adcs.certmanager.csf.nokia.com reconcilerkind=AdcsRequest name=adcs-cert-test-1 namespace=web error="AdcsIssuer.adcs.certmanager.csf.nokia.com \"test-adcs\" not found" stacktrace="sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.0/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.0/pkg/internal/controller/controller.go:227"

I suspected that it was because I was requesting a cert for the web namespace, but all the cert-manager and adcs stuff is in the cert-manager namespace, so I made a new cert request in the cert-manager namespace, and instead got these errors:

ts=2024-03-11T22:28:26.463452743Z level=info logger=controller.certificaterequest msg="Creating new AdcsRequest" reconcilergroup=cert-manager.io reconcilerkind=CertificateRequest name=adcs-cert-test-cm-1 namespace=cert-manager certificaterequest=cert-manager/adcs-cert-test-cm-1
ts=2024-03-11T22:28:26.481496668Z level=info logger=controller.adcsrequest msg="Processing request" reconcilergroup=adcs.certmanager.csf.nokia.com reconcilerkind=AdcsRequest name=adcs-cert-test-cm-1 namespace=cert-manager adcsrequest=cert-manager/adcs-cert-test-cm-1
ts=2024-03-11T22:28:26.525386115Z level=info logger=controller.certificaterequest msg="AdcsRequest already exists" reconcilergroup=cert-manager.io reconcilerkind=CertificateRequest name=adcs-cert-test-cm-1 namespace=cert-manager certificaterequest=cert-manager/adcs-cert-test-cm-1
ts=2024-03-11T22:28:26.525405562Z level=info logger=controller.certificaterequest msg="No change in request" reconcilergroup=cert-manager.io reconcilerkind=CertificateRequest name=adcs-cert-test-cm-1 namespace=cert-manager certificaterequest=cert-manager/adcs-cert-test-cm-1
ts=2024-03-11T22:28:27.182635344Z level=info logger=RequestCertificate msg="Starting certificate request" template="redacted-template-name" url=https://redacted-issuing-server-fqdn/certfnsh.asp
ts=2024-03-11T22:28:27.490774085Z level=info logger=RequestCertificate msg=Body template="redacted-template" body=redacted
ts=2024-03-11T22:28:27.490880785Z level=error logger=RequestCertificate msg="Couldn't obtain new certificate ID" template="redacted-template" body="redacted-404-error" error="Unknown error occured" stacktrace="github.com/nokia/adcs-issuer/issuers.(*Issuer).Issue\n\t/workspace/issuers/issuer.go:57\ngithub.com/nokia/adcs-issuer/controllers.(*AdcsRequestReconciler).Reconcile\n\t/workspace/controllers/adcsrequest_controller.go:83\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.0/pkg/internal/controller/controller.go:114\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.0/pkg/internal/controller/controller.go:311\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.0/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.0/pkg/internal/controller/controller.go:227"
ts=2024-03-11T22:28:27.490931697Z level=error logger=controller.adcsrequest msg="Failed request will be re-tried" reconcilergroup=adcs.certmanager.csf.nokia.com reconcilerkind=AdcsRequest name=adcs-cert-test-cm-1 namespace=cert-manager adcsrequest=cert-manager/adcs-cert-test-cm-1 retryinterval=3600 error="Unknown error occured" stacktrace="sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.0/pkg/internal/controller/controller.go:114\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.0/pkg/internal/controller/controller.go:311\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.0/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.0/pkg/internal/controller/controller.go:227"

i suspect that the url field in the AdcsIssuer is invalid. I've just pointed it to our issuing ADCS server. should this be something else?

I appreciate all the help!

jamallorock commented 8 months ago

Hi. Can you paste your vaules file and csr for the certificate?

mhegreberg commented 8 months ago

the values file I used was the default from the repo, unchanged.

here is the csr yaml:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  annotations:
  name: adcs-cert-test-cm
  namespace: cert-manager
spec:
  commonName: test.redacted.fqdn
  dnsNames:
  - test.redacted.fqdn
  issuerRef:
    group: adcs.certmanager.csf.nokia.com
    kind: AdcsIssuer
    name: test-adcs
  secretName: adcs-cert-test-cm
djkormo commented 8 months ago

Try to turn on debug mode

        - name: ENABLE_DEBUG
          value: "true" # <--- here
mhegreberg commented 8 months ago

I did that and got the following logs:

ts=2024-03-12T17:33:52.564625053Z level=info logger=controller.certificaterequest msg="Creating new AdcsRequest" reconcilergroup=cert-manager.io reconcilerkind=CertificateRequest name=adcs-cert-test-cm-1 namespace=cert-manager certificaterequest=cert-manager/adcs-cert-test-cm-1
ts=2024-03-12T17:33:52.575324276Z level=info logger=controller.adcsrequest msg="Processing request" reconcilergroup=adcs.certmanager.csf.nokia.com reconcilerkind=AdcsRequest name=adcs-cert-test-cm-1 namespace=cert-manager adcsrequest=cert-manager/adcs-cert-test-cm-1
ts=2024-03-12T17:33:52.626528036Z level=info logger=controller.certificaterequest msg="AdcsRequest already exists" reconcilergroup=cert-manager.io reconcilerkind=CertificateRequest name=adcs-cert-test-cm-1 namespace=cert-manager certificaterequest=cert-manager/adcs-cert-test-cm-1
ts=2024-03-12T17:33:52.626545247Z level=info logger=controller.certificaterequest msg="No change in request" reconcilergroup=cert-manager.io reconcilerkind=CertificateRequest name=adcs-cert-test-cm-1 namespace=cert-manager certificaterequest=cert-manager/adcs-cert-test-cm-1
ts=2024-03-12T17:33:53.476094957Z level=info logger=newNtlm msg="NTLM verification start" username=redacted password=redacted url=https://issuingserver-fqdn
ts=2024-03-12T17:33:53.47614119Z level=info logger=newNtlm msg="NTLM verification Using NTLM"
ts=2024-03-12T17:33:53.47616339Z level=info logger=newNtlm msg="NTLM verification stop" username=redacted password=redacted url=https://issuingserver-fqdn
ts=2024-03-12T17:33:53.476195804Z level=info logger=RequestCertificate msg="Starting certificate request" template="redacted-template" url=https://issuingserver-fqdn/certfnsh.asp
ts=2024-03-12T17:33:53.476684529Z level=info logger=RequestCertificate msg="Sending request" template="redacted-template" request="{POST https://issuingserver-fqdn/certfnsh.asp HTTP/1.1 1 1 map[Authorization:[Basic redacted] Content-Type:[application/x-www-form-urlencoded] User-Agent:[Mozilla]] {CertAttrib=CertificateTemplate%3Aredacted-template&CertRequest=-----BEGIN+CERTIFICATE+REQUEST-----redacted-----END+CERTIFICATE+REQUEST-----%0A&CertificateTemplate=redacted-template&FriendlyType=Saved-Request+Certificate&Mode=newreq&SaveCert=yes&TargetStoreFlags=0} 0x7689c0 1265 [] false issuingserver-fqdn map[] map[] <nil> map[]   <nil> <nil> <nil> 0xc00004a308}"
ts=2024-03-12T17:33:53.533512549Z level=info logger=RequestCertificate msg="Sending request" template="redacted-template" error=null
ts=2024-03-12T17:33:53.533593314Z level=info logger=RequestCertificate msg="Sending request" template="redacted-template" response="{404 Not Found 404 HTTP/1.1 1 1 map[Content-Length:[1245] Content-Type:[text/html] Date:[Tue, 12 Mar 2024 17:33:53 GMT] Server:[Microsoft-IIS/10.0] X-Powered-By:[ASP.NET]] 0xc0001314c0 1245 [] false false map[] 0xc0000da800 0xc0001980b0}"
ts=2024-03-12T17:33:53.533655969Z level=info logger=RequestCertificate msg="Sending request" template="redacted-template" response="{404 Not Found 404 HTTP/1.1 1 1 map[Content-Length:[1245] Content-Type:[text/html] Date:[Tue, 12 Mar 2024 17:33:53 GMT] Server:[Microsoft-IIS/10.0] X-Powered-By:[ASP.NET]] 0xc0001314c0 1245 [] false false map[] 0xc0000da800 0xc0001980b0}"
ts=2024-03-12T17:33:53.533719953Z level=info logger=RequestCertificate msg=Body template="redacted-template" body=redacted
ts=2024-03-12T17:33:53.533764382Z level=info logger=RequestCertificate msg=Body template="redacted-template" body="<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\r\n<html xmlns=\"http://www.w3.org/1999/xhtml\">\r\n<head>\r\n<meta http-equiv=\"Content-Type\" content=\"text/html; charset=iso-8859-1\"/>\r\n<title>404 - File or directory not found.</title>\r\n<style type=\"text/css\">\r\n<!--\r\nbody{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}\r\nfieldset{padding:0 15px 10px 15px;} \r\nh1{font-size:2.4em;margin:0;color:#FFF;}\r\nh2{font-size:1.7em;margin:0;color:#CC0000;} \r\nh3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} \r\n#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:\"trebuchet MS\", Verdana, sans-serif;color:#FFF;\r\nbackground-color:#555555;}\r\n#content{margin:0 0 0 2%;position:relative;}\r\n.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}\r\n-->\r\n</style>\r\n</head>\r\n<body>\r\n<div id=\"header\"><h1>Server Error</h1></div>\r\n<div id=\"content\">\r\n <div class=\"content-container\"><fieldset>\r\n  <h2>404 - File or directory not found.</h2>\r\n  <h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3>\r\n </fieldset></div>\r\n</div>\r\n</body>\r\n</html>\r\n"
ts=2024-03-12T17:33:53.533865855Z level=error logger=RequestCertificate msg="Couldn't obtain new certificate ID" template="redacted-template" body="<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\r\n<html xmlns=\"http://www.w3.org/1999/xhtml\">\r\n<head>\r\n<meta http-equiv=\"Content-Type\" content=\"text/html; charset=iso-8859-1\"/>\r\n<title>404 - File or directory not found.</title>\r\n<style type=\"text/css\">\r\n<!--\r\nbody{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}\r\nfieldset{padding:0 15px 10px 15px;} \r\nh1{font-size:2.4em;margin:0;color:#FFF;}\r\nh2{font-size:1.7em;margin:0;color:#CC0000;} \r\nh3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} \r\n#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:\"trebuchet MS\", Verdana, sans-serif;color:#FFF;\r\nbackground-color:#555555;}\r\n#content{margin:0 0 0 2%;position:relative;}\r\n.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}\r\n-->\r\n</style>\r\n</head>\r\n<body>\r\n<div id=\"header\"><h1>Server Error</h1></div>\r\n<div id=\"content\">\r\n <div class=\"content-container\"><fieldset>\r\n  <h2>404 - File or directory not found.</h2>\r\n  <h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3>\r\n </fieldset></div>\r\n</div>\r\n</body>\r\n</html>\r\n" error="Unknown error occured" stacktrace="github.com/nokia/adcs-issuer/issuers.(*Issuer).Issue\n\t/workspace/issuers/issuer.go:57\ngithub.com/nokia/adcs-issuer/controllers.(*AdcsRequestReconciler).Reconcile\n\t/workspace/controllers/adcsrequest_controller.go:83\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.0/pkg/internal/controller/controller.go:114\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.0/pkg/internal/controller/controller.go:311\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.0/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.0/pkg/internal/controller/controller.go:227"
ts=2024-03-12T17:33:53.533980412Z level=error logger=controller.adcsrequest msg="Failed request will be re-tried" reconcilergroup=adcs.certmanager.csf.nokia.com reconcilerkind=AdcsRequest name=adcs-cert-test-cm-1 namespace=cert-manager adcsrequest=cert-manager/adcs-cert-test-cm-1 retryinterval=3600 error="Unknown error occured" stacktrace="sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.0/pkg/internal/controller/controller.go:114\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.0/pkg/internal/controller/controller.go:311\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.0/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.0/pkg/internal/controller/controller.go:227"

I suspect that merely pointing to the issuing adcs server's fqdn is not correct here. is there a specific endpoint I should be hitting? is there a feature that this issuer relies on in the adcs server I need to enable?

djkormo commented 8 months ago

Try to talk with adcs administrator. Try to use webbrowser to open https://issuingserver-fqdn/certcarc.asp

Here you have more details about endpoints from adcs

https://github.com/djkormo/adcs-issuer/blob/master/adcs/ntlm_certsrv.go

certnew_cer = "certnew.cer"
certnew_p7b = "certnew.p7b"
certcarc    = "certcarc.asp"
certfnsh    = "certfnsh.asp"

Begin with getting ca cert from it

https://github.com/djkormo/adcs-issuer/blob/master/adcs/ntlm_certsrv.go#L320

mhegreberg commented 8 months ago

I think you're right. It seems to be an issue with how adcs web services is setup at this point, not this issuer.

This has been very helpful! thank you. I'll go ahead and close this. When I get the adcs side taken care of, I'm happy to submit a PR with documentation on how to get that side configured, if that is desired.