exoscale / cert-manager-webhook-exoscale

A cert-manager webhook for creating an ACME DNS01 solver webhook for Exoscale
Apache License 2.0

cert-manager cannot issue certificate using dns01 #4

Closed eddykaya closed 1 year ago

eddykaya commented 1 year ago

I have the following resources created inside an SKS cluster:

---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: ${domain_name}
spec:
  secretName: ${domain_name}-secret
  issuerRef:
    name: letsencrypt-staging
    kind: Issuer
  dnsNames:
    - ${domain_name}
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    email: <ome-email>
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: example-issuer-account-key
    # Add a single challenge solver: DNS01 using the Exoscale webhook
    solvers:
      - dns01:
          webhook:
            groupName: acme.exoscale.com
            solverName: exoscale
            config:
              apiKeyRef:
                key: EXOSCALE_API_KEY
                name: exoscale-api
              apiSecretRef:
                key: EXOSCALE_API_SECRET
                name: exoscale-api

Also, I have deployed cert-manager, exoscale-cert-manager-webhook, an API key as secret and an ingress controller. I have a domain registered and nameservers are configured correctly.

Problem: cert-manager cannot issue a certificate. Here are the logs:

Cert-Manager

I0414 11:48:53.377777       1 dns.go:88] cert-manager/challenges/Present "msg"="presenting DNS01 challenge for domain" "dnsName"="example-project.aufschlag-barcamp.de" "domain"="example-project.aufschlag-barcamp.de" "resource_kind"="Challenge" "resource_name"="example-project.aufschlag-barcamp.de-zfb27-236130982-1601768340" "resource_namespace"="admin" "resource_version"="v1" "type"="DNS-01"
E0414 11:48:53.380840       1 controller.go:167] cert-manager/challenges "msg"="re-queuing item due to error processing" "error"="exoscale.acme.exoscale.com is forbidden: User \"system:serviceaccount:admin:cert-manager\" cannot create resource \"exoscale\" in API group \"acme.exoscale.com\" at the cluster scope" "key"="admin/example-project.aufschlag-barcamp.de-zfb27-236130982-1601768340"
I0414 11:54:13.382177       1 dns.go:88] cert-manager/challenges/Present "msg"="presenting DNS01 challenge for domain" "dnsName"="example-project.aufschlag-barcamp.de" "domain"="example-project.aufschlag-barcamp.de" "resource_kind"="Challenge" "resource_name"="example-project.aufschlag-barcamp.de-zfb27-236130982-1601768340" "resource_namespace"="admin" "resource_version"="v1" "type"="DNS-01"
E0414 11:54:13.385515       1 controller.go:167] cert-manager/challenges "msg"="re-queuing item due to error processing" "error"="exoscale.acme.exoscale.com is forbidden: User \"system:serviceaccount:admin:cert-manager\" cannot create resource \"exoscale\" in API group \"acme.exoscale.com\" at the cluster scope" "key"="admin/example-project.aufschlag-barcamp.de-zfb27-236130982-1601768340"

Cert Manager webhook

serviceaccount:admin:cert-manager-webhook-exoscale" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0414 11:59:12.462170       1 reflector.go:138] k8s.io/client-go@v0.24.4/tools/cache/reflector.go:167: Failed to watch *v1beta2.FlowSchema: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:admin:cert-manager-webhook-exoscale" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
W0414 11:59:30.074199       1 reflector.go:324] k8s.io/client-go@v0.24.4/tools/cache/reflector.go:167: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:admin:cert-manager-webhook-exoscale" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0414 11:59:30.074224       1 reflector.go:138] k8s.io/client-go@v0.24.4/tools/cache/reflector.go:167: Failed to watch *v1beta2.PriorityLevelConfiguration: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:admin:cert-manager-webhook-exoscale" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
W0414 12:00:02.945013       1 reflector.go:324] k8s.io/client-go@v0.24.4/tools/cache/reflector.go:167: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:admin:cert-manager-webhook-exoscale" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0414 12:00:02.945038       1 reflector.go:138] k8s.io/client-go@v0.24.4/tools/cache/reflector.go:167: Failed to watch *v1beta2.FlowSchema: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:admin:cert-manager-webhook-exoscale" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope

Expected outcome: a certificate is issued and ready.

I followed the instructions here: https://www.exoscale.com/syslog/cert-manager-webhook-exoscale/

horakg commented 1 year ago

I was able to get it working with:

  1. cert-manager 1.11.1 https://github.com/cert-manager/cert-manager/releases/download/v1.11.1/cert-manager.yaml
  2. add the following clusterrole + clusterrolebinding to rbac.yaml in cert-manager-webhook-exoscale/deploy/exoscale-webhook/templates/rbac.yaml (see https://gist.github.com/horakg/25279190f8993ccfffd48da519c301eb)
  3. install cert-manager-webhook using helm
  4. follow the other steps from the blogpost

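
Added example, not from horakg's gist (whose contents are not on this page) and not the project's own rbac.yaml: the ClusterRole and ClusterRoleBinding shape that step 2 refers to, written against the two "forbidden" errors in the logs above. The service-account names and the namespace (`cert-manager`, `cert-manager-webhook-exoscale`, `admin`) and the API group, resource and verbs come from those log lines; the object names and the decision to grant only the verbs the logs show missing, instead of `*`, are assumptions of this example. Both resources are cluster-scoped (the errors say "at the cluster scope"), which is why a Role would not be enough.

```yaml
# Added example (assumption: derived from the "forbidden" messages in the issue, not the
# project's rbac.yaml). First pair: let cert-manager's service account hand DNS01 challenges
# to the webhook's aggregated API group.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-webhook-exoscale:domain-solver   # assumed name
rules:
  - apiGroups: ["acme.exoscale.com"]   # groupName from the Issuer
    resources: ["exoscale"]            # solverName from the Issuer
    verbs: ["create"]                  # the only verb the cert-manager log reports missing
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-webhook-exoscale:domain-solver   # assumed name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-webhook-exoscale:domain-solver
subjects:
  - kind: ServiceAccount
    name: cert-manager        # from "system:serviceaccount:admin:cert-manager"
    namespace: admin
---
# Second pair: the webhook's own service account. Its client-go reflector (see the webhook
# log) lists and watches API Priority and Fairness objects and is denied both.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-webhook-exoscale:flowcontrol     # assumed name
rules:
  - apiGroups: ["flowcontrol.apiserver.k8s.io"]
    resources: ["flowschemas", "prioritylevelconfigurations"]
    verbs: ["list", "watch"]           # read-only; no create/update needed
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-webhook-exoscale:flowcontrol     # assumed name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-webhook-exoscale:flowcontrol
subjects:
  - kind: ServiceAccount
    name: cert-manager-webhook-exoscale   # from the webhook log's "User" field
    namespace: admin
```

Before and after applying it, the two denials can be reproduced without waiting for a Challenge to be retried: `kubectl auth can-i create exoscale.acme.exoscale.com --as=system:serviceaccount:admin:cert-manager` and `kubectl auth can-i list flowschemas.flowcontrol.apiserver.k8s.io --as=system:serviceaccount:admin:cert-manager-webhook-exoscale` should both go from `no` to `yes`. If cert-manager runs in a different namespace than `admin`, the `subjects` entries must name that namespace, since a binding to a service account in the wrong namespace silently grants nothing.
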
jessicatoscani commented 1 year ago

Released in v0.2.0. Feel free to reopen it if needed.