flant / cert-manager-webhook-regru

The webhook and the ClusterIssuer resource for automatic provisioning of reg.ru SSL certificates in Kubernetes
Apache License 2.0

Cert-manager account cannot create resource regru-dns at the cluster scope #9

Open Voldemat opened 1 year ago

Voldemat commented 1 year ago

The cluster was obtained using the Yandex.Cloud Managed Kubernetes solution. No modifications of the RBAC roles helped.

kubectl get challenge letsencrypt-jvzb2-2152256332-2670382356 -o yaml

apiVersion: acme.cert-manager.io/v1
kind: Challenge
metadata:
  creationTimestamp: "2023-02-16T06:07:51Z"
  finalizers:
  - finalizer.acme.cert-manager.io
  generation: 1
  name: letsencrypt-jvzb2-2152256332-2670382356
  namespace: quickclick-prod
  ownerReferences:
  - apiVersion: acme.cert-manager.io/v1
    blockOwnerDeletion: true
    controller: true
    kind: Order
    name: letsencrypt-jvzb2-2152256332
    uid: f5b3b927-e3ff-4f09-b92a-cb7521949d21
  resourceVersion: "1634916"
  uid: 6182c5bc-8c09-4d26-be53-60c45578b3b8
spec:
  authorizationURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/203731144196
  dnsName: quickclick.online
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: letsencrypt
  key: dDlzkoMWZo5NLYFs8-XpPvEmEGdikSbIOfVu3WNJW84
  solver:
    dns01:
      webhook:
        config:
          regruPasswordSecretRef:
            key: REGRU_PASSWORD
            name: regru-password
        groupName: acme.regru.ru
        solverName: regru-dns
  token: O8lRYSJ9eiWHWXUT0DR00EQxRt8RRmvsT5QbznbKqTc
  type: DNS-01
  url: https://acme-v02.api.letsencrypt.org/acme/chall-v3/203731144196/Y_IJnA
  wildcard: true
status:
  presented: false
  processing: true
  reason: 'regru-dns.acme.regru.ru is forbidden: User "system:serviceaccount:cert-manager:cert-manager"
    cannot create resource "regru-dns" in API group "acme.regru.ru" at the cluster
    scope'
  state: pending

Chunk of webhook pod logs:

W0216 14:36:52.248111       1 reflector.go:324] pkg/mod/k8s.io/client-go@v0.23.1/tools/cache/reflector.go:167: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0216 14:36:52.248146       1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.23.1/tools/cache/reflector.go:167: Failed to watch *v1beta2.FlowSchema: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
W0216 14:37:12.841566       1 reflector.go:324] pkg/mod/k8s.io/client-go@v0.23.1/tools/cache/reflector.go:167: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0216 14:37:12.841599       1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.23.1/tools/cache/reflector.go:167: Failed to watch *v1beta2.PriorityLevelConfiguration: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
W0216 14:37:36.658052       1 reflector.go:324] pkg/mod/k8s.io/client-go@v0.23.1/tools/cache/reflector.go:167: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0216 14:37:36.658085       1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.23.1/tools/cache/reflector.go:167: Failed to watch *v1beta2.FlowSchema: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
W0216 14:37:50.056745       1 reflector.go:324] pkg/mod/k8s.io/client-go@v0.23.1/tools/cache/reflector.go:167: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0216 14:37:50.056784       1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.23.1/tools/cache/reflector.go:167: Failed to watch *v1beta2.PriorityLevelConfiguration: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
W0216 14:38:11.480925       1 reflector.go:324] pkg/mod/k8s.io/client-go@v0.23.1/tools/cache/reflector.go:167: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0216 14:38:11.480971       1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.23.1/tools/cache/reflector.go:167: Failed to watch *v1beta2.FlowSchema: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
W0216 14:38:30.946739       1 reflector.go:324] pkg/mod/k8s.io/client-go@v0.23.1/tools/cache/reflector.go:167: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0216 14:38:30.946771       1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.23.1/tools/cache/reflector.go:167: Failed to watch *v1beta2.PriorityLevelConfiguration: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
W0216 14:38:59.318790       1 reflector.go:324] pkg/mod/k8s.io/client-go@v0.23.1/tools/cache/reflector.go:167: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0216 14:38:59.318823       1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.23.1/tools/cache/reflector.go:167: Failed to watch *v1beta2.FlowSchema: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
W0216 14:39:06.331360       1 reflector.go:324] pkg/mod/k8s.io/client-go@v0.23.1/tools/cache/reflector.go:167: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0216 14:39:06.331395       1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.23.1/tools/cache/reflector.go:167: Failed to watch *v1beta2.PriorityLevelConfiguration: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
W0216 14:39:41.699617       1 reflector.go:324] pkg/mod/k8s.io/client-go@v0.23.1/tools/cache/reflector.go:167: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0216 14:39:41.699647       1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.23.1/tools/cache/reflector.go:167: Failed to watch *v1beta2.PriorityLevelConfiguration: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
W0216 14:39:53.112315       1 reflector.go:324] pkg/mod/k8s.io/client-go@v0.23.1/tools/cache/reflector.go:167: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0216 14:39:53.112346       1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.23.1/tools/cache/reflector.go:167: Failed to watch *v1beta2.FlowSchema: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
W0216 14:40:14.262299       1 reflector.go:324] pkg/mod/k8s.io/client-go@v0.23.1/tools/cache/reflector.go:167: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0216 14:40:14.262335       1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.23.1/tools/cache/reflector.go:167: Failed to watch *v1beta2.PriorityLevelConfiguration: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
W0216 14:40:44.408353       1 reflector.go:324] pkg/mod/k8s.io/client-go@v0.23.1/tools/cache/reflector.go:167: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0216 14:40:44.408388       1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.23.1/tools/cache/reflector.go:167: Failed to watch *v1beta2.FlowSchema: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
W0216 14:40:56.726358       1 reflector.go:324] pkg/mod/k8s.io/client-go@v0.23.1/tools/cache/reflector.go:167: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0216 14:40:56.726393       1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.23.1/tools/cache/reflector.go:167: Failed to watch *v1beta2.PriorityLevelConfiguration: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
W0216 14:41:31.558256       1 reflector.go:324] pkg/mod/k8s.io/client-go@v0.23.1/tools/cache/reflector.go:167: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0216 14:41:31.558295       1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.23.1/tools/cache/reflector.go:167: Failed to watch *v1beta2.FlowSchema: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
W0216 14:41:49.052948       1 reflector.go:324] pkg/mod/k8s.io/client-go@v0.23.1/tools/cache/reflector.go:167: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0216 14:41:49.052976       1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.23.1/tools/cache/reflector.go:167: Failed to watch *v1beta2.PriorityLevelConfiguration: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
W0216 14:42:19.766463       1 reflector.go:324] pkg/mod/k8s.io/client-go@v0.23.1/tools/cache/reflector.go:167: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0216 14:42:19.766503       1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.23.1/tools/cache/reflector.go:167: Failed to watch *v1beta2.FlowSchema: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
W0216 14:42:45.955955       1 reflector.go:324] pkg/mod/k8s.io/client-go@v0.23.1/tools/cache/reflector.go:167: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0216 14:42:45.955983       1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.23.1/tools/cache/reflector.go:167: Failed to watch *v1beta2.PriorityLevelConfiguration: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
TFK70 commented 1 year ago

I've faced the same issue on a k3s cluster running inside a multipass VM (Ubuntu 22.04). I was able to fix it by editing the secrets-reader ClusterRole resource in rbac.yaml like this:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "cert-manager-webhook-regru.fullname" . }}:secrets-reader
  labels:
    app: {{ include "cert-manager-webhook-regru.name" . }}
    chart: {{ include "cert-manager-webhook-regru.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
rules:
  - apiGroups:
      - ''
      - 'flowcontrol.apiserver.k8s.io'
    resources:
      - '*'
    verbs:
      - 'get'
      - 'list'
      - 'watch'
```

So I've just added the flowcontrol.apiserver.k8s.io item inside apiGroups here.

I'm not sure if it is supposed to work like this, so I prefer to consider it a temporary workaround, and it would be cool if someone could explain this incident.

Voldemat commented 1 year ago

Thank you for your advice. After editing this cluster role, the error logs from the pod were gone. But the problem with creating the resource regru-dns still remains.

Pod logs:

I0221 15:18:09.976204       1 requestheader_controller.go:169] Starting RequestHeaderAuthRequestController
I0221 15:18:09.976345       1 shared_informer.go:240] Waiting for caches to sync for RequestHeaderAuthRequestController
I0221 15:18:09.976209       1 configmap_cafile_content.go:201] "Starting controller" name="client-ca::kube-system::extension-apiserver-authentication::client-ca-file"
I0221 15:18:09.976397       1 shared_informer.go:240] Waiting for caches to sync for client-ca::kube-system::extension-apiserver-authentication::client-ca-file
I0221 15:18:09.976580       1 dynamic_serving_content.go:131] "Starting controller" name="serving-cert::/tls/tls.crt::/tls/tls.key"
I0221 15:18:09.976611       1 secure_serving.go:266] Serving securely on [::]:443
I0221 15:18:09.976654       1 tlsconfig.go:240] "Starting DynamicServingCertificateController"
I0221 15:18:09.976253       1 configmap_cafile_content.go:201] "Starting controller" name="client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file"
I0221 15:18:09.976690       1 shared_informer.go:240] Waiting for caches to sync for client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file
I0221 15:18:09.976727       1 main.go:86] call function Initialize
I0221 15:18:09.977160       1 apf_controller.go:317] Starting API Priority and Fairness config controller
I0221 15:18:10.077433       1 shared_informer.go:247] Caches are synced for client-ca::kube-system::extension-apiserver-authentication::client-ca-file
I0221 15:18:10.077479       1 apf_controller.go:322] Running API Priority and Fairness config worker
I0221 15:18:10.077453       1 shared_informer.go:247] Caches are synced for RequestHeaderAuthRequestController
I0221 15:18:10.077609       1 shared_informer.go:247] Caches are synced for client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file
TFK70 commented 1 year ago

I can't see any error logs here. Also, I'm not sure what you meant by the regru-dns resource; I don't remember any resource with that name, tbh.

Personally, I've faced some errors after editing the RBAC rules as well; I've had errors like this:

Failed to watch *v1beta3.PriorityLevelConfiguration: failed to list *v1beta3.PriorityLevelConfiguration: the server could not find the requested resource

But these errors didn't affect anything; my certificate was successfully created after some time. (Also, perhaps these errors may be caused by the k3s distribution in my case, as I'm not using "vanilla k8s".)

Also, I may advise you to check the spec.acme.server field in the ClusterIssuer resource you're creating. Personally, I was using the staging URL for tests (https://acme-v02-staging.api.letsencrypt.org/directory), and with that URL your ACME challenge won't complete. You should try it on the production URL (https://acme-v02.api.letsencrypt.org/directory) if you want to see your flow fully completed.

Voldemat commented 1 year ago

I think my error may be related to the ClusterIssuer solverName; what solverName did you set?

ClusterIssuer.yaml

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: qk-issuer
  namespace: cert-manager
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: vladimirdev635@gmail.com
    privateKeySecretRef:
      name: quickclick.online.cert
    solvers:
    - http01:
        ingress:
          class: nginx
    - dns01:
        webhook:
          config:
            regruPasswordSecretRef:
              name: regru-password
              key: REGRU_PASSWORD
          solverName: regru-dns
          groupName: acme.regru.ru
TFK70 commented 1 year ago

Same as you did:

```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  creationTimestamp: "2023-02-19T21:17:10Z"
  generation: 1
  name: regru-dns
  resourceVersion: "933"
  uid: 8654a09f-8ce0-4cdb-a419-92f10e463de5
spec:
  acme:
    email: me@tfk.name
    preferredChain: ""
    privateKeySecretRef:
      name: cert-manager-letsencrypt-private-key
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
    - dns01:
        webhook:
          config:
            regruPasswordSecretRef:
              key: REGRU_PASSWORD
              name: regru-password
          groupName: acme.regru.ru
          solverName: regru-dns
```

But I can see that we have different values for privateKeySecretRef.

wildGecko commented 1 year ago

@Voldemat, hello! What is quickclick.online.cert? You need to set the value cert-manager-letsencrypt-private-key.

melazyk commented 1 year ago

The following RBAC configuration resolved these permission issues.

# I have found the same problem in cert-manager issuer
# https://github.com/vadimkim/cert-manager-webhook-hetzner/pull/37/files

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: regru-webhook-regru-cluster-issuer:flowcontrol-solver
  labels:
    app: regru-cluster-issuer
rules:
  - apiGroups:
      - "flowcontrol.apiserver.k8s.io"
    resources:
      - 'prioritylevelconfigurations'
      - 'flowschemas'
    verbs:
      - 'list'
      - 'watch'

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: regru-webhook-regru-cluster-issuer:flowcontrol-solver
  labels:
    app: regru-cluster-issuer
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: regru-webhook-regru-cluster-issuer:flowcontrol-solver
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: regru-webhook-regru-cluster-issuer
    namespace: cert-manager
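As an added example (not code from this project or from anyone in the thread): a small Python tool that parses the RBAC denial text quoted in the Challenge status and the webhook logs above and renders one ClusterRole/ClusterRoleBinding pair per service account, granting only the denied verb on the denied resource instead of `resources: '*'`. The `:from-denials` role names and the sample message list are constructed for the example.

```python
"""Derive least-privilege RBAC from Kubernetes 'is forbidden' messages (added example,
not part of cert-manager-webhook-regru)."""
import re
from collections import defaultdict

# Shape of the API server's RBAC denial as quoted in the Challenge status and webhook logs above.
FORBIDDEN_RE = re.compile(
    r'User "system:serviceaccount:(?P<ns>[^:"]+):(?P<sa>[^"]+)" '
    r'cannot (?P<verb>[a-z]+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" at the cluster scope'
)

# Constructed input: the Challenge status reason plus three webhook log lines from
# the thread (the third repeats an earlier denial, as the real logs do) and one
# unrelated startup line that must be ignored.
SA_WEBHOOK = "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer"
SAMPLE_MESSAGES = [
    'regru-dns.acme.regru.ru is forbidden: User "system:serviceaccount:cert-manager:cert-manager" '
    'cannot create resource "regru-dns" in API group "acme.regru.ru" at the cluster scope',
    f'failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: '
    f'User "{SA_WEBHOOK}" cannot list resource "flowschemas" in API group '
    f'"flowcontrol.apiserver.k8s.io" at the cluster scope',
    f'prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "{SA_WEBHOOK}" '
    f'cannot list resource "prioritylevelconfigurations" in API group '
    f'"flowcontrol.apiserver.k8s.io" at the cluster scope',
    f'Failed to watch *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: '
    f'User "{SA_WEBHOOK}" cannot list resource "flowschemas" in API group '
    f'"flowcontrol.apiserver.k8s.io" at the cluster scope',
    'I0221 15:18:09.976611 1 secure_serving.go:266] Serving securely on [::]:443',
]


def parse_denials(messages):
    """Return the distinct (namespace, serviceaccount, group, resource, verb) denials."""
    denials = set()
    for msg in messages:
        m = FORBIDDEN_RE.search(msg)
        if m:  # lines that carry no RBAC denial are skipped
            denials.add((m["ns"], m["sa"], m["group"], m["resource"], m["verb"]))
    return denials


def group_by_subject(denials):
    """{(ns, sa): {(group, resource): {verbs}}}; one ClusterRole per subject."""
    grouped = defaultdict(lambda: defaultdict(set))
    for ns, sa, group, resource, verb in denials:
        grouped[(ns, sa)][(group, resource)].add(verb)
    return grouped


def render_manifests(denials):
    """One ClusterRole + ClusterRoleBinding per service account, granting only the denied
    verbs. client-go reflectors also need 'watch' (compare the ClusterRole in the thread);
    that denial only surfaces once 'list' is allowed, so re-run on fresh logs afterwards."""
    docs = []
    for (ns, sa), grants in sorted(group_by_subject(denials).items()):
        name = f"{sa}:from-denials"  # hypothetical naming convention
        rules = "".join(
            f'  - apiGroups: ["{group}"]\n    resources: ["{resource}"]\n'
            f'    verbs: [{", ".join(sorted(verbs))}]\n'
            for (group, resource), verbs in sorted(grants.items())
        )
        docs.append("---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\n"
                    f"metadata:\n  name: {name}\nrules:\n{rules}")
        docs.append("---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\n"
                    f"metadata:\n  name: {name}\nroleRef:\n  apiGroup: rbac.authorization.k8s.io\n"
                    f"  kind: ClusterRole\n  name: {name}\nsubjects:\n  - kind: ServiceAccount\n"
                    f"    name: {sa}\n    namespace: {ns}\n")
    return "".join(docs)
```

After applying the rendered manifests, `kubectl auth can-i create regru-dns.acme.regru.ru --as=system:serviceaccount:cert-manager:cert-manager` confirms that the cert-manager account can now create the solver resource named in the Challenge status.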