guilhem / freeipa-issuer

A cert-manager external issuer for FreeIPA
Apache License 2.0

ClusterIssuer not working #14

Closed ykoer closed 3 years ago

ykoer commented 3 years ago

This is the ClusterIssuer

apiVersion: certmanager.freeipa.org/v1beta1
kind: ClusterIssuer
metadata:
  name: ipa-issuer
spec:
  host: ipa.example.com
  user:
    name: freeipa-auth
    namespace: freeipa-issuer-system
    key: user
  password:
    name: freeipa-auth
    namespace: freeipa-issuer-system
    key: password

  # Optionals
  serviceName: HTTP
  addHost: true
  addService: true
  addPrincipal: true
  ca: ipa
  # Do not check certificate of IPA server connection
  insecure: true # unless you can create your own container and inject IPA server CA as trusted.
  # This fixes a bug when adding a service
  ignoreError: true

and the cert-manager.io certificate resource:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: test-cert
  namespace: testing
spec:
  commonName: test.example.com
  secretName: test-cert
  issuerRef:
    name: ipa-issuer
    group: certmanager.freeipa.org
    kind: ClusterIssuer

I am seeing the following error:

{
  "level": "error",
  "ts": 1620221162.6725845,
  "logger": "controller-runtime.manager.controller.certificaterequest",
  "msg": "failed to provisioner for Issuer resource",
  "reconciler group": "cert-manager.io",
  "reconciler kind": "CertificateRequest",
  "name": "test-cert-fbcwk",
  "namespace": "testing",
  "certificaterequest": "testing/test-cert-fbcwk",
  "error": "provisioner / not found",
  "stacktrace": "......"
}

I debugged the code and found: https://github.com/guilhem/freeipa-issuer/blob/797082b5d5779554c684cdf7c2a8602e05777022/controllers/certificaterequest.go#L92

I changed it to: cr.Spec.IssuerRef.Kind "ClusterIssuer"

but it looks like there are more changes required for the ClusterIssuer.

guilhem commented 3 years ago

should be fixed by your #16 ;)