Open yctn opened 4 years ago
Before installing cert-manager-cloudns, make sure you have cert-manager installed & running, including the cert-manager Custom Resource Definitions (CRD). You can find how to do this with Helm here: https://cert-manager.io/docs/installation/helm/
You should be able to install cert-manager-webhook-cloudns like this:
Create a secret containing the cloudns API credentials by placing the credentials in files and creating the secret:
kubectl create secret generic cert-manager-webhook-cloudns-api-secret \
--from-file .creds/auth_id \
--from-file .creds/auth_password
Create the manifest:
Note, this requires helm to be installed.
make rendered-manifest.yaml
Apply the manifest:
kubectl apply -f .out/rendered-manifest.yaml
Last but not least, you'll need to set up a cert-manager (Cluster)Issuer to use this solver.
You can do this using the following config under acme of the (Cluster)Issuer:
solvers:
- dns01:
    webhook:
      groupName: acme.ixon.cloud
      solverName: cloudns
That should do the trick. I should probably put this in the README :).
Yes, that would be nice :) I will try it, thanks.
serviceaccount/cert-manager-webhook-cloudns created
rolebinding.rbac.authorization.k8s.io/cert-manager-webhook-cloudns:webhook-authentication-reader created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-webhook-cloudns:auth-delegator created
clusterrole.rbac.authorization.k8s.io/cert-manager-webhook-cloudns:domain-solver created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-webhook-cloudns:domain-solver created
clusterrole.rbac.authorization.k8s.io/cert-manager-webhook-cloudns:cloudns-api-secret-access created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-webhook-cloudns:api-secret-access created
service/cert-manager-webhook-cloudns created
deployment.apps/cert-manager-webhook-cloudns created
apiservice.apiregistration.k8s.io/v1alpha1.acme.ixon.cloud created
unable to recognize ".out/rendered-manifest.yaml": no matches for kind "Issuer" in version "certmanager.k8s.io/v1alpha1"
unable to recognize ".out/rendered-manifest.yaml": no matches for kind "Certificate" in version "certmanager.k8s.io/v1alpha1"
unable to recognize ".out/rendered-manifest.yaml": no matches for kind "Issuer" in version "certmanager.k8s.io/v1alpha1"
unable to recognize ".out/rendered-manifest.yaml": no matches for kind "Certificate" in version "certmanager.k8s.io/v1alpha1"
What could this be?
Apparently the cert-manager Custom Resource Definitions (CRDs) are not installed by default if you are using their helm chart.
You'll need to install these manually before applying the cert-manager-webhook-cloudns chart.
Please see this issue: https://github.com/helm/charts/issues/10949
@Raqbit Is this still valid? Can you please confirm?
These instructions should work.
Hi, I'm trying to install it following the instructions in this issue. I only changed step 1, in which I put the credentials in the example file under deploy/secrets and kubectl apply -f it. This is my cluster issuer:
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    email: myemail
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-account-key
    solvers:
    - dns01:
        webhook:
          groupName: "acme.ixon.cloud"
          solverName: "cloudns"
and this is the annotation in the ingress:
cert-manager.io/cluster-issuer: "letsencrypt-staging"
but after that no certificate is created. Have I done something wrong, or is the webhook not working correctly anymore?
After applying the manifest the pod is not really coming up. I have the following in the pod logs.
I0318 21:47:44.077779 1 secure_serving.go:116] Serving securely on [::]:443
E0318 21:47:44.099107 1 webhook.go:196] Failed to make webhook authorizer request: the server could not find the requested resource
E0318 21:47:44.100266 1 errors.go:77] the server could not find the requested resource
What resource is it looking for? Any idea on how to fix this?
When I check the apiservices I see an error.
kubectl get apiservice | grep ixon
v1alpha1.acme.ixon.cloud default/cert-manager-webhook-cloudns False (MissingEndpoints) 5m29s
I did install cert-manager the following way.
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install \
cert-manager jetstack/cert-manager \
--namespace cert-manager \
--create-namespace \
--version v1.7.1 \
--set installCRDs=true
I did some more debugging and found a solution. The MissingEndpoints from above is obviously only showing up because the pod is not up.
The first real error seems to be related to versions of some components. My Kubernetes version is v1.23.4+k3s1. Installed via k3sup install --local --k3s-extra-args "--no-deploy servicelb" --k3s-version v1.23.4+k3s1.
After merging the branch update-deps, running a go mod tidy to update the files go.mod and go.sum, and building an image, the pod finally came up.
With that it showed continuous FlowSchema errors. I fixed that by adding the below (ClusterRole[Binding]) in the rbac.yaml.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "cert-manager-webhook-cloudns.fullname" . }}:flowcontrol-solver
  labels:
    app: {{ include "cert-manager-webhook-cloudns.name" . }}
    chart: {{ include "cert-manager-webhook-cloudns.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
rules:
  - apiGroups:
      - "flowcontrol.apiserver.k8s.io"
    resources:
      - 'prioritylevelconfigurations'
      - 'flowschemas'
    verbs:
      - 'list'
      - 'watch'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "cert-manager-webhook-cloudns.fullname" . }}:flowcontrol-solver
  labels:
    app: {{ include "cert-manager-webhook-cloudns.name" . }}
    chart: {{ include "cert-manager-webhook-cloudns.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "cert-manager-webhook-cloudns.fullname" . }}:flowcontrol-solver
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: {{ include "cert-manager-webhook-cloudns.fullname" . }}
    namespace: {{ .Release.Namespace | quote }}
---
With the above, there are now only some warnings remaining.
W0321 09:27:52.614714 1 warnings.go:70] flowcontrol.apiserver.k8s.io/v1beta1 PriorityLevelConfiguration is deprecated in v1.23+, unavailable in v1.26+; use flowcontrol.apiserver.k8s.io/v1beta2 PriorityLevelConfiguration
W0321 09:27:58.590881 1 warnings.go:70] flowcontrol.apiserver.k8s.io/v1beta1 FlowSchema is deprecated in v1.23+, unavailable in v1.26+; use flowcontrol.apiserver.k8s.io/v1beta2 FlowSchema
The warnings go away when cert-manager is upgraded to 1.7.1+.
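Two of the failures in this thread come down to a rendered manifest carrying an apiVersion the cluster no longer serves: the "no matches for kind" output (traced above to missing CRDs, but note that certmanager.k8s.io/v1alpha1 is also the pre-1.0 API group, while the ClusterIssuer later in the thread uses cert-manager.io/v1) and the flowcontrol v1beta1 deprecation warnings. The following scanner is an added example, not code from the cert-manager-webhook-cloudns project; it walks a multi-document manifest such as .out/rendered-manifest.yaml and reports every document using one of those outdated versions. The sample manifest inside it is constructed.

```python
"""Scan a rendered Kubernetes manifest for apiVersions that this thread shows
failing: the old certmanager.k8s.io group and flowcontrol v1beta1."""
import re

# Outdated apiVersion -> what current clusters serve. cert-manager.io/v1 is the
# group the ClusterIssuer in the thread uses; the flowcontrol mapping is the one
# the quoted deprecation warning suggests.
OUTDATED_API_VERSIONS = {
    "certmanager.k8s.io/v1alpha1": "cert-manager.io/v1",
    "flowcontrol.apiserver.k8s.io/v1beta1": "flowcontrol.apiserver.k8s.io/v1beta2",
}


def split_documents(manifest: str):
    """Split a multi-document YAML string on '---' lines, dropping empty docs."""
    return [d for d in re.split(r"(?m)^---\s*$", manifest) if d.strip()]


def find_outdated(manifest: str):
    """Return (kind, apiVersion, replacement) for each document whose top-level
    apiVersion is outdated. Only top-level apiVersion:/kind: lines are read, so
    no YAML library is required."""
    findings = []
    for doc in split_documents(manifest):
        api = re.search(r"(?m)^apiVersion:\s*[\"']?([^\s\"']+)", doc)
        kind = re.search(r"(?m)^kind:\s*[\"']?([^\s\"']+)", doc)
        if not api or not kind:
            continue
        replacement = OUTDATED_API_VERSIONS.get(api.group(1))
        if replacement:
            findings.append((kind.group(1), api.group(1), replacement))
    return findings


# Constructed sample; not the chart's actual rendered output.
SAMPLE_MANIFEST = """\
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
  name: example
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
---
apiVersion: v1
kind: Service
metadata:
  name: cert-manager-webhook-cloudns
"""

if __name__ == "__main__":
    for kind, api, new in find_outdated(SAMPLE_MANIFEST):
        print(f"{kind}: {api} -> use {new}")
```

Point it at a real file with `find_outdated(open(".out/rendered-manifest.yaml").read())`; an empty result means the manifest's cert-manager and flowcontrol versions are not the ones the thread saw rejected.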
I would like to use cloudns with cert-manager. But how would I install this?