Reflector error inside logs for cert-manager-webhook-civo pod

[posinautinc]

Hello,

I am trying to get Cert Manager (with Let's Encrypt) to issue a wild card cert using DNS01 and the Civo webhook on my K8S cluster on Civo. I have Istio installed and the secret containing the cert was successfully generated in the istio-system namespace.

My website is in a different namespace so I am using https://github.com/emberstack/kubernetes-reflector to copy the cert (secret) to the namespace of my website.

On initial setup, things somehow worked and I could find the replicated secret in my website's namespace. However when I changed some certificate parameter to cause the certificate to re-issue I see that the certificate remains stuck in a pending state. Looking into the logs of the civo-webhook pod I see this:

W0520 16:34:00.041392 1 reflector.go:324] pkg/mod/k8s.io/client-go@v0.23.5/tools/cache/reflector.go:167: failed to list v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:cert-manager-webhook-civo" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope E0520 16:34:00.041685 1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.23.5/tools/cache/reflector.go:167: Failed to watch v1beta2.PriorityLevelConfiguration: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:cert-manager-webhook-civo" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope

I am still quite green with respect to Kubernetes/Istio so wondering if you could shed light on whether:

1. this is the wrong approach?
2. I need to configure permissions/roles somehow?
3. this is not supported by the Civo-webhook?
4. some other problem?

This is my ClusterIssuer yaml:

apiVersion: cert-manager.io/v1 kind: ClusterIssuer metadata: name: letsencrypt-staging-cluster namespace: istio-system spec: acme: email: someone@gmail.com server: https://acme-staging-v02.api.letsencrypt.org/directory privateKeySecretRef: name: letsencrypt-staging-cluster solvers:

• dns01: webhook: solverName: "civo" groupName: civo.webhook.okteto.com config: secretName: civo-secret

And my Certificate.yaml:

apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: mydomain-cert-staging namespace: istio-system spec: secretName: mydomain-cert-staging duration: 2160h # 90d renewBefore: 360h # 15d isCA: false privateKey: algorithm: RSA encoding: PKCS1 size: 2048 usages:

• server auth
• client auth commonName: "whoami.mydomain.com" dnsNames:
• "whoami.mydomain.com" issuerRef: name: letsencrypt-staging-cluster kind: ClusterIssuer group: cert-manager.io secretTemplate: annotations: reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
  reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "ns-twb-staging" # Control destination namespaces. reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true" # Auto create reflection for matching namespaces. reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "ns-twb-staging" # Control auto-reflection namespace.

Thanks!

[malwatt]

I have exactly the same errors, but without using emberstack/kubernetes-reflector. Was a solution found?

[rberrelleza]

Can you provide a sample? My guess is that the permissions that the chart have are not enough for what you need. We could include an option for you to bring your serviceAccount or your role to give the permission model more flexibility.