search

piraeusdatastore / helm-charts

Collection of useful charts for Piraeus and similar projects
Apache License 2.0
30 stars 18 forks source link

snapshot-controller: error while generating certificate with cert manager #44

Open jkossis opened 8 months ago

jkossis commented 8 months ago

When using the webhook's certManagerIssuerRef configuration, the following error occurs while generating the certificate:

Name:         snapshot-validation-webhook
Namespace:    snapshot-controller
Labels:       app.kubernetes.io/instance=snapshot-controller
              app.kubernetes.io/managed-by=Helm
              app.kubernetes.io/name=snapshot-validation-webhook
              app.kubernetes.io/version=v6.3.3
              helm.sh/chart=snapshot-controller-2.0.4
Annotations:  meta.helm.sh/release-name: snapshot-controller
              meta.helm.sh/release-namespace: snapshot-controller
API Version:  cert-manager.io/v1
Kind:         Certificate
Metadata:
  Creation Timestamp:  2024-01-08T16:35:43Z
  Generation:          1
  Resource Version:    2103731
  UID:                 953009bf-dad7-47ae-aac0-678ab7191808
Spec:
  Dns Names:
    snapshot-validation-webhook.snapshot-controller.svc
  Issuer Ref:
    Kind:  ClusterIssuer
    Name:  cloudflare
  Private Key:
    Rotation Policy:  Always
  Secret Name:        snapshot-validation-webhook-tls
Status:
  Conditions:
    Last Transition Time:    2024-01-08T16:35:43Z
    Message:                 Issuing certificate as Secret does not exist
    Observed Generation:     1
    Reason:                  DoesNotExist
    Status:                  False
    Type:                    Ready
    Last Transition Time:    2024-01-08T16:35:44Z
    Message:                 The certificate request has failed to complete and will be retried: Failed to wait for order resource "snapshot-validation-webhook-1-112280392" to become ready: order is in "errored" state: Failed to create Order: 400 urn:ietf:params:acme:error:rejectedIdentifier: Error creating new order :: Cannot issue for "snapshot-validation-webhook.snapshot-controller.svc": Domain name does not end with a valid public suffix (TLD)
    Observed Generation:     1
    Reason:                  Failed
    Status:                  False
    Type:                    Issuing
  Failed Issuance Attempts:  1
  Last Failure Time:         2024-01-08T16:35:44Z
Events:
  Type     Reason     Age   From                                       Message
  ----     ------     ----  ----                                       -------
  Normal   Issuing    35s   cert-manager-certificates-trigger          Issuing certificate as Secret does not exist
  Normal   Generated  35s   cert-manager-certificates-key-manager      Stored new private key in temporary Secret resource "snapshot-validation-webhook-m87kf"
  Normal   Requested  35s   cert-manager-certificates-request-manager  Created new CertificateRequest resource "snapshot-validation-webhook-1"
  Warning  Failed     34s   cert-manager-certificates-issuing          The certificate request has failed to complete and will be retried: Failed to wait for order resource "snapshot-validation-webhook-1-112280392" to become ready: order is in "errored" state: Failed to create Order: 400 urn:ietf:params:acme:error:rejectedIdentifier: Error creating new order :: Cannot issue for "snapshot-validation-webhook.snapshot-controller.svc": Domain name does not end with a valid public suffix (TLD)

It looks like Cert Manager is unhappy with the svc suffix ... I can't see how this has worked previously.

WanzenBug commented 8 months ago

It looks like Cert Manager is unhappy with the svc suffix ... I can't see how this has worked previously.

More specifically, it is unhappy because it was asked to create a "public" certificate using ACME, but we try to create the certificate internally, without a valid top-level domain.

But we don't need a public certificate at all. We only need a certificate to validate the internal service names (hence the .svc suffix). Usually, users create some kind of internal issuer, usually using the SelfSigned or CA type and use that to provision these internal certificates.

I don't really see the reason one would want a public certificate for this internal component. If the snapshot-controller was reachable from outside the cluster, something has already gone very wrong.

jkossis commented 7 months ago

@WanzenBug, I appreciate you providing some more info on this. Admittedly, this would be very useful info to include in the portion of the readme that pertains to using cert-manager. Right now, this is all that is there:

A [cert-manager.io](https://cert-manager.io/) issuer able to create a certificate for the webhook service.

To use this method, create an override file like:

webhook:
  tls:
    certManagerIssuerRef:
      name: internal-issuer
      kind: ClusterIssuer

To apply the override, use --values <override-file>.
WanzenBug commented 7 months ago

For sure. Patches welcome :smiley: