Closed johanneskastl closed 1 year ago
Hi,
The error shows that it can't find a resource connected to FlowSchema. PriorityLevelConfigurations is part of this commit: https://github.com/vadimkim/cert-manager-webhook-hetzner/commit/8aee1592514690d30ece895120673fa9314bbd84
The entire thread is connected to RBAC: https://github.com/vadimkim/cert-manager-webhook-hetzner/issues/35
Check if you have the ClusterRole and ClusterRoleBinding from the RBAC template. I am not 100% sure, but this might be an issue.
Thanks for the reply. I only set the groupName during helm installation, so anything else is default.
$ k get clusterroles|grep hetzner
cert-manager-webhook-hetzner:domain-solver 2023-03-24T05:49:52Z
cert-manager-webhook-hetzner:flowcontrol-solver 2023-03-24T05:49:52Z
$ k get clusterrolebindings|grep hetzner
cert-manager-webhook-hetzner:auth-delegator ClusterRole/system:auth-delegator 24h
cert-manager-webhook-hetzner:domain-solver ClusterRole/cert-manager-webhook-hetzner:domain-solver 24h
cert-manager-webhook-hetzner:flowcontrol-solver ClusterRole/cert-manager-webhook-hetzner:flowcontrol-solver 24h
$
What version of webhook are you using?
cert-manager-webhook-hetzner-1.2.2, installed via the helm chart.
values.yaml only contains:
groupName: <redacted>
Multiple k3s clusters, all running v1.25.7+k3s1
Hi,
kubectl api-resources
Check which versions your k8s API supports. In my case, I'm running a kubeadm local 1.24 cluster and my highest supported version is: flowcontrol.apiserver.k8s.io/v1beta2
I'm still looking for the best way to fix this.
EDIT: As stated here, flowcontrol.apiserver.k8s.io/v1beta3 should be supported from version 1.26 and later.
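The check described in the comment above, as an added example that is not part of the thread or of the project's code: it reads the output of `kubectl api-versions` (a related command to the `kubectl api-resources` mentioned above) and reports whether the API server serves the flowcontrol version in question, or which version is the highest it does serve. The function names and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
GROUP="flowcontrol.apiserver.k8s.io"

# Constructed samples of `kubectl api-versions` output (not taken from the thread).
SAMPLE_125='apps/v1
flowcontrol.apiserver.k8s.io/v1beta1
flowcontrol.apiserver.k8s.io/v1beta2
rbac.authorization.k8s.io/v1'
SAMPLE_126='apps/v1
flowcontrol.apiserver.k8s.io/v1beta2
flowcontrol.apiserver.k8s.io/v1beta3
rbac.authorization.k8s.io/v1'

# Print the served versions of $GROUP, highest first.
# Kubernetes ordering: GA > beta > alpha, then by major and minor number.
served_flowcontrol_versions() {
    awk -F/ -v g="$GROUP" '
        $1 == g && $2 ~ /^v[0-9]+((alpha|beta)[0-9]+)?$/ {
            v = $2; major = v; sub(/^v/, "", major); sub(/[a-z].*$/, "", major)
            level = 3; minor = 0
            if (v ~ /beta/)  { level = 2; minor = v; sub(/^.*beta/, "", minor) }
            if (v ~ /alpha/) { level = 1; minor = v; sub(/^.*alpha/, "", minor) }
            printf "%d %d %d %s\n", level, major, minor, v
        }' | sort -k1,1nr -k2,2nr -k3,3nr | awk '{ print $4 }'
}

# Read `kubectl api-versions` output on stdin; return 0 if $1 is served,
# otherwise report the highest served version and return 1.
check_flowcontrol() {
    wanted="$1"
    served=$(served_flowcontrol_versions)
    if printf '%s\n' "$served" | grep -qxF "$wanted"; then
        echo "ok: $GROUP/$wanted is served"
        return 0
    fi
    top=$(printf '%s\n' "$served" | head -n 1)
    echo "missing: $GROUP/$wanted (highest served: ${top:-none})"
    return 1
}

# Demo on the constructed 1.25 sample; on a live cluster use:
#   kubectl api-versions | check_flowcontrol v1beta3
printf '%s\n' "$SAMPLE_125" | check_flowcontrol v1beta3 || true
```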
Hi again,
Upgrading to 1.26 fixes the issue. I deployed the cluster on Debian, so I had to manually upgrade containerd to keep kubelet from breaking.
Is it not possible to use some old version compatible with Kubernetes 1.25.9?
I found that cert-manager did not issue a certificate using webhook-hetzner today. The certificate stays in status "False". This did work last week, with the same version of the webhook.
Not sure if it is related, but I noticed that the webhook-hetzner pod spits out lots of warnings: