cert-manager1.15 版本报错

[liuweiGL]

安装命令

helm upgrade --install alidns-webhook alidns-webhook     --repo https://wjiec.github.io/alidns-webhook     --namespace cert-manager     --set groupName=acme.xxx.com

创建 issuer

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: dns-aliyun
spec:
  acme:
    # Change to your letsencrypt email
    server: https://acme.zerossl.com/v2/DV90
    externalAccountBinding:
      keyID: ***************
      keySecretRef:
        name: **********
        key: secret
    privateKeySecretRef:
      name: dns-aliyun-account
    solvers:
    - dns01:
        webhook:
          groupName: acme.xxx.com
          solverName: alidns
          config:
            region: ""
            accessKeyIdRef:
              name: aliyun-raw-dns
              key: access-key
            accessKeySecretRef:
              name: aliyun-raw-dns
              key: secret-key

报错信息

alidns.acme.xxx.com is forbidden: User "system:serviceaccount:cert-manager:cert-manager-controller" cannot create resource "alidns" in API group "acme.xxx.com" at the cluster scope

[liuweiGL]

解决办法：设置 certManager.serviceAccountName 字段

helm upgrade --install alidns-webhook alidns-webhook  \
                       --repo https://wjiec.github.io/alidns-webhook  \
                       --namespace cert-manager    \
                       --set groupName=acme.xxx.com,certManager.serviceAccountName=cert-manager-controller

[wjiec]

Hi, did your cert-manager change the default sa name during installation via --set serviceAccount.name=cert-manager-controller (or something similar)? I'd like to add this question to the README, thanks!

[liuweiGL]

应该没有吧，不过我用的是 bitnami charts

[wjiec]

Yeah, that's the thing! https://github.com/bitnami/charts/blob/155d842a9517619077f82e2589d0104027a4a004/bitnami/cert-manager/templates/_helpers.tpl#L43-L58