
Comments (8)

jniebuhr commented on August 17, 2024

Hi @krisek,

can you please post your certificate resource (without any personal data if applicable) and the logs of the issuer container?

from aws-privateca-issuer.

krisek commented on August 17, 2024

Hi, thanks a lot for looking at this!

 ⎈ kris-play:kris  ~/p/aws-pca-deploy  kubectl get certificate hello.kris -o yaml    400ms  06.28 09:20
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  annotations:
..
  name: hello.kris
  namespace: kris
...
spec:
  commonName: hello.kris
  dnsNames:
  - hello.kris
  duration: 2160h0m0s
  issuerRef:
    group: awspca.cert-manager.io
    kind: AWSPCAIssuer
    name: kris-test-issuer
  privateKey:
    algorithm: RSA
    size: 2048
  renewBefore: 360h0m0s
  secretName: hello.kris-crt
  usages:
  - server auth
  - client auth
status:
  conditions:
  - lastTransitionTime: "2021-06-28T05:57:06Z"
    message: Issuing certificate as Secret does not exist
    reason: DoesNotExist
    status: "False"
    type: Ready
  - lastTransitionTime: "2021-06-28T05:57:06Z"
    message: Issuing certificate as Secret does not exist
    reason: DoesNotExist
    status: "True"
    type: Issuing
  nextPrivateKeySecretName: hello.kris-q6rkb
 ⎈ kris-play:kris  ~/p/aws-pca-deploy  kubectl describe AWSPCAIssuer    313ms  06.28 09:25
Name:         kris-test-issuer
Namespace:    kris
Labels:       <none>
Annotations:  <none>
API Version:  awspca.cert-manager.io/v1beta1
Kind:         AWSPCAIssuer
Metadata:
..
Spec:
  Arn:     arn:aws:acm-pca:eu-central-1:**********:certificate-authority/***********
  Region:  eu-central-1
  Secret Ref:
    Name:       pca-manager-secret
    Namespace:  kris
Status:
  Conditions:
    Last Transition Time:  2021-06-27T22:06:19Z
    Message:               Issuer verified
    Reason:                Verified
    Status:                True
    Type:                  Ready
Events:
  Type    Reason    Age   From                     Message
  ----    ------    ----  ----                     -------
  Normal  Verified  56m   awspcaissuer-controller  Issuer verified
  Normal  Verified  29m   awspcaissuer-controller  Issuer verified
 
 ⎈ kris-play:kris  ~/p/aws-pca-deploy  kubectl get pods -n aws-pca    236ms  06.28 09:21
NAME                                         READY   STATUS    RESTARTS   AGE
aws-pca-issuer-1624863446-64fc69dd7b-vkwjw   1/1     Running   0          26m
 ⎈ kris-play:kris  ~/p/aws-pca-deploy  kubectl logs aws-pca-issuer-1624863446-64fc69dd7b-vkwjw -n aws-pca    660ms  06.28 09:24
I0628 06:57:31.570278       1 request.go:655] Throttling request took 1.046797791s, request: GET:https://172.31.0.1:443/apis/node.k8s.io/v1beta1?timeout=32s
{"level":"info","ts":1624863453.9255252,"logger":"controller-runtime.metrics","msg":"metrics server is starting to listen","addr":":8080"}
{"level":"info","ts":1624863453.9258225,"logger":"setup","msg":"starting manager"}
I0628 06:57:33.926061       1 leaderelection.go:243] attempting to acquire leader lease aws-pca/b858308c.awspca.cert-manager.io...
{"level":"info","ts":1624863453.9260924,"logger":"controller-runtime.manager","msg":"starting metrics server","path":"/metrics"}
I0628 06:57:51.327295       1 leaderelection.go:253] successfully acquired lease aws-pca/b858308c.awspca.cert-manager.io
{"level":"info","ts":1624863471.327644,"logger":"controller-runtime.manager.controller.certificaterequest","msg":"Starting EventSource","reconciler group":"cert-manager.io","reconciler kind":"CertificateRequest","source":"kind source: /, Kind="}
{"level":"info","ts":1624863471.327736,"logger":"controller-runtime.manager.controller.awspcaclusterissuer","msg":"Starting EventSource","reconciler group":"awspca.cert-manager.io","reconciler kind":"AWSPCAClusterIssuer","source":"kind source: /, Kind="}
{"level":"info","ts":1624863471.327816,"logger":"controller-runtime.manager.controller.awspcaissuer","msg":"Starting EventSource","reconciler group":"awspca.cert-manager.io","reconciler kind":"AWSPCAIssuer","source":"kind source: /, Kind="}
{"level":"info","ts":1624863471.4280107,"logger":"controller-runtime.manager.controller.certificaterequest","msg":"Starting Controller","reconciler group":"cert-manager.io","reconciler kind":"CertificateRequest"}
{"level":"info","ts":1624863471.4281147,"logger":"controller-runtime.manager.controller.certificaterequest","msg":"Starting workers","reconciler group":"cert-manager.io","reconciler kind":"CertificateRequest","worker count":1}
{"level":"info","ts":1624863471.4281433,"logger":"controller-runtime.manager.controller.awspcaissuer","msg":"Starting Controller","reconciler group":"awspca.cert-manager.io","reconciler kind":"AWSPCAIssuer"}
{"level":"info","ts":1624863471.4282038,"logger":"controller-runtime.manager.controller.awspcaissuer","msg":"Starting workers","reconciler group":"awspca.cert-manager.io","reconciler kind":"AWSPCAIssuer","worker count":1}
{"level":"info","ts":1624863471.428352,"logger":"controller-runtime.manager.controller.awspcaclusterissuer","msg":"Starting Controller","reconciler group":"awspca.cert-manager.io","reconciler kind":"AWSPCAClusterIssuer"}
{"level":"info","ts":1624863472.028584,"logger":"controller-runtime.manager.controller.awspcaclusterissuer","msg":"Starting workers","reconciler group":"awspca.cert-manager.io","reconciler kind":"AWSPCAClusterIssuer","worker count":1}


krisek commented on August 17, 2024

Based on https://github.com/cert-manager/aws-privateca-issuer/blob/master/config/examples/config/secret.yaml it is not clear whether I need to base64 encode the AWS credentials or not. I tried with both encoded and not encoded: the result is the same.


jniebuhr commented on August 17, 2024

You have to put them in the secret yaml in base64 encoding. Or create them via kubectl create secret generic.

Which version of cert-manager are you running? And can you post the CertificateRequest, too?

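To show the encoding rule from the reply above in practice, here is an added Python check that is not code from the aws-privateca-issuer project or from this thread. It decodes a credentials Secret the way the API server does and reports when the resulting values do not look like AWS credentials. It assumes the Secret uses the keys AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY (an assumption about the layout of the project's example secret.yaml), and uses the constructed example key pair from the AWS documentation as input. The point it makes is the one that makes "encoded or not, the result is the same" plausible: a raw 20-character access key ID or 40-character secret key is itself syntactically valid base64, so kubectl accepts it under data: and the issuer silently receives 15 or 30 bytes of garbage instead of a credential.

```python
"""Added example: validate an aws-privateca-issuer credentials Secret.

Not project code. The key names AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY are an
assumption about the Secret layout; the credential values below are the
constructed example pair from the AWS documentation, not real keys.
"""
import base64
import binascii
import re

# Typical shapes: 20-char key id starting with AKIA (long-term) or ASIA (temporary),
# 40-char secret key drawn from the base64 alphabet. Both lengths are multiples of 4,
# which is exactly why a plaintext value pasted under `data:` is accepted as base64.
ACCESS_KEY_ID_RE = re.compile(r"^(AKIA|ASIA)[A-Z0-9]{16}$")
SECRET_ACCESS_KEY_RE = re.compile(r"^[A-Za-z0-9/+]{40}$")

EXAMPLE_KEY_ID = "AKIAIOSFODNN7EXAMPLE"                      # constructed (AWS docs example)
EXAMPLE_SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"  # constructed (AWS docs example)


def b64(text):
    """Encode the way `kubectl create secret generic --from-literal` does: no trailing newline."""
    return base64.b64encode(text.encode()).decode()


def secret_manifest(key_id, secret_key, name="pca-manager-secret", namespace="kris"):
    """Build a correctly encoded Secret manifest (as a dict) for the issuer's secretRef."""
    return {
        "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
        "metadata": {"name": name, "namespace": namespace},
        "data": {"AWS_ACCESS_KEY_ID": b64(key_id), "AWS_SECRET_ACCESS_KEY": b64(secret_key)},
    }


def effective_values(secret):
    """Merge stringData (plaintext, wins on conflict) over strictly base64-decoded data."""
    values = {k: v.encode() for k, v in secret.get("stringData", {}).items()}
    for k, v in secret.get("data", {}).items():
        if k in values:
            continue
        try:
            values[k] = base64.b64decode(v, validate=True)
        except (binascii.Error, ValueError) as exc:
            raise ValueError(f"{k}: not valid base64 ({exc})") from exc
    return values


def check_credentials(secret, id_key="AWS_ACCESS_KEY_ID", secret_key="AWS_SECRET_ACCESS_KEY"):
    """Return a list of problems; an empty list means the Secret looks usable by the issuer."""
    try:
        values = effective_values(secret)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    for key, pattern, what in ((id_key, ACCESS_KEY_ID_RE, "access key id"),
                               (secret_key, SECRET_ACCESS_KEY_RE, "secret access key")):
        raw = values.get(key)
        if raw is None:
            problems.append(f"{key}: missing from data/stringData")
            continue
        try:
            text = raw.decode("ascii")
        except UnicodeDecodeError:
            text = ""
        if not pattern.match(text.strip()):
            problems.append(f"{key}: decodes to {len(raw)} bytes that do not look like an AWS {what}; "
                            "a plaintext value under data: is valid base64 and decodes to garbage")
        elif text != text.strip():
            problems.append(f"{key}: decoded value has surrounding whitespace (echo without -n?)")
    return problems


if __name__ == "__main__":
    good = secret_manifest(EXAMPLE_KEY_ID, EXAMPLE_SECRET)
    # The mistake discussed in the thread: plaintext credentials placed directly under data:.
    raw = {"data": {"AWS_ACCESS_KEY_ID": EXAMPLE_KEY_ID, "AWS_SECRET_ACCESS_KEY": EXAMPLE_SECRET}}
    for label, s in (("base64-encoded data", good), ("plaintext under data", raw)):
        print(label, "->", check_credentials(s) or "ok")
```

Run it against `kubectl get secret pca-manager-secret -n kris -o json` to check an existing Secret; to avoid the problem entirely, create the Secret with `kubectl create secret generic ... --from-literal=AWS_ACCESS_KEY_ID=... --from-literal=AWS_SECRET_ACCESS_KEY=...` or use `stringData:` in the manifest, both of which take plaintext.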

krisek commented on August 17, 2024

Ok, now I reverted to base64.

CertificateRequest:

 ⎈ kris-play:kris  ~/p/aws-pca-deploy  kubectl delete CertificateRequest hello.kris-mt5wv    302ms  06.28 09:48
certificaterequest.cert-manager.io "hello.kris-mt5wv" deleted
 ⎈ kris-play:kris  ~/p/aws-pca-deploy  kubectl get CertificateRequest    271ms  06.28 09:48
NAME                               READY   AGE
hello.kris-mr95z                           6s
jenkins-playground-a7t-tls-w8ll9   True    30d
 ⎈ kris-play:kris  ~/p/aws-pca-deploy  kubectl describe CertificateRequest hello.kris-mr95z    237ms  06.28 09:49
Name:         hello.kris-mr95z
Namespace:    kris
Labels:       <none>
Annotations:  cert-manager.io/certificate-name: hello.kris
              cert-manager.io/certificate-revision: 1
              cert-manager.io/private-key-secret-name: hello.kris-q6rkb
API Version:  cert-manager.io/v1
Kind:         CertificateRequest
Metadata:
  Creation Timestamp:  2021-06-28T07:48:45Z
  Generate Name:       hello.kris-
  Generation:          1
  Managed Fields:
    API Version:  cert-manager.io/v1
..
    Manager:    controller
    Operation:  Update
    Time:       2021-06-28T07:48:45Z
  Owner References:
    API Version:           cert-manager.io/v1
    Block Owner Deletion:  true
    Controller:            true
    Kind:                  Certificate
    Name:                  hello.kris
    UID:                   9fc91f47-d74e-421f-afba-09d5ddcaae16
  Resource Version:        153356545
  Self Link:               /apis/cert-manager.io/v1/namespaces/kris/certificaterequests/hello.kris-mr95z
  UID:                     4c62b5bf-c836-4a86-a9c3-fc5da504e5d6
Spec:
  Duration:  2160h0m0s
  Issuer Ref:
    Group:  awspca.cert-manager.io
    Kind:   AWSPCAIssuer
    Name:   kris-test-issuer
  Request:  LS0tLS1CRUdJTiBDRVJUSUZJQ...
  Usages:
    server auth
    client auth
Events:  <none>
 ⎈ kris-play:kris  ~/p/aws-pca-deploy  kubectl get CertificateRequest hello.kris-mr95z -o yaml    300ms  06.28 09:49
apiVersion: cert-manager.io/v1
kind: CertificateRequest
metadata:
  annotations:
    cert-manager.io/certificate-name: hello.kris
    cert-manager.io/certificate-revision: "1"
    cert-manager.io/private-key-secret-name: hello.kris-q6rkb
  creationTimestamp: "2021-06-28T07:48:45Z"
  generateName: hello.kris-
  generation: 1
...
  name: hello.kris-mr95z
  namespace: kris
  ownerReferences:
  - apiVersion: cert-manager.io/v1
    blockOwnerDeletion: true
    controller: true
    kind: Certificate
    name: hello.kris
    uid: 9fc91f47-d74e-421f-afba-09d5ddcaae16
  resourceVersion: "153356545"
  selfLink: /apis/cert-manager.io/v1/namespaces/kris/certificaterequests/hello.kris-mr95z
  uid: 4c62b5bf-c836-4a86-a9c3-fc5da504e5d6
spec:
  duration: 2160h0m0s
  issuerRef:
    group: awspca.cert-manager.io
    kind: AWSPCAIssuer
    name: kris-test-issuer
  request: LS0tLS1CRUdJTiBDRVJUSUZJQ...
  usages:
  - server auth
 ⎈ kris-play:kris  ~/p/aws-pca-deploy  helm list -A | egrep 'pca|cert'    312ms  06.28 09:53
aws-pca-issuer-1624863446       aws-pca                 1               2021-06-28 08:57:27.623566023 +0200 CEST        deployed        aws-pca-issuer-0.1.1                    v0.2.1         
cert-exporter                   kube-system             10              2021-04-12 06:41:35.556000101 +0000 UTC         deployed        cert-exporter-1.6.1                     1.6.1          
cert-manager                    kube-system             11              2021-04-12 10:26:38.392282114 +0200 CEST        deployed        cert-manager-app-2.4.3                  1.1.0          


jniebuhr commented on August 17, 2024

It looks like you're running cert-manager 1.1.0. The issuer will wait for approval from cert-manager, which was added in 1.3. So you can either update your cert-manager or disable the check as described in https://github.com/cert-manager/aws-privateca-issuer#disable-approval-check

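The diagnosis above can be turned into a repeatable check. The following is an added Python example, not code from cert-manager or aws-privateca-issuer, that triages a CertificateRequest the way the reply does: the issuer only signs a request that carries an Approved=True condition, and cert-manager releases before 1.3 never add one, so such a request sits forever with no conditions at all, exactly like hello.kris-mr95z above. The stuck request is that object from the thread trimmed to the fields the check needs; the approved variant and the version-comparison threshold (1.3.0) are constructed from the reply, and the suggestion to disable the approval check refers to the README section linked above rather than to a specific flag name.

```python
"""Added example: triage a CertificateRequest stuck at an AWS PCA issuer.

Not code from cert-manager or aws-privateca-issuer. It encodes the rule given
in the reply above: the issuer waits for an Approved=True condition, and
cert-manager releases before 1.3 never add one. STUCK_REQUEST is the
hello.kris-mr95z object from this thread trimmed to the needed fields;
APPROVED_REQUEST is constructed.
"""

APPROVAL_INTRODUCED = (1, 3, 0)   # cert-manager release that added CertificateRequest approval
PCA_GROUP = "awspca.cert-manager.io"

# From the thread: no status at all, so neither Approved nor Ready is ever set.
STUCK_REQUEST = {
    "apiVersion": "cert-manager.io/v1", "kind": "CertificateRequest",
    "metadata": {"name": "hello.kris-mr95z", "namespace": "kris"},
    "spec": {"duration": "2160h0m0s",
             "issuerRef": {"group": PCA_GROUP, "kind": "AWSPCAIssuer", "name": "kris-test-issuer"},
             "usages": ["server auth"]},
}

# Constructed: the same request after an approver has acted on it.
APPROVED_REQUEST = dict(STUCK_REQUEST, status={"conditions": [
    {"type": "Approved", "status": "True", "reason": "cert-manager.io",
     "message": "Certificate request has been approved by cert-manager.io"},
]})


def parse_version(text):
    """'v1.1.0', '1.3.1', '1.10.2-beta.0' -> (major, minor, patch); missing parts are 0."""
    core = text.lstrip("v").split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def condition(obj, cond_type):
    """Return the status condition of the given type, or None if absent."""
    for c in obj.get("status", {}).get("conditions", []):
        if c.get("type") == cond_type:
            return c
    return None


def triage(cr, cert_manager_version, approval_check_disabled=False):
    """Explain why an AWS PCA CertificateRequest has not been issued yet."""
    if cr["spec"]["issuerRef"].get("group", "cert-manager.io") != PCA_GROUP:
        return "not an AWS PCA request"
    ready = condition(cr, "Ready")
    if ready and ready.get("status") == "True":
        return "issued"
    if ready and ready.get("reason") == "Failed":
        return "failed: " + ready.get("message", "")
    denied = condition(cr, "Denied")
    if denied and denied.get("status") == "True":
        return "denied: " + denied.get("message", "")
    approved = condition(cr, "Approved")
    if approved and approved.get("status") == "True":
        return "approved, waiting for issuer to sign"
    if approval_check_disabled:
        return "approval check disabled, issuer should sign; check issuer logs"
    if parse_version(cert_manager_version) < APPROVAL_INTRODUCED:
        return (f"stuck: cert-manager {cert_manager_version} never sets Approved; "
                "upgrade to 1.3 or later, or disable the approval check in the issuer")
    return "waiting for approval: no Approved/Denied condition yet (an approver must still act on it)"


if __name__ == "__main__":
    # "1.1.0" is the APP VERSION column for cert-manager in the helm list output above.
    for label, cr, version in (("thread, cert-manager 1.1.0", STUCK_REQUEST, "1.1.0"),
                               ("thread, after upgrade", STUCK_REQUEST, "1.3.1"),
                               ("constructed approved", APPROVED_REQUEST, "1.3.1")):
        print(f"{label}: {triage(cr, version)}")
```

In a live cluster, feed it `kubectl get certificaterequest NAME -o json` and the cert-manager APP VERSION from `helm list`, as shown in the thread; a request with no status and a cert-manager older than 1.3 is the signature of this issue.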

krisek commented on August 17, 2024

Thanks a lot, that was it! Maybe we could add to this section the possible symptoms of this problem... cert-manager was installed by a different team, so I didn't take care of this dependency.

I'm happy to add an additional sentence to the documentation and raise the PR.

BTW it is interesting: the certificate is in the cluster now, all good, but I don't see it in the AWS console. Is this normal?


jniebuhr commented on August 17, 2024

Yes, that's completely normal. No AWS resource is created for the certificate (the certificates under Certificate Manager are public ones while Private CA is a different section).

Sure, you could add something like FAQ or Troubleshooting to the Readme.
