cert-manager-webhook-yandex's Issues

Error presenting challenge: no public zone

Hi!
I have 3 zones in Yandex Cloud DNS, and they are configured and in use.

yc dns zone list

+----------------------+----------+--------------+------------+-------------+
|          ID          |   NAME   |     ZONE     | VISIBILITY | DESCRIPTION |
+----------------------+----------+--------------+------------+-------------+
| dns76jpi12jreoirj12vb | pchelun  | pchelun.ru.  | PUBLIC     |             |
| dns76jpi12jreoirj12vb | abiletik | abiletik.ru. | PUBLIC     |             |
| dns76jpi12jreoirj12vb | muffs    | muffs.ru.    | PUBLIC     |             |
+----------------------+----------+--------------+------------+-------------+

When I try to issue a certificate:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: dev-muffs-ru
  namespace: default
spec:
  secretName: dev-muffs-ru-secret
  issuerRef:
    name: yandex
    kind: ClusterIssuer
  dnsNames:
  - muffs.ru
  - abiletik.ru
  - pchelun.ru
  - '*.muffs.ru'
  - '*.prod.muffs.ru'
  - '*.dev.muffs.ru'
  - '*.abiletik.ru'
  - '*.pchelun.ru'

I get certificates for only two domains, and for the third domain I get an error during challenge creation:

Events:
  Type     Reason        Age              From                     Message
  ----     ------        ----             ----                     -------
  Normal   Started       8s               cert-manager-challenges  Challenge scheduled for processing
  Warning  PresentError  2s (x3 over 7s)  cert-manager-challenges  Error presenting challenge: no public zone muffs.ru. found

All zones in Yandex Cloud DNS are configured properly and used with no issues. I don't see any errors in the yandex-webhook container:

I0906 22:47:29.573907       1 secure_serving.go:266] Serving securely on 0.0.0.0:443
I0906 22:47:29.573974       1 requestheader_controller.go:169] Starting RequestHeaderAuthRequestController
I0906 22:47:29.573987       1 shared_informer.go:240] Waiting for caches to sync for RequestHeaderAuthRequestController
I0906 22:47:29.574011       1 dynamic_serving_content.go:129] "Starting controller" name="serving-cert::/tls/tls.crt::/tls/tls.key"
I0906 22:47:29.574050       1 tlsconfig.go:240] "Starting DynamicServingCertificateController"
I0906 22:47:29.574099       1 apf_controller.go:299] Starting API Priority and Fairness config controller
I0906 22:47:29.575617       1 configmap_cafile_content.go:201] "Starting controller" name="client-ca::kube-system::extension-apiserver-authentication::client-ca-file"
I0906 22:47:29.575633       1 shared_informer.go:240] Waiting for caches to sync for client-ca::kube-system::extension-apiserver-authentication::client-ca-file
I0906 22:47:29.575656       1 configmap_cafile_content.go:201] "Starting controller" name="client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file"
I0906 22:47:29.575660       1 shared_informer.go:240] Waiting for caches to sync for client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file
I0906 22:47:29.674586       1 apf_controller.go:304] Running API Priority and Fairness config worker
I0906 22:47:29.674679       1 shared_informer.go:247] Caches are synced for RequestHeaderAuthRequestController 
I0906 22:47:29.675820       1 shared_informer.go:247] Caches are synced for client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file 
I0906 22:47:29.675824       1 shared_informer.go:247] Caches are synced for client-ca::kube-system::extension-apiserver-authentication::client-ca-file 
I0907 09:36:13.250369       1 trace.go:205] Trace[1597883780]: "Create" url:/apis/acme.cloud.yandex.com/v1alpha1/yandex-cloud-dns,user-agent:cert-manager-challenges/v1.9.1 (linux/amd64) cert-manager/4486c01f726f17d2790a8a563ae6bc6e98465505,audit-id:79ca64e6-489e-4e4f-9c66-f476d84a6435,client:10.200.210.107,accept:application/json, */*,protocol:HTTP/2.0 (07-Sep-2022 09:36:12.745) (total time: 505ms):
Trace[1597883780]: ---"Object stored in database" 504ms (09:36:13.250)
Trace[1597883780]: [505.057642ms] [505.057642ms] END

But I still have issues with:

Error presenting challenge: no public zone muffs.ru. found

yandex-cloud-dns.acme.cloud.yandex.com is forbidden

I don't understand why the account doesn't have access;
the account has the "dns.editor" role in the directory.

cert-manager/challenges "msg"="re-queuing item due to error processing" "error"="yandex-cloud-dns.acme.cloud.yandex.com is forbidden: User \"system:serviceaccount:cert-manager:certmanager-cert-manager\" cannot create resource \"yandex-cloud-dns\" in API group \"acme.cloud.yandex.com\" at the cluster scope" "key"="default/example-com-mzr2j-1730014154-645249238"

Please help me solve the problem.

"cert-manager" cannot create resource "yandex-cloud-dns"

Hi.
Following the README, I deployed cert-manager and cert-manager-webhook-yandex via Argo CD to my dev Kubernetes cluster using the default variables from the charts. But my certificate challenge is stuck with the error:
"Error presenting challenge: yandex-cloud-dns.acme.cloud.yandex.com is forbidden: User "system:serviceaccount:cert-manager:dev-cert-manager" cannot create resource "yandex-cloud-dns" in API group "acme.cloud.yandex.com" at the cluster scope"
Any chance to fix that?

K8s Rev: v1.23.6
ArgoCD v2.3.3+07ac038
cert-manager chart v1.13.0

flowcontrol errors in the logs

After the Helm chart is started, the webhook logs show errors like these:

W0422 12:26:10.468602       1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:test-certmanager-webhook:cert-manager-webhook-cert-manager-webhook-yandex" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0422 12:26:10.468664       1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta2.PriorityLevelConfiguration: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:test-certmanager-webhook:cert-manager-webhook-cert-manager-webhook-yandex" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
W0422 12:26:38.522115       1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:test-certmanager-webhook:cert-manager-webhook-cert-manager-webhook-yandex" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0422 12:26:38.522153       1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta2.FlowSchema: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:test-certmanager-webhook:cert-manager-webhook-cert-manager-webhook-yandex" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
W0422 12:26:57.602042       1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:test-certmanager-webhook:cert-manager-webhook-cert-manager-webhook-yandex" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0422 12:26:57.602077       1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta2.PriorityLevelConfiguration: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:test-certmanager-webhook:cert-manager-webhook-cert-manager-webhook-yandex" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
W0422 12:27:34.407068       1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:test-certmanager-webhook:cert-manager-webhook-cert-manager-webhook-yandex" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0422 12:27:34.407101       1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta2.FlowSchema: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:test-certmanager-webhook:cert-manager-webhook-cert-manager-webhook-yandex" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
W0422 12:27:36.401234       1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:test-certmanager-webhook:cert-manager-webhook-cert-manager-webhook-yandex" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0422 12:27:36.401270       1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta2.PriorityLevelConfiguration: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:test-certmanager-webhook:cert-manager-webhook-cert-manager-webhook-yandex" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope

Webhook does not work for kubernetes 1.26+

Hello, I'm trying to complete DNS-01 challenge on k3s version v1.28.5+k3s1

It looks like the webhook is not working correctly if you look at the logs:

pentusha at arco in ~ 
$ kubectl logs yandex-webhook-cert-manager-webhook-yandex-5cd9d96999-k49nf -n cert-manager --tail 2
E0206 11:33:52.928712       1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta1.PriorityLevelConfiguration: failed to list *v1beta1.PriorityLevelConfiguration: the server could not find the requested resource
E0206 11:34:15.513545       1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta1.FlowSchema: failed to list *v1beta1.FlowSchema: the server could not find the requested resource

I did some googling and found that this schema was deprecated and has actually been removed since 1.26.

failed calling webhook "webhook.cert-manager.io"

Hi. I have a cluster where, some time ago, cert-manager-webhook-yandex was installed, tested and removed. Now I'm trying to install cert-manager-webhook-regru and I've got an error:

client.go:128: [debug] creating 15 resource(s)
Error: INSTALLATION FAILED: Internal error occurred: failed calling webhook "webhook.cert-manager.io": failed to call webhook: Post "https://dev-cert-manager-webhook-yandex-webhook.cert-manager.svc:443/mutate?timeout=10s": service "dev-cert-manager-webhook-yandex-webhook" not found
helm.go:84: [debug] Internal error occurred: failed calling webhook "webhook.cert-manager.io": failed to call webhook: Post "https://dev-cert-manager-webhook-yandex-webhook.cert-manager.svc:443/mutate?timeout=10s": service "dev-cert-manager-webhook-yandex-webhook" not found
INSTALLATION FAILED

I've tried removing all resources with acme|cert-manager names, clearing all CRDs, and doing a clean install of cert-manager and cert-manager-webhook-regru.
And I still get this error anyway. Can you help me with debugging?

k8s: v1.23.6
helm: v3.8.1
cert-manager: chart: 1.13.2
cert-manager-webhook-regru: 1.1.0
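The error above shows the shape of the problem: an admission webhook configuration (webhook.cert-manager.io) still points at a Service, dev-cert-manager-webhook-yandex-webhook in the cert-manager namespace, that no longer exists, so the API server fails every request that webhook matches, including Helm's creation of the new release's resources. Removing charts and CRDs does not touch MutatingWebhookConfiguration or ValidatingWebhookConfiguration objects, which is why a clean reinstall does not clear it. The script below is an added example, not code from either webhook project: it takes the webhook-to-service references and the list of existing Services and prints the stale entries. The sample data is constructed (the configuration names are placeholders, the Service name is the one from the error), and the live commands in the comments assume jq is installed.

```shell
#!/bin/sh
# Added example (not from the project): find admission webhook configurations
# whose target Service no longer exists. A stale entry keeps failing every
# API request it matches, so it should be found and removed deliberately.
#
# Live data would come from (first command needs jq):
#   kubectl get mutatingwebhookconfigurations,validatingwebhookconfigurations -o json \
#     | jq -r '.items[] | .metadata.name as $c | .webhooks[] | select(.clientConfig.service)
#              | "\($c) \(.name) \(.clientConfig.service.namespace)/\(.clientConfig.service.name)"'
#   kubectl get svc -A -o jsonpath='{range .items[*]}{.metadata.namespace}/{.metadata.name}{"\n"}{end}'

# Constructed sample: one entry points at the Service named in the error
# above, which no longer exists; configuration names are placeholders.
WEBHOOKS='example-stale-config webhook.cert-manager.io cert-manager/dev-cert-manager-webhook-yandex-webhook
example-regru-config webhook.cert-manager.io cert-manager/cert-manager-webhook-regru'
SERVICES='cert-manager/cert-manager-webhook-regru
kube-system/kube-dns'

# stale_webhooks WEBHOOK_LINES SERVICE_LINES
# Prints "<config> <webhook> <ns>/<service>" for each webhook whose Service
# is absent from SERVICE_LINES. Exact fixed-string matching (grep -xF) so
# "cert-manager/foo" does not match "cert-manager/foo-bar".
stale_webhooks() {
    printf '%s\n' "$1" | while read -r cfg hook svc; do
        [ -n "$cfg" ] || continue
        if ! printf '%s\n' "$2" | grep -qxF "$svc"; then
            printf '%s %s %s\n' "$cfg" "$hook" "$svc"
        fi
    done
}

# Usage: list the stale entries, confirm the owning release really is gone,
# then delete that configuration (kubectl delete mutatingwebhookconfiguration <name>).
stale_webhooks "$WEBHOOKS" "$SERVICES"
```

The check is read-only; deleting a configuration that a live webhook still owns would silently disable that webhook's validation, so match the configuration name against the installed releases before removing it.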
