cert-manager-webhook-regru's People

Contributors

c0rnota, maksim-kuprienko, perhamm, wildgecko

cert-manager-webhook-regru's Issues

Cert-manager account cannot create resource regru-dns at the cluster scope

Cluster was obtained using Yandex.Cloud Managed Kubernetes solution.
Any modifications of RBAC roles didn't work.

kubectl get challenge letsencrypt-jvzb2-2152256332-2670382356 -o yaml

apiVersion: acme.cert-manager.io/v1
kind: Challenge
metadata:
  creationTimestamp: "2023-02-16T06:07:51Z"
  finalizers:
  - finalizer.acme.cert-manager.io
  generation: 1
  name: letsencrypt-jvzb2-2152256332-2670382356
  namespace: quickclick-prod
  ownerReferences:
  - apiVersion: acme.cert-manager.io/v1
    blockOwnerDeletion: true
    controller: true
    kind: Order
    name: letsencrypt-jvzb2-2152256332
    uid: f5b3b927-e3ff-4f09-b92a-cb7521949d21
  resourceVersion: "1634916"
  uid: 6182c5bc-8c09-4d26-be53-60c45578b3b8
spec:
  authorizationURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/203731144196
  dnsName: quickclick.online
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: letsencrypt
  key: dDlzkoMWZo5NLYFs8-XpPvEmEGdikSbIOfVu3WNJW84
  solver:
    dns01:
      webhook:
        config:
          regruPasswordSecretRef:
            key: REGRU_PASSWORD
            name: regru-password
        groupName: acme.regru.ru
        solverName: regru-dns
  token: O8lRYSJ9eiWHWXUT0DR00EQxRt8RRmvsT5QbznbKqTc
  type: DNS-01
  url: https://acme-v02.api.letsencrypt.org/acme/chall-v3/203731144196/Y_IJnA
  wildcard: true
status:
  presented: false
  processing: true
  reason: 'regru-dns.acme.regru.ru is forbidden: User "system:serviceaccount:cert-manager:cert-manager"
    cannot create resource "regru-dns" in API group "acme.regru.ru" at the cluster
    scope'
  state: pending

Chunk of webhook pod logs:

W0216 14:36:52.248111       1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0216 14:36:52.248146       1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta2.FlowSchema: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
W0216 14:37:12.841566       1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0216 14:37:12.841599       1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta2.PriorityLevelConfiguration: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
W0216 14:37:36.658052       1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0216 14:37:36.658085       1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta2.FlowSchema: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
W0216 14:37:50.056745       1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0216 14:37:50.056784       1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta2.PriorityLevelConfiguration: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
W0216 14:38:11.480925       1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0216 14:38:11.480971       1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta2.FlowSchema: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
W0216 14:38:30.946739       1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0216 14:38:30.946771       1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta2.PriorityLevelConfiguration: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
W0216 14:38:59.318790       1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0216 14:38:59.318823       1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta2.FlowSchema: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
W0216 14:39:06.331360       1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0216 14:39:06.331395       1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta2.PriorityLevelConfiguration: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
W0216 14:39:41.699617       1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0216 14:39:41.699647       1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta2.PriorityLevelConfiguration: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
W0216 14:39:53.112315       1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0216 14:39:53.112346       1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta2.FlowSchema: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
W0216 14:40:14.262299       1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0216 14:40:14.262335       1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta2.PriorityLevelConfiguration: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
W0216 14:40:44.408353       1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0216 14:40:44.408388       1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta2.FlowSchema: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
W0216 14:40:56.726358       1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0216 14:40:56.726393       1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta2.PriorityLevelConfiguration: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
W0216 14:41:31.558256       1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0216 14:41:31.558295       1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta2.FlowSchema: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
W0216 14:41:49.052948       1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0216 14:41:49.052976       1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta2.PriorityLevelConfiguration: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
W0216 14:42:19.766463       1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0216 14:42:19.766503       1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta2.FlowSchema: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
W0216 14:42:45.955955       1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0216 14:42:45.955983       1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta2.PriorityLevelConfiguration: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
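An added example (not part of the issue or the project's code): a Go program that reads "forbidden" messages like the ones quoted above and prints the narrowest ClusterRole rules that cover them for one service account. The names Denial, ParseDenials and ClusterRoleRules are hypothetical, and the sample text is constructed from the messages in this issue with the log prefixes shortened.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Denial is one cluster-scope permission the API server refused.
type Denial struct{ Namespace, Account, Verb, Resource, Group string }

// \s+ tolerates the line wrapping applied to long status strings in YAML output.
var denialRe = regexp.MustCompile(`User "system:serviceaccount:([^:"]+):([^"]+)"\s+cannot\s+(\w+)\s+resource\s+"([^"]+)"\s+in\s+API\s+group\s+"([^"]*)"\s+at\s+the\s+cluster\s+scope`)

// ParseDenials returns the distinct denials found in text, in sorted order.
func ParseDenials(text string) []Denial {
	seen := map[Denial]bool{}
	var out []Denial
	for _, m := range denialRe.FindAllStringSubmatch(text, -1) {
		d := Denial{m[1], m[2], m[3], m[4], m[5]}
		if !seen[d] {
			seen[d] = true
			out = append(out, d)
		}
	}
	sort.Slice(out, func(i, j int) bool { return fmt.Sprint(out[i]) < fmt.Sprint(out[j]) })
	return out
}

// ClusterRoleRules renders a rules: block covering the denials recorded for one
// service account. Only verbs seen in the input are granted. A reflector needs
// both list and watch; only list shows up in the log because it fails first.
func ClusterRoleRules(ds []Denial, namespace, account string) string {
	var b strings.Builder
	b.WriteString("rules:\n")
	for _, d := range ds {
		if d.Namespace != namespace || d.Account != account {
			continue
		}
		fmt.Fprintf(&b, "- apiGroups: [%q]\n  resources: [%q]\n  verbs: [%q]\n", d.Group, d.Resource, d.Verb)
	}
	return b.String()
}

// sample is constructed from the messages quoted in the issue (prefixes shortened).
const sample = `reason: 'regru-dns.acme.regru.ru is forbidden: User "system:serviceaccount:cert-manager:cert-manager"
    cannot create resource "regru-dns" in API group "acme.regru.ru" at the cluster
    scope'
W0216 reflector.go:167: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0216 reflector.go:167: Failed to watch *v1beta2.FlowSchema: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
W0216 reflector.go:167: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
`

func main() {
	ds := ParseDenials(sample)
	for _, d := range ds {
		fmt.Printf("%s/%s: %s %s.%s\n", d.Namespace, d.Account, d.Verb, d.Resource, d.Group)
	}
	fmt.Print(ClusterRoleRules(ds, "cert-manager", "cert-manager"))
}
```

The two service accounts in the messages need separate bindings: the solver permission goes to cert-manager's own account, the flowcontrol reads to the webhook's account.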

Webhook fails: couldn't find resource FlowSchema, couldn't find PriorityLevelConfiguration

Webhook fails during certificate request with the following error message:

pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta2.FlowSchema: the server could not find the requested resource
pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta2.FlowSchema: failed to list *v1beta2.FlowSchema: the server could not find the requested resource
pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta2.PriorityLevelConfiguration: the server could not find the requested resource
pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta2.PriorityLevelConfiguration: failed to list *v1beta2.PriorityLevelConfiguration: the server could not find the requested resource

Are we missing some APIs / dependencies in our k8s setup (or maybe even our k8s version is not supported)?
Couldn't find any requirements in docs.

We use:

  • k8s - 1.21.1
  • webhook - 1.0.0

failed calling webhook "webhook.cert-manager.io"

Hi. I have a cluster where, some time ago, cert-manager-webhook-yandex was installed, tested and removed. Now I am trying to install cert-manager-webhook-regru and I got this error:

client.go:128: [debug] creating 15 resource(s)
Error: INSTALLATION FAILED: Internal error occurred: failed calling webhook "webhook.cert-manager.io": failed to call webhook: Post "https://dev-cert-manager-webhook-yandex-webhook.cert-manager.svc:443/mutate?timeout=10s": service "dev-cert-manager-webhook-yandex-webhook" not found
helm.go:84: [debug] Internal error occurred: failed calling webhook "webhook.cert-manager.io": failed to call webhook: Post "https://dev-cert-manager-webhook-yandex-webhook.cert-manager.svc:443/mutate?timeout=10s": service "dev-cert-manager-webhook-yandex-webhook" not found
INSTALLATION FAILED

I've tried to remove all resources with acme|cert-manager names, cleared all CRDs, and made a clean install of cert-manager and cert-manager-webhook-regru.
And anyway I got this error. Can you help me with debugging?

k8s: v1.23.6
helm: v3.8.1
cert-manager: chart: 1.13.2
cert-manager-webhook-regru: 1.1.0

domain_name not given or empty

Hi. Tried to issue a wildcard certificate with this manifest:

- apiVersion: cert-manager.io/v1
  kind: Certificate
  metadata:
    name: wildcard-infra-example-com
  spec:
    secretName: wildcard-infra-example-com-secret
    issuerRef:
      name: regru-dns
      kind: ClusterIssuer
    dnsNames:
      - "*.infra.example.com"

But in the pod log I see this URL:
api.reg.ru/api/regru2/zone/add_txt?input_data=%7B%22username%22%3A%22my_regru_user%22%2C%22password%22%3A%22smy_regru_password%22%2C%22domains%22%3A%5B%7B%22dname%22%3A%22%22%7D%5D%2C%22subdomain%22%3A%22_acme-challenge.infra.example.com.%22%2C%22text%22%3A%22CIFuiEULSPsSYQIemqFM0-dAreebSWy-LdWUw_QoMzw%22%2C%22output_content_type%22%3A%22plain%22%7D&input_format=json

And the error response from the API:

{
   "answer" : {
      "domains" : [
         {
            "error_code" : "NO_DOMAIN",
            "error_text" : "domain_name not given or empty",
            "result" : "error"
         }
      ]
   },
   "charset" : "utf-8",
   "messagestore" : null,
   "result" : "success"
}

As I understand from the API docs, my URL format is wrong; it should be
api.reg.ru/api/regru2/zone/add_txt?input_data=%7B%22username%22%3A%22test%22%2C%22password%22%3A%22test%22%2C%22domains%22%3A%5B%7B%22dname%22%3A%22test.ru%22%7D%2C%7B%22dname%22%3A%22test.com%22%7D%5D%2C%22subdomain%22%3A%22mail%22%2C%22text%22%3A%22testmail%22%2C%22output_content_type%22%3A%22plain%22%7D&input_format=json
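An added example (not the project's code): a Go program that splits the challenge record name into the `dname` and `subdomain` values the request above needs, and that treats the quoted reply as a failure even though its top-level `result` is `success`. SplitChallengeName and CheckReply are hypothetical names; the parameters mirror cert-manager's ChallengeRequest fields ResolvedFQDN and ResolvedZone, and it is assumed that a successful per-domain entry carries `"result": "success"`.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// SplitChallengeName splits the record name into the reg.ru "dname" (the zone)
// and "subdomain" (the labels relative to that zone).
func SplitChallengeName(resolvedFQDN, resolvedZone string) (dname, subdomain string, err error) {
	fqdn := strings.ToLower(strings.TrimSuffix(resolvedFQDN, "."))
	zone := strings.ToLower(strings.TrimSuffix(resolvedZone, "."))
	if zone == "" {
		// This is the case in the issue: the request went out with dname "".
		return "", "", errors.New("zone is empty; request would carry dname \"\"")
	}
	if !strings.HasSuffix(fqdn, "."+zone) {
		return "", "", fmt.Errorf("%q is not a name below zone %q", fqdn, zone)
	}
	return zone, strings.TrimSuffix(fqdn, "."+zone), nil
}

// apiReply mirrors only the fields visible in the reply quoted in the issue.
type apiReply struct {
	Result string `json:"result"`
	Answer struct {
		Domains []struct {
			Result    string `json:"result"`
			ErrorCode string `json:"error_code"`
			ErrorText string `json:"error_text"`
		} `json:"domains"`
	} `json:"answer"`
}

// CheckReply returns an error when the call or any per-domain entry failed.
// Assumption: a per-domain entry reports "success" when the record was added.
func CheckReply(body []byte) error {
	var r apiReply
	if err := json.Unmarshal(body, &r); err != nil {
		return fmt.Errorf("decode reply: %w", err)
	}
	if r.Result != "success" {
		return fmt.Errorf("request failed: result=%q", r.Result)
	}
	for _, d := range r.Answer.Domains {
		if d.Result != "success" {
			return fmt.Errorf("%s: %s", d.ErrorCode, d.ErrorText)
		}
	}
	return nil
}

// reply is the response body quoted in the issue, compacted onto one line.
const reply = `{"answer":{"domains":[{"error_code":"NO_DOMAIN","error_text":"domain_name not given or empty","result":"error"}]},"charset":"utf-8","messagestore":null,"result":"success"}`

func main() {
	dname, sub, err := SplitChallengeName("_acme-challenge.infra.example.com.", "example.com.")
	fmt.Println(dname, sub, err)
	fmt.Println(CheckReply([]byte(reply)))
}
```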
