flant / cert-manager-webhook-regru
The webhook and the ClusterIssuer resource for automatic provisioning of reg.ru SSL certificates in Kubernetes
License: Apache License 2.0
Cluster was obtained using Yandex.Cloud Managed Kubernetes solution.
Any modifications of RBAC roles didn't work.
kubectl get challenge letsencrypt-jvzb2-2152256332-2670382356 -o yaml
apiVersion: acme.cert-manager.io/v1
kind: Challenge
metadata:
  creationTimestamp: "2023-02-16T06:07:51Z"
  finalizers:
  - finalizer.acme.cert-manager.io
  generation: 1
  name: letsencrypt-jvzb2-2152256332-2670382356
  namespace: quickclick-prod
  ownerReferences:
  - apiVersion: acme.cert-manager.io/v1
    blockOwnerDeletion: true
    controller: true
    kind: Order
    name: letsencrypt-jvzb2-2152256332
    uid: f5b3b927-e3ff-4f09-b92a-cb7521949d21
  resourceVersion: "1634916"
  uid: 6182c5bc-8c09-4d26-be53-60c45578b3b8
spec:
  authorizationURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/203731144196
  dnsName: quickclick.online
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: letsencrypt
  key: dDlzkoMWZo5NLYFs8-XpPvEmEGdikSbIOfVu3WNJW84
  solver:
    dns01:
      webhook:
        config:
          regruPasswordSecretRef:
            key: REGRU_PASSWORD
            name: regru-password
        groupName: acme.regru.ru
        solverName: regru-dns
  token: O8lRYSJ9eiWHWXUT0DR00EQxRt8RRmvsT5QbznbKqTc
  type: DNS-01
  url: https://acme-v02.api.letsencrypt.org/acme/chall-v3/203731144196/Y_IJnA
  wildcard: true
status:
  presented: false
  processing: true
  reason: 'regru-dns.acme.regru.ru is forbidden: User "system:serviceaccount:cert-manager:cert-manager"
    cannot create resource "regru-dns" in API group "acme.regru.ru" at the cluster
    scope'
  state: pending
Chunk of web hook pod logs:
W0216 14:36:52.248111 1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0216 14:36:52.248146 1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta2.FlowSchema: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
W0216 14:37:12.841566 1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0216 14:37:12.841599 1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta2.PriorityLevelConfiguration: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
W0216 14:37:36.658052 1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0216 14:37:36.658085 1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta2.FlowSchema: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
W0216 14:37:50.056745 1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0216 14:37:50.056784 1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta2.PriorityLevelConfiguration: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
W0216 14:38:11.480925 1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0216 14:38:11.480971 1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta2.FlowSchema: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
W0216 14:38:30.946739 1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0216 14:38:30.946771 1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta2.PriorityLevelConfiguration: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
W0216 14:38:59.318790 1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0216 14:38:59.318823 1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta2.FlowSchema: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
W0216 14:39:06.331360 1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0216 14:39:06.331395 1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta2.PriorityLevelConfiguration: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
W0216 14:39:41.699617 1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0216 14:39:41.699647 1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta2.PriorityLevelConfiguration: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
W0216 14:39:53.112315 1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0216 14:39:53.112346 1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta2.FlowSchema: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
W0216 14:40:14.262299 1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0216 14:40:14.262335 1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta2.PriorityLevelConfiguration: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
W0216 14:40:44.408353 1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0216 14:40:44.408388 1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta2.FlowSchema: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
W0216 14:40:56.726358 1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0216 14:40:56.726393 1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta2.PriorityLevelConfiguration: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
W0216 14:41:31.558256 1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0216 14:41:31.558295 1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta2.FlowSchema: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
W0216 14:41:49.052948 1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0216 14:41:49.052976 1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta2.PriorityLevelConfiguration: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
W0216 14:42:19.766463 1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0216 14:42:19.766503 1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta2.FlowSchema: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
W0216 14:42:45.955955 1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0216 14:42:45.955983 1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta2.PriorityLevelConfiguration: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
Webhook fails during certificate request with the following error message:
pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta2.FlowSchema: the server could not find the requested resource
pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta2.FlowSchema: failed to list *v1beta2.FlowSchema: the server could not find the requested resource
pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta2.PriorityLevelConfiguration: the server could not find the requested resource
pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta2.PriorityLevelConfiguration: failed to list *v1beta2.PriorityLevelConfiguration: the server could not find the requested resource
Are we missing some APIs / dependencies in our k8s setup (or maybe even our k8s version is not supported)?
Couldn't find any requirements in docs.
We use:
Hi. I have a cluster where, some time ago, cert-manager-webhook-yandex was installed, tested and removed. Now I try to install cert-manager-webhook-regru and I've got an error:
client.go:128: [debug] creating 15 resource(s)
Error: INSTALLATION FAILED: Internal error occurred: failed calling webhook "webhook.cert-manager.io": failed to call webhook: Post "https://dev-cert-manager-webhook-yandex-webhook.cert-manager.svc:443/mutate?timeout=10s": service "dev-cert-manager-webhook-yandex-webhook" not found
helm.go:84: [debug] Internal error occurred: failed calling webhook "webhook.cert-manager.io": failed to call webhook: Post "https://dev-cert-manager-webhook-yandex-webhook.cert-manager.svc:443/mutate?timeout=10s": service "dev-cert-manager-webhook-yandex-webhook" not found
INSTALLATION FAILED
I've tried to remove all resources with acme|cert-manager names, cleared all CRDs, and made a clean install of cert-manager and cert-manager-webhook-regru.
And anyway I got this error. Can you help me with debugging?
k8s: v1.23.6
helm: v3.8.1
cert-manager: chart: 1.13.2
cert-manager-webhook-regru: 1.1.0
then you can find it via a query from the official documentation
cert-manager-webhook
https://cert-manager.io/docs/configuration/acme/dns01/webhook/
https://github.com/topics/cert-manager-webhook
https://github.com/selectel/cert-manager-webhook-selectel
Hi. Tried to issue a wildcard certificate with this manifest:
- apiVersion: cert-manager.io/v1
  kind: Certificate
  metadata:
    name: wildcard-infra-example-com
  spec:
    secretName: wildcard-infra-example-com-secret
    issuerRef:
      name: regru-dns
      kind: ClusterIssuer
    dnsNames:
    - "*.infra.example.com"
But in the pod log I see the URL:
api.reg.ru/api/regru2/zone/add_txt?input_data=%7B%22username%22%3A%22my_regru_user%22%2C%22password%22%3A%22smy_regru_password%22%2C%22domains%22%3A%5B%7B%22dname%22%3A%22%22%7D%5D%2C%22subdomain%22%3A%22_acme-challenge.infra.example.com.%22%2C%22text%22%3A%22CIFuiEULSPsSYQIemqFM0-dAreebSWy-LdWUw_QoMzw%22%2C%22output_content_type%22%3A%22plain%22%7D&input_format=json
And the error response from the API:
{
   "answer" : {
      "domains" : [
         {
            "error_code" : "NO_DOMAIN",
            "error_text" : "domain_name not given or empty",
            "result" : "error"
         }
      ]
   },
   "charset" : "utf-8",
   "messagestore" : null,
   "result" : "success"
}
As I understand from the API docs, my URL format is wrong; it should be:
api.reg.ru/api/regru2/zone/add_txt?input_data=%7B%22username%22%3A%22test%22%2C%22password%22%3A%22test%22%2C%22domains%22%3A%5B%7B%22dname%22%3A%22test.ru%22%7D%2C%7B%22dname%22%3A%22test.com%22%7D%5D%2C%22subdomain%22%3A%22mail%22%2C%22text%22%3A%22testmail%22%2C%22output_content_type%22%3A%22plain%22%7D&input_format=json
the zone can be calculated through requests to api
https://www.reg.ru/reseller/api2doc#zone_nop
you also need to consider dns delegation in _acme-challenge https://letsencrypt.org/docs/challenge-types/
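An added example, not code from this project: one way to split the challenge FQDN into the `dname` and `subdomain` fields of `input_data` so that an empty `dname` is never sent, and to mask the password before the request is written to a pod log. The names `splitFQDN`, `buildInputData` and `redact` are hypothetical, and the zone list is assumed to have been obtained separately (for example from the registrar API, as the reply suggests).

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// addTXT mirrors the input_data fields visible in the URLs quoted above.
type addTXT struct {
	Username          string              `json:"username"`
	Password          string              `json:"password"`
	Domains           []map[string]string `json:"domains"`
	Subdomain         string              `json:"subdomain"`
	Text              string              `json:"text"`
	OutputContentType string              `json:"output_content_type"`
}

// splitFQDN (hypothetical helper) picks the longest zone that contains fqdn on
// a label boundary and returns it with the record name relative to that zone.
func splitFQDN(fqdn string, zones []string) (dname, sub string, err error) {
	name := strings.ToLower(strings.TrimSuffix(fqdn, "."))
	for _, z := range zones {
		z = strings.ToLower(strings.TrimSuffix(z, "."))
		if z != "" && strings.HasSuffix(name, "."+z) && len(z) > len(dname) {
			dname = z
		}
	}
	if dname == "" {
		return "", "", errors.New("no known zone contains " + fqdn)
	}
	return dname, strings.TrimSuffix(name, "."+dname), nil
}

// buildInputData fails closed: no zone match means no request body at all.
func buildInputData(user, pass, fqdn, text string, zones []string) (string, error) {
	dname, sub, err := splitFQDN(fqdn, zones)
	if err != nil {
		return "", err
	}
	b, err := json.Marshal(addTXT{user, pass, []map[string]string{{"dname": dname}}, sub, text, "plain"})
	return string(b), err
}

// redact returns a copy of input_data with the password masked, for logging.
func redact(inputData string) (string, error) {
	var r addTXT
	if err := json.Unmarshal([]byte(inputData), &r); err != nil {
		return "", err
	}
	r.Password = "***"
	b, err := json.Marshal(r)
	return string(b), err
}

func main() {
	in, err := buildInputData("my_regru_user", "constructed-password", // constructed sample values
		"_acme-challenge.infra.example.com.", "constructed-txt", []string{"example.com"})
	if err != nil {
		panic(err)
	}
	fmt.Println(redact(in))
}
```

With only `example.com` in the zone list the record becomes `_acme-challenge.infra` in zone `example.com`; if `infra.example.com` is also a zone, the longer match wins and the record is `_acme-challenge`.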