robbietjuh / cert-manager-webhook-transip Goto Github PK

Hey Robbie,

Do you think it would be possible to publish an ARM64 version? I'm running a k8s cluster on my raspberry pi and I would like to use this webhook to configure my ssl.

With kind regards,

Maaroen (Jeroen Nederlof)

Hello good people of cert-manager-webhook-transip

Im trying to use this chart for as a integration with Transip for DNS01 challenge to enable wildcard certificates.

So, what i did:

I have a installation of cert-manager (version cert-manager-v1.2.0-alpha.1) running in my cluster. And i can confirm that it is working. (i have created a issuer for http-01 challenge type and managed to create a valid certificate)

I followed the instructions and have deployed the chart with helm 3.

I have created a secret with the my credentials for transip.

The error im getting

When looking at the logs of the pod I seem to be getting a steady stream of errors:

I0316 14:58:35.976213       1 log.go:172] http: TLS handshake error from 10.164.0.12:34678: remote error: tls: bad certificate
I0316 14:58:36.198807       1 log.go:172] http: TLS handshake error from 10.164.0.14:59010: remote error: tls: bad certificate
I0316 14:58:36.228736       1 log.go:172] http: TLS handshake error from 10.164.0.20:59360: remote error: tls: bad certificate
I0316 14:58:39.136329       1 log.go:172] http: TLS handshake error from 10.164.15.198:37438: remote error: tls: bad certificate
I0316 14:58:39.800156       1 log.go:172] http: TLS handshake error from 10.164.15.237:41270: remote error: tls: bad certificate
I0316 14:58:52.488458       1 log.go:172] http: TLS handshake error from 10.164.15.237:41302: remote error: tls: bad certificate

And i was wondering what that meant, and how i can fix it.....

I imagine that its something silly that i have over looked....

Thanks in advance.

The deployment files are currently using apiVersion apiregistration.k8s.io/v1beta1 for the APIService, which is deprecated in 1.19+ and dropped completely in 1.22+.
The apiVersion to use is apiregistration.k8s.io/v1. This apiVersion has been available since 1.10. No notable changes or migration steps needed according to the migration guide.

Hello Robbie,

Do you have any idea what causes this error: Error presenting challenge: the server is currently unable to handle the request (post transip.cert-manager.webhook.transip)

This makes me unable to do the dns challenge.

After installing the webhook transip Helm chart, I get the following error in the apiserver:

2020-07-17T18:38:41.719870952+02:00 E0717 16:38:41.719691       1 controller.go:114] loading OpenAPI spec for "v1alpha1.cert-manager.webhook.transip" failed with: failed to retrieve openAPI spec, http error: ResponseCode: 503, Body: Error trying to reach service: 'x509: certificate signed by unknown authority', Header: map[Content-Type:[text/plain; charset=utf-8] X-Content-Type-Options:[nosniff]]

And this one in the transip webhook deployment:

http: TLS handshake error from 10.11.0.3:37218: remote error: tls: bad certificate

After looking into the Helm chart (https://github.com/robbietjuh/cert-manager-webhook-transip/blob/master/deploy/transip-webhook/templates/pki.yaml) I'm wondering why a self-signed certificate is used. Shouldn't we use the CA certificate from the config map kube-system/extension-apiserver-authentication::requestheader-client-ca-file so that the webhook is using certificates signed by the apiserver?