bwolf / cert-manager-webhook-gandi

This project is forked from cert-manager/webhook-example


A cert-manager webhook for creating an ACME DNS01 solver webhook for Gandi DNS

License: Apache License 2.0

Dockerfile 4.08% Go 75.03% Makefile 9.38% Mustache 9.39% Nix 2.12%
cert-manager cert-manager-webhook gandi webhook kubernetes letsencrypt tls

cert-manager-webhook-gandi's Introduction

ACME webhook for Gandi (cert-manager-webhook-gandi)

cert-manager-webhook-gandi is an ACME webhook for cert-manager. It provides an ACME (read: Let's Encrypt) webhook for cert-manager that allows using a DNS-01 challenge with Gandi. This makes it possible to provide Let's Encrypt certificates to Kubernetes for service protocols other than HTTP and, furthermore, to request wildcard certificates. Internally it uses the Gandi LiveDNS API to communicate with Gandi.

Quoting the ACME DNS-01 challenge:

This challenge asks you to prove that you control the DNS for your domain name by putting a specific value in a TXT record under that domain name. It is harder to configure than HTTP-01, but can work in scenarios that HTTP-01 can’t. It also allows you to issue wildcard certificates. After Let’s Encrypt gives your ACME client a token, your client will create a TXT record derived from that token and your account key, and put that record at _acme-challenge.<YOUR_DOMAIN>. Then Let’s Encrypt will query the DNS system for that record. If it finds a match, you can proceed to issue a certificate!

Building

Build the container image cert-manager-webhook-gandi:latest:

make build

Image

Ready-made images are hosted on Docker Hub (image tags). Use at your own risk:

bwolf/cert-manager-webhook-gandi

Release History

Refer to the CHANGELOG file.

Compatibility

This webhook has been tested with cert-manager v1.5.4 and Kubernetes v1.22.2 on amd64. In theory it should work on other hardware platforms as well but no steps have been taken to verify this. Please drop me a note if you had success.

Testing with Minikube

  1. Build this webhook in Minikube:

     minikube start --memory=4G --more-options
     eval $(minikube docker-env)
     make build
     docker images | grep webhook

  2. Install cert-manager with Helm:

     helm repo add jetstack https://charts.jetstack.io

     helm install cert-manager jetstack/cert-manager \
         --namespace cert-manager \
         --create-namespace \
         --set installCRDs=true \
         --version v1.5.4 \
         --set 'extraArgs={--dns01-recursive-nameservers=8.8.8.8:53\,1.1.1.1:53}'

     kubectl get pods --namespace cert-manager --watch

     Note: refer to Name servers in the official documentation regarding the extraArgs.

     Note: ensure that the custom CRDs of cert-manager match the major version of the cert-manager release by comparing the URL of the CRDs with the app version reported by Helm for the chart:

         helm search repo jetstack

     Example output:

         NAME                    CHART VERSION   APP VERSION     DESCRIPTION
         jetstack/cert-manager   v1.5.4          v1.5.4          A Helm chart for cert-manager

     Check the state and ensure that all pods are running fine (watch out for any issues regarding the cert-manager-webhook- pod and its volume mounts):

         kubectl describe pods -n cert-manager | less
  3. Create the secret to keep the Gandi API key in the cert-manager namespace:

     kubectl create secret generic gandi-credentials \
         --namespace cert-manager --from-literal=api-token='<GANDI-API-KEY>'

     The Secret must reside in the same namespace as cert-manager.

  4. Deploy this webhook (add --dry-run to try it and --debug to inspect the rendered manifests; set logLevel to 6 for verbose logs):

     The features.apiPriorityAndFairness argument must be removed or set to false for Kubernetes older than 1.20.

     helm install cert-manager-webhook-gandi \
         --namespace cert-manager \
         --set features.apiPriorityAndFairness=true \
         --set image.repository=cert-manager-webhook-gandi \
         --set image.tag=latest \
         --set logLevel=2 \
         ./deploy/cert-manager-webhook-gandi

     To deploy using the image from Docker Hub (for example using the 0.2.0 tag):

     helm install cert-manager-webhook-gandi \
         --namespace cert-manager \
         --set features.apiPriorityAndFairness=true \
         --set image.tag=0.2.0 \
         --set logLevel=2 \
         ./deploy/cert-manager-webhook-gandi

     To deploy using the Helm repository (for example using the v0.2.0 version):

     helm install cert-manager-webhook-gandi \
         --repo https://bwolf.github.io/cert-manager-webhook-gandi \
         --version v0.2.0 \
         --namespace cert-manager \
         --set features.apiPriorityAndFairness=true \
         --set logLevel=2

     Check the logs:

         kubectl get pods -n cert-manager --watch
         kubectl logs -n cert-manager cert-manager-webhook-gandi-XYZ
  5. Create a staging issuer (email addresses with the suffix example.com are forbidden).

     See letsencrypt-staging-issuer.yaml

     Don't forget to replace the email [email protected].

     Check the status of the Issuer:

     kubectl describe issuer letsencrypt-staging

     You can deploy a ClusterIssuer instead: see letsencrypt-staging-clusterissuer.yaml

     Note: The production Issuer is similar.

  6. Issue a Certificate for your domain: see certif-example-com.yaml

     Replace your-domain and your.domain in certif-example-com.yaml

     Create the Certificate:

     kubectl apply -f ./examples/certificates/certif-example-com.yaml

     Check the status of the Certificate:

     kubectl describe certificate example-com

     Display the details like the common name and subject alternative names:

     kubectl get secret example-com-tls -o yaml

     If you deployed a ClusterIssuer: use certif-example-com-clusterissuer.yaml

  7. Issue a wildcard Certificate for your domain: see certif-wildcard-example-com.yaml

     Replace your-domain and your.domain in certif-wildcard-example-com.yaml

     Create the Certificate:

     kubectl apply -f ./examples/certificates/certif-wildcard-example-com.yaml

     Check the status of the Certificate:

     kubectl describe certificate wildcard-example-com

     Display the details like the common name and subject alternative names:

     kubectl get secret wildcard-example-com-tls -o yaml

     If you deployed a ClusterIssuer: use certif-wildcard-example-com-clusterissuer.yaml

  8. Uninstall this webhook:

     helm uninstall cert-manager-webhook-gandi --namespace cert-manager
     kubectl delete secret gandi-credentials --namespace cert-manager

  9. Uninstalling cert-manager: This is out of scope here. Refer to the official documentation.

Development

Note: If some tool (IDE or build process) fails to resolve a dependency, the cause may be that an indirect dependency uses bzr for versioning. In such a case it may help to put the bzr binary into $PATH or $GOPATH/bin.

Release process (automated with GitHub actions)

  • Changes in the Go code result in the build of a Docker image and the release of a new Helm chart
  • Changes at Helm chart level only result in the release of a new Chart without building a new Docker image
  • All other changes are pushed to master
  • All versions are to be documented in CHANGELOG

Note: All changes to the Go code or Helm chart must go with a version tag vX.X.X to trigger the GitHub workflow

Note: Any Helm chart release results in the creation of a GitHub release

Conformance test

Please note that the test is not a typical unit or integration test. Instead it invokes the webhook in a Kubernetes-like environment which asks the webhook to really call the DNS provider (i.e. Gandi). It attempts to create a TXT entry like cert-manager-dns01-tests.example.com, verifies the presence of the entry via Google DNS and finally removes the entry by calling the cleanup method of the webhook.

As said above, the conformance test is run against the real Gandi API. Therefore you must have a Gandi account, a domain and an API key.

cp testdata/gandi/api-key.yaml.sample testdata/gandi/api-key.yaml
echo -n $YOUR_GANDI_API_KEY | base64 | pbcopy # or xclip
$EDITOR testdata/gandi/api-key.yaml
TEST_ZONE_NAME=example.com. make test
make clean
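The DNS-01 mechanics quoted in the introduction (a TXT value derived from the token and the account key at _acme-challenge.<YOUR_DOMAIN>) and the verification step of the conformance test (look the record up at Google DNS before cleaning up) are shown together in the following Go program. It is an added example, not code from this repository: the token and thumbprint are constructed sample values, the resolver address follows the --dns01-recursive-nameservers setting used above, and all function names are my own.

```go
package main

import (
	"context"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net"
	"os"
	"strings"
	"time"
)

// ChallengeFQDN returns the name at which the DNS-01 TXT record must appear.
// A wildcard identifier (*.example.com) is validated at its base name, and a
// trailing dot is tolerated so zone names like "example.com." work as well.
func ChallengeFQDN(identifier string) string {
	name := strings.TrimSuffix(strings.TrimPrefix(identifier, "*."), ".")
	return "_acme-challenge." + name
}

// KeyAuthorization joins the challenge token with the base64url JWK
// thumbprint of the ACME account key (RFC 8555, section 8.1).
func KeyAuthorization(token, accountThumbprint string) string {
	return token + "." + accountThumbprint
}

// ExpectedTXTValue is base64url(SHA-256(keyAuthorization)), the string the CA
// looks for in the TXT RRset (RFC 8555, section 8.4).
func ExpectedTXTValue(token, accountThumbprint string) string {
	sum := sha256.Sum256([]byte(KeyAuthorization(token, accountThumbprint)))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// RecordPresent reports whether the observed TXT RRset carries the expected
// value. Quotes and surrounding whitespace are stripped because resolvers and
// CLI tools print TXT data differently; other values in the RRset are allowed
// because several orders may be in flight for the same name.
func RecordPresent(observed []string, expected string) bool {
	for _, r := range observed {
		if strings.Trim(strings.TrimSpace(r), `"`) == expected {
			return true
		}
	}
	return false
}

// LookupTXT asks one recursive resolver directly (e.g. "8.8.8.8:53"), so the
// check is not answered from a cluster-local cache.
func LookupTXT(ctx context.Context, nameserver, fqdn string) ([]string, error) {
	r := &net.Resolver{
		PreferGo: true,
		Dial: func(ctx context.Context, network, _ string) (net.Conn, error) {
			d := net.Dialer{Timeout: 5 * time.Second}
			return d.DialContext(ctx, network, nameserver)
		},
	}
	return r.LookupTXT(ctx, fqdn)
}

// WaitForRecord polls until the expected value is visible or ctx expires.
func WaitForRecord(ctx context.Context, nameserver, fqdn, expected string, interval time.Duration) error {
	for {
		records, err := LookupTXT(ctx, nameserver, fqdn)
		if err == nil && RecordPresent(records, expected) {
			return nil
		}
		select {
		case <-ctx.Done():
			return fmt.Errorf("record %s not observed at %s: %w", fqdn, nameserver, ctx.Err())
		case <-time.After(interval):
		}
	}
}

func main() {
	// Constructed sample values; in a real order both come from the ACME server and account key.
	token := "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
	thumbprint := "9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI"
	fqdn := ChallengeFQDN("*.example.com")
	want := ExpectedTXTValue(token, thumbprint)
	fmt.Printf("expecting TXT %s = %q\n", fqdn, want)

	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)
	defer cancel()
	if err := WaitForRecord(ctx, "8.8.8.8:53", fqdn, want, 10*time.Second); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("record propagated")
}
```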


cert-manager-webhook-gandi's Issues

Activity & kube 1.25/cert-manager 1.10 status?

I'm trying to make heads or tails of the logs on the webhook pod but to me this doesn't work anymore?

My certificates sit in "pending" waiting for ACME to see DNS records but I can't see the webhook even attempting to try gandi's api.

Challenge Header error

Hi,

I'm trying to set up acme certificates with the gandi webhook, but I have an error during the Challenge:

Error presenting challenge: unable to check TXT record: Get "https://api.gandi.net/v5/livedns/domains/mydomain.comrecords/_acme-challenge.staging/TXT": net/http: invalid header field value "Apikey my_api_key\n" for key Authorization

Is the \n character normal?

I've checked my secret and the apikey does not contain "\n"..

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  labels:
    app.kubernetes.io/instance: certificates
  name: lets-encrypt-issuer
  namespace: cert-manager
spec:
  acme:
    email: [email protected]
    preferredChain: ""
    privateKeySecretRef:
      name: letsencrypt
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    solvers:
    - dns01:
        webhook:
          config:
            apiKeySecretRef:
              key: api-token
              name: gandi-credentials
          groupName: acme.bwolf.me
          solverName: gandi

And my certificate :

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  labels:
    app.kubernetes.io/instance: certificates
  name: traefik-certificate
  namespace: traefik
spec:
  dnsNames:
  - '*.mydomain.com'
  issuerRef:
    kind: ClusterIssuer
    name: lets-encrypt-issuer
  secretName: traefik-public-cert

and my secret

apiVersion: v1
kind: Secret
metadata:
  name: gandi-credentials
  namespace: cert-manager
type: Opaque
data:
  api-token:  <base64 encoded apikey>

Support the same platforms with cert-manager

Hello and thank you for the nice project,

I would like to use the plugin in a Raspberry Pi Kubernetes cluster, but the official images are only available for amd64. Is it possible to add builds for arm64? Probably it makes sense to support the same platforms as cert-manager.

I think the necessary changes for supporting the new builds are minimal. The only thing that has to change is the platforms in the build step.

It should be changed to platforms: linux/amd64,linux/arm/v7,linux/arm64,linux/ppc64le,linux/s390x

Does it make sense to support more platforms?

Kind regards,
Vasileios

Compatibility with cert-manager 1.0

Hi,

I just upgraded cert-manager to 1.0.4 and have this during upgrade:

validatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook configured
Error from server: error when applying patch:
{"spec":{"duration":"43800h"}}
to:
Resource: "cert-manager.io/v1alpha2, Resource=certificates", GroupVersionKind: "cert-manager.io/v1alpha2, Kind=Certificate"
Name: "cert-manager-webhook-gandi-ca", Namespace: "cert-manager"
for: "manifests/cert-manager.yaml": conversion webhook for cert-manager.io/v1alpha2, Kind=Certificate failed: the server rejected our request for an unknown reason
Error from server: error when applying patch:
{"spec":{"duration":"8760h"}}
to:
Resource: "cert-manager.io/v1alpha2, Resource=certificates", GroupVersionKind: "cert-manager.io/v1alpha2, Kind=Certificate"
Name: "cert-manager-webhook-gandi-webhook-tls", Namespace: "cert-manager"
for: "manifests/cert-manager.yaml": conversion webhook for cert-manager.io/v1alpha2, Kind=Certificate failed: the server rejected our request for an unknown reason

This is related to certificates from https://github.com/bwolf/cert-manager-webhook-gandi/blob/master/deploy/cert-manager-webhook-gandi/templates/pki.yaml

Update to support Gandi Personal Access Tokens

Gandi is now advocating strongly for Personal Access Tokens and it can be a little difficult to find the correct place to get an API Key. These new Personal Access Tokens allow considerably more granularity in control, meaning we can scope them down to individual resources and specific permissions.

The primary differences between the API Key and the Personal Access Token appear to be:

  • Uses Authorization: Bearer <key> rather than Authorization: ApiKey <key>
  • Personal Access Token looks like a 40-character hex-string, whereas ApiKey is a 24 character [a-zA-Z0-9] string

This means that it could be possible to support both of these dynamically based on the shape of the supplied key and alter the Authorization: header accordingly.

Alternatively, you could store the "type" of key in the same Secret as the key itself.
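As an added example that is neither the project's code nor the issue author's, here is how the shape-based detection proposed above could look in Go, combined with normalization of the Secret value so a stray newline like the one reported in the "Challenge Header error" issue is rejected before the request is built. The base URL and path layout follow the LiveDNS URL quoted in that issue; the optional key-type hint, the scheme spelling "Apikey" (as printed in that error message) and all identifiers are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"regexp"
	"strings"
)

var (
	// Shapes taken from the issue text: a Personal Access Token is a 40-character
	// hex string, a classic API key a 24-character alphanumeric string.
	patShape    = regexp.MustCompile(`^[0-9a-fA-F]{40}$`)
	apiKeyShape = regexp.MustCompile(`^[A-Za-z0-9]{24}$`)
)

// NormalizeSecret turns the raw bytes of a Secret value into a usable credential.
// A trailing newline (e.g. from echo without -n) is stripped; any remaining
// whitespace or control byte is rejected here with a clear message instead of
// surfacing later as net/http's "invalid header field value".
func NormalizeSecret(raw []byte) (string, error) {
	s := strings.TrimSpace(string(raw))
	if s == "" {
		return "", errors.New("credential is empty")
	}
	for i := 0; i < len(s); i++ {
		if s[i] <= 0x20 || s[i] == 0x7f {
			return "", fmt.Errorf("credential contains whitespace or control byte 0x%02x at offset %d", s[i], i)
		}
	}
	return s, nil
}

// AuthorizationHeader picks the Gandi scheme. keyType may be "pat" or "apikey"
// when the Secret states the type explicitly (the issue's second suggestion);
// when empty, the shape of the credential decides, and an unrecognized shape
// is an error rather than a silent guess.
func AuthorizationHeader(credential, keyType string) (string, error) {
	switch strings.ToLower(keyType) {
	case "pat":
		return "Bearer " + credential, nil
	case "apikey":
		return "Apikey " + credential, nil
	case "":
		if patShape.MatchString(credential) {
			return "Bearer " + credential, nil
		}
		if apiKeyShape.MatchString(credential) {
			return "Apikey " + credential, nil
		}
		return "", errors.New("credential matches neither the PAT nor the API key shape; set the key type explicitly")
	}
	return "", fmt.Errorf("unknown key type %q", keyType)
}

// LiveDNSRecordURL builds the RRset URL. The zone loses its trailing dot and
// every segment is joined with an explicit slash, so the zone and the
// "records" segment can never run together.
func LiveDNSRecordURL(baseURL, zone, rrsetName, rrsetType string) string {
	return strings.TrimSuffix(baseURL, "/") + "/domains/" + strings.TrimSuffix(zone, ".") +
		"/records/" + rrsetName + "/" + rrsetType
}

// NewLiveDNSRequest assembles an authenticated request for one RRset.
func NewLiveDNSRequest(method string, rawSecret []byte, keyType, zone, rrsetName, rrsetType string) (*http.Request, error) {
	cred, err := NormalizeSecret(rawSecret)
	if err != nil {
		return nil, err
	}
	auth, err := AuthorizationHeader(cred, keyType)
	if err != nil {
		return nil, err
	}
	url := LiveDNSRecordURL("https://api.gandi.net/v5/livedns", zone, rrsetName, rrsetType)
	req, err := http.NewRequest(method, url, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", auth)
	req.Header.Set("Accept", "application/json")
	return req, nil
}

func main() {
	// Constructed sample secret carrying the trailing newline the issue asks about.
	raw := []byte("0123456789abcdef0123456789abcdef01234567\n")
	req, err := NewLiveDNSRequest(http.MethodGet, raw, "", "example.com.", "_acme-challenge", "TXT")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println(req.Method, req.URL.String(), req.Header.Get("Authorization"))
}
```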

Missing RBAC

Heya

Dunno if it's due to a more recent cert-manager but I've had to add the following RBAC:

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: "cert-manager-gandi"
rules:
- apiGroups: ["acme.bwolf.me"]
  resources: ["gandi"]
  verbs: ["get", "watch", "list", "patch", "create"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cert-manager-gandi
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-gandi
subjects:
- kind: ServiceAccount
  name: cert-manager-dev
  namespace: cert-manager

Tried to push a branch for a PR but 403 :D

Cannot Generate Certificate: Forbidden

Hello everyone,

I followed the installation but I have the following error message:

I0505 09:07:20.325417       1 dns.go:88] cert-manager/challenges/Present "msg"="presenting DNS01 challenge for domain" "dnsName"="my.domain.com" "domain"="my.domain.com" "resource_kind"="Challenge" "resource_name"="my-domain-8nblq-1587531663-436165196" "resource_namespace"="default" "resource_version"="v1" "type"="DNS-01" 
E0505 09:07:20.337689       1 controller.go:163] cert-manager/challenges "msg"="re-queuing item due to error processing" "error"="gandi.domain.com is forbidden: User \"system:serviceaccount:cert-manager:cert-manager\" cannot create resource \"gandi\" in API group \"domain.com\" at the cluster scope" "key"="default/domain-com-8nblq-1587531663-436165196"
E0505 09:04:37.880742       1 sources.go:124] cert-manager/certificate/apiservice/generic-inject-reconciler "msg"="unable to fetch associated secret" "error"="Secret \"cert-manager-webhook-gandi-1651741469-webhook-tls\" not found" "certificate"={"Namespace":"cert-manager","Name":"cert-manager-webhook-gandi-1651741469-webhook-tls"} "resource_kind"="APIService" "resource_name"="v1alpha1.acme.bwolf.me" "resource_namespace"="" "resource_version"="v1" "secret"={"Namespace":"cert-manager","Name":"cert-manager-webhook-gandi-1651741469-webhook-tls"}

Can you help me please?

Please find elements present on my Kubernetes cluster :

$ kubectl describe secrets -n cert-manager gandi-credentials
Name:         gandi-credentials
Namespace:    cert-manager
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
api-token:  24 bytes

#####################################

$ helm install cert-manager-webhook-gandi \
>      --repo https://bwolf.github.io/cert-manager-webhook-gandi \
>      --version v0.2.0 \
>      --namespace cert-manager \
>      --set features.apiPriorityAndFairness=true \
>      --set logLevel=2 \
>      --generate-name
NAME: cert-manager-webhook-gandi-1651741469
LAST DEPLOYED: Thu May  5 11:04:37 2022
NAMESPACE: cert-manager
STATUS: deployed
REVISION: 1
TEST SUITE: None

#####################################

$ kubectl describe clusterissuers.cert-manager.io letsencrypt-prod-gandi
Name:         letsencrypt-prod-gandi
Namespace:
Labels:       <none>
Annotations:  <none>
API Version:  cert-manager.io/v1
Kind:         ClusterIssuer
Metadata:
  Creation Timestamp:  2022-05-05T08:15:51Z
  Generation:          1
  Managed Fields:
    API Version:  cert-manager.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .:
          f:kubectl.kubernetes.io/last-applied-configuration:
      f:spec:
        .:
        f:acme:
          .:
          f:email:
          f:privateKeySecretRef:
            .:
            f:name:
          f:server:
          f:solvers:
    Manager:      kubectl-client-side-apply
    Operation:    Update
    Time:         2022-05-05T08:15:51Z
    API Version:  cert-manager.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:status:
        .:
        f:acme:
          .:
          f:lastRegisteredEmail:
          f:uri:
        f:conditions:
    Manager:         controller
    Operation:       Update
    Subresource:     status
    Time:            2022-05-05T08:15:52Z
  Resource Version:  23551033
  UID:               c8f06ce6-d8d1-4f9b-b446-9f345896624
Spec:
  Acme:
    Email:            [email protected]
    Preferred Chain:
    Private Key Secret Ref:
      Name:  letsencrypt-account-key-gandi
    Server:  https://acme-v02.api.letsencrypt.org/directory
    Solvers:
      dns01:
        Webhook:
          Config:
            API Key Secret Ref:
              Key:      api-token
              Name:     gandi-credentials
          Group Name:   domain.com
          Solver Name:  gandi
Status:
  Acme:
    Last Registered Email:  [email protected]
    Uri:                    https://acme-v02.api.letsencrypt.org/acme/acct/529540286
  Conditions:
    Last Transition Time:  2022-05-05T08:15:52Z
    Message:               The ACME account was registered with the ACME server
    Observed Generation:   1
    Reason:                ACMEAccountRegistered
    Status:                True
    Type:                  Ready
Events:                    <none>

#####################################

$ kubectl describe certificate domain-com
Name:         domain-com
Namespace:    default
Labels:       <none>
Annotations:  <none>
API Version:  cert-manager.io/v1
Kind:         Certificate
Metadata:
  Creation Timestamp:  2022-05-05T09:06:10Z
  Generation:          1
  Managed Fields:
    API Version:  cert-manager.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .:
          f:kubectl.kubernetes.io/last-applied-configuration:
      f:spec:
        .:
        f:dnsNames:
        f:issuerRef:
          .:
          f:kind:
          f:name:
        f:secretName:
    Manager:      kubectl-client-side-apply
    Operation:    Update
    Time:         2022-05-05T09:06:10Z
    API Version:  cert-manager.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:status:
        .:
        f:conditions:
        f:nextPrivateKeySecretName:
    Manager:         controller
    Operation:       Update
    Subresource:     status
    Time:            2022-05-05T09:06:11Z
  Resource Version:  23564444
  UID:               f5c765d9-807e-4be1-b7fe-8eb4abb913dc
Spec:
  Dns Names:
    my.domain.com
  Issuer Ref:
    Kind:       ClusterIssuer
    Name:       letsencrypt-prod-gandi
  Secret Name:  example-com-tls
Status:
  Conditions:
    Last Transition Time:        2022-05-05T09:06:11Z
    Message:                     Issuing certificate as Secret does not exist
    Observed Generation:         1
    Reason:                      DoesNotExist
    Status:                      False
    Type:                        Ready
    Last Transition Time:        2022-05-05T09:06:11Z
    Message:                     Issuing certificate as Secret does not exist
    Observed Generation:         1
    Reason:                      DoesNotExist
    Status:                      True
    Type:                        Issuing
  Next Private Key Secret Name:  domain-com-p5g68
Events:
  Type    Reason     Age   From          Message
  ----    ------     ----  ----          -------
  Normal  Issuing    15m   cert-manager  Issuing certificate as Secret does not exist
  Normal  Generated  15m   cert-manager  Stored new private key in temporary Secret resource "domain-com-p5g68"
  Normal  Requested  15m   cert-manager  Created new CertificateRequest resource "domain-com-8nblq"

Thank you for your help !

Lack of maintenance

Hi,

as some of you might already have concluded, I won't maintain this package any more, because I don't have the time, I no longer use K8S privately and I am no longer a Gandi customer. I plan to set this repository to read-only and I will include a link in the readme to a repo of someone who is willing to maintain a fork.

What do you think, and is there someone who is able to maintain the package to whom I can link in the readme? I also suggest that you update the cert-manager documentation (PR) to refer to the up-to-date repo.

Cheers!

Missing debug logging to further troubleshoot an issue.

Hi. First of all, thank you for providing this!

I recently set up certmanager on a cluster, and configured it to be able to issue certificates for all my gandi domains.
For my default nginx setup, I'm requesting a certificate which has all my apex domains and its respective wildcard.
All the orders work, except for 1 particular wildcard.

I tried figuring out what the exact error is, but the most specific I can find in the logs is

status":{"metadata":{},"status":"Failed","message":"unable to create TXT record: failed creating TXT record: \u003cnil\u003e"}}}

from the logged request, I could figure out (I think?) which record needed to be created, and tried to set it up myself (gandi.cli tool), which yielded me zero error.

I'm not sure if there are any other options to try to understand the exact error Gandi returns?

Not sure if that is related here, but I do know, from experience with the gandi.cli tool, their API is a bit of a mess, as "https://dns.api.gandi.net/api/v5" is actually an older version, whilst the newer (and different) one is at https://api.gandi.net/api/v5
(I patched gandi.cli to be able to make dns.list work... srgvg/gandi.cli@15004e3)

Can't get it working

Hi, forgive me for my bad English.

I'm trying to use this webhook to generate a certificate with a gandi DNS-01 challenge. Cert-manager is correctly deployed. I can generate self-signed certificates without any problems.

The gandi webhook is deployed. When I try to gen a new certificate, nothing is happening in logs of the pod.

Versions:
Kubernetes: v1.16.6
cert-manager: v0.14.0

My issuer:

Name:         letsencrypt-staging
Namespace:    cert-manager
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"cert-manager.io/v1alpha2","kind":"Issuer","metadata":{"annotations":{},"name":"letsencrypt-staging","namespace":"cert-manag...
API Version:  cert-manager.io/v1alpha3
Kind:         Issuer
Metadata:
  Creation Timestamp:  2020-03-20T10:50:32Z
  Generation:          1
  Resource Version:    1067293
  Self Link:           /apis/cert-manager.io/v1alpha3/namespaces/cert-manager/issuers/letsencrypt-staging
  UID:                 ec87cc37-8213-43d6-b2f4-c0fd9e4a2dd8
Spec:
  Acme:
    Email:  [email protected]
    Private Key Secret Ref:
      Name:  letsencrypt-staging
    Server:  https://acme-staging-v02.api.letsencrypt.org/directory
    Solvers:
      dns01:
        Webhook:
          Config:
            API Key Secret Ref:
              Key:      api-token
              Name:     gandi-credentials
          Group Name:   acme.bwolf.me
          Solver Name:  gandi
Status:
  Acme:
    Last Registered Email:  [email protected]
    Uri:                    https://acme-staging-v02.api.letsencrypt.org/acme/acct/12839421
  Conditions:
    Last Transition Time:  2020-03-20T10:50:33Z
    Message:               The ACME account was registered with the ACME server
    Reason:                ACMEAccountRegistered
    Status:                True
    Type:                  Ready
Events:                    <none>

Gen cert:

---
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: wildcard-mydomain-net
spec:
  dnsNames:
  - '*.mydomain.net'
  issuerRef:
    kind: Issuer
    name: letsencrypt-staging
  secretName: wildcard-mydomain-net-tls

Pod is running:
cert-manager-webhook-gandi-585f67dc4f-gblr7 1/1 Running 2 85m

Pod log:

…/kubernetes/cert-manager/helm  k logs cert-manager-webhook-gandi-585f67dc4f-gblr7                                                                                     master ● ?  13:11:27
W0320 10:46:36.716882       1 configmap_cafile_content.go:102] unable to load initial CA bundle for: "client-ca::kube-system::extension-apiserver-authentication::client-ca-file" due to: configmap "extension-apiserver-authentication" not found
W0320 10:46:36.716952       1 configmap_cafile_content.go:102] unable to load initial CA bundle for: "client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file" due to: configmap "extension-apiserver-authentication" not found
I0320 10:46:36.731454       1 tlsconfig.go:179] loaded serving cert ["serving-cert::/tls/tls.crt::/tls/tls.key"]: "" [serving] groups=[cert-manager] validServingFor=[cert-manager-webhook-gandi,cert-manager-webhook-gandi.cert-manager,cert-manager-webhook-gandi.cert-manager.svc] issuer="ca.cert-manager-webhook-gandi.cert-manager" (2020-03-20 10:46:14 +0000 UTC to 2021-03-20 10:46:14 +0000 UTC (now=2020-03-20 10:46:36.731423012 +0000 UTC))
I0320 10:46:36.731645       1 named_certificates.go:52] loaded SNI cert [0/"self-signed loopback"]: "apiserver-loopback-client@1584701196" [serving] validServingFor=[apiserver-loopback-client] issuer="apiserver-loopback-client-ca@1584701196" (2020-03-20 09:46:36 +0000 UTC to 2021-03-20 09:46:36 +0000 UTC (now=2020-03-20 10:46:36.731636833 +0000 UTC))
I0320 10:46:36.731672       1 secure_serving.go:178] Serving securely on [::]:443
I0320 10:46:36.731730       1 configmap_cafile_content.go:205] Starting client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file
I0320 10:46:36.731813       1 shared_informer.go:197] Waiting for caches to sync for client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file
I0320 10:46:36.731931       1 dynamic_serving_content.go:129] Starting serving-cert::/tls/tls.crt::/tls/tls.key
I0320 10:46:36.731949       1 configmap_cafile_content.go:205] Starting client-ca::kube-system::extension-apiserver-authentication::client-ca-file
I0320 10:46:36.731972       1 shared_informer.go:197] Waiting for caches to sync for client-ca::kube-system::extension-apiserver-authentication::client-ca-file
I0320 10:46:36.731934       1 tlsconfig.go:219] Starting DynamicServingCertificateController
I0320 10:46:36.832166       1 shared_informer.go:204] Caches are synced for client-ca::kube-system::extension-apiserver-authentication::client-ca-file 
I0320 10:46:36.832498       1 tlsconfig.go:157] loaded client CA [0/"client-ca::kube-system::extension-apiserver-authentication::client-ca-file,client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file"]: "kubernetes" [] issuer="<self>" (2020-03-14 23:01:55 +0000 UTC to 2030-03-12 23:01:55 +0000 UTC (now=2020-03-20 10:46:36.832484393 +0000 UTC))
I0320 10:46:36.832692       1 tlsconfig.go:179] loaded serving cert ["serving-cert::/tls/tls.crt::/tls/tls.key"]: "" [serving] groups=[cert-manager] validServingFor=[cert-manager-webhook-gandi,cert-manager-webhook-gandi.cert-manager,cert-manager-webhook-gandi.cert-manager.svc] issuer="ca.cert-manager-webhook-gandi.cert-manager" (2020-03-20 10:46:14 +0000 UTC to 2021-03-20 10:46:14 +0000 UTC (now=2020-03-20 10:46:36.832684098 +0000 UTC))
I0320 10:46:36.832841       1 named_certificates.go:52] loaded SNI cert [0/"self-signed loopback"]: "apiserver-loopback-client@1584701196" [serving] validServingFor=[apiserver-loopback-client] issuer="apiserver-loopback-client-ca@1584701196" (2020-03-20 09:46:36 +0000 UTC to 2021-03-20 09:46:36 +0000 UTC (now=2020-03-20 10:46:36.832834595 +0000 UTC))
I0320 10:46:36.833259       1 shared_informer.go:204] Caches are synced for client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file 
I0320 10:46:36.833467       1 tlsconfig.go:157] loaded client CA [0/"client-ca::kube-system::extension-apiserver-authentication::client-ca-file,client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file"]: "kubernetes" [] issuer="<self>" (2020-03-14 23:01:55 +0000 UTC to 2030-03-12 23:01:55 +0000 UTC (now=2020-03-20 10:46:36.833458519 +0000 UTC))
I0320 10:46:36.833483       1 tlsconfig.go:157] loaded client CA [1/"client-ca::kube-system::extension-apiserver-authentication::client-ca-file,client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file"]: "front-proxy-ca" [] issuer="<self>" (2020-03-14 23:01:56 +0000 UTC to 2030-03-12 23:01:56 +0000 UTC (now=2020-03-20 10:46:36.833477265 +0000 UTC))
I0320 10:46:36.833636       1 tlsconfig.go:179] loaded serving cert ["serving-cert::/tls/tls.crt::/tls/tls.key"]: "" [serving] groups=[cert-manager] validServingFor=[cert-manager-webhook-gandi,cert-manager-webhook-gandi.cert-manager,cert-manager-webhook-gandi.cert-manager.svc] issuer="ca.cert-manager-webhook-gandi.cert-manager" (2020-03-20 10:46:14 +0000 UTC to 2021-03-20 10:46:14 +0000 UTC (now=2020-03-20 10:46:36.833628591 +0000 UTC))
I0320 10:46:36.833761       1 named_certificates.go:52] loaded SNI cert [0/"self-signed loopback"]: "apiserver-loopback-client@1584701196" [serving] validServingFor=[apiserver-loopback-client] issuer="apiserver-loopback-client-ca@1584701196" (2020-03-20 09:46:36 +0000 UTC to 2021-03-20 09:46:36 +0000 UTC (now=2020-03-20 10:46:36.833753389 +0000 UTC))

Any idea? Thanks

Helm install fails during field validation

Hi, I was trying to install the chart using fluxcd, which imposes the --strict flag on helm install, and got the following issue:

cert-manager   cert-manager-webhook-gandi   False     Helm install failed: rendered manifests contain a resource that already exists. Unable to continue with install: Role "cert-manager-webhook-gandi:secret-reader" in namespace "cert-manager" exists and cannot be imported into the current release: invalid ownership metadata; label validation error: missing key "app.kubernetes.io/managed-by": must be set to "Helm"; annotation validation error: missing key "meta.helm.sh/release-name": must be set to "cert-manager-webhook-gandi"; annotation validation error: missing key "meta.helm.sh/release-namespace": must be set to "cert-manager"   62s

I think that the fact that the labels are missing from the role makes it impossible to install.

Would you consider adding the missing labels?

cert-manager-webhook-gandi cannot get resource secrets

Hello,

I've tried to deploy #11 (which is already merged but missing the helm index.yaml) but I get the following error:

kubectl -n cert-manager describe Challenge
Name:         staging-wildcard-mydomain-com-nrqcw-313117991-3538039921
Namespace:    cert-manager
Labels:       <none>
Annotations:  <none>
API Version:  acme.cert-manager.io/v1
Kind:         Challenge
Metadata:
  Creation Timestamp:  2021-10-22T07:42:34Z
  Finalizers:
    finalizer.acme.cert-manager.io
  Generation:  1
  Managed Fields:
    API Version:  acme.cert-manager.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:finalizers:
          .:
          v:"finalizer.acme.cert-manager.io":
        f:ownerReferences:
          .:
          k:{"uid":"f5232e50-fe3b-4cce-88db-2bd4a8e40efa"}:
            .:
            f:apiVersion:
            f:blockOwnerDeletion:
            f:controller:
            f:kind:
            f:name:
            f:uid:
      f:spec:
        .:
        f:authorizationURL:
        f:dnsName:
        f:issuerRef:
          .:
          f:kind:
          f:name:
        f:key:
        f:solver:
          .:
          f:dns01:
            .:
            f:webhook:
              .:
              f:config:
              f:groupName:
              f:solverName:
        f:token:
        f:type:
        f:url:
        f:wildcard:
      f:status:
        .:
        f:presented:
        f:processing:
        f:reason:
        f:state:
    Manager:    controller
    Operation:  Update
    Time:       2021-10-22T07:43:19Z
  Owner References:
    API Version:           acme.cert-manager.io/v1
    Block Owner Deletion:  true
    Controller:            true
    Kind:                  Order
    Name:                  staging-wildcard-mydomain-com-nrqcw-313117991
    UID:                   f5232e50-fe3b-4cce-88db-2bd4a8e40efa
  Resource Version:        2161769
  Self Link:               /apis/acme.cert-manager.io/v1/namespaces/cert-manager/challenges/staging-wildcard-mydomain-com-nrqcw-313117991-3538039921
  UID:                     c3b73544-5fdb-4c23-9f5e-adb5bbbf381b
Spec:
  Authorization URL:  https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/755711798
  Dns Name:           mydomain.com
  Issuer Ref:
    Kind:  ClusterIssuer
    Name:  letsencrypt-staging
  Key:     mA2hM92XoAA0nxzdqmuEpwu3CyqLaq-Lu3t4r3KtSP4
  Solver:
    dns01:
      Webhook:
        Config:
          API Key Secret Ref:
            Key:      api-token
            Name:     dns-credentials-gandi
        Group Name:   acme.h6s.io
        Solver Name:  gandi
  Token:              OcooaAx3gD-aPTJCAFRke6m_fPBlTY8NGPm4YSTjxWA
  Type:               DNS-01
  URL:                https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/755711798/EuOuuw
  Wildcard:           true
Status:
  Presented:   false
  Processing:  true
  Reason:      unable to get API key: unable to get secret `dns-credentials-gandi`; secrets "dns-credentials-gandi" is forbidden: User "system:serviceaccount:cert-manager:cert-manager-webhook-gandi" cannot get resource "secrets" in API group "" in the namespace "cert-manager"
  State:       pending
Events:
  Type     Reason        Age                  From          Message
  ----     ------        ----                 ----          -------
  Normal   Started       3m46s                cert-manager  Challenge scheduled for processing
  Warning  PresentError  81s (x6 over 3m46s)  cert-manager  Error presenting challenge: unable to get API key: unable to get secret `dns-credentials-gandi`; secrets "dns-credentials-gandi" is forbidden: User "system:serviceaccount:cert-manager:cert-manager-webhook-gandi" cannot get resource "secrets" in API group "" in the namespace "cert-manager"

To reproduce the problem:

# cert-manager
helm upgrade cert-manager jetstack/cert-manager \
	-n cert-manager \
	--namespace cert-manager \
	--install \
	--wait \
	--create-namespace \
	--set installCRDs=true \
	--version v1.5.4

# webhook-gandi
# TODO: Use @bwolf repo when PR merged. Meanwhile, the groupName must rest as acme.h6s.io
helm upgrade cert-manager-webhook-gandi cert-manager-webhook-gandi \
	--namespace cert-manager \
	--install \
	--wait \
	--repo https://hexa-solutions.github.io/cert-manager-webhook-gandi \
	--version v0.2.0 \
	--set logLevel=2

Created the secret with:

kubectl -n cert-manager create secret generic dns-credentials-gandi --from-literal=api-token='HEHEHE'

(Verified that token is working)

and the resources:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
  namespace: cert-manager
  labels:
    group: mydom-certs # IMPORTANT!
spec:
  acme:
    # The ACME server URL
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: [email protected]
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
      - dns01:
          webhook:
            groupName: acme.h6s.io
            solverName: gandi
            config:
              apiKeySecretRef:
                key: api-token
                name: dns-credentials-gandi
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: staging-wildcard-mydomain-com
  namespace: cert-manager
  labels:
    group: mydom-certs # IMPORTANT!
spec:
  secretName: staging-wildcard-mydomain-com
  dnsNames:
    - "*.mydomain.com"
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
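A least-privilege fix for the "forbidden" error above, as an added example and not the chart's own manifests: a namespaced Role that lets the webhook's service account read only the dns-credentials-gandi secret, plus the binding that grants it. The Role and RoleBinding names are assumptions; the service account, namespace and secret name are taken from the error message.

```yaml
# Added example (not from the chart): grant the webhook service account read
# access to exactly one secret, instead of every secret in the namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cert-manager-webhook-gandi:gandi-secret-reader   # name is an assumption
  namespace: cert-manager
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    # resourceNames limits the grant to the one secret the webhook needs;
    # without it the webhook could also read the ACME account key
    # (letsencrypt-staging) and every issued TLS secret in this namespace.
    resourceNames: ["dns-credentials-gandi"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cert-manager-webhook-gandi:gandi-secret-reader   # name is an assumption
  namespace: cert-manager
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cert-manager-webhook-gandi:gandi-secret-reader
subjects:
  - kind: ServiceAccount
    name: cert-manager-webhook-gandi   # identity named in the forbidden message
    namespace: cert-manager
# Verify before retrying the Challenge (expected output: "yes"):
#   kubectl -n cert-manager auth can-i get secrets/dns-credentials-gandi \
#     --as=system:serviceaccount:cert-manager:cert-manager-webhook-gandi
# and confirm the grant does not extend to other secrets (expected: "no"):
#   kubectl -n cert-manager auth can-i get secrets/letsencrypt-staging \
#     --as=system:serviceaccount:cert-manager:cert-manager-webhook-gandi
```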

Cannot issue certificate with cert-manager 1.0

Hello,

I tried everything I could, from cluster to non-cluster issuers, added the RBAC for the Gandi resource as suggested in another issue, but still, on this brand new setup I cannot get it to work like I did in the past.

The ACME server is correctly registered. The only interesting thing I could get is:

I0421 06:08:45.720072 1 dns.go:88] cert-manager/controller/challenges/Present "msg"="presenting DNS01 challenge for domain" "dnsName"="my domain.com" "domain"="mydomain.com" "resource_kind"="Challenge" "resource_name"="wildcard-mydomain.com-staging-2g496-2137719332-3682646012" "resource_namespace"="default" "resource_version"="v1" "type"="DNS-01"
E0421 06:08:45.721975 1 controller.go:158] cert-manager/controller/challenges "msg"="re-queuing item due to error processing" "error"="the server could not find the requested resource (post gandi.acme.bwolf.me)" "key"="default/wildcard-mydomain.com-staging-2g496-2137719332-3682646012"
W0421 06:09:24.916456 1 warnings.go:67] networking.k8s.io/v1beta1 Ingress is deprecated in v1.19+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress

Do you have any idea where I should look to get more information on the issue?

Thank you!
Torpi

the server could not find the requested resource

Hi,

The cert-manager-webhook-gandi-XXX pod log is full of these errors:

E0303 23:46:52.191455       1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta1.PriorityLevelConfiguration: failed to list *v1beta1.PriorityLevelConfiguration: the server could not find the requested resource
E0303 23:46:52.202524       1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta1.FlowSchema: failed to list *v1beta1.FlowSchema: the server could not find the requested resource
E0303 23:46:53.912153       1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta1.FlowSchema: failed to list *v1beta1.FlowSchema: the server could not find the requested resource
E0303 23:46:54.895335       1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta1.PriorityLevelConfiguration: failed to list *v1beta1.PriorityLevelConfiguration: the server could not find the requested resource
E0303 23:46:57.618353       1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta1.FlowSchema: failed to list *v1beta1.FlowSchema: the server could not find the requested resource
E0303 23:46:58.412069       1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta1.PriorityLevelConfiguration: failed to list *v1beta1.PriorityLevelConfiguration: the server could not find the requested resource

I'm running Kubernetes 1.26.1 and Cert-Manager 1.11.0 with version 0.2.0 of this webhook.

`cert-manager` namespace is hardcoded in some resources

Hi,

I installed cert-manager and cert-manager-webhook-gandi along with DNS servers, reverse-proxies etc into the networking namespace and face the following messages in my logs:

I0817 03:54:10.529426       1 dns.go:88] cert-manager/controller/challenges/Present "msg"="presenting DNS01 challenge for domain" "dnsName"="dolibarr.whatismydomain.com" "domain"="dolibarr.whatismydomain.com" "resource_kind"="Challenge" "resource_name"="dolibarr-dolibarr-production-bfpmm-1295072856-3170105358" "resource_namespace"="wimd" "type"="dns-01" 
E0817 03:54:10.531672       1 controller.go:158] cert-manager/controller/challenges "msg"="re-queuing item  due to error processing" "error"="gandi.acme.bwolf.me is forbidden: User \"system:serviceaccount:networking:cert-manager\" cannot create resource \"gandi\" in API group \"acme.bwolf.me\" at the cluster scope" "key"="wimd/dolibarr-dolibarr-production-bfpmm-1295072856-3170105358" 

I think this is due to not all resources referencing the installation namespace; in the following excerpt the first document uses networking while the latter one uses cert-manager:

# Source: cert-manager-webhook-gandi/templates/rbac.yaml
# apiserver gets the auth-delegator role to delegate auth decisions to
# the core apiserver
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-webhook-gandi:auth-delegator
  labels:
    app: cert-manager-webhook-gandi
    chart: cert-manager-webhook-gandi-0.1.1
    release: cert-manager-webhook-gandi
    heritage: Helm
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: cert-manager-webhook-gandi
    namespace: networking
---
# Source: cert-manager-webhook-gandi/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-webhook-gandi:domain-solver
  labels:
    app: cert-manager-webhook-gandi
    chart: cert-manager-webhook-gandi-0.1.1
    release: cert-manager-webhook-gandi
    heritage: Helm
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-webhook-gandi:domain-solver
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: cert-manager
    namespace: cert-manager

In the meantime I will add a kubectl apply -f some-more.yaml step to patch the involved resources.
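A corrected binding for the excerpt above, as an added example and not the chart's own template: it keeps the same roleRef but points the subject at the namespace cert-manager actually runs in (networking, as the forbidden message shows). The binding name is an assumption, deliberately different from the chart's so that a later helm upgrade does not overwrite the subject with the hardcoded namespace again.

```yaml
# Added example (not from the chart). Same ClusterRole as the chart's
# domain-solver binding, but the subject names the cert-manager service
# account in the namespace where it was actually installed.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  # Distinct from the Helm-managed binding so `helm upgrade` leaves it alone.
  name: cert-manager-webhook-gandi:domain-solver-networking   # name is an assumption
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-webhook-gandi:domain-solver
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: cert-manager
    namespace: networking   # chart rendered: cert-manager
# Verify that the identity from the log line above can now create the
# solver resource (expected output: "yes"):
#   kubectl auth can-i create gandi.acme.bwolf.me \
#     --as=system:serviceaccount:networking:cert-manager
```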
