devmachine-fr / cert-manager-alidns-webhook Goto Github PK

View Code? Open in Web Editor NEW

89.0 2.0 29.0 290 KB

Cert-manager webhook to generate Let's Encrypt certificates over Alibaba Cloud DNS.

License: Apache License 2.0

Dockerfile 2.96% Makefile 7.57% Go 78.21% Mustache 11.25%

cert-manager-webhook cert-manager alidns letsencrypt aliyun certificate

cert-manager-alidns-webhook's Introduction

Alibaba Cloud DNS ACME webhook

This project is based on code initialy commited in https://github.com/go-acme/lego

This is an webhook implementation for Cert-Manager to use with Alibaba Cloud DNS (aka AliDNS). See the cert-manager's documentation for more details on webhook : https://cert-manager.io/docs/concepts/webhook/

Usage

Installation

helm repo add cert-manager-alidns-webhook https://devmachine-fr.github.io/cert-manager-alidns-webhook
helm repo update
helm install alidns-webhook cert-manager-alidns-webhook/alidns-webhook

Create the secret holding alibaba credential :

kubectl create secret generic alidns-secrets --from-literal="access-token=yourtoken" --from-literal="secret-key=yoursecretkey"

Create an issuer

The name of solver to use is alidns-solver. You can create an issuer as below :

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt
  namespace: default
spec:
  acme:
    email: [email protected]
    privateKeySecretRef:
      name: letsencrypt
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    solvers:
    - dns01:
        webhook:
          config:
            accessTokenSecretRef:
              key: access-token
              name: alidns-secrets
            regionId: cn-beijing
            secretKeySecretRef:
              key: secret-key
              name: alidns-secrets
          groupName: example.com
          solverName: alidns-solver
      selector:
        dnsNames:
        - example.com
        - '*.example.com'

Or you can create an ClusterIssuer as below :

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt
spec:
  acme:
    email: [email protected]
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt
    solvers:
    - dns01:
        webhook:
            config:
              accessTokenSecretRef:
                key: access-token
                name: alidns-secrets
              regionId: cn-beijing
              secretKeySecretRef:
                key: secret-key
                name: alidns-secrets
            groupName: example.com # groupName must match the one configured on webhook deployment (see Helm chart's values) !
            solverName: alidns-solver

See cert-manager documentation for more information : https://cert-manager.io/docs/configuration/acme/dns01/

Create the certification

Then create the certificate which will use this issuer : https://cert-manager.io/docs/usage/certificate/

Create an certification using Issuer as below :

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-tls
spec:
  secretName: example-com-tls
  commonName: example.com
  dnsNames:
  - example.com
  - "*.example.com"
  issuerRef:
    name: letsencrypt
    kind: Issuer

Or create an certification using ClusterIssuer as below :

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-tls
spec:
  secretName: example-com-tls
  commonName: example.com
  dnsNames:
  - example.com
  - "*.example.com"
  issuerRef:
    name: letsencrypt
    kind: ClusterIssuer

Tests

Modify testdata/alidns-solver to add a valid token for alidns.

# replace example.com with a zone which belongs to given credentials
TEST_ASSET_ETCD=kubebuilder/bin/etcd TEST_ASSET_KUBE_APISERVER=kubebuilder/bin/kube-apiserver TEST_ASSET_KUBECTL=kubebuilder/bin/kubectl TEST_ZONE_NAME=example.com. make test .

Build

Build and publish the docker image:

docker build . -t <your registry>/alidns-webhook:latest
docker push <your registry>/alidns-webhook

Use the helm chart in charts directory.

helm template charts --set image.repository=<your registry> --set image.tag=latest

cert-manager-alidns-webhook's People

Contributors

Stargazers

Watchers

cert-manager-alidns-webhook's Issues

Perhaps notification helm install with set value "groupName" would be better

I just deploy webhook with helm and I set tu my own domain
but cluster issuer False by certificate , certificate to certificaterequest

and finally I got challenges pending with User "system:serviceaccount:cert-manager:cert-manager" cannot create resource "alidns-solver" in API group "this_is_my_domain"

and i finally knew that the groupname in helm chart values should matched with (cluster)issuers.

indeed, in project this two values are not matched

should issuer and alidns-webhook in the same namespace?

should issuer and alidns-webhook deployed in the same namespace?
if not, i guess, the ServiceAccount created may not have permissions to read the secret configured in dns01.webhook.config

Build and deploy docker image to docker hub

Build an image and deploy it to docker hub.

remote error: tls: unrecognized name

cert-manager version: 1.14.5

I0529 10:36:33.256469 1 setup.go:225] "ACME server URL host and ACME private key registration host differ. Re-checking ACME account registration" logger="cert-manager.clusterissuers" resource_name="letsencrypt-ssl" resource_namespace="" resource_kind="ClusterIssuer" resource_version="v1" related_resource_name="letsencrypt-prs" related_resource_namespace="cert-manager" related_resource_kind="Secret"

E0529 10:36:33.768117 1 setup.go:265] "failed to register an ACME account" err="Get "https://acme-staging-v02.api.letsencrypt.org/directory\": remote error: tls: unrecognized name" logger="cert-manager.clusterissuers" resource_name="letsencrypt-ssl" resource_namespace="" resource_kind="ClusterIssuer" resource_version="v1" related_resource_name="letsencrypt-prs" related_resource_namespace="cert-manager" related_resource_kind="Secret"

E0529 10:36:33.768307 1 sync.go:62] "error setting up issuer" err="Get "https://acme-staging-v02.api.letsencrypt.org/directory\": remote error: tls: unrecognized name" logger="cert-manager.clusterissuers" resource_name="letsencrypt-ssl" resource_namespace="" resource_kind="ClusterIssuer" resource_version="v1"

E0529 10:36:33.768466 1 controller.go:167] "re-queuing item due to error processing" err="Get "https://acme-staging-v02.api.letsencrypt.org/directory\": remote error: tls: unrecognized name" logger="cert-manager.clusterissuers" key="letsencrypt-ssl"

docker build error

Why I can't find webhook related crd in helm install.

---
# Source: alidns-webhook/templates/rbac.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: release-name-alidns-webhook
  labels:
    app: alidns-webhook
    chart: alidns-webhook-0.7.0
    release: release-name
    heritage: Helm
---
# Source: alidns-webhook/templates/rbac.yaml
# Grant permissions to read secrets inside the cluster to allow to have issuer in another namespace than the webhook
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: release-name-alidns-webhook:secrets-reader
  labels:
    app: alidns-webhook
    chart: alidns-webhook-0.7.0
    release: release-name
    heritage: Helm
rules:
  - apiGroups:
      - ''
    resources:
      - 'secrets'
    verbs:
      - 'get'
---
# Source: alidns-webhook/templates/rbac.yaml
# Grant cert-manager permission to validate using our apiserver
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: release-name-alidns-webhook:domain-solver
  labels:
    app: alidns-webhook
    chart: alidns-webhook-0.7.0
    release: release-name
    heritage: Helm
rules:
  - apiGroups:
      - example.com
    resources:
      - '*'
    verbs:
      - 'create'
---
# Source: alidns-webhook/templates/rbac.yaml
# Bind the previously created role to the webhook service account to allow reading from secrets in all namespaces
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: release-name-alidns-webhook:secrets-reader
  labels:
    app: alidns-webhook
    chart: alidns-webhook-0.7.0
    release: release-name
    heritage: Helm
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: release-name-alidns-webhook:secrets-reader
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: release-name-alidns-webhook
    namespace: default
---
# Source: alidns-webhook/templates/rbac.yaml
# apiserver gets the auth-delegator role to delegate auth decisions to
# the core apiserver
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: release-name-alidns-webhook:auth-delegator
  labels:
    app: alidns-webhook
    chart: alidns-webhook-0.7.0
    release: release-name
    heritage: Helm
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: release-name-alidns-webhook
    namespace: default
---
# Source: alidns-webhook/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: release-name-alidns-webhook:domain-solver
  labels:
    app: alidns-webhook
    chart: alidns-webhook-0.7.0
    release: release-name
    heritage: Helm
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: release-name-alidns-webhook:domain-solver
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: cert-manager
    namespace: cert-manager
---
# Source: alidns-webhook/templates/rbac.yaml
# Grant the webhook permission to read the ConfigMap containing the Kubernetes
# apiserver's requestheader-ca-certificate.
# This ConfigMap is automatically created by the Kubernetes apiserver.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: release-name-alidns-webhook:webhook-authentication-reader
  namespace: kube-system
  labels:
    app: alidns-webhook
    chart: alidns-webhook-0.7.0
    release: release-name
    heritage: Helm
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: extension-apiserver-authentication-reader
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: release-name-alidns-webhook
    namespace: default
---
# Source: alidns-webhook/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
  name: release-name-alidns-webhook
  labels:
    app: alidns-webhook
    chart: alidns-webhook-0.7.0
    release: release-name
    heritage: Helm
spec:
  type: ClusterIP
  ports:
    - port: 443
      targetPort: https
      protocol: TCP
      name: https
  selector:
    app: alidns-webhook
    release: release-name
---
# Source: alidns-webhook/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: release-name-alidns-webhook
  labels:
    app: alidns-webhook
    chart: alidns-webhook-0.7.0
    release: release-name
    heritage: Helm
spec:
  replicas:
  selector:
    matchLabels:
      app: alidns-webhook
      release: release-name
  template:
    metadata:
      labels:
        app: alidns-webhook
        release: release-name
    spec:
      serviceAccountName: release-name-alidns-webhook
      containers:
        - name: alidns-webhook
          image: "ghcr.io/devmachine-fr/cert-manager-alidns-webhook/cert-manager-alidns-webhook:0.2.0"
          imagePullPolicy: IfNotPresent
          args:
            - --tls-cert-file=/tls/tls.crt
            - --tls-private-key-file=/tls/tls.key
            - --secure-port=443
          env:
            - name: GROUP_NAME
              value: "example.com"
          ports:
            - name: https
              containerPort: 443
              protocol: TCP
          livenessProbe:
            httpGet:
              scheme: HTTPS
              path: /healthz
              port: https
          readinessProbe:
            httpGet:
              scheme: HTTPS
              path: /healthz
              port: https
          volumeMounts:
            - name: certs
              mountPath: /tls
              readOnly: true
          resources:
            {}

      volumes:
        - name: certs
          secret:
            secretName: release-name-alidns-webhook-webhook-tls
---
# Source: alidns-webhook/templates/apiservice.yaml
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
  name: v1alpha1.example.com
  labels:
    app: alidns-webhook
    chart: alidns-webhook-0.7.0
    release: release-name
    heritage: Helm
  annotations:
    cert-manager.io/inject-ca-from: "default/release-name-alidns-webhook-webhook-tls"
spec:
  group: example.com
  groupPriorityMinimum: 1000
  versionPriority: 15
  service:
    name: release-name-alidns-webhook
    namespace: default
  version: v1alpha1
---
# Source: alidns-webhook/templates/pki.yaml
# Generate a CA Certificate used to sign certificates for the webhook
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: release-name-alidns-webhook-ca
  namespace: "default"
  labels:
    app: alidns-webhook
    chart: alidns-webhook-0.7.0
    release: release-name
    heritage: Helm
spec:
  secretName: release-name-alidns-webhook-ca
  duration: 43800h0m0s # 5y
  issuerRef:
    name: release-name-alidns-webhook-selfsign
  commonName: "ca.alidns-webhook.cert-manager"
  isCA: true
---
# Source: alidns-webhook/templates/pki.yaml
# Finally, generate a serving certificate for the webhook to use
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: release-name-alidns-webhook-webhook-tls
  namespace: "default"
  labels:
    app: alidns-webhook
    chart: alidns-webhook-0.7.0
    release: release-name
    heritage: Helm
spec:
  secretName: release-name-alidns-webhook-webhook-tls
  duration: 8760h0m0s # 1y
  issuerRef:
    name: release-name-alidns-webhook-ca
  dnsNames:
  - release-name-alidns-webhook
  - release-name-alidns-webhook.default
  - release-name-alidns-webhook.default.svc
---
# Source: alidns-webhook/templates/pki.yaml
# Create a selfsigned Issuer, in order to create a root CA certificate for
# signing webhook serving certificates
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: release-name-alidns-webhook-selfsign
  namespace: "default"
  labels:
    app: alidns-webhook
    chart: alidns-webhook-0.7.0
    release: release-name
    heritage: Helm
spec:
  selfSigned: {}
---
# Source: alidns-webhook/templates/pki.yaml
# Create an Issuer that uses the above generated CA certificate to issue certs
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: release-name-alidns-webhook-ca
  namespace: "default"
  labels:
    app: alidns-webhook
    chart: alidns-webhook-0.7.0
    release: release-name
    heritage: Helm
spec:
  ca:
    secretName: release-name-alidns-webhook-ca

Helm installs a series of supporting resources for webhooks, but where are the webhook?

failed to list *v1beta2.FlowSchema

把 cert-manager 升级到最新的 1.11.1 后，webhook 出现异常

webhook 版本： 0.7.0

后台报错日志如下：

I0408 13:50:42.646306       1 requestheader_controller.go:169] Starting RequestHeaderAuthRequestController
I0408 13:50:42.646394       1 shared_informer.go:255] Waiting for caches to sync for RequestHeaderAuthRequestController
I0408 13:50:42.646458       1 configmap_cafile_content.go:202] "Starting controller" name="client-ca::kube-system::extension-apiserver-authentication::client-ca-file"
I0408 13:50:42.646470       1 shared_informer.go:255] Waiting for caches to sync for client-ca::kube-system::extension-apiserver-authentication::client-ca-file
I0408 13:50:42.646493       1 configmap_cafile_content.go:202] "Starting controller" name="client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file"
I0408 13:50:42.646500       1 shared_informer.go:255] Waiting for caches to sync for client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file
I0408 13:50:42.646546       1 secure_serving.go:210] Serving securely on [::]:443
I0408 13:50:42.646580       1 dynamic_serving_content.go:132] "Starting controller" name="serving-cert::/tls/tls.crt::/tls/tls.key"
I0408 13:50:42.647522       1 tlsconfig.go:240] "Starting DynamicServingCertificateController"
W0408 13:50:42.652808       1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:alidns-webhook" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0408 13:50:42.652838       1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta2.FlowSchema: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:alidns-webhook" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
W0408 13:50:42.653662       1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:alidns-webhook" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0408 13:50:42.653690       1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta2.PriorityLevelConfiguration: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:alidns-webhook" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
I0408 13:50:42.655900       1 apf_controller.go:317] Starting API Priority and Fairness config controller
I0408 13:50:42.746503       1 shared_informer.go:262] Caches are synced for RequestHeaderAuthRequestController
I0408 13:50:42.746521       1 shared_informer.go:262] Caches are synced for client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file
I0408 13:50:42.746508       1 shared_informer.go:262] Caches are synced for client-ca::kube-system::extension-apiserver-authentication::client-ca-file
W0408 13:50:43.798729       1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:alidns-webhook" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0408 13:50:43.798756       1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta2.PriorityLevelConfiguration: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:alidns-webhook" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
W0408 13:50:43.805481       1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:alidns-webhook" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0408 13:50:43.805506       1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta2.FlowSchema: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:alidns-webhook" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
W0408 13:50:45.515818       1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:alidns-webhook" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0408 13:50:45.515845       1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta2.FlowSchema: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:alidns-webhook" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope

Abnormally CPU usage

image: ghcr.io/devmachine-fr/cert-manager-alidns-webhook/cert-manager-alidns-webhook:0.2.0

Alicloud configuration started, unable to obtain certificate

Decoded configuration: {{{alidns-secrets} access-token} {{alidns-secrets} secret-key} cn-beijing}
Decoded configuration: {{{alidns-secrets} access-token} {{alidns-secrets} secret-key} cn-beijing}
Decoded configuration: {{{alidns-secrets} access-token} {{alidns-secrets} secret-key} cn-beijing}
Decoded configuration: {{{alidns-secrets} access-token} {{alidns-secrets} secret-key} cn-beijing}
Decoded configuration: {{{alidns-secrets} access-token} {{alidns-secrets} secret-key} cn-beijing}
Decoded configuration: {{{alidns-secrets} access-token} {{alidns-secrets} secret-key} cn-beijing}
Decoded configuration: {{{alidns-secrets} access-token} {{alidns-secrets} secret-key} cn-beijing}
Decoded configuration: {{{alidns-secrets} access-token} {{alidns-secrets} secret-key} cn-beijing}
Decoded configuration: {{{alidns-secrets} access-token} {{alidns-secrets} secret-key} cn-beijing}
Decoded configuration: {{{alidns-secrets} access-token} {{alidns-secrets} secret-key} cn-beijing}
Decoded configuration: {{{alidns-secrets} access-token} {{alidns-secrets} secret-key} cn-beijing}

secret ：--from-literal="access-token= （AccessKey Secret ？）--from-literal="secret-key= （AccessKey ID ？） “ ，Do you need to configure the same namespace as "alias webhook"?

    webhook:
        config:
          accessTokenSecretRef:
            key: access-token
            name: alidns-secrets
          regionId: cn-beijing
          secretKeySecretRef:
            key: secret-key

Package helm charts and deploy it

Package helm chart and deploy it somewhere. I am thinking to have it in a branch on this repository.

alicloud: error getting hosted zones: alicloud: error describing domains

How to use this tool

Hi oliver,
I have cloned your previous cert-manager with alidns support. looks like you have delete that repo. could you please help to advise how can i use the new one and integrate it with kubernetes?It will be highly appreciated if you can write some documentation.Thanks.

BTW, will the SSL certificate be updated automatically?

Name:         v1alpha1.acme.allshare.ltd
Namespace:    
Labels:       app=alidns-webhook
              app.kubernetes.io/managed-by=Helm
              chart=alidns-webhook-0.7.0
              heritage=Helm
              release=alidns-webhook
Annotations:  cert-manager.io/inject-ca-from: cert-manager/alidns-webhook-webhook-tls
              meta.helm.sh/release-name: alidns-webhook
              meta.helm.sh/release-namespace: cert-manager
API Version:  apiregistration.k8s.io/v1
Kind:         APIService
Metadata:
  Creation Timestamp:  2024-05-16T17:27:23Z
  Resource Version:    8947531
  UID:                 d5ae6ec6-0fca-4eb7-813e-657510e92214
Spec:
  Ca Bundle:               xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  Group:                   acme.allshare.ltd
  Group Priority Minimum:  1000
  Service:
    Name:            alidns-webhook
    Namespace:       cert-manager
    Port:            443
  Version:           v1alpha1
  Version Priority:  15
Status:
  Conditions:
    Last Transition Time:  2024-05-16T17:27:51Z
    Message:               all checks passed
    Reason:                Passed
    Status:                True
    Type:                  Available
Events:                    <none>

BUT apiserver is wrong

E0516 17:42:54.450064       1 controller.go:146] Error updating APIService "v1alpha1.acme.allshare.ltd" with err: failed to download v1alpha1.acme.allshare.ltd: resource not found
E0516 17:42:55.452499       1 controller.go:102] loading OpenAPI spec for "v1alpha1.acme.allshare.ltd" failed with: failed to download v1alpha1.acme.allshare.ltd: resource not found
I0516 17:42:55.452524       1 controller.go:109] OpenAPI AggregationController: action for item v1alpha1.acme.allshare.ltd: Rate Limited Requeue.
E0516 17:43:55.463326       1 controller.go:102] loading OpenAPI spec for "v1alpha1.acme.allshare.ltd" failed with: failed to download v1alpha1.acme.allshare.ltd: resource not found
I0516 17:43:55.463347       1 controller.go:109] OpenAPI AggregationController: action for item v1alpha1.acme.allshare.ltd: Rate Limited Requeue.
E0516 17:45:55.465650       1 controller.go:102] loading OpenAPI spec for "v1alpha1.acme.allshare.ltd" failed with: failed to download v1alpha1.acme.allshare.ltd: resource not found
I0516 17:45:55.465667       1 controller.go:109] OpenAPI AggregationController: action for item v1alpha1.acme.allshare.ltd: Rate Limited Requeue.
E0516 17:47:54.519448       1 controller.go:146] Error updating APIService "v1alpha1.acme.allshare.ltd" with err: failed to download v1alpha1.acme.allshare.ltd: resource not found
E0516 17:47:55.521869       1 controller.go:102] loading OpenAPI spec for "v1alpha1.acme.allshare.ltd" failed with: failed to download v1alpha1.acme.allshare.ltd: resource not found
I0516 17:47:55.521886       1 controller.go:109] OpenAPI AggregationController: action for item v1alpha1.acme.allshare.ltd: Rate Limited Requeue.
E0516 17:48:55.524804       1 controller.go:102] loading OpenAPI spec for "v1alpha1.acme.allshare.ltd" failed with: failed to download v1alpha1.acme.allshare.ltd: resource not found
I0516 17:48:55.524825       1 controller.go:109] OpenAPI AggregationController: action for item v1alpha1.acme.allshare.ltd: Rate Limited Requeue.
E0516 17:50:55.527847       1 controller.go:102] loading OpenAPI spec for "v1alpha1.acme.allshare.ltd" failed with: failed to download v1alpha1.acme.allshare.ltd: resource not found
I0516 17:50:55.527866       1 controller.go:109] OpenAPI AggregationController: action for item v1alpha1.acme.allshare.ltd: Rate Limited Requeue.

alidns-webhook-pod log:

I0516 17:27:49.837231       1 requestheader_controller.go:169] Starting RequestHeaderAuthRequestController
I0516 17:27:49.837296       1 shared_informer.go:240] Waiting for caches to sync for RequestHeaderAuthRequestController
I0516 17:27:49.837331       1 configmap_cafile_content.go:202] Starting client-ca::kube-system::extension-apiserver-authentication::client-ca-file
I0516 17:27:49.837339       1 shared_informer.go:240] Waiting for caches to sync for client-ca::kube-system::extension-apiserver-authentication::client-ca-file
I0516 17:27:49.837358       1 configmap_cafile_content.go:202] Starting client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file
I0516 17:27:49.837363       1 shared_informer.go:240] Waiting for caches to sync for client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file
I0516 17:27:49.838014       1 secure_serving.go:197] Serving securely on [::]:443
I0516 17:27:49.838234       1 dynamic_serving_content.go:130] Starting serving-cert::/tls/tls.crt::/tls/tls.key
I0516 17:27:49.838265       1 tlsconfig.go:240] Starting DynamicServingCertificateController
I0516 17:27:49.939226       1 shared_informer.go:247] Caches are synced for client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file 
I0516 17:27:50.037627       1 shared_informer.go:247] Caches are synced for RequestHeaderAuthRequestController 
I0516 17:27:50.037715       1 shared_informer.go:247] Caches are synced for client-ca::kube-system::extension-apiserver-authentication::client-ca-file

HOW TO FIX IT