Comments (6)

olivierboudet commented on July 16, 2024

It should not be necessary. Do you have an error?

from cert-manager-alidns-webhook.

ben-wangz commented on July 16, 2024

Yes, there will be an error if the issuer and alidns-webhook are not in the same namespace.
You may replay it according to the commands below. And pay attention to:
1. alidns-webhook tries to read the secret in the namespace of test: load secret "test/alidns-webhook-secrets"
2. The same secret was added to both namespace basic-components-plus and namespace test. It cannot be loaded because of the permissions.

[root@node-01 ~]# cat alidns.webhook.values.yaml
image:
  repository: localhost:5000/ghcr.io/devmachine-fr/cert-manager-alidns-webhook/cert-manager-alidns-webhook
  tag: 0.2.0
  pullPolicy: IfNotPresent
  privateRegistry:
    enabled: false
    dockerRegistrySecret: alibaba-container-registry
certManager:
  namespace: basic-components
  serviceAccountName: my-cert-manager
groupName: acme.geekcity.tech
[root@node-01 ~]# kubectl -n test get secret
NAME                     TYPE                                  DATA   AGE
alidns-webhook-secrets   Opaque                                2      47s
default-token-mfmlc      kubernetes.io/service-account-token   3      49s
[root@node-01 ~]# kubectl -n basic-components-plus get secret
NAME                                      TYPE                                  DATA   AGE
alidns-webhook-secrets                    Opaque                                2      82s
default-token-nxtcc                       kubernetes.io/service-account-token   3      104s
my-alidns-webhook-ca                      kubernetes.io/tls                     3      39s
my-alidns-webhook-token-95rb6             kubernetes.io/service-account-token   3      40s
my-alidns-webhook-webhook-tls             kubernetes.io/tls                     3      35s
sh.helm.release.v1.my-alidns-webhook.v1   helm.sh/release.v1                    1      40s
[root@node-01 ~]# cat alidns.webhook.staging.issuer.yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: alidns-webhook-letsencrypt
spec:
  acme:
    email: [email protected]
    privateKeySecretRef:
      name: alidns-webhook-letsencrypt
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    solvers:
      - dns01:
          webhook:
            config:
              accessTokenSecretRef:
                key: access-token
                name: alidns-webhook-secrets
              regionId: cn-beijing
              secretKeySecretRef:
                key: secret-key
                name: alidns-webhook-secrets
            groupName: acme.geekcity.tech
            solverName: alidns-solver
[root@node-01 ~]# cat test.certificate.yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: cm-plus-test
spec:
  secretName: cm-plus.test.geekcity.tech-tls
  dnsNames:
    - cm-plus.test.geekcity.tech
  issuerRef:
    name: alidns-webhook-letsencrypt
    kind: Issuer
    group: cert-manager.io
[root@node-01 ~]# kubectl -n test apply -f alidns.webhook.staging.issuer.yaml
issuer.cert-manager.io/alidns-webhook-letsencrypt created
[root@node-01 ~]# kubectl -n test apply -f test.certificate.yaml
certificate.cert-manager.io/cm-plus-test created
...(just after a few seconds)
[root@node-01 ~]# kubectl -n test describe Challenge cm-plus-test-5jmq6-975627868-3544924144
...
Events:
  Type     Reason        Age                From          Message
  ----     ------        ----               ----          -------
  Normal   Started       57s                cert-manager  Challenge scheduled for processing
  Warning  PresentError  31s (x4 over 56s)  cert-manager  Error presenting challenge: failed to load secret "test/alidns-webhook-secrets": secrets "alidns-webhook-secrets" is forbidden: User "system:serviceaccount:basic-components-plus:my-alidns-webhook" cannot get resource "secrets" in API group "" in the namespace "test"

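The denial in the Challenge event above names everything needed to scope a grant: the service account, the verb, the resource and the namespace. The following is an added example, not part of the original thread and not the project's fix: it parses that message and builds a Role and RoleBinding limited to `get` on the one named secret. The `webhook-read` name prefix and the function names are hypothetical.

```python
import json
import re

# Shape of the API server's RBAC denial, as quoted in the Challenge event above.
DENIAL = re.compile(
    r'(?P<resource>[a-z]+) "(?P<name>[^"]+)" is forbidden: '
    r'User "system:serviceaccount:(?P<sa_ns>[^:"]+):(?P<sa>[^"]+)" '
    r'cannot (?P<verb>[a-z]+) resource "(?P=resource)" '
    r'in API group "(?P<group>[^"]*)" in the namespace "(?P<ns>[^"]+)"'
)

def parse_denial(message):
    """Return the fields of an RBAC denial, or None if the message is something else."""
    m = DENIAL.search(message)
    return m.groupdict() if m else None

def least_privilege_grant(d, prefix="webhook-read"):
    """Build a Role and RoleBinding allowing only the denied verb on the one named object."""
    name = f"{prefix}-{d['name']}"  # hypothetical naming scheme
    role = {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "Role",
        "metadata": {"name": name, "namespace": d["ns"]},
        "rules": [{
            "apiGroups": [d["group"]],
            "resources": [d["resource"]],
            "resourceNames": [d["name"]],  # one secret, not every secret in the namespace
            "verbs": [d["verb"]],
        }],
    }
    binding = {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "RoleBinding",
        "metadata": {"name": name, "namespace": d["ns"]},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": name},
        "subjects": [{"kind": "ServiceAccount", "name": d["sa"], "namespace": d["sa_ns"]}],
    }
    return {"apiVersion": "v1", "kind": "List", "items": [role, binding]}

# Event message copied from the `kubectl describe Challenge` output in the comment above.
EVENT = ('Error presenting challenge: failed to load secret "test/alidns-webhook-secrets": '
         'secrets "alidns-webhook-secrets" is forbidden: User '
         '"system:serviceaccount:basic-components-plus:my-alidns-webhook" cannot get '
         'resource "secrets" in API group "" in the namespace "test"')

if __name__ == "__main__":
    print(json.dumps(least_privilege_grant(parse_denial(EVENT)), indent=2))
```

The printed JSON can be reviewed and then applied with `kubectl apply -f -`; a grant like this is needed in each namespace that holds an Issuer and its credentials secret.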

olivierboudet commented on July 16, 2024

I assume it is because the issuer and the alidns-webhook-secrets are not in the same namespace.
Could you try to create the secret in the test namespace?


ben-wangz commented on July 16, 2024

Yes, that was a problem. And in the previous case I showed, another secret is created in the test namespace.


olivierboudet commented on July 16, 2024

Oh OK, I did not see it. Thank you, I will try to fix this ASAP.


olivierboudet commented on July 16, 2024

Could you try version 0.6.1?
