We are using the Kubernetes cert manager, version 2.4.2, along with Let's Encrypt.

Our cert expires in the next few days, and cert-manager is unable to update.

These logs are from the cert-manager-webhook pod.

I am seeing this vague error but I am not sure where to go next for further debugging.

2023-03-15T04:43:55-04:00 I0315 08:43:55.000294       1 dynamic_source.go:169] cert-manager/webhook "msg"="Serving certificate requires renewal, regenerating"  
2023-03-15T04:43:55-04:00 I0315 08:43:55.035562       1 dynamic_source.go:267] cert-manager/webhook "msg"="Updated serving TLS certificate"  
2023-03-15T20:43:54-04:00 I0316 00:43:54.473908       1 authority.go:312] cert-manager/webhook "msg"="Root CA certificate is nearing expiry. Regenerating..."  
2023-03-15T20:43:54-04:00 I0316 00:43:54.519234       1 dynamic_source.go:160] cert-manager/webhook "msg"="Detected root CA rotation - regenerating serving certificates"  
2023-03-15T20:43:54-04:00 I0316 00:43:54.551889       1 dynamic_source.go:267] cert-manager/webhook "msg"="Updated serving TLS certificate"  
2023-03-16T06:43:57-04:00 W0316 10:43:57.028777       1 reflector.go:442] external/io_k8s_client_go/tools/cache/reflector.go:167: watch of *v1.Secret ended with: an error on the server ("unable to decode an event from the watch stream: http2: client connection lost") has prevented the request from succeeding
2023-03-20T12:43:54-04:00 I0320 16:43:54.001357       1 dynamic_source.go:169] cert-manager/webhook "msg"="Serving certificate requires renewal, regenerating"  
2023-03-20T12:43:54-04:00 I0320 16:43:54.035635       1 dynamic_source.go:267] cert-manager/webhook "msg"="Updated serving TLS certificate"

╷
│ Error: failed to create kubernetes rest client for read of resource: Get "https://localhost/api?timeout=32s": x509: certificate is valid for *.dev.tappy.stage-codal.net, dev.tappy.stage-codal.net, not localhost
│
│ with module.cert_manager.kubectl_manifest.cluster_issuer[0],
│ on .terraform/modules/cert_manager/main.tf line 42, in resource "kubectl_manifest" "cluster_issuer":
│ 42: resource "kubectl_manifest" "cluster_issuer" {
│

Working fine in local machine where kubectl, helm, kubectl config and providers are configured.

Not working in jenkins server where only kubectl command is installed.

additional_set = [
    {
      name = "global.leaderElection.namespace"
      value = module.cert_manager.namespace
    },
    {
      name = "startupapicheck.podLabels.sidecar\\.istio\\.io/inject"
      value = false
    }
  ]

Retruned error is:

Error: failed post-install: warning: Hook post-install cert-manager/templates/startupapicheck-job.yaml failed: Job in version "v1" cannot be handled as a Job: json: cannot unmarshal bool into Go struct field ObjectMeta.spec.template.metadata.labels of type string

I've tried multiple different escape sequences, none of them have worked.

I suppose it is related with escaping. And is related with following issue hashicorp/terraform-provider-helm#64

Any advice how to proceed is welcome.

I have a use case when using venafi as issuer.

My venafi is set to enforce some mandatory custom fields on each new certificate. When applying using yaml file, custom fields can be set inside metadata like this

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: cert-manager-xxxx
namespace: xxxx
annotations:
venafi.cert-manager.io/custom-fields: |-
[
]

Can we add this "custom field" feature in the module? Or can we add a way to specify a yaml file directly for certificate just like what we are doing for cluster issuer?

Thanks!

was wondering if template could be upgrades to support dns1 configs such as

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
  namespace: cert-manager
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email:  __cloudflareemail__
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - selector:
        dnsNames:
        - '*.vinsonjewellers.com'
        - vinsonjewellers.com
      dns01:
        cloudflare:
          email: __cloudflareemail__
          apiKeySecretRef:
            name: cloudflare-api-key-secret
            key: API

I'm getting this error after trying to set it up
╷
│ Error: Post "http://localhost/api/v1/namespaces": dial tcp [::1]:80: connect: connection refused
│
│ with module.cert_manager.kubernetes_namespace.cert_manager[0],
│ on .terraform/modules/cert_manager/main.tf line 1, in resource "kubernetes_namespace" "cert_manager":
│ 1: resource "kubernetes_namespace" "cert_manager" {
│
╵

my tf files look like

module "cert_manager" {
  source = "terraform-iaac/cert-manager/kubernetes"

  cluster_issuer_email = "[email protected]"

	certificates = {
		"example-cert" = {
			dns_names = ["example.com", "*.example.com"]
		}
	}
}

resource "helm_release" "ingress-nginx" {
  name             = "ingress-nginx"

  repository       = "https://kubernetes.github.io/ingress-nginx"
  chart            = "ingress-nginx"

  create_namespace = true
  namespace       = "gitlab-managed-apps"


  set {
    name  = "controller.annotations.cert-manager\\.io/cluster-issuer"
    value = module.cert_manager.cluster_issuer_name
  }
}

Am I missing anything?

The typing introduced in #25, broke the solvers configuration we have (that's working in 2.6.0)

The given value is not suitable for module.cert_manager.var.solvers declared at .terraform/modules/cert_manager/variables.tf:58,1-19: all list elements must have the same type.

Our configured solvers:

  solvers = [
    {
      dns01 = {
        cloudflare = {
          apiTokenSecretRef = {
            name = "cloudflare-api-key-secret"
            key  = "DNS_KEY"
          }
        },
      },
      selector = {
        matchLabels = {
          "use-dns01" = "cloudflare"
        }
      }
    },
    {
      http01 = {
        ingress = {
          class = "nginx"
        }
      }
    }
  ]

Hi I am getting timeout error while implementing this module error is attached below.

╷
│ Error: letsencrypt-prod failed to create kubernetes rest client for update of resource: Get "https://xxxxxx.gr7.us-east-1.eks.amazonaws.com/api?timeout=32s": dial tcp: lookup xxxxxxxxxxx.gr7.us-east-1.eks.amazonaws.com on 8.8.8.8:53: no such host
│
│ with module.cert-manager.kubectl_manifest.cluster_issuer[0],
│ on .terraform/modules/cert-manager/main.tf line 42, in resource "kubectl_manifest" "cluster_issuer":
│ 42: resource "kubectl_manifest" "cluster_issuer" {

as this is my first time implementing this a little help on how to resolve this would be appreciated.

Thanks.

Hi,

I'm trying to use the module on an existing cluster. I already have other kubernetes resources being created but I can't get this one to run.

Here's the config:

module "cert_manager" {
  source        = "terraform-iaac/cert-manager/kubernetes"
  cluster_issuer_email                   = "[email protected]"
}

Here's the error message:

 Error: Kubernetes cluster unreachable: invalid configuration: no configuration has been provided, try setting KUBERNETES_MASTER environment variable
│ 
│   with module.civo-cluster.module.cert_manager.helm_release.cert_manager,
│   on .terraform/modules/civo-cluster.cert_manager/main.tf line 10, in resource "helm_release" "cert_manager":
│   10: resource "helm_release" "cert_manager" {

Hi, I am getting the following error when creating the helm_release for the cert-manager with the ClusterIssuer in the same terraform apply because the plan fails.

I did a bit of Googling around and it seems that it's because in the plan state, the CRDs are not yet installed so the error happens.

Is this a known issue and is there a way to circumvent it?

│ Error: Failed to determine GroupVersionResource for manifest
│ 
│   with module.k8s_base.kubernetes_manifest.cluster_issuer,
│   on ../../modules/k8s_base/main.tf line 35, in resource "kubernetes_manifest" "cluster_issuer":
│   35: resource "kubernetes_manifest" "cluster_issuer" {
│ 
│ no matches for kind "ClusterIssuer" in group "cert-manager.io"

This is what I used:

module "cert_manager" {
  source        = "terraform-iaac/cert-manager/kubernetes"

  cluster_issuer_email                   = "[email protected]"
  cluster_issuer_name                    = "cert-manager-global"
  cluster_issuer_private_key_secret_name = "cert-manager-private-key"
}

This is what I got:

╷
│ Error: Kubernetes cluster unreachable: invalid configuration: no configuration has been provided, try setting KUBERNETES_MASTER environment variable
│ 
│   with module.cert_manager.helm_release.cert_manager,
│   on .terraform/modules/cert_manager/main.tf line 12, in resource "helm_release" "cert_manager":
│   12: resource "helm_release" "cert_manager" {
│ 

Did I miss a step?

hello,

I'm trying to add multiple sets, but I don't understand how it would look in HCL, it always gives me an error.

Thanks in advance.

Given recently updates here: cert-manager/cert-manager#6755

It would useful to have the preferredChain not hardcoded to ISRG Root X1 and make it optional/configurable within this module.

Hey there,

Using the module leads to this error:

module.cert_manager.helm_release.cert_manager: Creating...
╷
│ Error: failed to download "https://charts.jetstack.io/charts/cert-manager-v1.6.1.tgz" at version "1.6.1"
│ 
│   with module.cert_manager.helm_release.cert_manager,
│   on .terraform/modules/cert_manager/main.tf line 12, in resource "helm_release" "cert_manager":
│   12: resource "helm_release" "cert_manager" {

change variable chart_version from 1.6.1 to v1.6.1 in .terraform/modules/cert_manager/variables.tf seems to do the job

what could i have done?

EKS 1.20, terraform 1.0.1, kubectl 1.21

  required_providers {
    aws = {
      source = "hashicorp/aws"
    }
    kubernetes = {
      source  = "hashicorp/kubernetes"
      version = "2.6.1"
    }
    kubectl = {
      source  = "gavinbunney/kubectl"
      version = "1.13.1"
    }
  }
  required_version = ">= 1.0.1"

Thanks!

Edit: my bad, doesn't work either with v1.6.1

Hi,

I wonder if you plan to rework this module to use kubectl provider directly without helm?

I guess this should be the main point of creating a terraform module for this to have a better / fine granularity control over certman resources and avoid helm overhead.

In fact terraform does what helm does only a bit better.

Hey folks !
I have this issue with this module and a M1 MacOS when initializing terraform

Error: Incompatible provider version
 
Provider registry.terraform.io/hashicorp/template v2.2.0 does not have a package available for your current platform, darwin_arm64.
 
Provider releases are separate from Terraform CLI releases, so not all providers are available for all platforms.
Other versions of this provider may have different platforms supported.

Regarding Hashicorp's documentation, this is related to "template_file" that is deprecated, follow this link

Have you ever seen this and already consider a solution?

Thanks!

Hi there,

I have an eks-cluster deployed and upon applying this module. I receive this error:

│ Error: cert-manager failed to create kubernetes rest client for update of resource: resource [cert-manager.io/v1/ClusterIssuer] isn't valid for cluster, check the APIVersion and Kind fields are valid
│
│ with module.cert_manager.kubectl_manifest.cluster_issuer[0],
│ on .terraform/modules/cert_manager/main.tf line 42, in resource "kubectl_manifest" "cluster_issuer":
│ 42: resource "kubectl_manifest" "cluster_issuer" {

To solve the issue, I can deactivate the issuer creation cluster_issuer_create = false and apply a ClusterIssuer in a second step (due to dependency constraints, like discussed here).

Any chance that I can get this module working as planned?