codingvirtues / awspca-issuer
cert-manager for Kubernetes external issuer for AWS Private CA
License: Apache License 2.0
Within the cert-manager documentation the certificate spec states that the duration field is optional. When I was testing the pca issuer I noticed the controller crashed when I didn't specify a duration.
Sample manifest to cause the crash:

```yaml
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: bug-test
  namespace: awspca-issuer-system
spec:
  issuerRef:
    group: certmanager.awspca
    kind: AWSPCAIssuer
    name: awspca-issuer
  secretName: bug-test
  commonName: foo.com
  # DNS SAN
  dnsNames:
  - localhost
  - foo.com
  # IP Address SAN
  ipAddresses:
  - "127.0.0.1"
  # Duration of the certificate
  # Renew 1 hour before the certificate expiration
  # renewBefore: 1h
  isCA: false
```
I think this line is the cause of the crash. Would it be possible to slip in a default duration of 24 hours to prevent crashes for future users?
awspca-issuer/provisioners/awspca.go, lines 101 to 110 in b5adadf
Edited to add: I left out the stack trace, so I added it. I apologize for the log being partially cut off.
2020-10-09T20:14:42.809Z INFO controller-runtime.metrics metrics server is starting to listen {"addr": "127.0.0.1:8080"}
2020-10-09T20:14:42.893Z INFO setup starting manager
I1009 20:14:42.894315 1 leaderelection.go:242] attempting to acquire leader lease awspca-issuer-system/controller-leader-election-helper...
2020-10-09T20:14:42.894Z INFO controller-runtime.manager starting metrics server {"path": "/metrics"}
I1009 20:15:00.299854 1 leaderelection.go:252] successfully acquired lease awspca-issuer-system/controller-leader-election-helper
2020-10-09T20:15:00.299Z DEBUG controller-runtime.manager.events Normal {"object": {"kind":"ConfigMap","namespace":"awspca-issuer-system","name":"controller-leader-election-helper","uid":"2a543a93-bd67-42e1-b809-ccaf2ffa394c","apiVersion":"v1","resourceVersion":"1311092"}, "reason": "LeaderElection", "message": "awspca-issuer-controller-manager-6b58d94657-nqxcb_3693e870-ac71-493e-9eaa-41afe7c555dc became leader"}
2020-10-09T20:15:00.300Z INFO controller-runtime.controller Starting EventSource {"controller": "certificaterequest", "source": "kind source: /, Kind="}
2020-10-09T20:15:00.300Z INFO controller-runtime.controller Starting EventSource {"controller": "awspcaissuer", "source": "kind source: /, Kind="}
2020-10-09T20:15:00.400Z INFO controller-runtime.controller Starting Controller {"controller": "certificaterequest"}
2020-10-09T20:15:00.400Z INFO controller-runtime.controller Starting Controller {"controller": "awspcaissuer"}
2020-10-09T20:15:00.400Z INFO controller-runtime.controller Starting workers {"controller": "awspcaissuer", "worker count": 1}
2020-10-09T20:15:00.400Z INFO controller-runtime.controller Starting workers {"controller": "certificaterequest", "worker count": 1}
2020-10-09T20:15:00.401Z ERROR controllers.CertificateRequest failed to provisioner for AWSPCAIssuer resource {"certificaterequest": "awspca-issuer-system/serena-jks-test-dw84n", "error": "provisioner awspca-issuer-system/awspca-issuer not found"}
github.com/go-logr/zapr.(*zapLogger).Error
/Users/[redacted]/go/pkg/mod/github.com/go-logr/[email protected]/zapr.go:128
github.com/awspca-issuer/controllers.(*CertificateRequestReconciler).Reconcile
/Users/[redacted]/repos/awspca-issuer/controllers/certificaterequest_controller.go:108
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler
/Users/[redacted]/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:256
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
/Users/[redacted]/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:232
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).worker
/Users/[redacted]/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:211
k8s.io/apimachinery/pkg/util/wait.JitterUntil.func1
/Users/[redacted]/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:152
k8s.io/apimachinery/pkg/util/wait.JitterUntil
/Users/[redacted]/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:153
k8s.io/apimachinery/pkg/util/wait.Until
/Users/[redacted]/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:88
I1009 20:15:00.401315 1 conditions.go:200] Setting lastTransitionTime for CertificateRequest "serena-jks-test-dw84n" condition "Ready" to 2020-10-09 20:15:00.4013063 +0000 UTC m=+18.716761101
2020-10-09T20:15:00.402Z DEBUG controller-runtime.manager.events Warning {"object": {"kind":"CertificateRequest","namespace":"awspca-issuer-system","name":"serena-jks-test-dw84n","uid":"f124c674-17bf-4828-9565-e36234fd3caf","apiVersion":"cert-manager.io/v1alpha2","resourceVersion":"1311018"}, "reason": "Pending", "message": "Failed to load provisioner for AWSPCAIssuer resource awspca-issuer-system/awspca-issuer"}
2020-10-09T20:15:00.595Z ERROR controller-runtime.controller Reconciler error {"controller": "certificaterequest", "request": "awspca-issuer-system/serena-jks-test-dw84n", "error": "provisioner awspca-issuer-system/awspca-issuer not found"}
github.com/go-logr/zapr.(*zapLogger).Error
/Users/[redacted]/go/pkg/mod/github.com/go-logr/[email protected]/zapr.go:128
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler
/Users/[redacted]/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:258
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
/Users/[redacted]/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:232
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).worker
/Users/[redacted]/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:211
k8s.io/apimachinery/pkg/util/wait.JitterUntil.func1
/Users/[redacted]/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:152
k8s.io/apimachinery/pkg/util/wait.JitterUntil
/Users/[redacted]/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:153
k8s.io/apimachinery/pkg/util/wait.Until
/Users/[redacted]/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:88
2020-10-09T20:15:01.001Z DEBUG controller-runtime.manager.events Normal {"object": {"kind":"AWSPCAIssuer","namespace":"awspca-issuer-system","name":"awspca-issuer","uid":"989c4d9e-4206-4bc2-af0b-8483dd6c5c32","apiVersion":"certmanager.awspca/v1alpha2","resourceVersion":"586343"}, "reason": "Verified", "message": "AWSPCAIssuer verified and ready to sign certificates"}
2020-10-09T20:15:01.014Z DEBUG controller-runtime.controller Successfully Reconciled {"controller": "awspcaissuer", "request": "awspca-issuer-system/awspca-issuer"}
I1009 20:15:05.464122 1 conditions.go:189] Found status change for CertificateRequest "serena-jks-test-dw84n" condition "Ready": "False" -> "True"; setting lastTransitionTime to 2020-10-09 20:15:05.4641086 +0000 UTC m=+23.779563401
2020-10-09T20:15:05.464Z DEBUG controller-runtime.manager.events Normal {"object": {"kind":"CertificateRequest","namespace":"awspca-issuer-system","name":"serena-jks-test-dw84n","uid":"f124c674-17bf-4828-9565-e36234fd3caf","apiVersion":"cert-manager.io/v1alpha2","resourceVersion":"1311097"}, "reason": "Issued", "message": "Certificate issued"}
2020-10-09T20:15:05.599Z DEBUG controller-runtime.controller Successfully Reconciled {"controller": "certificaterequest", "request": "awspca-issuer-system/serena-jks-test-dw84n"}
2020-10-09T20:15:05.614Z DEBUG controller-runtime.controller Successfully Reconciled {"controller": "certificaterequest", "request": "awspca-issuer-system/serena-jks-test-dw84n"}
2020-10-09T20:19:00.651Z DEBUG controller-runtime.controller Successfully Reconciled {"controller": "certificaterequest", "request": "awspca-issuer-system/serena-jks-test-dw84n"}
I1009 20:19:12.906657 1 conditions.go:200] Setting lastTransitionTime for CertificateRequest "serena-jks-test-vkcmc" condition "Ready" to 2020-10-09 20:19:12.9066441 +0000 UTC m=+271.222098901
2020-10-09T20:19:12.907Z DEBUG controller-runtime.manager.events Normal {"object": {"kind":"CertificateRequest","namespace":"awspca-issuer-system","name":"serena-jks-test-vkcmc","uid":"c4222d26-66aa-43e7-b410-daeeed4a9b03","apiVersion":"cert-manager.io/v1alpha2","resourceVersion":"1312140"}, "reason": "Issued", "message": "Certificate issued"}
2020-10-09T20:19:13.026Z DEBUG controller-runtime.controller Successfully Reconciled {"controller": "certificaterequest", "request": "awspca-issuer-system/serena-jks-test-vkcmc"}
2020-10-09T20:19:13.031Z DEBUG controller-runtime.controller Successfully Reconciled {"controller": "certificaterequest", "request": "aw
E1009 20:20:42.687084 1 runtime.go:78] Observed a panic: "invalid memory address or nil pointer dereference" (runtime error: invalid memory address or nil pointer dereference)
goroutine 274 [running]:
k8s.io/apimachinery/pkg/util/runtime.logPanic(0x1572e60, 0x220f470)
/Users/[redacted]/go/pkg/mod/k8s.io/[email protected]/pkg/util/runtime/runtime.go:74 +0xa6
k8s.io/apimachinery/pkg/util/runtime.HandleCrash(0x0, 0x0, 0x0)
/Users/[redacted]/go/pkg/mod/k8s.io/[email protected]/pkg/util/runtime/runtime.go:48 +0x89
panic(0x1572e60, 0x220f470)
/usr/local/Cellar/go/1.15/libexec/src/runtime/panic.go:969 +0x175
github.com/awspca-issuer/provisioners.(*AWSPCAProvisioner).Sign(0xc00065cb00, 0x1926440, 0xc000048210, 0xc00038c5a0, 0xc00065cb00, 0x1, 0x0, 0x0, 0xc000386da0, 0x14, ...)
/Users/[redacted]/repos/awspca-issuer/provisioners/awspca.go:107 +0x569
github.com/awspca-issuer/controllers.(*CertificateRequestReconciler).Reconcile(0xc00045fe90, 0xc000af50a0, 0x14, 0xc000af5080, 0x15, 0x540d64c179, 0xc00013d8c0, 0xc000678248, 0xc000678240)
/Users/[redacted]/repos/awspca-issuer/controllers/certificaterequest_controller.go:114 +0x70e
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler(0xc0002749c0, 0x15c3e40, 0xc000cd74c0, 0x0)
/Users/[redacted]/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:256 +0x166
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem(0xc0002749c0, 0xc000624400)
/Users/[redacted]/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:232 +0xb0
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).worker(0xc0002749c0)
/Users/[redacted]/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:211 +0x2b
k8s.io/apimachinery/pkg/util/wait.JitterUntil.func1(0xc0003d0750)
/Users/[redacted]/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:152 +0x5f
k8s.io/apimachinery/pkg/util/wait.JitterUntil(0xc0003d0750, 0x3b9aca00, 0x0, 0x1, 0xc0000461e0)
/Users/[redacted]/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:153 +0x105
k8s.io/apimachinery/pkg/util/wait.Until(0xc0003d0750, 0x3b9aca00, 0xc0000461e0)
/Users/[redacted]/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:88 +0x4d
created by sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func1
/Users/[redacted]/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:193 +0x32d
panic: runtime error: invalid memory address or nil pointer dereference [recovered]
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0xcabe89]
goroutine 274 [running]:
k8s.io/apimachinery/pkg/util/runtime.HandleCrash(0x0, 0x0, 0x0)
/Users/[redacted]/go/pkg/mod/k8s.io/[email protected]/pkg/util/runtime/runtime.go:55 +0x10c
panic(0x1572e60, 0x220f470)
/usr/local/Cellar/go/1.15/libexec/src/runtime/panic.go:969 +0x175
github.com/awspca-issuer/provisioners.(*AWSPCAProvisioner).Sign(0xc00065cb00, 0x1926440, 0xc000048210, 0xc00038c5a0, 0xc00065cb00, 0x1, 0x0, 0x0, 0xc000386da0, 0x14, ...)
/Users/[redacted]/repos/awspca-issuer/provisioners/awspca.go:107 +0x569
github.com/awspca-issuer/controllers.(*CertificateRequestReconciler).Reconcile(0xc00045fe90, 0xc000af50a0, 0x14, 0xc000af5080, 0x15, 0x540d64c179, 0xc00013d8c0, 0xc000678248, 0xc000678240)
/Users/[redacted]/repos/awspca-issuer/controllers/certificaterequest_controller.go:114 +0x70e
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler(0xc0002749c0, 0x15c3e40, 0xc000cd74c0, 0x0)
/Users/[redacted]/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:256 +0x166
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem(0xc0002749c0, 0xc000624400)
/Users/[redacted]/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:232 +0xb0
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).worker(0xc0002749c0)
/Users/[redacted]/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:211 +0x2b
k8s.io/apimachinery/pkg/util/wait.JitterUntil.func1(0xc0003d0750)
/Users/[redacted]/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:152 +0x5f
k8s.io/apimachinery/pkg/util/wait.JitterUntil(0xc0003d0750, 0x3b9aca00, 0x0, 0x1, 0xc0000461e0)
/Users/[redacted]/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:153 +0x105
k8s.io/apimachinery/pkg/util/wait.Until(0xc0003d0750, 0x3b9aca00, 0xc0000461e0)
/Users/[redacted]/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:88 +0x4d
created by sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func1
/Users/[redacted]/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:193 +0x32d
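The panic above is reported at `awspca.go:107` inside `Sign`, and the report attributes it to `spec.duration` being absent, which cert-manager documents as optional (its `CertificateRequestSpec.Duration` is a pointer). The following is an added example, not code from the awspca-issuer project, of the nil-safe lookup with the 24-hour default the issue proposes. The cert-manager types are modelled with `*time.Duration` instead of `*metav1.Duration` so the block builds with the standard library only, and the `Validity` struct is this example's own stand-in for the ACM PCA validity parameter (unit type plus value); the rounding-up of sub-day durations to one day is an assumption about how the provisioner should map a duration onto a `DAYS` validity.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Stand-ins for the cert-manager types the controller receives. cert-manager's
// CertificateRequestSpec.Duration is a *metav1.Duration; it is modelled here as
// *time.Duration so the example builds with the standard library alone.
type CertificateRequestSpec struct {
	Duration *time.Duration // nil when the Certificate omits spec.duration
}

type CertificateRequest struct {
	Spec CertificateRequestSpec
}

// Validity mirrors the shape of the ACM PCA IssueCertificate validity parameter
// (a unit type plus a value); the field names are this example's own.
type Validity struct {
	Type  string
	Value int64
}

// defaultValidity is the 24-hour fallback proposed in the issue.
const defaultValidity = 24 * time.Hour

// requestedValidity is the nil-safe replacement for dereferencing
// cr.Spec.Duration directly: absent means "use the default", present must be positive.
func requestedValidity(cr *CertificateRequest) (time.Duration, error) {
	if cr == nil {
		return 0, errors.New("nil CertificateRequest")
	}
	if cr.Spec.Duration == nil {
		return defaultValidity, nil
	}
	d := *cr.Spec.Duration
	if d <= 0 {
		return 0, fmt.Errorf("spec.duration %s must be positive", d)
	}
	return d, nil
}

// pcaValidity expresses the duration in whole days, rounding up so that a short
// duration such as 1h becomes a 1-day validity rather than a zero-day value the
// CA would reject. (Assumption: the provisioner issues with a DAYS validity.)
func pcaValidity(d time.Duration) Validity {
	const day = 24 * time.Hour
	days := int64(d / day)
	if d%day != 0 {
		days++
	}
	if days < 1 {
		days = 1
	}
	return Validity{Type: "DAYS", Value: days}
}

func main() {
	// Constructed inputs: the bug-test manifest (no duration) and a 90-day request.
	noDuration := &CertificateRequest{}
	ninety := 2160 * time.Hour
	withDuration := &CertificateRequest{Spec: CertificateRequestSpec{Duration: &ninety}}

	for _, cr := range []*CertificateRequest{noDuration, withDuration} {
		d, err := requestedValidity(cr)
		if err != nil {
			fmt.Println("reject:", err)
			continue
		}
		fmt.Printf("duration %s -> %+v\n", d, pcaValidity(d))
	}
}
```

Returning an error for a non-positive duration rather than silently substituting the default keeps a misconfigured `Certificate` visible on the `CertificateRequest` status instead of producing a certificate whose lifetime nobody asked for.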
The promise of this project is great, but it seems like it's been dropped by the developer. The developer is not even an active team member at this point. I am opening up this discussion PR to see if we should try to take this project over in another repository somewhere.
It looks like the CA was originally captured and returned when getting a signed certificate, but was commented out. I looked at the history, and this is from the initial commit. Why isn't the CA returned in this method?
The current implementation (since 6629878) requires the controller to get its credentials from a Secret object. Can you make that conditional, only if the secret is defined, and support the default credential chain? This will allow operators to use standard means like IAM Roles for Service Accounts or secrets exposed as a pod's environment variables. The SDK region should be inferred from the standard configuration points too (env var/config file/IMDS).
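The request above is for the Secret to become optional: static keys only when a Secret is referenced, otherwise the SDK default credential chain (environment, shared config, IRSA web identity, IMDS), with the region inferred the same way. The following is an added example, not the project's code, of that resolution step written against the standard library only. The `IssuerSpec` and `SecretRef` field names and the Secret data keys `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` are assumptions for the example; the resulting `AWSConfig` is what the provisioner would translate into static credentials for the SDK when set, or leave to the SDK's own chain when `UseDefaultChain` is true.

```go
package main

import (
	"errors"
	"fmt"
	"os"
)

// Hypothetical issuer spec fields modelled on the request: SecretRef is optional,
// and when it is absent the AWS SDK default credential chain is used.
type SecretRef struct {
	Name string
}

type IssuerSpec struct {
	Region    string     // optional; empty means "infer from the environment"
	SecretRef *SecretRef // optional
}

// AWSConfig is what the provisioner would hand to the SDK. Static credentials are
// populated only when a Secret was referenced; otherwise UseDefaultChain tells the
// caller to let the SDK resolve credentials itself (env vars, shared config,
// IRSA web identity, IMDS).
type AWSConfig struct {
	Region          string
	UseDefaultChain bool
	AccessKeyID     string
	SecretAccessKey string
}

// resolveAWSConfig picks the credential source and region. secretData is the
// decoded data of the referenced Secret (nil when none is referenced or it was not
// found); getenv is injected so the lookup can be tested without the process env.
func resolveAWSConfig(spec IssuerSpec, secretData map[string][]byte, getenv func(string) string) (AWSConfig, error) {
	cfg := AWSConfig{Region: spec.Region}
	if cfg.Region == "" {
		// Same precedence the SDK applies to the environment; shared config and
		// IMDS are left to the SDK, so an empty region here is not an error.
		for _, k := range []string{"AWS_REGION", "AWS_DEFAULT_REGION"} {
			if v := getenv(k); v != "" {
				cfg.Region = v
				break
			}
		}
	}

	if spec.SecretRef == nil {
		cfg.UseDefaultChain = true
		return cfg, nil
	}
	if secretData == nil {
		return AWSConfig{}, fmt.Errorf("secret %q referenced but not found", spec.SecretRef.Name)
	}
	id, okID := secretData["AWS_ACCESS_KEY_ID"]         // assumed key name
	key, okKey := secretData["AWS_SECRET_ACCESS_KEY"]  // assumed key name
	if !okID || !okKey || len(id) == 0 || len(key) == 0 {
		// Fail closed: an explicitly referenced but incomplete Secret must not
		// silently fall through to whatever ambient credentials the pod has.
		return AWSConfig{}, errors.New("secret is missing AWS_ACCESS_KEY_ID or AWS_SECRET_ACCESS_KEY")
	}
	cfg.AccessKeyID = string(id)
	cfg.SecretAccessKey = string(key)
	return cfg, nil
}

func main() {
	// Constructed inputs: an issuer with no secretRef (IRSA / default chain) and
	// one that references a Secret holding static keys.
	viaChain, err := resolveAWSConfig(IssuerSpec{}, nil, os.Getenv)
	fmt.Printf("no secretRef: defaultChain=%t region=%q err=%v\n", viaChain.UseDefaultChain, viaChain.Region, err)

	static, err := resolveAWSConfig(
		IssuerSpec{Region: "us-west-2", SecretRef: &SecretRef{Name: "awspca-creds"}},
		map[string][]byte{"AWS_ACCESS_KEY_ID": []byte("AKIAEXAMPLE"), "AWS_SECRET_ACCESS_KEY": []byte("constructed")},
		os.Getenv)
	fmt.Printf("secretRef: region=%s staticCreds=%t err=%v\n", static.Region, static.AccessKeyID != "", err)
}
```

The important property is the asymmetry: a missing `secretRef` is a deliberate choice to use the default chain, whereas a present but unusable `secretRef` is a configuration error that must surface on the issuer status rather than degrade into using whatever credentials the controller pod happens to have.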
It would be really nice to not have to reference a secret to set non-secret values such as the Cert ARN in the provisioner, and just directly state that value.