
Let's Encrypt ACME Webhook for the Open Telekom Cloud DNS (OTCDNS)

This project provides a cert-manager webhook for the Open Telekom Cloud (OTC) DNS.

This webhook is available on GitHub hpi-schul-cloud / infra-otc-cert-manager-webhook. It is written in Go and uses the Go API of the OTC gophertelekomcloud. The gophertelekomcloud is part of the Open Telekom Cloud (T-Systems, Deutsche Telekom) project available on GitHub https://github.com/opentelekomcloud.

Requirements

Configuration

The Helm chart for this project is located in the deploy/infra-otc-cert-manager-webhook directory.

The following table lists the configurable parameters of the infra-otc-cert-manager-webhook chart and their default values.

Parameter | Description | Default
--- | --- | ---
groupName | The groupName is used to identify your company or business unit that created this webhook. For example, this may be "acme.mycompany.com". This name will need to be referenced in each Issuer's webhook stanza to inform cert-manager of where to send ChallengePayload resources in order to solve the DNS01 challenge. This group name should be unique, hence using your own company's domain here is recommended. | infra-otc-cert-manager-webhook.hpi-schul-cloud.github.com
credentialsSecretRef | The name of the secret where the credentials to access the OTCDNS are stored. | otcdns-credentials
certManager.namespace | Namespace where cert-manager is deployed to. | cert-manager
certManager.serviceAccountName | Service account of the cert-manager installation. | cert-manager
image.repository | Image repository | schulcloud/infra-otc-cert-manager-webhook
image.tag | Image tag | sha-6e4a13b
image.pullPolicy | Image pull policy | IfNotPresent
nameOverride | Override for the chart name | ``
fullnameOverride | Override for the full name of the chart | ``
loglevel | Number for the log level verbosity of the webhook. | 2
service.type | API service type | ClusterIP
service.port | API service port | 443
resources | CPU/memory resource requests/limits | {}
nodeSelector | Node labels for pod assignment | {}
affinity | Node affinity for pod assignment | {}
tolerations | Node tolerations for pod assignment | []

Installation

cert-manager

Follow the instructions using the cert-manager documentation to install it within your cluster.

OTC Credentials

To access the OTC IAM and OTC DNS, an access key and a secret key (AK/SK) are needed. See Automating the Open Telekom Cloud with APIs, chapter API authentication. The webhook reads this key pair to get access to the OTC. The user that owns the key must have permissions to create and read DNS records.

An example file is provided in _examples/secret-otcdns-credentials.yaml:

apiVersion: v1
kind: Secret
metadata:
  name: otcdns-credentials
  namespace: cert-manager
type: Opaque
data:
  accessKey: "[OTCDNS ACCESSKEY BASE64]"
  secretKey: "[OTCDNS SECRETKEY BASE64]"

  • Copy the example to another directory, preferably one ignored by Git (e.g. "testdata").
  • Replace the placeholders with the base64 encoded values of your OTC access key and secret key.
  • Apply the secret-otcdns-credentials.yaml to your Kubernetes installation:

kubectl apply -f secret-otcdns-credentials.yaml

Webhook

Install the webhook

helm repo add otcdnswebhook https://hpi-schul-cloud.github.io/infra-otc-cert-manager-webhook/
helm repo update
helm install --namespace cert-manager otcdns-release otcdnswebhook/infra-otc-cert-manager-webhook

To uninstall run

helm uninstall --namespace cert-manager otcdns-release

Issuer

When the cert-manager finds an Ingress annotation or Certificate resource it can handle, it starts the issuing process. Multiple issuers can coexist and each issuer can have multiple solvers that help to solve the challenges. This OTCDNS webhook can be configured as a solver in a ClusterIssuer or Issuer resource. For more information, see Issuing an ACME certificate using DNS validation.

Example files are provided in _examples/clusterissuer-solver-dns01-webhook.yaml and _examples/clusterissuer-staging-solver-dns01-webhook.yaml.

This is an example for Let's Encrypt staging:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: sc-cert-manager-clusterissuer-letsencrypt-staging-otcdns
spec:
  acme:
    # The ACME server URL
    server: https://acme-staging-v02.api.letsencrypt.org/directory

    # Email address used for ACME registration
    email: [email protected] # REPLACE THIS WITH YOUR EMAIL!!!

    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-staging-otcdms

    solvers:
      - dns01:
          webhook:
            groupName: infra-otc-cert-manager-webhook.hpi-schul-cloud.github.com
            solverName: otcdns
            config:
              authURL: "https://iam.eu-de.otc.t-systems.com:443/v3"
              region: "eu-de"
              
              # Only for local testing, if no secrets are available.
              # accessKey: ACCESSKEY
              # secretKey: SECRETKEY

              accessKeySecretRef:
                name: otcdns-credentials
                key: accessKey
              secretKeySecretRef:
                name: otcdns-credentials
                key: secretKey

The groupName must match the groupName in the Helm chart configuration. The default value is set here and should usually be fine.

The commented-out accessKey and secretKey entries are for local testing only. They must be removed when the configuration is used on Kubernetes.

accessKeySecretRef.name and secretKeySecretRef.name point to the secret created above. This will give the webhook access to the OTC API.

The cert-manager can now identify the installed OTCDNS webhook and forward the selected solver configuration to it.

Create a certificate

To trigger the certificate creation you can either (a) create a Certificate resource or (b) add an Ingress annotation for the cert-manager. We use method (a) here.

Example Certificate resources can be found in _examples/wildcard-certificate-examplesubdomain.yaml and _examples/wildcard-certificate-staging-examplesubdomain.yaml.

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-certificate-staging-examplesubdomain
  namespace: examplesubdomain
spec:
  # commonName: *.examplesubdomain.example.com
  dnsNames:
  - '*.examplesubdomain.example.com'
  - '*.dev.examplesubdomain.example.com'
  issuerRef:
    kind: ClusterIssuer
    name: sc-cert-manager-clusterissuer-letsencrypt-staging-otcdns
  secretName: wildcard-certificate-staging-examplesubdomain-tls

The dnsNames will appear as the common name (the first one) and as subject alternative names in the issued certificate. You must be the legitimate owner of the domain.

The issuerRef.name must match the Issuer you want to use (see above).

The secretName is the name of the secret where the certificate given by the issuer is finally stored. This is the secret that must be configured in the Ingress of your application as tls.secretName, if you want to use the certificate.

  • Create the certificate yaml and upload it to Kubernetes

The cert-manager will detect it and start the issuing process. See Troubleshooting a failed certificate request to see how to track its state in detail.

Development

Requirements

  • go >= 1.13.0

Configure the tests

clouds.yaml

There is an example clouds.yaml configuration in _examples/clouds.yaml. The clouds.yaml is part of the Openstack Telekom configuration.

  • Copy it to ~/.config/openstack/
  • Add the OTC credentials you want to use for testing.

There are tests that have no credential input parameters. These use the local clouds.yaml config (EnvOS). E.g. all tests that call NewDNSV2Client behave that way.

config.json

There is an example config.json in _examples/config.json

Note that the ...SecretRef entries cannot be used in a local context. For local tests use "accessKey" and "secretKey". In Kubernetes use the "...SecretRef" entries.

The config.json is used in tests that have credentials as input parameters. E.g. all tests that call NewDNSV2ClientWithAuth and especially the conformance test in main_test.go.
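The Issuer section and the config.json note above both state the same rule: inline accessKey/secretKey are for local tests only, and in Kubernetes the ...SecretRef entries must be used. The following Go sketch is an added example, not the project's own code, of how a webhook could enforce that rule; SolverConfig, SecretLookup, resolveOne, ResolveCredentials and MapLookup are hypothetical names, and the secret data and config strings are constructed from the README examples. The reason the rule matters in-cluster is visible in the issue report further down: cert-manager copies the solver config into every Challenge object, so inline keys would end up readable wherever Challenges are.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// SecretRef mirrors the accessKeySecretRef / secretKeySecretRef entries of the
// ClusterIssuer example; SolverConfig is a hypothetical model of its config
// stanza (field names assumed; the project's own struct may differ).
type SecretRef struct {
	Name string `json:"name"`
	Key  string `json:"key"`
}
type SolverConfig struct {
	AuthURL            string     `json:"authURL"`
	Region             string     `json:"region"`
	AccessKey          string     `json:"accessKey,omitempty"`
	SecretKey          string     `json:"secretKey,omitempty"`
	AccessKeySecretRef *SecretRef `json:"accessKeySecretRef,omitempty"`
	SecretKeySecretRef *SecretRef `json:"secretKeySecretRef,omitempty"`
}

// SecretLookup reads one key of a Secret in the cert-manager namespace
// (hypothetical; a real webhook would use client-go here).
type SecretLookup func(name, key string) (string, error)

// resolveOne prefers the SecretRef and accepts an inline value only when allowInline
// is set: cert-manager copies the solver config verbatim into every Challenge object.
func resolveOne(inline string, ref *SecretRef, field string, lookup SecretLookup, allowInline bool) (string, error) {
	switch {
	case ref != nil:
		if ref.Name == "" || ref.Key == "" {
			return "", fmt.Errorf("%sSecretRef needs both name and key", field)
		}
		return lookup(ref.Name, ref.Key)
	case inline != "":
		if !allowInline {
			return "", fmt.Errorf("inline %s is only allowed for local testing", field)
		}
		return inline, nil
	default:
		return "", fmt.Errorf("no %s configured", field)
	}
}

// ResolveCredentials parses the raw JSON config and returns the AK/SK pair.
func ResolveCredentials(raw []byte, lookup SecretLookup, allowInline bool) (ak, sk string, err error) {
	var cfg SolverConfig
	if err = json.Unmarshal(raw, &cfg); err != nil {
		return "", "", fmt.Errorf("invalid solver config: %w", err)
	}
	if ak, err = resolveOne(cfg.AccessKey, cfg.AccessKeySecretRef, "accessKey", lookup, allowInline); err != nil {
		return "", "", err
	}
	if sk, err = resolveOne(cfg.SecretKey, cfg.SecretKeySecretRef, "secretKey", lookup, allowInline); err != nil {
		return "", "", err
	}
	return ak, sk, nil
}

// MapLookup serves constructed sample data standing in for otcdns-credentials.
func MapLookup(name, key string) (string, error) {
	store := map[string]map[string]string{
		"otcdns-credentials": {"accessKey": "AK-CONSTRUCTED", "secretKey": "SK-CONSTRUCTED"},
	}
	if v, ok := store[name][key]; ok {
		return v, nil
	}
	return "", fmt.Errorf("secret %s/%s not found", name, key)
}

// ClusterConfigJSON is the in-cluster form, LocalConfigJSON the local-test form.
const ClusterConfigJSON = `{"authURL":"https://iam.eu-de.otc.t-systems.com:443/v3","region":"eu-de",
 "accessKeySecretRef":{"name":"otcdns-credentials","key":"accessKey"},"secretKeySecretRef":{"name":"otcdns-credentials","key":"secretKey"}}`
const LocalConfigJSON = `{"region":"eu-de","accessKey":"AK-INLINE","secretKey":"SK-INLINE"}`
func main() {
	ak, _, err := ResolveCredentials([]byte(ClusterConfigJSON), MapLookup, false)
	fmt.Println(ak, err)
}
```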

Run the tests

Makefile

Run "make" to download kubebuilder into _test/kubebuilder/bin and to run the main testsuite.

make

When the credentials are configured as described above, the tests should succeed immediately.

The tests you just ran using the makefile are described in the next two chapters.

Optional: Run "make rendered-manifest.yaml" to render the Helm chart into the "_out" directory. This gives you an impression of the resulting Kubernetes configuration.

Optional: Run "make build" to locally build the Docker container.

Note that a docker image of the Webhook application is not needed for running tests. The source code is sufficient.

OTC DNS Client Tests

The test functionality concerning the OTC API is in otcdns/client_test.go.

As of today a valid OTC setup is needed. This means you need a local ~/.config/openstack/clouds.yaml. The clouds.yaml must contain the profiles "otcaksk" and "otcuser" (see config.go > otcProfileName). More details can be found in Telekom - Open Telekom Cloud extensions Python configuration. There is an example clouds.yaml at _examples/clouds.yaml.

To run all OTC DNS Client tests from the command line:

cd otcdns
go test -v .

Cert-Manager Solver Tests

The solver tests are located in main_test.go.

The solver tests rely on the kubebuilder binaries. They are installed by the first target in the Makefile.

  • cd into the main project directory (where the Makefile is) and run make:

make

This installs the kubebuilder test environment and runs the cert-manager solver test suite within it.

If the kubebuilder is already installed, you can run

go test -v .

instead.

Contributors

markusbartels

Issues

ACME Challenge failed in OTC due to forbidden resource creation otcdns

I followed your instructions but the ACME challenge failed: Error presenting challenge: otcdns.xxx-development.otc-cert-manager-webhook is forbidden: User "system:serviceaccount:xxx-certmanager:certmanager-cert-manager-controller" cannot create resource "otcdns" in API group "xxx-development.otc-cert-manager-webhook" at the cluster scope

I have no idea; this is what I have done for troubleshooting:

(a) Setup: values.yaml

infra-otc-cert-manager-webhook:
  groupName: xxx-development.otc-cert-manager-webhook
  cert-manager:
    namespace: xxx-certmanager
    serviceAccountName: certmanager-cert-manager-webhook 
  image:
    repository: swr.eu-de.otc.t-systems.com/xxxxx-development/infra-otc-cert-manager-webhook
    tag: latest
    pullSecret: secretregistryotc

(b) Cluster issuer (Credentials secrets are existing too)

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: xxx-certmanager-clusterissuer-letsencrypt-staging-otcdns
spec:
  acme:
    # The ACME server URL
    server: https://acme-staging-v02.api.letsencrypt.org/directory

    # Email address used for ACME registration
    email: [email protected] # REPLACE THIS WITH YOUR EMAIL!!!

    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-staging-otcdms

    solvers:
      - dns01:
          webhook:
            groupName: xxx-development.otc-cert-manager-webhook
            solverName: otcdns
            config:
              authURL: "https://iam.eu-de.otc.t-systems.com:443/v3"
              region: "eu-de"
              
              # Only for local testing, if no secrets are available.
              # accessKey: ACCESSKEY
              # secretKey: SECRETKEY

              accessKeySecretRef:
                name: otcdns-credentials
                key: accessKey
              secretKeySecretRef:
                name: otcdns-credentials
                key: secretKey

(c) Ingress Configuration (Helm extracted)

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: keycloak
  namespace: "xxx-keycloak"
  labels:
    app.kubernetes.io/name: keycloak
    helm.sh/chart: keycloak-15.1.7
    app.kubernetes.io/instance: keycloak
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: keycloak
  annotations:
    cert-manager.io/cluster-issuer: xxx-certmanager-clusterissuer-letsencrypt-staging-otcdns
    kubernetes.io/elb.class: performance
    kubernetes.io/elb.id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    kubernetes.io/elb.port: "443"
spec:
  ingressClassName: "cce"
  rules:
    - host: "xxx-cloud.de"
      http:
        paths:
          - path: /iam/
            pathType: ImplementationSpecific
            backend:
              service:
                name: keycloak
                port:
                  name: http
  tls:
    - hosts:
        - "xxxxxxxxxxxxxxxx.de"
      secretName: xxx.de-tls

(d) Certificates are created in a different namespace (not certmanager)

Name:         xxx-cloud.de-tls
Namespace:    xxx-keycloak
Labels:       app.kubernetes.io/component=keycloak
              app.kubernetes.io/instance=keycloak
              app.kubernetes.io/managed-by=Helm
              app.kubernetes.io/name=keycloak
              helm.sh/chart=keycloak-15.1.7
Annotations:  <none>
API Version:  cert-manager.io/v1
Kind:         Certificate
Metadata:
  Creation Timestamp:  2023-08-24T10:39:49Z
  Generation:          1
  Owner References:
    API Version:           networking.k8s.io/v1
    Block Owner Deletion:  true
    Controller:            true
    Kind:                  Ingress
    Name:                  keycloak
    UID:                   a0087ade-a18c-4988-aab8-21c638c04e08
  Resource Version:        4650231
  UID:                     fdd70cf8-c6ca-4b94-a420-0e0580c3cb5a
Spec:
  Dns Names:
    xxx-cloud.de
  Issuer Ref:
    Group:      cert-manager.io
    Kind:       ClusterIssuer
    Name:       xxx-certmanager-clusterissuer-letsencrypt-staging-otcdns
  Secret Name:  xxx-cloud.de-tls
  Usages:
    digital signature
    key encipherment
Status:
  Conditions:
    Last Transition Time:        2023-08-24T10:39:49Z
    Message:                     Issuing certificate as Secret does not exist
    Observed Generation:         1
    Reason:                      DoesNotExist
    Status:                      False
    Type:                        Ready
    Last Transition Time:        2023-08-24T10:39:49Z
    Message:                     Issuing certificate as Secret does not exist
    Observed Generation:         1
    Reason:                      DoesNotExist
    Status:                      True
    Type:                        Issuing
  Next Private Key Secret Name:  xxx.de-tls-sj845
Events:
  Type    Reason     Age   From                                       Message
  ----    ------     ----  ----                                       -------
  Normal  Issuing    18m   cert-manager-certificates-trigger          Issuing certificate as Secret does not exist
  Normal  Generated  18m   cert-manager-certificates-key-manager      Stored new private key in temporary Secret resource "xxx-cloud.de-tls-sj845"
  Normal  Requested  18m   cert-manager-certificates-request-manager  Created new CertificateRequest resource "xxx-cloud.de-tls-7qdrq"

(e) Certificate request


Name:         xxx.de-tls-7qdrq
Namespace:    xxx-keycloak
Labels:       app.kubernetes.io/component=keycloak
              app.kubernetes.io/instance=keycloak
              app.kubernetes.io/managed-by=Helm
              app.kubernetes.io/name=keycloak
              helm.sh/chart=keycloak-15.1.7
Annotations:  cert-manager.io/certificate-name: xxx-cloud.de-tls
              cert-manager.io/certificate-revision: 1
              cert-manager.io/private-key-secret-name: xxx-cloud.de-tls-sj845
API Version:  cert-manager.io/v1
Kind:         CertificateRequest
Metadata:
  Creation Timestamp:  2023-08-24T10:39:49Z
  Generate Name:       xxx-cloud.de-tls-
  Generation:          1
  Owner References:
    API Version:           cert-manager.io/v1
    Block Owner Deletion:  true
    Controller:            true
    Kind:                  Certificate
    Name:                  xxx-cloud.de-tls
    UID:                   fdd70cf8-c6ca-4b94-a420-0e0580c3cb5a
  Resource Version:        4650252
  UID:                     5d016903-5319-4753-bfaf-9c5756121533
Spec:
  Extra:
    authentication.kubernetes.io/pod-name:
      certmanager-cert-manager-controller-5489f79646-7w4zj
    authentication.kubernetes.io/pod-uid:
      10ebd0e2-77fc-4ce1-ac98-69479264467a
  Groups:
    system:serviceaccounts
    system:serviceaccounts:xxx-certmanager
    system:authenticated
  Issuer Ref:
    Group:  cert-manager.io
    Kind:   ClusterIssuer
    Name:   xxx-certmanager-clusterissuer-letsencrypt-staging-otcdns
  Request:  [CSR base64 omitted]
  UID:      b08953a3-459a-48e1-a43b-8e964fb5a6b1
  Usages:
    digital signature
    key encipherment
  Username:  system:serviceaccount:xxx-certmanager:certmanager-cert-manager-controller
Status:
  Conditions:
    Last Transition Time:  2023-08-24T10:39:49Z
    Message:               Certificate request has been approved by cert-manager.io
    Reason:                cert-manager.io
    Status:                True
    Type:                  Approved
    Last Transition Time:  2023-08-24T10:39:49Z
    Message:               Waiting on certificate issuance from order xxx-keycloak/xxx-cloud.de-tls-7qdrq-3502903507: "pending"
    Reason:                Pending
    Status:                False
    Type:                  Ready
Events:
  Type    Reason              Age   From                                                Message
  ----    ------              ----  ----                                                -------
  Normal  WaitingForApproval  24m   cert-manager-certificaterequests-issuer-ca          Not signing CertificateRequest until it is Approved
  Normal  WaitingForApproval  24m   cert-manager-certificaterequests-issuer-venafi      Not signing CertificateRequest until it is Approved
  Normal  WaitingForApproval  24m   cert-manager-certificaterequests-issuer-vault       Not signing CertificateRequest until it is Approved
  Normal  WaitingForApproval  24m   cert-manager-certificaterequests-issuer-selfsigned  Not signing CertificateRequest until it is Approved
  Normal  WaitingForApproval  24m   cert-manager-certificaterequests-issuer-acme        Not signing CertificateRequest until it is Approved
  Normal  cert-manager.io     24m   cert-manager-certificaterequests-approver           Certificate request has been approved by cert-manager.io
  Normal  OrderCreated        24m   cert-manager-certificaterequests-issuer-acme        Created Order resource xxx-keycloak/xxx-cloud.de-tls-7qdrq-3502903507
  Normal  OrderPending        24m   cert-manager-certificaterequests-issuer-acme        Waiting on certificate issuance from order xxx-keycloak/xxx-cloud.de-tls-7qdrq-3502903507: ""

(f) Order

Name:         xxx-cloud.de-tls-7qdrq-3502903507
Namespace:    xxx-keycloak
Labels:       app.kubernetes.io/component=keycloak
              app.kubernetes.io/instance=keycloak
              app.kubernetes.io/managed-by=Helm
              app.kubernetes.io/name=keycloak
              helm.sh/chart=keycloak-15.1.7
Annotations:  cert-manager.io/certificate-name: xxx-cloud.de-tls
              cert-manager.io/certificate-revision: 1
              cert-manager.io/private-key-secret-name: xxx-cloud.de-tls-sj845
API Version:  acme.cert-manager.io/v1
Kind:         Order
Metadata:
  Creation Timestamp:  2023-08-24T10:39:49Z
  Generation:          1
  Owner References:
    API Version:           cert-manager.io/v1
    Block Owner Deletion:  true
    Controller:            true
    Kind:                  CertificateRequest
    Name:                  xxx-cloud.de-tls-7qdrq
    UID:                   5d016903-5319-4753-bfaf-9c5756121533
  Resource Version:        4650254
  UID:                     7ce873d9-ad09-45e5-8b5d-4063b31bfcae
Spec:
  Dns Names:
    xxx-cloud.de
  Issuer Ref:
    Group:  cert-manager.io
    Kind:   ClusterIssuer
    Name:   xxx-certmanager-clusterissuer-letsencrypt-staging-otcdns
  Request:  [CSR base64 omitted]
Status:
  Authorizations:
    Challenges:
      Token:        r6yVH_-cSlegASlsmRlVp7rZGGwPTBF0G9o_ivltR-4
      Type:         http-01
      URL:          https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/7898030084/ShWR4A
      Token:        r6yVH_-cSlegASlsmRlVp7rZGGwPTBF0G9o_ivltR-4
      Type:         dns-01
      URL:          https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/7898030084/3dlcFw
      Token:        r6yVH_-cSlegASlsmRlVp7rZGGwPTBF0G9o_ivltR-4
      Type:         tls-alpn-01
      URL:          https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/7898030084/i4oMiA
    Identifier:     xxx-cloud.de
    Initial State:  pending
    URL:            https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/7898030084
    Wildcard:       false
  Finalize URL:     https://acme-staging-v02.api.letsencrypt.org/acme/finalize/115937054/10473000664
  State:            pending
  URL:              https://acme-staging-v02.api.letsencrypt.org/acme/order/115937054/10473000664
Events:
  Type    Reason   Age   From                 Message
  ----    ------   ----  ----                 -------
  Normal  Created  25m   cert-manager-orders  Created Challenge resource "xxx-cloud.de-tls-7qdrq-3502903507-2917238827" for domain "xxx-cloud.de"

(g) ACME Challenge

Name:         xxx-cloud.de-tls-7qdrq-3502903507-2917238827
Namespace:    xxx-keycloak
Labels:       <none>
Annotations:  <none>
API Version:  acme.cert-manager.io/v1
Kind:         Challenge
Metadata:
  Creation Timestamp:  2023-08-24T10:39:51Z
  Finalizers:
    finalizer.acme.cert-manager.io
  Generation:  1
  Owner References:
    API Version:           acme.cert-manager.io/v1
    Block Owner Deletion:  true
    Controller:            true
    Kind:                  Order
    Name:                  xxx-cloud.de-tls-7qdrq-3502903507
    UID:                   7ce873d9-ad09-45e5-8b5d-4063b31bfcae
  Resource Version:        4650268
  UID:                     780aefbc-edff-48cd-bbd4-1c69c707562a
Spec:
  Authorization URL:  https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/7898030084
  Dns Name:           xxx-cloud.de
  Issuer Ref:
    Group:  cert-manager.io
    Kind:   ClusterIssuer
    Name:   xxx-certmanager-clusterissuer-letsencrypt-staging-otcdns
  Key:      cGlSqs15z01PWk_PhWLi5WS4zm1QgQ4LnMs5vHmsenI
  Solver:
    dns01:
      Webhook:
        Config:
          Access Key Secret Ref:
            Key:     accessKey
            Name:    otcdns-credentials
          Auth URL:  https://iam.eu-de.otc.t-systems.com:443/v3
          Region:    eu-de
          Secret Key Secret Ref:
            Key:      secretKey
            Name:     otcdns-credentials
        Group Name:   xxx-development.otc-cert-manager-webhook
        Solver Name:  otcdns
  Token:              r6yVH_-cSlegASlsmRlVp7rZGGwPTBF0G9o_ivltR-4
  Type:               DNS-01
  URL:                https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/7898030084/3dlcFw
  Wildcard:           false
Status:
  Presented:   false
  Processing:  true
  Reason:      otcdns.xxx-development.otc-cert-manager-webhook is forbidden: User "system:serviceaccount:xxx-certmanager:certmanager-cert-manager-controller" cannot create resource "otcdns" in API group "xxx-development.otc-cert-manager-webhook" at the cluster scope
  State:       pending
Events:
  Type     Reason        Age                  From                     Message
  ----     ------        ----                 ----                     -------
  Normal   Started       27m                  cert-manager-challenges  Challenge scheduled for processing
  Warning  PresentError  6m20s (x9 over 27m)  cert-manager-challenges  Error presenting challenge: otcdns.xxx-development.otc-cert-manager-webhook is forbidden: User "system:serviceaccount:xxx-certmanager:certmanager-cert-manager-controller" cannot create resource "otcdns" in API group "xxx-development.otc-cert-manager-webhook" at the cluster scope
