hpi-schul-cloud / infra-otc-cert-manager-webhook Goto Github PK
View Code? Open in Web Editor NEWCert manager acme dns01 webhook provider for the Open Telekom Cloud (OTC).
License: MIT License
infra-otc-cert-manager-webhook's Issues
ACME Challenge failed in OTC due forbidden resource creation otcdns
I followed your instructions but the ACME challenge failed: Error presenting challenge: otcdns.xxx-development.otc-cert-manager-webhook is forbidden: User "system:serviceaccount:xxx-certmanager:certmanager-cert-manager-controller" cannot create resource "otcdns" in API group "xxx-development.otc-cert-manager-webhook" at the cluster scope
I have no idea, that what I have done for troubleshooting:
(a) Setup: values.yaml
infra-otc-cert-manager-webhook:
groupName: xxx-development.otc-cert-manager-webhook
cert-manager:
namespace: xxx-certmanager
serviceAccountName: certmanager-cert-manager-webhook
image:
repository: swr.eu-de.otc.t-systems.com/xxxxx-development/infra-otc-cert-manager-webhook
tag: latest
pullSecret: secretregistryotc
(b) Cluster issuer (Credentials secrets are existing too)
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: xxx-certmanager-clusterissuer-letsencrypt-staging-otcdns
spec:
acme:
# The ACME server URL
server: https://acme-staging-v02.api.letsencrypt.org/directory
# Email address used for ACME registration
email: [email protected] # REPLACE THIS WITH YOUR EMAIL!!!
# Name of a secret used to store the ACME account private key
privateKeySecretRef:
name: letsencrypt-staging-otcdms
solvers:
- dns01:
webhook:
groupName: xxx-development.otc-cert-manager-webhook
solverName: otcdns
config:
authURL: "https://iam.eu-de.otc.t-systems.com:443/v3"
region: "eu-de"
# Only for local testing, if no secrets are available.
# accessKey: ACCESSKEY
# secretKey: SECRETKEY
accessKeySecretRef:
name: otcdns-credentials
key: accessKey
secretKeySecretRef:
name: otcdns-credentials
key: secretKey
(c) Ingress Configuration (Helm extracted)
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: keycloak
namespace: "xxx-keycloak"
labels:
app.kubernetes.io/name: keycloak
helm.sh/chart: keycloak-15.1.7
app.kubernetes.io/instance: keycloak
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: keycloak
annotations:
cert-manager.io/cluster-issuer: xxx-certmanager-clusterissuer-letsencrypt-staging-otcdns
kubernetes.io/elb.class: performance
kubernetes.io/elb.id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
kubernetes.io/elb.port: "443"
spec:
ingressClassName: "cce"
rules:
- host: "xxx-cloud.de"
http:
paths:
- path: /iam/
pathType: ImplementationSpecific
backend:
service:
name: keycloak
port:
name: http
tls:
- hosts:
- "xxxxxxxxxxxxxxxx.de"
secretName: xxx.de-tls
(d) Certificates are created in differnt namepsace (not certmanager)
Name: xxx-cloud.de-tls
Namespace: xxx-keycloak
Labels: app.kubernetes.io/component=keycloak
app.kubernetes.io/instance=keycloak
app.kubernetes.io/managed-by=Helm
app.kubernetes.io/name=keycloak
helm.sh/chart=keycloak-15.1.7
Annotations: <none>
API Version: cert-manager.io/v1
Kind: Certificate
Metadata:
Creation Timestamp: 2023-08-24T10:39:49Z
Generation: 1
Owner References:
API Version: networking.k8s.io/v1
Block Owner Deletion: true
Controller: true
Kind: Ingress
Name: keycloak
UID: a0087ade-a18c-4988-aab8-21c638c04e08
Resource Version: 4650231
UID: fdd70cf8-c6ca-4b94-a420-0e0580c3cb5a
Spec:
Dns Names:
xxx-cloud.de
Issuer Ref:
Group: cert-manager.io
Kind: ClusterIssuer
Name: xxx-certmanager-clusterissuer-letsencrypt-staging-otcdns
Secret Name: xxx-cloud.de-tls
Usages:
digital signature
key encipherment
Status:
Conditions:
Last Transition Time: 2023-08-24T10:39:49Z
Message: Issuing certificate as Secret does not exist
Observed Generation: 1
Reason: DoesNotExist
Status: False
Type: Ready
Last Transition Time: 2023-08-24T10:39:49Z
Message: Issuing certificate as Secret does not exist
Observed Generation: 1
Reason: DoesNotExist
Status: True
Type: Issuing
Next Private Key Secret Name: xxx.de-tls-sj845
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Issuing 18m cert-manager-certificates-trigger Issuing certificate as Secret does not exist
Normal Generated 18m cert-manager-certificates-key-manager Stored new private key in temporary Secret resource "xxx-cloud.de-tls-sj845"
Normal Requested 18m cert-manager-certificates-request-manager Created new CertificateRequest resource "xxx-cloud.de-tls-7qdrq"
(e) Certificate request
Name: xxx.de-tls-7qdrq
Namespace: xxx-keycloak
Labels: app.kubernetes.io/component=keycloak
app.kubernetes.io/instance=keycloak
app.kubernetes.io/managed-by=Helm
app.kubernetes.io/name=keycloak
helm.sh/chart=keycloak-15.1.7
Annotations: cert-manager.io/certificate-name: xxx-cloud.de-tls
cert-manager.io/certificate-revision: 1
cert-manager.io/private-key-secret-name: xxx-cloud.de-tls-sj845
API Version: cert-manager.io/v1
Kind: CertificateRequest
Metadata:
Creation Timestamp: 2023-08-24T10:39:49Z
Generate Name: xxx-cloud.de-tls-
Generation: 1
Owner References:
API Version: cert-manager.io/v1
Block Owner Deletion: true
Controller: true
Kind: Certificate
Name: xxx-cloud.de-tls
UID: fdd70cf8-c6ca-4b94-a420-0e0580c3cb5a
Resource Version: 4650252
UID: 5d016903-5319-4753-bfaf-9c5756121533
Spec:
Extra:
authentication.kubernetes.io/pod-name:
certmanager-cert-manager-controller-5489f79646-7w4zj
authentication.kubernetes.io/pod-uid:
10ebd0e2-77fc-4ce1-ac98-69479264467a
Groups:
system:serviceaccounts
system:serviceaccounts:xxx-certmanager
system:authenticated
Issuer Ref:
Group: cert-manager.io
Kind: ClusterIssuer
Name: xxx-certmanager-clusterissuer-letsencrypt-staging-otcdns
Request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ2dqQ0NBV29DQVFBd0FEQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQUxsawp2bDd6dTlvdkozUU5URXoyRmxqS2NFZkswRFhqWmRYU3dMV3B2NXpQTGZnelRZZjkwOWdDNjYyWithWXVyWDE5CmhBYVJEemRnMW1SeENrdkxWT0JETGt5ZFBZWTZIZE1wY2VZMGEvWHVlOVE2RmlSYnpwaFBrbGdXVzFmMHlOQU4KLzZNcWwvM2ptSjl0WDJFaU9RbkVKRFF3RkZ0SzAxOGdzYlV1Y21VNXVXNDVDSEgzTFJ4VWNmRmFDYWVXSzBpcQpreVZ1VTdVdm9hRWdEanV2TVFuN3lkZ1RsV3ZEcll3QWVoVUVlZnp2eTM1QjdoVnlUQzVMVnYzMVV0Mys3RzNtCkFhSGdRVnVEcUdJeGZGM1A3UjN3b3MyTzJQVU1PMldFVGJFeHRWVFFEWXo1OHB5empwdFl6TVc2Um5JSm9rOWUKVXZDS1dLdGFkRVRzZ1JzUmFCVUNBd0VBQWFBOU1Ec0dDU3FHU0liM0RRRUpEakV1TUN3d0hRWURWUjBSQkJZdwpGSUlTYUdNdGRtbHphVzl1TFdOc2IzVmtMbVJsTUFzR0ExVWREd1FFQXdJRm9EQU5CZ2txaGtpRzl3MEJBUXNGCkFBT0NBUUVBc3hqOHV4RVNQYjVaQ0ZxcW9nYlEwbjY1S2U5NmhnTytWeXlBNDNvZGxDTXcvekFRSEN5ZmtYR1AKZGNaSTVsNEdXSk5DeCtXVGprTmNNZUlSRFVyWnV1dVFBTWVVSi9nY1QxY2Roc0RKTFJFYzhUM3NrVHVYMENaSQpFdW1vaXAzK0VOcVR1Qjk3S3c4N1hpcmtpTTgvV2lqb3J5ejF4ay91d1RvM2xQNXJ0OU11NTJkc08zTHRBdUppCm1DYWZZNlFWekVjYWRkaWVIdklsL3VNaDVxNmJKYnlmVlFyRHl4RW5jc0ZJRmJXc3I2L1hjcjJQUzVCdUhXTTEKVVVuSGpPNWR0eUZBVFpIUjU3RGRRUENOSlVwRUcxdTg2K3JMeWxzVFNqQzVOTlprTVN2dWRpTGVRVkU3VVZjWApva21YQXkxNmJ6L0tyU1RWSjNYRUZ5aXU5R2sza0E9PQotLS0tLUVORCBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0K
UID: b08953a3-459a-48e1-a43b-8e964fb5a6b1
Usages:
digital signature
key encipherment
Username: system:serviceaccount:xxx-certmanager:certmanager-cert-manager-controller
Status:
Conditions:
Last Transition Time: 2023-08-24T10:39:49Z
Message: Certificate request has been approved by cert-manager.io
Reason: cert-manager.io
Status: True
Type: Approved
Last Transition Time: 2023-08-24T10:39:49Z
Message: Waiting on certificate issuance from order xxx-keycloak/xxx-cloud.de-tls-7qdrq-3502903507: "pending"
Reason: Pending
Status: False
Type: Ready
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal WaitingForApproval 24m cert-manager-certificaterequests-issuer-ca Not signing CertificateRequest until it is Approved
Normal WaitingForApproval 24m cert-manager-certificaterequests-issuer-venafi Not signing CertificateRequest until it is Approved
Normal WaitingForApproval 24m cert-manager-certificaterequests-issuer-vault Not signing CertificateRequest until it is Approved
Normal WaitingForApproval 24m cert-manager-certificaterequests-issuer-selfsigned Not signing CertificateRequest until it is Approved
Normal WaitingForApproval 24m cert-manager-certificaterequests-issuer-acme Not signing CertificateRequest until it is Approved
Normal cert-manager.io 24m cert-manager-certificaterequests-approver Certificate request has been approved by cert-manager.io
Normal OrderCreated 24m cert-manager-certificaterequests-issuer-acme Created Order resource xxx-keycloak/xxx-cloud.de-tls-7qdrq-3502903507
Normal OrderPending 24m cert-manager-certificaterequests-issuer-acme Waiting on certificate issuance from order xxx-keycloak/xxx-cloud.de-tls-7qdrq-3502903507: ""
(f) Order
Name: xxx-cloud.de-tls-7qdrq-3502903507
Namespace: xxx-keycloak
Labels: app.kubernetes.io/component=keycloak
app.kubernetes.io/instance=keycloak
app.kubernetes.io/managed-by=Helm
app.kubernetes.io/name=keycloak
helm.sh/chart=keycloak-15.1.7
Annotations: cert-manager.io/certificate-name: xxx-cloud.de-tls
cert-manager.io/certificate-revision: 1
cert-manager.io/private-key-secret-name: xxx-cloud.de-tls-sj845
API Version: acme.cert-manager.io/v1
Kind: Order
Metadata:
Creation Timestamp: 2023-08-24T10:39:49Z
Generation: 1
Owner References:
API Version: cert-manager.io/v1
Block Owner Deletion: true
Controller: true
Kind: CertificateRequest
Name: xxx-cloud.de-tls-7qdrq
UID: 5d016903-5319-4753-bfaf-9c5756121533
Resource Version: 4650254
UID: 7ce873d9-ad09-45e5-8b5d-4063b31bfcae
Spec:
Dns Names:
xxx-cloud.de
Issuer Ref:
Group: cert-manager.io
Kind: ClusterIssuer
Name: xxx-certmanager-clusterissuer-letsencrypt-staging-otcdns
Request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ2dqQ0NBV29DQVFBd0FEQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQUxsawp2bDd6dTlvdkozUU5URXoyRmxqS2NFZkswRFhqWmRYU3dMV3B2NXpQTGZnelRZZjkwOWdDNjYyWithWXVyWDE5CmhBYVJEemRnMW1SeENrdkxWT0JETGt5ZFBZWTZIZE1wY2VZMGEvWHVlOVE2RmlSYnpwaFBrbGdXVzFmMHlOQU4KLzZNcWwvM2ptSjl0WDJFaU9RbkVKRFF3RkZ0SzAxOGdzYlV1Y21VNXVXNDVDSEgzTFJ4VWNmRmFDYWVXSzBpcQpreVZ1VTdVdm9hRWdEanV2TVFuN3lkZ1RsV3ZEcll3QWVoVUVlZnp2eTM1QjdoVnlUQzVMVnYzMVV0Mys3RzNtCkFhSGdRVnVEcUdJeGZGM1A3UjN3b3MyTzJQVU1PMldFVGJFeHRWVFFEWXo1OHB5empwdFl6TVc2Um5JSm9rOWUKVXZDS1dLdGFkRVRzZ1JzUmFCVUNBd0VBQWFBOU1Ec0dDU3FHU0liM0RRRUpEakV1TUN3d0hRWURWUjBSQkJZdwpGSUlTYUdNdGRtbHphVzl1TFdOc2IzVmtMbVJsTUFzR0ExVWREd1FFQXdJRm9EQU5CZ2txaGtpRzl3MEJBUXNGCkFBT0NBUUVBc3hqOHV4RVNQYjVaQ0ZxcW9nYlEwbjY1S2U5NmhnTytWeXlBNDNvZGxDTXcvekFRSEN5ZmtYR1AKZGNaSTVsNEdXSk5DeCtXVGprTmNNZUlSRFVyWnV1dVFBTWVVSi9nY1QxY2Roc0RKTFJFYzhUM3NrVHVYMENaSQpFdW1vaXAzK0VOcVR1Qjk3S3c4N1hpcmtpTTgvV2lqb3J5ejF4ay91d1RvM2xQNXJ0OU11NTJkc08zTHRBdUppCm1DYWZZNlFWekVjYWRkaWVIdklsL3VNaDVxNmJKYnlmVlFyRHl4RW5jc0ZJRmJXc3I2L1hjcjJQUzVCdUhXTTEKVVVuSGpPNWR0eUZBVFpIUjU3RGRRUENOSlVwRUcxdTg2K3JMeWxzVFNqQzVOTlprTVN2dWRpTGVRVkU3VVZjWApva21YQXkxNmJ6L0tyU1RWSjNYRUZ5aXU5R2sza0E9PQotLS0tLUVORCBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0K
Status:
Authorizations:
Challenges:
Token: r6yVH_-cSlegASlsmRlVp7rZGGwPTBF0G9o_ivltR-4
Type: http-01
URL: https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/7898030084/ShWR4A
Token: r6yVH_-cSlegASlsmRlVp7rZGGwPTBF0G9o_ivltR-4
Type: dns-01
URL: https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/7898030084/3dlcFw
Token: r6yVH_-cSlegASlsmRlVp7rZGGwPTBF0G9o_ivltR-4
Type: tls-alpn-01
URL: https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/7898030084/i4oMiA
Identifier: xxx-cloud.de
Initial State: pending
URL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/7898030084
Wildcard: false
Finalize URL: https://acme-staging-v02.api.letsencrypt.org/acme/finalize/115937054/10473000664
State: pending
URL: https://acme-staging-v02.api.letsencrypt.org/acme/order/115937054/10473000664
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Created 25m cert-manager-orders Created Challenge resource "xxx-cloud.de-tls-7qdrq-3502903507-2917238827" for domain "xxx-cloud.de"
(g) ACME Challenge
Name: xxx-cloud.de-tls-7qdrq-3502903507-2917238827
Namespace: xxx-keycloak
Labels: <none>
Annotations: <none>
API Version: acme.cert-manager.io/v1
Kind: Challenge
Metadata:
Creation Timestamp: 2023-08-24T10:39:51Z
Finalizers:
finalizer.acme.cert-manager.io
Generation: 1
Owner References:
API Version: acme.cert-manager.io/v1
Block Owner Deletion: true
Controller: true
Kind: Order
Name: xxx-cloud.de-tls-7qdrq-3502903507
UID: 7ce873d9-ad09-45e5-8b5d-4063b31bfcae
Resource Version: 4650268
UID: 780aefbc-edff-48cd-bbd4-1c69c707562a
Spec:
Authorization URL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/7898030084
Dns Name: xxx-cloud.de
Issuer Ref:
Group: cert-manager.io
Kind: ClusterIssuer
Name: xxx-certmanager-clusterissuer-letsencrypt-staging-otcdns
Key: cGlSqs15z01PWk_PhWLi5WS4zm1QgQ4LnMs5vHmsenI
Solver:
dns01:
Webhook:
Config:
Access Key Secret Ref:
Key: accessKey
Name: otcdns-credentials
Auth URL: https://iam.eu-de.otc.t-systems.com:443/v3
Region: eu-de
Secret Key Secret Ref:
Key: secretKey
Name: otcdns-credentials
Group Name: xxx-development.otc-cert-manager-webhook
Solver Name: otcdns
Token: r6yVH_-cSlegASlsmRlVp7rZGGwPTBF0G9o_ivltR-4
Type: DNS-01
URL: https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/7898030084/3dlcFw
Wildcard: false
Status:
Presented: false
Processing: true
Reason: otcdns.xxx-development.otc-cert-manager-webhook is forbidden: User "system:serviceaccount:xxx-certmanager:certmanager-cert-manager-controller" cannot create resource "otcdns" in API group "xxx-development.otc-cert-manager-webhook" at the cluster scope
State: pending
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Started 27m cert-manager-challenges Challenge scheduled for processing
Warning PresentError 6m20s (x9 over 27m) cert-manager-challenges Error presenting challenge: otcdns.xxx-development.otc-cert-manager-webhook is forbidden: User "system:serviceaccount:xxx-certmanager:certmanager-cert-manager-controller" cannot create resource "otcdns" in API group "xxx-development.otc-cert-manager-webhook" at the cluster scope
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.