okteto / cert-manager-webhook-civo
A webhook to use CIVO DNS as a DNS issuer for cert-manager.
License: Apache License 2.0
After
helm repo add jetstack https://charts.jetstack.io
helm repo add okteto https://charts.okteto.com
helm repo update
helm install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --version v1.7.1 --set installCRDs=true
I run
helm install --namespace cert-manager cert-manager-webhook-civo okteto/cert-manager-webhook-civo
and I get
Error: INSTALLATION FAILED: unable to build kubernetes objects from release manifest: unable to recognize "": no matches for kind "APIService" in version "apiregistration.k8s.io/v1beta1"
Cleanup:
helm --namespace cert-manager delete cert-manager
kubectl delete namespace cert-manager
helm uninstall --namespace cert-manager cert-manager-webhook-civo
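The error above is the cluster rejecting an object whose API version it no longer serves, which a pre-flight comparison of the rendered chart against `kubectl api-versions` would catch before the install. This is an added example, not code from the chart or the issue; both inputs are constructed stand-ins for `helm template` and `kubectl api-versions` output.

```python
"""Pre-flight check: which apiVersion/kind pairs in a rendered chart does the
target cluster not serve?  Added example; inputs are constructed stand-ins."""
import re

# Constructed stand-in for `kubectl api-versions` on a cluster where
# apiregistration.k8s.io/v1beta1 is no longer served.
SERVED_API_VERSIONS = """\
apiregistration.k8s.io/v1
apps/v1
cert-manager.io/v1
rbac.authorization.k8s.io/v1
v1
"""

# Constructed stand-in for `helm template ...` output: one object is still
# declared with the removed APIService version (names are placeholders).
RENDERED_MANIFEST = """\
---
apiVersion: apiregistration.k8s.io/v1beta1
kind: APIService
metadata:
  name: v1alpha1.civo.webhook.okteto.com
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cert-manager-webhook-civo
"""

def manifest_objects(text):
    """Yield (apiVersion, kind) per YAML document.  Only column-0 keys are
    read, which is sufficient for rendered Kubernetes manifests."""
    for doc in re.split(r"^---[ \t]*$", text, flags=re.M):
        api = re.search(r"^apiVersion:[ \t]*(\S+)", doc, re.M)
        kind = re.search(r"^kind:[ \t]*(\S+)", doc, re.M)
        if api and kind:
            yield api.group(1), kind.group(1)

def unsupported_objects(manifest, api_versions):
    """Return the (apiVersion, kind) pairs the cluster cannot recognize."""
    served = {l.strip() for l in api_versions.splitlines() if l.strip()}
    return [o for o in manifest_objects(manifest) if o[0] not in served]

if __name__ == "__main__":
    for api, kind in unsupported_objects(RENDERED_MANIFEST, SERVED_API_VERSIONS):
        print(f"{kind} uses {api}, which this cluster does not serve")
```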
Fix CVE-2023-45142 once https://github.com/cert-manager/cert-manager publishes a release that supports go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.44.0 (should be 1.3.2, it's already in main)
Hello,
I am trying to get Cert Manager (with Let's Encrypt) to issue a wildcard cert using DNS01 and the Civo webhook on my K8S cluster on Civo. I have Istio installed and the secret containing the cert was successfully generated in the istio-system namespace.
My website is in a different namespace so I am using https://github.com/emberstack/kubernetes-reflector to copy the cert (secret) to the namespace of my website.
On initial setup, things somehow worked and I could find the replicated secret in my website's namespace. However, when I changed some certificate parameter to cause the certificate to re-issue, I see that the certificate remains stuck in a pending state. Looking into the logs of the civo-webhook pod I see this:
W0520 16:34:00.041392 1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:cert-manager-webhook-civo" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0520 16:34:00.041685 1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta2.PriorityLevelConfiguration: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:cert-manager-webhook-civo" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
I am still quite green with respect to Kubernetes/Istio so wondering if you could shed light on whether:
This is my ClusterIssuer yaml:
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging-cluster
  namespace: istio-system
spec:
  acme:
    email: [email protected]
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-staging-cluster
    solvers:
    - dns01:
        webhook:
          solverName: "civo"
          groupName: civo.webhook.okteto.com
          config:
            secretName: civo-secret
And my Certificate.yaml:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: mydomain-cert-staging
  namespace: istio-system
spec:
  secretName: mydomain-cert-staging
  duration: 2160h # 90d
  renewBefore: 360h # 15d
  isCA: false
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048
  usages:
    - server auth
    - client auth
  commonName: "whoami.mydomain.com"
  dnsNames:
    - "whoami.mydomain.com"
  issuerRef:
    name: letsencrypt-staging-cluster
    kind: ClusterIssuer
    group: cert-manager.io
  secretTemplate:
    annotations:
      reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
      reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "ns-twb-staging" # Control destination namespaces.
      reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true" # Auto create reflection for matching namespaces.
      reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "ns-twb-staging" # Control auto-reflection namespace.
Thanks!
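The reflector warnings in that post are RBAC denials, and each one names the subject, verb, resource and API group that were refused, which is enough to derive a least-privilege grant instead of reaching for a broad role. This is an added example, not part of the webhook project or the issue; the log lines are constructed in the same klog shape as the ones quoted above.

```python
"""Derive the least-privilege RBAC rule from "is forbidden" reflector warnings.
Added example, not part of the webhook; the log lines are constructed."""
import re

# Constructed lines in the shape of the issue's klog output (shortened).
SA = "system:serviceaccount:cert-manager:cert-manager-webhook-civo"
LOG_LINES = [
    f'W0520 16:34:00.041392 1 reflector.go:324] failed to list: User "{SA}" cannot list '
    'resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope',
    f'E0520 16:34:00.041685 1 reflector.go:138] failed to list: User "{SA}" cannot list '
    'resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope',
    f'E0520 16:34:01.000000 1 reflector.go:138] failed to watch: User "{SA}" cannot watch '
    'resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope',
    'I0520 16:34:02.000000 1 main.go:10] unrelated informational line',
]

# Matches both cluster-scoped and namespaced denial messages from the API server.
FORBIDDEN = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" '
    r'(?:at the (?P<scope>cluster) scope|in the namespace "(?P<namespace>[^"]+)")'
)

def forbidden_events(lines):
    """One dict per RBAC denial: user, verb, resource, group and scope."""
    return [m.groupdict() for m in map(FORBIDDEN.search, lines) if m]

def minimal_rules(events):
    """Collapse denials into {(group, resource): sorted verbs}; nothing more."""
    rules = {}
    for e in events:
        rules.setdefault((e["group"], e["resource"]), set()).add(e["verb"])
    return {k: sorted(v) for k, v in rules.items()}

def render_clusterrole(name, rules):
    """Render the ClusterRole that satisfies exactly those denials."""
    lines = ["apiVersion: rbac.authorization.k8s.io/v1", "kind: ClusterRole",
             "metadata:", f"  name: {name}", "rules:"]
    for (group, resource), verbs in sorted(rules.items()):
        lines += [f'- apiGroups: ["{group}"]', f'  resources: ["{resource}"]',
                  f'  verbs: [{", ".join(verbs)}]']
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(render_clusterrole("webhook-flowcontrol-reader",
                             minimal_rules(forbidden_events(LOG_LINES))))
```

Whether the denial is actually what blocks the certificate is a separate question; the rule only restores the list/watch access the informer asked for.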
See docs for details
Hi there,
We are testing the integration of this webhook with otomi-core project.
Would you consider running it as a non-root user?
It would strengthen the security posture and allow defining a proper security context in the values.yaml file.
E.g.:
# Pod Security Context
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
securityContext:
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault
# Container Security Context to be set on the controller component container
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
    - ALL
  readOnlyRootFilesystem: true
  runAsNonRoot: true
Cheers!
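A small policy check over a deployed pod template makes the request above verifiable after the fact: each item in the proposed securityContext becomes one finding when absent. This is an added example, not code from the webhook chart; the two pod templates are constructed, and the input dict follows the shape of `.spec.template.spec` from `kubectl get deploy -o json`.

```python
"""Check a pod template against the security context requested above.
Added example, not from the chart; the sample templates are constructed."""

def _container_findings(name, ctx, pod_ctx):
    """Findings for one container; runAsNonRoot may be inherited from the pod."""
    f = []
    if ctx.get("allowPrivilegeEscalation") is not False:
        f.append(f"{name}: allowPrivilegeEscalation is not false")
    if "ALL" not in ctx.get("capabilities", {}).get("drop", []):
        f.append(f"{name}: capabilities.drop does not include ALL")
    if ctx.get("readOnlyRootFilesystem") is not True:
        f.append(f"{name}: readOnlyRootFilesystem is not true")
    if not (ctx.get("runAsNonRoot") is True or pod_ctx.get("runAsNonRoot") is True):
        f.append(f"{name}: runAsNonRoot is not true (container or pod level)")
    return f

def hardening_findings(pod_spec):
    """Return every deviation from the requested settings; [] means compliant."""
    pod_ctx = pod_spec.get("securityContext", {})
    findings = []
    if pod_ctx.get("runAsNonRoot") is not True:
        findings.append("pod: runAsNonRoot is not true")
    if pod_ctx.get("seccompProfile", {}).get("type") != "RuntimeDefault":
        findings.append("pod: seccompProfile.type is not RuntimeDefault")
    for c in pod_spec.get("containers", []):
        findings += _container_findings(c["name"], c.get("securityContext", {}), pod_ctx)
    return findings

# Constructed pod templates: one with no security context at all, one that
# carries exactly the values proposed in the post (image name is a placeholder).
UNHARDENED = {"containers": [{"name": "webhook", "image": "IMAGE_PLACEHOLDER"}]}
HARDENED = {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{
        "name": "webhook", "image": "IMAGE_PLACEHOLDER",
        "securityContext": {
            "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]},
            "readOnlyRootFilesystem": True, "runAsNonRoot": True,
        },
    }],
}

if __name__ == "__main__":
    for label, spec in (("unhardened", UNHARDENED), ("hardened", HARDENED)):
        print(label, hardening_findings(spec) or ["ok"])
```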