puzzle / cert-manager-webhook-dnsimple
This project forked from cert-manager/webhook-example
A cert-manager ACME DNS01 solver webhook for DNSimple.
License: Apache License 2.0
Yeah, I'm running an arm cluster and want to attempt getting this up and running.
The best way to do this would be to switch to ko instead of docker build as building go stuff in docker for multi-arch is painful (arm emulation is slow).
I could probably knock up a PR for your release.sh to do this (I'm currently testing on a fork with github actions) if you want?
Configuration zone
zone IN NS ns
ns IN A 127.0.0.1
@ IN A 127.0.0.1
* IN A 172.0.0.1
Gives error:
kubectl get cert -A
NAMESPACE NAME READY SECRET AGE
cert-manager cert-manager-webhook-dnsimple-ca True cert-manager-webhook-dnsimple-ca 31d
cert-manager cert-manager-webhook-dnsimple-webhook-tls True cert-manager-webhook-dnsimple-webhook-tls 31d
app cert-app False tls-app 3d20h
Describe
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  annotations:
    meta.helm.sh/release-name: cert-app
    meta.helm.sh/release-namespace: app
  creationTimestamp: "2022-09-07T12:58:32Z"
  generation: 1
  labels:
    app.kubernetes.io/managed-by: Helm
  name: cert-app
  namespace: app
  resourceVersion: "375638018"
  uid: f5ca2340-79f9-4804-af32-fba9d5e32067
spec:
  dnsNames:
  - <protected>
  issuerRef:
    kind: ClusterIssuer
    name: clusterissuer-dnsimple-zerossl
  secretName: tls-app
status:
  conditions:
  - lastTransitionTime: "2022-09-07T12:58:32Z"
    message: Issuing certificate as Secret does not exist
    observedGeneration: 1
    reason: DoesNotExist
    status: "False"
    type: Ready
  - lastTransitionTime: "2022-09-07T12:58:32Z"
    message: Issuing certificate as Secret does not exist
    observedGeneration: 1
    reason: DoesNotExist
    status: "True"
    type: Issuing
  nextPrivateKeySecretName: cert-app
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
These updates have all been created already. Click a checkbox below to force a retry/rebase of any.
k8s.io/apiextensions-apiserver, k8s.io/apimachinery, k8s.io/client-go
.github/workflows/build-images.yaml
actions/checkout v4
actions/setup-go v5
ko-build/setup-ko v0.6
.github/workflows/helm-release.yaml
actions/checkout v4
helm/chart-releaser-action v1.6.0
.github/workflows/test-go.yaml
actions/checkout v4
actions/setup-go v5
.github/workflows/test-kubernetes.yaml
actions/checkout v4
src/go.mod
go 1.22
github.com/cert-manager/cert-manager v1.12.1
github.com/dnsimple/dnsimple-go v1.2.0
k8s.io/apiextensions-apiserver v0.27.3
k8s.io/apimachinery v0.27.3
k8s.io/client-go v0.27.3
k8s.io/klog v1.0.0
charts/cert-manager-webhook-dnsimple/values.yaml
ghcr.io/puzzle/cert-manager-webhook-dnsimple 0.1.2
Hey ho, thank you for your project!
I wanted to use it in my cluster but I use the cert-manager in version 1.6.1 and so the Certificate and Issuer from your project can't be applied according to upgrading 1.5-1.6.
Is it possible to raise the versions? Hope, there are not more upgrade issues coming :D
All the best!
On the staging cluster issuer, the dnsimple account field is not quoted, ending up in an error like:
Error presenting challenge: error decoding solver config: json: cannot unmarshal number into Go struct field dnsimpleDNSProviderConfig.account of type string.
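The decode failure above comes from handing a JSON number to a Go string field. The following added example (not the project's code; the struct shape and the numeric-ID check are assumptions) reproduces that failure and shows a tolerant account field that accepts both quoted and unquoted values while still rejecting anything that is not a numeric account ID.

```go
// Added example, not the project's own code. It shows why an unquoted
// `account:` in the ClusterIssuer solver config fails to decode into a
// string field, and one tolerant alternative that accepts both forms.
// Struct names mirror the error message on the page; the field set and
// the "account IDs are numeric" rule are assumptions.
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
)

// strictConfig reproduces the shape implied by the error message:
// a plain string field cannot receive a JSON number.
type strictConfig struct {
	Account string `json:"account"`
}

// accountID accepts either a JSON string ("12345") or a JSON number (12345)
// and normalises both to a string of digits.
type accountID string

func (a *accountID) UnmarshalJSON(b []byte) error {
	var raw interface{}
	if err := json.Unmarshal(b, &raw); err != nil {
		return err
	}
	switch v := raw.(type) {
	case string:
		*a = accountID(v)
	case float64:
		// json.Unmarshal decodes numbers into float64 when targeting an
		// empty interface; reject anything that is not a non-negative integer.
		if v < 0 || v != float64(int64(v)) {
			return fmt.Errorf("account: %v is not a non-negative integer", v)
		}
		*a = accountID(strconv.FormatInt(int64(v), 10))
	default:
		return fmt.Errorf("account: unsupported JSON type %T", raw)
	}
	// Whatever the input form, the result must be all digits (and non-empty).
	if _, err := strconv.ParseUint(string(*a), 10, 64); err != nil {
		return fmt.Errorf("account: %q is not a numeric DNSimple account ID", string(*a))
	}
	return nil
}

type tolerantConfig struct {
	Account accountID `json:"account"`
}

// decodeStrict mimics the behaviour reported on the page: it fails on an
// unquoted number with "cannot unmarshal number into Go struct field".
func decodeStrict(solverJSON string) (string, error) {
	var c strictConfig
	if err := json.Unmarshal([]byte(solverJSON), &c); err != nil {
		return "", err
	}
	return c.Account, nil
}

// decodeTolerant accepts both `"account": "12345"` and `"account": 12345`.
func decodeTolerant(solverJSON string) (string, error) {
	var c tolerantConfig
	if err := json.Unmarshal([]byte(solverJSON), &c); err != nil {
		return "", err
	}
	return string(c.Account), nil
}

func main() {
	// Constructed sample solver configs, in the JSON form cert-manager hands
	// to the webhook after converting the issuer's YAML.
	quoted := `{"account": "12345"}`
	unquoted := `{"account": 12345}`
	for _, in := range []string{quoted, unquoted} {
		s, err := decodeStrict(in)
		fmt.Printf("strict   %-22s -> %q err=%v\n", in, s, err)
		t, err := decodeTolerant(in)
		fmt.Printf("tolerant %-22s -> %q err=%v\n", in, t, err)
	}
}
```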
Apparently the neoskop Helm Repo deleted this chart.
Hi,
When deploying with helm the following warnings are received:
rbac.authorization.k8s.io/v1beta1 ClusterRole is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 ClusterRole
rbac.authorization.k8s.io/v1beta1 ClusterRoleBinding is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 ClusterRoleBinding
rbac.authorization.k8s.io/v1beta1 ClusterRoleBinding is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 ClusterRoleBinding
rbac.authorization.k8s.io/v1beta1 RoleBinding is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 RoleBinding
apiregistration.k8s.io/v1beta1 APIService is deprecated in v1.19+, unavailable in v1.22+; use apiregistration.k8s.io/v1 APIService
Hey people, thank you so much for this project!
I had been trying to implement this myself a while back but gave up - so I was delighted to come across this when I decided to check recently if anyone had tackled it ❤️
After deploying via the chart, I'm seeing this message being constantly spat out in the logs:
E0824 22:41:28.654568 1 configmap_cafile_content.go:246] key failed with : missing content for CA bundle "client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file"
Any ideas?
On the challenges.acme.cert-manager.io, the challenge is failing against simpledns with this msg:
Accepting challenge authorization failed: acme: authorization error for emailpref.com: 400 urn:ietf:params:acme:error:dns: DNS problem: SERVFAIL looking up TXT for _acme-challenge.<MYDOMAIN> - the domain's nameservers may be malfunctioning
Could it be a misconfiguration on my part? How can I debug this further?
Thanks in advance.
When the helm chart is run with --dry-run, one can see that the Deployment yaml looks like this:
# Source: cert-manager-webhook-dnsimple/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cert-manager-webhook-dnsimple
  labels:
    app: cert-manager-webhook-dnsimple
    chart: cert-manager-webhook-dnsimple-0.1.0
    release: cert-manager-webhook-dnsimple
    heritage: Helm
spec:
  replicas:
  selector:
    matchLabels:
      app: cert-manager-webhook-dnsimple
      release: cert-manager-webhook-dnsimple
  template:
    metadata:
      labels:
        app: cert-manager-webhook-dnsimple
        release: cert-manager-webhook-dnsimple
    spec:
      serviceAccountName: cert-manager-webhook-dnsimple
      containers:
        - name: cert-manager-webhook-dnsimple
          image: "neoskop/cert-manager-webhook-dnsimple:0.1.0"
          imagePullPolicy: IfNotPresent
          args:
            - --tls-cert-file=/tls/tls.crt
            - --tls-private-key-file=/tls/tls.key
          env:
            - name: GROUP_NAME
              value: "your.group.name"
          ports:
            - name: https
              containerPort: 443
              protocol: TCP
          livenessProbe:
            httpGet:
              scheme: HTTPS
              path: /healthz
              port: https
          readinessProbe:
            httpGet:
              scheme: HTTPS
              path: /healthz
              port: https
          volumeMounts:
            - name: certs
              mountPath: /tls
              readOnly: true
          resources:
            {}
      volumes:
        - name: certs
          secret:
            secretName: cert-manager-webhook-dnsimple-webhook-tls
Importantly, the volume is attempting to mount from the secret named cert-manager-webhook-dnsimple-webhook-tls. This automatically gets created according to the documentation from the Certificate's secretName that's also in the yaml generated by the helm chart in --dry-run mode.
However, when I install everything, the pod remains in ContainerCreating forever, and the description of the pod says:
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 24s default-scheduler Successfully assigned default/cert-manager-webhook-dnsimple-5df7648688-28h8r to kn1
Warning FailedMount 9s (x6 over 24s) kubelet MountVolume.SetUp failed for volume "certs" : secret "cert-manager-webhook-dnsimple-webhook-tls" not found
It turns out that everything in the yaml file (where appropriate) gets created in the cert-manager namespace except for the Deployment, and so the deployment can't mount that volume because the secret is in a different namespace.
Hi there,
I was trying to use your webhook service - without success. I'm using cert-manager 1.1.0. I installed your service as documented using Helm3.
I get the following logs from the dnsimple-webhook:
Thu, Apr 21 2022 15:08:06 | I0421 13:08:06.623337 1 requestheader_controller.go:169] Starting RequestHeaderAuthRequestController
Thu, Apr 21 2022 15:08:06 | I0421 13:08:06.623433 1 shared_informer.go:240] Waiting for caches to sync for RequestHeaderAuthRequestController
Thu, Apr 21 2022 15:08:06 | I0421 13:08:06.623704 1 configmap_cafile_content.go:202] Starting client-ca::kube-system::extension-apiserver-authentication::client-ca-file
Thu, Apr 21 2022 15:08:06 | I0421 13:08:06.623729 1 shared_informer.go:240] Waiting for caches to sync for client-ca::kube-system::extension-apiserver-authentication::client-ca-file
Thu, Apr 21 2022 15:08:06 | I0421 13:08:06.624020 1 dynamic_serving_content.go:130] Starting serving-cert::/tls/tls.crt::/tls/tls.key
Thu, Apr 21 2022 15:08:06 | I0421 13:08:06.624105 1 configmap_cafile_content.go:202] Starting client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file
Thu, Apr 21 2022 15:08:06 | I0421 13:08:06.624118 1 shared_informer.go:240] Waiting for caches to sync for client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file
Thu, Apr 21 2022 15:08:06 | I0421 13:08:06.723322 1 tlsconfig.go:240] Starting DynamicServingCertificateController
Thu, Apr 21 2022 15:08:06 | I0421 13:08:06.723278 1 secure_serving.go:197] Serving securely on [::]:443
Thu, Apr 21 2022 15:08:06 | I0421 13:08:06.824738 1 shared_informer.go:247] Caches are synced for client-ca::kube-system::extension-apiserver-authentication::client-ca-file
Thu, Apr 21 2022 15:08:06 | I0421 13:08:06.825633 1 shared_informer.go:247] Caches are synced for client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file
Thu, Apr 21 2022 15:08:07 | I0421 13:08:07.023702 1 shared_informer.go:247] Caches are synced for RequestHeaderAuthRequestController
I get this error when trying to create a wildcard cert:
Challenge monorepo-preview-wildcart-cert-wxbcs-3162575813-1321718204
Error presenting challenge: Unexpected response code 'SERVFAIL' for XXXXXX.
Following cert:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  annotations:
  creationTimestamp: "2022-04-21T12:58:08Z"
  generation: 2
  name: monorepo-preview-wildcart-cert
  namespace: monorepo-preview
  resourceVersion: "301748995"
  uid: a7b650b2-ef77-4f73-920a-645177bd66eb
spec:
  commonName: '*.monorepo-preview.eu.XXX.com'
  dnsNames:
  - '*.monorepo-preview.eu.XXX.com'
  issuerRef:
    kind: ClusterIssuer
    name: cert-manager-webhook-dnsimple-production
  secretName: monorepo-preview-wildcart-cert
status:
  conditions:
  - lastTransitionTime: "2022-04-21T12:58:08Z"
    message: Issuing certificate as Secret does not exist
    reason: DoesNotExist
    status: "False"
    type: Ready
  - lastTransitionTime: "2022-04-21T12:58:08Z"
    message: Issuing certificate as Secret does not exist
    reason: DoesNotExist
    status: "True"
    type: Issuing
  nextPrivateKeySecretName: monorepo-preview-wildcart-cert-xcqpw
Not sure what the story is here, may be a configuration issue on my end. Also not super sure what groupName is supposed to be - the base domain?
Log dump:
cert-manager pod:
I0708 15:32:22.403679 1 dns.go:88] cert-manager/controller/challenges/Present "msg"="presenting DNS01 challenge for domain" "dnsName"="FOOBAR.org" "domain"="FOOBAR.org" "resource_kind"="Challenge" "resource_name"="FOOBAR-endpoint-prod-tls-4bgsl-741142588-1044387275" "resource_namespace"="FOOBAR" "resource_version"="v1" "type"="DNS-01"
E0708 15:32:22.885550 1 controller.go:164] cert-manager/controller/challenges "msg"="re-queuing item due to error processing" "error"="the server is currently unable to handle the request (post dnsimple.FOOBAR.org)" "key"="FOOBAR/FOOBAR-endpoint-prod-tls-4bgsl-741142588-1044387275"
cert-manager-webhook-dnsimple pod:
I0708 15:30:04.960857 1 requestheader_controller.go:169] Starting RequestHeaderAuthRequestController
I0708 15:30:04.961406 1 shared_informer.go:240] Waiting for caches to sync for RequestHeaderAuthRequestController
I0708 15:30:04.961614 1 configmap_cafile_content.go:202] Starting client-ca::kube-system::extension-apiserver-authentication::client-ca-file
I0708 15:30:04.961736 1 dynamic_serving_content.go:130] Starting serving-cert::/tls/tls.crt::/tls/tls.key
I0708 15:30:04.961738 1 shared_informer.go:240] Waiting for caches to sync for client-ca::kube-system::extension-apiserver-authentication::client-ca-file
I0708 15:30:04.961725 1 tlsconfig.go:240] Starting DynamicServingCertificateController
I0708 15:30:04.961701 1 secure_serving.go:197] Serving securely on [::]:443
I0708 15:30:04.962682 1 configmap_cafile_content.go:202] Starting client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file
I0708 15:30:04.962852 1 shared_informer.go:240] Waiting for caches to sync for client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file
I0708 15:30:05.061751 1 shared_informer.go:247] Caches are synced for RequestHeaderAuthRequestController
I0708 15:30:05.061863 1 shared_informer.go:247] Caches are synced for client-ca::kube-system::extension-apiserver-authentication::client-ca-file
I0708 15:30:05.063406 1 shared_informer.go:247] Caches are synced for client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file
E0708 15:32:22.870024 1 runtime.go:76] Observed a panic: runtime error: invalid memory address or nil pointer dereference
goroutine 1329 [running]:
k8s.io/apiserver/pkg/endpoints/handlers.finishRequest.func1.1(0xc0003605a0)
/go/pkg/mod/k8s.io/[email protected]/pkg/endpoints/handlers/rest.go:233 +0xd5
panic(0x1b65fe0, 0x2ce83a0)
/usr/local/go/src/runtime/panic.go:969 +0x1b9
main.Whoami(0xc000643cc0, 0xc0006dfa40, 0xc00096dd50, 0xc, 0xc000643cc0)
/workspace/main.go:182 +0x83
main.(*dnsimpleDNSProviderSolver).Present(0xc00030c4b0, 0xc00073abd0, 0xc000745e01, 0xc00073abd0)
/workspace/main.go:202 +0x185
github.com/jetstack/cert-manager/pkg/acme/webhook/registry/challengepayload.(*REST).callSolver(0xc0005fbf20, 0x0, 0x0, 0xc00096dd18, 0x7, 0xc00096dd20, 0x6, 0xc00096dd30, 0xb, 0xc00072aa20, ...)
/go/pkg/mod/github.com/jetstack/[email protected]/pkg/acme/webhook/registry/challengepayload/challenge_payload.go:86 +0xf8
github.com/jetstack/cert-manager/pkg/acme/webhook/registry/challengepayload.(*REST).Create(0xc0005fbf20, 0x20975c0, 0xc000463260, 0x2055600, 0xc000463380, 0x1ed7438, 0xc000a18910, 0x0, 0x1000, 0x2049680, ...)
/go/pkg/mod/github.com/jetstack/[email protected]/pkg/acme/webhook/registry/challengepayload/challenge_payload.go:66 +0xe5
k8s.io/apiserver/pkg/endpoints/handlers.(*namedCreaterAdapter).Create(0xc00064cce0, 0x20975c0, 0xc000463260, 0x0, 0x0, 0x2055600, 0xc000463380, 0x1ed7438, 0xc000a18910, 0x3, ...)
/go/pkg/mod/k8s.io/[email protected]/pkg/endpoints/handlers/create.go:208 +0x7f
k8s.io/apiserver/pkg/endpoints/handlers.createHandler.func1.1(0x1b9fbe0, 0x0, 0x0, 0x0)
/go/pkg/mod/k8s.io/[email protected]/pkg/endpoints/handlers/create.go:145 +0x13b
k8s.io/apiserver/pkg/endpoints/handlers.createHandler.func1.2(0x0, 0x1, 0x0, 0x0)
/go/pkg/mod/k8s.io/[email protected]/pkg/endpoints/handlers/create.go:166 +0xf5
k8s.io/apiserver/pkg/endpoints/handlers.finishRequest.func1(0xc0003605a0, 0xc000360120, 0xc000360240, 0xc000360180)
/go/pkg/mod/k8s.io/[email protected]/pkg/endpoints/handlers/rest.go:241 +0x62
created by k8s.io/apiserver/pkg/endpoints/handlers.finishRequest
/go/pkg/mod/k8s.io/[email protected]/pkg/endpoints/handlers/rest.go:222 +0xd4
E0708 15:32:22.876499 1 wrap.go:39] apiserver panic'd on POST /apis/FOOBAR.org/v1alpha1/dnsimple
http2: panic serving 10.7.0.2:56684: runtime error: invalid memory address or nil pointer dereference
As discussed in #2 it makes sense to integrate this repository into hub.helm.sh.
Secret token creation is truncated if we use this kind of token:
dnsimple:
  token: "9irzedrtrtbvDDZWHom2$asF"
At the end, the secret only contains:
'9irzedrtrtbvDDZWHom2'
$asF is missing
I receive the following error when using either the default groupName or changing it to something unique as denoted in the docs:
Error presenting challenge: dnsimple.acme.tapcart.com is forbidden: User "system:serviceaccount:routing:cert-manager" cannot create resource "dnsimple" in API group "acme.tapcart.com" at the cluster scope
What is the groupName for and what should we be setting it to?
Do we need additional RBAC configurations for it?
Deploying cert-manager-webhook-dnsimple on a GKE cluster running Kubernetes 1.17.15-gke.800 results in the following errors:
I0119 23:04:51.030632 1 configmap_cafile_content.go:202] Starting client-ca::kube-system::extension-apiserver-authentication::client-ca-file
I0119 23:04:51.030689 1 configmap_cafile_content.go:202] Starting client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file
I0119 23:04:51.030723 1 shared_informer.go:240] Waiting for caches to sync for client-ca::kube-system::extension-apiserver-authentication::client-ca-file
I0119 23:04:51.030721 1 requestheader_controller.go:169] Starting RequestHeaderAuthRequestController
I0119 23:04:51.030725 1 shared_informer.go:240] Waiting for caches to sync for client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file
I0119 23:04:51.030818 1 shared_informer.go:240] Waiting for caches to sync for RequestHeaderAuthRequestController
I0119 23:04:51.031057 1 dynamic_serving_content.go:130] Starting serving-cert::/tls/tls.crt::/tls/tls.key
I0119 23:04:51.032297 1 secure_serving.go:197] Serving securely on [::]:443
I0119 23:04:51.032772 1 tlsconfig.go:240] Starting DynamicServingCertificateController
I0119 23:04:51.033118 1 apf_controller.go:249] Starting API Priority and Fairness config controller
E0119 23:04:51.036000 1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta1.PriorityLevelConfiguration: failed to list *v1beta1.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:cert-manager-webhook-dnsimple" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0119 23:04:51.036045 1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta1.FlowSchema: failed to list *v1beta1.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:cert-manager-webhook-dnsimple" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
I0119 23:04:51.130931 1 shared_informer.go:247] Caches are synced for client-ca::kube-system::extension-apiserver-authentication::client-ca-file
I0119 23:04:51.130993 1 shared_informer.go:247] Caches are synced for RequestHeaderAuthRequestController
I0119 23:04:51.131026 1 shared_informer.go:247] Caches are synced for client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file
E0119 23:04:52.179462 1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta1.FlowSchema: failed to list *v1beta1.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:cert-manager-webhook-dnsimple" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0119 23:04:52.188664 1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta1.PriorityLevelConfiguration: failed to list *v1beta1.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:cert-manager-webhook-dnsimple" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0119 23:04:53.896237 1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta1.PriorityLevelConfiguration: failed to list *v1beta1.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:cert-manager-webhook-dnsimple" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0119 23:04:54.880564 1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta1.FlowSchema: failed to list *v1beta1.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:cert-manager-webhook-dnsimple" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0119 23:04:57.600281 1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta1.PriorityLevelConfiguration: failed to list *v1beta1.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:cert-manager-webhook-dnsimple" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0119 23:04:58.393101 1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta1.FlowSchema: failed to list *v1beta1.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:cert-manager-webhook-dnsimple" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0119 23:05:05.928899 1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta1.PriorityLevelConfiguration: failed to list *v1beta1.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:cert-manager-webhook-dnsimple" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0119 23:05:08.093017 1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta1.FlowSchema: failed to list *v1beta1.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:cert-manager-webhook-dnsimple" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
The problem seems to be a mismatch between the v0.20.0 client libraries and Kubernetes 1.17. Downgrading to the v0.19.0 client libraries solves the problem. Kubernetes 1.17.15-gke.800 is the latest stable release on GKE, so upgrading the cluster is not an option for users running production environments on stable.
cert-manager-webhook-dnsimple seems to work despite these errors, but on the other hand, there is nothing in cert-manager-webhook-dnsimple that needs the newer client libraries.
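Both the groupName report and the flowcontrol log lines above are Kubernetes RBAC denials in the API server's standard `forbidden` wording, and that wording already names the subject, verb, resource and API group being refused. The following script is an added example, not code from cert-manager-webhook-dnsimple or cert-manager: it parses that message and evaluates the denied request against a small model of the ClusterRole and ClusterRoleBinding that the cert-manager webhook-example chart ships for the solver. The assumed shape of that role (`apiGroups: [groupName]`, `resources: ['*']`, `verbs: ['create']`, bound to cert-manager's own ServiceAccount) and the role name `webhook-dnsimple:domain-solver` are assumptions for illustration. The two sample log lines are quoted from the reports above.

```python
"""Added example (not part of cert-manager-webhook-dnsimple or cert-manager).

Parses Kubernetes RBAC 'forbidden' messages and checks them against a
modelled domain-solver ClusterRole, to show why groupName and the
cert-manager ServiceAccount's namespace both have to line up.
"""
import re
from dataclasses import dataclass

FORBIDDEN_RE = re.compile(
    r'User "system:serviceaccount:(?P<ns>[^:"]+):(?P<sa>[^"]+)" cannot '
    r'(?P<verb>\w+) resource "(?P<resource>[^"]+)" in API group '
    r'"(?P<group>[^"]*)" at the cluster scope'
)

# Log lines quoted from the two reports above.
CHALLENGE_DENIAL = (
    'Error presenting challenge: dnsimple.acme.tapcart.com is forbidden: '
    'User "system:serviceaccount:routing:cert-manager" cannot create resource '
    '"dnsimple" in API group "acme.tapcart.com" at the cluster scope')
FLOWCONTROL_DENIAL = (
    'prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: '
    'User "system:serviceaccount:cert-manager:cert-manager-webhook-dnsimple" '
    'cannot list resource "prioritylevelconfigurations" in API group '
    '"flowcontrol.apiserver.k8s.io" at the cluster scope')


@dataclass(frozen=True)
class Denial:
    namespace: str   # ServiceAccount namespace
    sa: str          # ServiceAccount name
    verb: str
    resource: str
    group: str


def parse_forbidden(line: str):
    """Extract who was denied what from a 'forbidden' message, or None."""
    m = FORBIDDEN_RE.search(line)
    if m is None:
        return None
    return Denial(m["ns"], m["sa"], m["verb"], m["resource"], m["group"])


def solver_rbac(group_name, cm_namespace="cert-manager", cm_sa="cert-manager",
                role="webhook-dnsimple:domain-solver"):
    """Assumed model of the chart's domain-solver ClusterRole and its binding."""
    roles = {role: [{"apiGroups": [group_name], "resources": ["*"], "verbs": ["create"]}]}
    bindings = [{"roleRef": role, "subjects": {("ServiceAccount", cm_namespace, cm_sa)}}]
    return roles, bindings


def _rule_matches(rule, d: Denial) -> bool:
    def hit(values, wanted):
        return "*" in values or wanted in values
    return (hit(rule["apiGroups"], d.group) and hit(rule["resources"], d.resource)
            and hit(rule["verbs"], d.verb))


def is_allowed(d: Denial, roles, bindings) -> bool:
    """RBAC is allow-only: one matching rule in any bound role permits the request."""
    for b in bindings:
        if ("ServiceAccount", d.namespace, d.sa) not in b["subjects"]:
            continue
        if any(_rule_matches(r, d) for r in roles.get(b["roleRef"], [])):
            return True
    return False


def explain(line: str, roles, bindings) -> str:
    """One-line verdict for a log line against the modelled RBAC."""
    d = parse_forbidden(line)
    if d is None:
        return "not an RBAC denial"
    if is_allowed(d, roles, bindings):
        return "the modelled rules allow this; the live cluster's RBAC differs from the model"
    return (f"no bound rule lets system:serviceaccount:{d.namespace}:{d.sa} "
            f"{d.verb} {d.resource} in apiGroup {d.group!r}")


if __name__ == "__main__":
    # groupName matches, but the reporter's cert-manager runs in 'routing',
    # so a binding to cert-manager:cert-manager is not enough.
    print(explain(CHALLENGE_DENIAL, *solver_rbac("acme.tapcart.com")))
    print(explain(CHALLENGE_DENIAL, *solver_rbac("acme.tapcart.com", cm_namespace="routing")))
    # The flowcontrol denials ask for 'list', which the solver role never grants.
    print(explain(FLOWCONTROL_DENIAL, *solver_rbac("acme.tapcart.com")))
```

Two things the evaluator makes visible: the groupName in the ClusterIssuer and the `apiGroups` entry of the solver ClusterRole must be the same string, and the binding's subject must be the ServiceAccount cert-manager actually runs as, namespace included (the first report's subject is `routing:cert-manager`, not the chart's default namespace). For the flowcontrol lines the parsed verb is `list` on `flowcontrol.apiserver.k8s.io`, a permission the solver role does not carry, which is consistent with the author's observation that the errors are a client-library side effect rather than something the webhook itself needs.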
Was so thankful when I found this for dnsimple, but it appears there is no published image in the repository neoskop/cert-manager-webhook-dnsimple that supports arm. Therefore I get the exec format error on my Raspberry Pi 4 cluster.
I am investigating some of the forks of this project as it looks like they may have added that but hoping you can publish arm images along with amd64.
Thanks in advance
Currently the container is exposing port 443, which belongs to the privileged port range.
IMHO the use of this privileged port is unnecessary, as we can "hide" the privileged port behind a Kubernetes service.
Not using a privileged port would allow the container to be run on more restrictive container platforms, such as OpenShift.
Could you maybe make the port configurable as an environment variable?