cert-manager-webhook-dnsimple throws errors on GKE running Kubernetes 1.17.15-gke.800 about cert-manager-webhook-dnsimple HOT 9 CLOSED

I found this issue when I was searching solution for the same problem, I solved it by adding new clusterRole/Binding to the webhook service account (not the cert-manager service account ) ...like this:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "cert-manager-webhook-hetzner.fullname" . }}:flowcontrol-solver
  labels:
    app: {{ include "cert-manager-webhook-hetzner.name" . }}
    chart: {{ include "cert-manager-webhook-hetzner.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
rules:
  - apiGroups:
      - "flowcontrol.apiserver.k8s.io"
    resources:
      - 'prioritylevelconfigurations'
      - 'flowschemas'
    verbs:
      - 'list'
      - 'watch'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "cert-manager-webhook-hetzner.fullname" . }}:flowcontrol-solver
  labels:
    app: {{ include "cert-manager-webhook-hetzner.name" . }}
    chart: {{ include "cert-manager-webhook-hetzner.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "cert-manager-webhook-hetzner.fullname" . }}:flowcontrol-solver
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: {{ include "cert-manager-webhook-hetzner.fullname" . }}
    namespace: {{ .Release.Namespace | quote }}
---

from cert-manager-webhook-dnsimple.

Hey, I just saw this error in our clusters an google'd it and then ended here in the ticket of my own project 😅 - this totally got lost in my inbox. Sorry! I think a downgrade is the most viable solution, but I will check what the other webhooks are doing and will report back.

from cert-manager-webhook-dnsimple.

Looking around I noticed that one can add in the rbac yaml file to the ClusterRole :domain-solver (from https://github.com/gattytto/cert-manager-acme-he-webhook/blob/master/deploy/acme-he-webhook/templates/rbac.yaml)

  - apiGroups:
      - "flowcontrol.apiserver.k8s.io"
    resources:
      - 'prioritylevelconfigurations'
      - 'flowschemas'
    verbs:
      - 'list'
      - 'watch'

But it seems to still not solve the problem. I get the same issue ebrianne/cert-manager-webhook-duckdns#2

from cert-manager-webhook-dnsimple.

@ebrianne Which Kubernetes version are you seeing this with?

from cert-manager-webhook-dnsimple.

@arnediekmann Any news?

from cert-manager-webhook-dnsimple.

Just to be clear: FlowSchema and PriorityLevelConfiguration were in Alpha in Kubernetes v1.19 (https://v1-19.docs.kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#flowschema-v1alpha1-flowcontrol-apiserver-k8s-io and https://v1-18.docs.kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#prioritylevelconfiguration-v1alpha1-flowcontrol-apiserver-k8s-io). They don't enter Beta until v1.20. So any client library that tries to list those resources in the Beta namespace will fail on a pre-1.20 cluster.

from cert-manager-webhook-dnsimple.

@parmus I am using a k3s cluster v1.20.4 and thought I could solve the problem finally. Last time I downgraded to 1.19 for the client which solved the problem as indeed the feature was in alpha at that time. It seems at the moment a viable solution.

from cert-manager-webhook-dnsimple.

Whoops, this got auto-closed by my commit. I just release version 0.1.0. In our clusters (Version 1.19.8) 11fb703 and the release seem to do the trick. But please do check in your environments and report back. Sorry for taking so long with this and thanks for your patience 😇

from cert-manager-webhook-dnsimple.

@parmus somewhat off-topic but the release also encompasses your PRs. Thanks again for those contributions!

from cert-manager-webhook-dnsimple.