CertificateRequest approved but stuck with empty status #165

Closed
leotomas837 opened this issue Dec 2, 2022 · 1 comment

leotomas837 commented Dec 2, 2022

I installed approver-policy 0.4.2 with cert-manager 1.10.0 and when issuing a certificate, it creates the CertificateRequest but then gets stuck without any status (the whole status section is missing). I can see in the events of the CR that it was approved by the policy, but the status section is missing. Looks like approver-policy is not setting the status once approved? Find some details below.

$> kubectl describe cr Istio-ca-lzjr8
...
Events:
  Type    Reason    Age                    From                    Message
  ----    ------    ----                   ----                    -------
  Normal  Approved  2m36s (x17 over 8m4s)  policy.cert-manager.io  Approved by CertificateRequestPolicy: "my-root"

$> kubectl get cr Istio-ca-lzjr8
NAMESPACE      NAME             APPROVED   DENIED   READY   ISSUER   REQUESTOR                                         AGE
istio-system   istio-ca-lzjr8                               root     system:serviceaccount:cert-manager:cert-manager   9m7s

Here is the content of my policy (which works fine: I can see in the events that, depending on the certificate spec, the CR gets approved or not depending on whether it complies with the CertificateRequestPolicy).

apiVersion: policy.cert-manager.io/v1alpha1
kind: CertificateRequestPolicy
metadata:
  name: my-root
spec:
  allowed:
    isCA: true
    dnsNames:
      required: true
      values:
        - example.com
    subject:
      organizations:
        values:
          - cluster.local
          - cert-manager
  constraints:
    minDuration: 8760h # 1year
    maxDuration: 87600h # 10year
    privateKey:
      algorithm: RSA
      minSize: 2048
      maxSize: 2048
  selector:
    issuerRef:
      name: root
      kind: KMSIssuer
      group: cert-manager.skyscanner.net

leotomas837 changed the title from "CertificateRequest approved with empty status" to "CertificateRequest approved but stuck with empty status" on Dec 2, 2022

@leotomas837

Looks like the SA that must be given the permission to approve signers for the external issuer (here KMSIssuer) is the cert-manager-approver-policy SA, not the cert-manager SA. Working now, closing the issue.
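
The RBAC change described in the comment above, written out as an added example (not part of the original thread and not the project's own manifests). Assumptions: the CRD plural is `kmsissuers`, the `root` KMSIssuer is namespaced and lives in `istio-system` alongside the CertificateRequest, the approver-policy service account runs in the `cert-manager` namespace, and the role and binding names are hypothetical.

```yaml
# Added example: lets the approver-policy controller set the Approved/Denied
# condition on CertificateRequests that reference the external KMSIssuer.
# cert-manager authorizes approval through the "approve" verb on the virtual
# "signers" resource in the cert-manager.io API group.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: approver-policy:approve-kmsissuer   # hypothetical name
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["signers"]
    verbs: ["approve"]
    resourceNames:
      # Signer name for a namespaced issuer: <plural>.<group>/<namespace>.<name>
      # "kmsissuers" and "istio-system" are assumptions (see lead-in).
      - kmsissuers.cert-manager.skyscanner.net/istio-system.root
      # Broader alternative covering every KMSIssuer in the cluster:
      # - kmsissuers.cert-manager.skyscanner.net/*
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: approver-policy:approve-kmsissuer   # hypothetical name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: approver-policy:approve-kmsissuer
subjects:
  # Bind to the approver-policy controller's service account, not to the
  # cert-manager controller's (system:serviceaccount:cert-manager:cert-manager).
  - kind: ServiceAccount
    name: cert-manager-approver-policy
    namespace: cert-manager                 # assumed install namespace
```

Listing the single signer name keeps the grant to the one issuer that the `my-root` policy selects; the wildcard form trades that scoping for convenience.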
