Cannot create http01 ClusterIssuer with DigitalOcean provider using new static manifests #1149
Comments
Note that on master there is now only a single static manifest that does include the webhook thing, whereas previously there was a |
Using non-webhook cert-manager from 4283138 (parent of cdd513c) allows for Is the removal of the non-webhook manifest intentional? |
Hey - it looks like you’re trying to install the manifests and follow the instructions for ‘master’ instead of the latest stable release (v0.5.2). As you’ve noticed, we’ve removed the separation between different manifest types in favour of an all-in-one bundle for the upcoming v0.6 release. For the time being, check out the documentation for ‘latest’ (or more specifically, release-0.5). This will guide you through using either the static manifests or the Helm chart as you’ve noted. 0.6 isn’t available yet, as some additional documentation needs putting together (although features in the project itself are done!) You should have a much smoother experience if you stick to the latest release branch of the project 😄 |
For a bit of clarity on this issue, can you share the step by step commands you're running, and exactly which guide you're following and running into these problems? |
Seems like you didn't quite catch it, or maybe I wasn't clear... I admit it's quite a convoluted story. As I mentioned earlier (see the links of my original message):
Attempt to install 0.5.2
I first tried to install 0.5.2 following the matching "latest" documentation (not master), the only instructions being:
Commands used:
... except now pods won't start due to missing
Attempt to install 0.6 from master (i.e. with webhook)
I followed the exact instructions here except with
Attempt to install 0.6 without webhook
Same commands, except
|
RBAC-only is the way to go for sure but how are you supposed to install the no-webhook variant with a single static manifest? Or is there no no-webhook option anymore by design?
That's what I thought at first but to be honest as a static manifest user, master was a much more pleasant experience ;) |
Before stumbling on this issue I also first tried to deploy from the master branch without success. With v0.5, after creating
|
Is there a resolution here? It looks very similar to what I'm seeing:
|
As a workaround, my last attempt in one of the above comments is successful. |
Please take a read of the webhook component documentation, as well as the troubleshooting instructions now available in the docs: https://cert-manager.readthedocs.io/en/latest/getting-started/webhook.html I'm going to close this issue, as it's a deployment configuration problem that we have documentation to cover. If you're still running into problems, feel free to jump onto our Slack channel and we can work through it to get things sorted 😄 |
I upgraded from v0.6.0 to v0.6.2 (helm chart version v0.6.6) and I'm running into this issue too.
I'm not on EKS (I'm on AWS but running k8s myself on EC2 instances). I've looked at the doc linked to in the previous comment and haven't found anything helpful.
What am I missing? |
Thanks @Yanson, that steered me in the right direction. Found this in my k8s apiserver logs:
That API address corresponds to the service:
I can confirm that I can't hit it from within the apiserver's pod:
I'm not on EKS/GKE, if anyone has any pointers on how to fix this, please let me know! Edit: just to be clear, I am on a mostly default kops-created cluster on AWS. |
@tsuna looking at the output here, it looks like you've misconfigured your Kubernetes cluster's service CIDR (unless I am mistaken!)
|
It's not a public IP address. https://tools.ietf.org/html/rfc6598#section-7
It's the default range used by |
I am also seeing in my api logs the same error: I thought of opening a new issue, but it is the same here, I have 2 issuers (below), one using let's encrypt, and one is self signed, I managed to create certificates using the self signed issuer, how can I solve this issue:
kubectl describe issuer -n ingress
Name: cert-manager-webhook-ca
Name: cert-manager-webhook-selfsign |
Following along with interest in your progress @tsuna, as my team is seeing similar issues in a kops created cluster running in EC2. |
@tsuna further analysis showed that for us it was only a single master node that couldn't reach the cert-manager-webhook service. restarting that master node magically fixed everything. ¯_(ツ)_/¯ |
Describe the bug:
Following documentation to install with static manifests, then attempting to create an Issuer or ClusterIssuer on a fresh DO k8s cluster results in the following error:
Issue seems quite different from #1103.
Expected behaviour:
An Issuer or ClusterIssuer should be able to be created after following documentation instructions for static manifests.
Steps to reproduce the bug:
Issuer or ClusterIssuer
Anything else we need to know?:
I first tried to set up cert-manager 0.5.2 with static manifests but the documentation is severely lacking, CRDs are absent, and there are a number of other missing things, like pods failing to start with log output missing secret "webhook-ca".
While looking for a way to solve it I noticed that there seems to be quite a refactoring with much better documentation and manifests on master. With CRDs set up and namespace created, everything seemed to be in order except that I had to apply -f with --validate=false due to #1143.
I then proceeded to create a ClusterIssuer following this part of the documentation:
Nothing of significance appears in the pod logs.
Since there was no match in cert-manager issues I looked for similar errors in other kubernetes projects involving admission webhooks and found this.
by running kubectl describe configmap -n kube-system extension-apiserver-authentication, which does contain requestheader-client-ca-file.
So I ran kubectl get apiservice clusterissuers.admission.certmanager.k8s.io -o yaml which I suppose is expected to return something along the lines of:
But returns this error instead:
So I tried a more general kubectl get apiservice for which the output contains a single reference to anything related to certmanager.k8s.io:
with no trace of issuers.admission.certmanager.k8s.io, clusterissuers.admission.certmanager.k8s.io, or certificates.admission.certmanager.k8s.io.
The output of kubectl describe apiservice v1beta1.admission.certmanager.k8s.io contains:
Environment details:
/kind bug
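The APIService checks walked through in the report above (kubectl get apiservice, then kubectl describe apiservice v1beta1.admission.certmanager.k8s.io), as an added example that is not part of the original issue or of cert-manager's own tooling: it reads the JSON form of `kubectl get apiservice -o json` and lists aggregated APIs whose Available condition is not True, together with the backing Service the API server has to reach. The sample document, the `cert-manager` namespace, the `example.invalid` entry and the condition message are constructed assumptions.

```python
import json

# Constructed sample shaped like `kubectl get apiservice -o json`.
# Namespace and message text are assumptions, not output from the issue.
SAMPLE = json.dumps({"items": [
    {   # served by the API server itself: no spec.service
        "metadata": {"name": "v1.apps"},
        "spec": {"group": "apps", "version": "v1"},
        "status": {"conditions": [
            {"type": "Available", "status": "True", "reason": "Local"}]},
    },
    {   # aggregated API backed by the webhook Service
        "metadata": {"name": "v1beta1.admission.certmanager.k8s.io"},
        "spec": {"service": {"namespace": "cert-manager",
                             "name": "cert-manager-webhook"}},
        "status": {"conditions": [
            {"type": "Available", "status": "False",
             "reason": "FailedDiscoveryCheck",
             "message": "constructed: backing service did not answer"}]},
    },
    {   # no status reported yet, e.g. object was just created
        "metadata": {"name": "v1beta1.example.invalid"},
        "spec": {"service": {"namespace": "default", "name": "example"}},
    },
]})


def unavailable_apiservices(doc, name_suffix=""):
    """Return (name, backend, reason, message) for each APIService whose
    Available condition is missing or not "True"."""
    findings = []
    for item in json.loads(doc).get("items", []):
        name = item["metadata"]["name"]
        if not name.endswith(name_suffix):
            continue
        conds = item.get("status", {}).get("conditions", [])
        avail = next((c for c in conds if c.get("type") == "Available"), None)
        if avail is not None and avail.get("status") == "True":
            continue
        svc = item.get("spec", {}).get("service") or {}
        backend = f"{svc['namespace']}/{svc['name']}" if svc else "local"
        reason = avail.get("reason", "") if avail else "no Available condition"
        message = avail.get("message", "") if avail else ""
        findings.append((name, backend, reason, message))
    return findings


if __name__ == "__main__":
    # Replace SAMPLE with saved `kubectl get apiservice -o json` output.
    for row in unavailable_apiservices(SAMPLE, "certmanager.k8s.io"):
        print(*row, sep="\t")
```

An APIService that is listed but not Available points at connectivity or TLS trust between the API server and the backing Service, which is where the later comments in this thread end up looking.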