Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ClusterIssuer not created with k3s #1519

giovannicandido opened this Issue Apr 3, 2019 · 4 comments


None yet
4 participants
Copy link

commented Apr 3, 2019

Describe the bug:
Creating a ClusterIssuer for acme server the validation hook says there is no resource of this type
I'm using k3s for kubernestes cluster (super easy to install)

Expected behaviour:

The issuer should be created

Steps to reproduce the bug:

kind: ClusterIssuer                                                          
  name: letsencrypt-staging                                                  
  namespace: cert-manager                                                    
      name: letsencrypt-staging                                              
    http01: {}                                                                                                                                 

kubectl apply -f issuer.yaml


Error from server (InternalError): error when creating "issuer.yaml": Internal error occurred: failed calling webhook "": an error on the server ("Internal Server Error: "/apis/": the server could not find the requested resource") has prevented the request from succeeding

kubectl logs:

    GOROOT/src/net/http/server.go:1964 +0x44                                             *timeoutHandler).ServeHT
TP.func1(0xc0007e31a0, 0xc0004a9c80, 0x196a2a0, 0xc00000ca98, 0xc00079ef00)
vendor/ +0xb3
created by*timeoutHandl
vendor/ +0x1b0

logging error output: "Internal Server Error: "/apis/
s": the server could not find the requested resource\n"
[kubectl/v1.13.5 (linux/amd64) kubernetes/256ea73]

Anything else we need to know?:

Changing ClusterIssuer to Issuer works.

Environment details::

  • Kubernetes version (e.g. v1.10.2): 1.13.5
  • Cloud-provider/provisioner (e.g. GKE, kops AWS, etc): None
  • cert-manager version (e.g. v0.4.0): v0.7.0
  • Install method (e.g. helm or static manifests):

Using lightweight add a helm installation in directory /var/lib/rancher/k3s/server/manifests/certmanager.yaml with contents:

kind: HelmChart
  name: cert-manager
  namespace: kube-system
  chart: cert-manager
  version: v0.7.0
  targetNamespace: cert-manager
    ingressShim.defaultIssuerName: letsencrypt-prod
    ingressShim.defaultIssuerKind: ClusterIssuer
    webhook.enabled: "false"

Restart: systemctl restart k3s

/kind bug


This comment has been minimized.

Copy link

commented Apr 4, 2019

Update: Issuer works because I removed the webhook validation from the namespace. ClusterIssuer keeps validating.
I did try to disable in helm installation and it does not disable the thing :-). Will check that later.


This comment has been minimized.

Copy link

commented Apr 9, 2019

We don't run e2e tests against k3s, and I'm not too sure what features are removed from it compared to normal k8s, so this is particularly hard to debug.

Due to the fact that k3s is ultimately a fork of Kubernetes, I'm not really able to provide much extra help here - if anyone else has experience with it, please do comment 😄

@munnerz munnerz added the area/deploy label Apr 9, 2019

@munnerz munnerz changed the title ClusterIssuer not created ClusterIssuer not created with k3s Apr 9, 2019


This comment has been minimized.

Copy link

commented Apr 17, 2019

Looks like the webhook validation on k3s is not working, as well as the helm option to disable. There is a discussion in rancher/k3s#117


This comment has been minimized.

Copy link

commented Apr 22, 2019

I'm unable to reproduce this when installing cert-manager the "normal" way with helm. I.e. as you would in any other k8s cluster.

Maybe I'm missing something, but shouldn't the custom resource definitions be applied separately before the chart is installed? This is what the documentation states. I had no problems following those steps with k3s. Webhook working and ClusterIssuer created.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.