-
Notifications
You must be signed in to change notification settings - Fork 2.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
cert-manager is not able to create CertificateRequest (OVHCloud Managed Kubernetes) #4418
Comments
Thanks for creating the issue.
This error comes from cert-manager validating webhook here. The identity fields ( Have you got any
How do you upgrade the CRDs? Are there any other values that are configured for the deployment?
You should probably upgrade to I wonder if we should print the actual not-matching identity fields to those validating webhook error messages, so it's easier to debug. |
Hi @irbekrm
No, I tried many different Issuers and every one of them is exiting before - with the above error message.
I tried both ways. Setting the install crds parameter in values.yaml or Installing it from a raw yaml like this.
That would be very helpful! I'm still thinking that this is an OVH problem. That would explain the uniqueness of the issue. Thank you for all your work and in advance for any further |
Hey @vanillathunder1337 - just hit the same issue, and you guessed it — on OVH k8s as well! :) |
Hmm I'm still having problems with let's encrypt.. Even if I reinstall the entire cluster |
Hi @vanillathunder1337 , I had the same problem. I contacted OVH support and they told me to restart the control plane : After reinstalling helm cert-manager everything worked fine. |
/retitle cert-manager is not able to create CertificateRequest (OVH Cloud Managed Kubernetes) |
Hi @zakov-kara , it worked for me as well. I'm still wondering why but whatever ... @maelvls I think the "bug" is solved but some enhanced logging would be nice. Regards |
Thanks for the update @zakov-kara and @vanillathunder1337! I agree, the error message is somehow cryptic. For example, it doesn't say what is the username of the "requester" (the one who tries to create the certificaterequest; in this case, that would be cert-manager itself). A message with "expect/got" may be more helpful maybe:
I am still confused as to how all this should be interpreted though. |
I'll close the issue for now since a fix has been found. I'll try to have a PR with better error messages. |
I decided to dig a bit more, I find it surprising that OVHCloud's apiserver needs to be restarted. When the CertificateRequest is created, the apiserver does 2 calls to cert-manager-webhook:
|
Problem description:
regardless of the kind of issuer/clusterissuer I'm using, the certificates won't be created.
Currently im using a selfsigned clusterissuer to repair the certificate process.
It already stucks, before the issuer can take action. Im getting the following error message when executing
After that I increased the debug level of cert-manager to 6 and deployed it again. In the logs of the main pod of the cert-manager I found the following messages that are interesting as well:
So it looks like the pod is getting a 406 when trying to create a certificaterequest.
I also checked if the pod is generally able to communicate with the api:
Expected behaviour:
Clean creation of the CertificateRequests
Steps to reproduce the bug:
kubectl describe certificate
ClusterIssuer and Certificate yaml's:
clusterissuer.yaml
(!! Tried many different issuers - but the error message isn't different)
certificate.yaml
(!! Also tried many different ways of creating certificates - but this one is the easiest)
Environment details::
OVH Cloud Managed Kubernetes
currently 1.3.1
also tried 1.5.3
I also tried to modify some variables, which are maybe related with this issue, in the values.yaml.. But im getting the same errors as with the default configuration.
my guesses
I'm honestly thinking, that there is a problem with the rbac or any other kind of access restrictions.
I'm kind of tired searching for the error messages that literally give no results anywhere in the internet. Maybe someone of you already faced this issue and can help me with this.
Thank you in advance for any help.
The text was updated successfully, but these errors were encountered: