IssuerNotFound with ClusterIssuer and nginx on GKE #43

Closed
Humbertda opened this issue Jun 17, 2021 · 3 comments

@Humbertda

I am having an issue configuring google-cas-issuer in GKE.

Here is the script I used to configure cert-manager and google-cas-issuer:

```bash
kubectl create namespace cert-manager
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --version v1.4.0 \
  --set installCRDs=true

kubectl apply -f https://github.com/jetstack/google-cas-issuer/releases/download/v0.5.2/google-cas-issuer-v0.5.2.yaml
```

(I have also configured workload identity)

And here is the YAML configuration for Kubernetes:

```yaml
apiVersion: cas-issuer.jetstack.io/v1beta1
kind: GoogleCASClusterIssuer
metadata:
  name: cert-app-issuercluster
spec:
  project: (my project id here)
  location: europe-west1
  caPoolId: www-my-app
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: cert-my-app
spec:
  secretName: my-app-tls
  duration: 24h
  renewBefore: 8h
  commonName: my.app
  dnsNames:
    - my.app
  issuerRef:
    group: cas-issuer.jetstack.io
    kind: GoogleCASClusterIssuer
    name: cert-app-issuercluster
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-all
  annotations:
    cert-manager.io/cluster-issuer: cert-app-issuercluster
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: my.app
    http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            name: angular-app
            port:
              number: 80
  tls:
  - hosts:
    - my.app
    secretName: my-app-tls
```

certificate request description:

```
Normal IssuerNotFound 19s (x5 over 19s) cert-manager Referenced "ClusterIssuer" not found: clusterissuer.cert-manager.io "cert-app-issuercluster" not found
```

kubectl get googlecasclusterissuers output:

```
NAME                     READY   REASON        MESSAGE
cert-app-issuercluster   True    CASClientOK   Successfully constructed CAS client
```

Is there an issue with my configuration? (I have replaced host names with my.app)

Humbertda changed the title from "IssuerNotFound with IssuerCluster and nginx" to "IssuerNotFound with ClusterIssuer and nginx on GKE" on Jun 18, 2021

@jakexks
Member

jakexks commented Jun 22, 2021

Hi @Humbertda
On your ingress you will also have to add the issuer-kind/group annotation to reference the external issuer:

```yaml
cert-manager.io/issuer-kind: GoogleCASClusterIssuer
cert-manager.io/issuer-group: cas-issuer.jetstack.io
```

See the ingress-shim documentation here: https://cert-manager.io/docs/usage/ingress/
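
An added example, not part of the original thread and not cert-manager's own code: a simplified Python model of the annotation-to-issuerRef mapping described in this reply, showing why the Ingress in the question resolves to `clusterissuer.cert-manager.io` and how the two extra annotations redirect it to the external issuer. The function names and the `INSTALLED` inventory are constructed for illustration, and the default-issuer flags of ingress-shim are not modelled.

```python
# Simplified model (assumption) of how ingress-shim derives a Certificate
# issuerRef from Ingress annotations, based on the behaviour shown in this thread.
PREFIX = "cert-manager.io/"


def resolve_issuer_ref(annotations):
    """Return the (group, kind, name) the annotations point at, or None."""
    name = annotations.get(PREFIX + "issuer")
    kind = "Issuer"
    if PREFIX + "cluster-issuer" in annotations:
        name = annotations[PREFIX + "cluster-issuer"]
        kind = "ClusterIssuer"
    if name is None:
        return None  # no issuer annotation (default-issuer flags not modelled)
    # Without these two annotations the reference stays in cert-manager's own
    # API group, which is what the IssuerNotFound event in the issue reports.
    kind = annotations.get(PREFIX + "issuer-kind", kind)
    group = annotations.get(PREFIX + "issuer-group", "cert-manager.io")
    return (group, kind, name)


def check_ingress(annotations, installed):
    """Compare the resolved reference with the issuers present in the cluster."""
    ref = resolve_issuer_ref(annotations)
    if ref is None:
        return "no issuer annotation"
    if ref in installed:
        return "ok: %s/%s %r" % ref
    group, kind, name = ref
    # An issuer with the same name under another group/kind is this issue's mistake.
    near = [i for i in installed if i[2] == name]
    hint = "; found %s/%s with that name, set issuer-kind and issuer-group" % near[0][:2] if near else ""
    return "IssuerNotFound: %s.%s %r%s" % (kind.lower(), group, name, hint)


# Constructed inventory mirroring the `kubectl get googlecasclusterissuers` output.
INSTALLED = {("cas-issuer.jetstack.io", "GoogleCASClusterIssuer", "cert-app-issuercluster")}

BEFORE = {  # annotations from the Ingress in the question
    "cert-manager.io/cluster-issuer": "cert-app-issuercluster",
    "kubernetes.io/ingress.class": "nginx",
}
AFTER = dict(BEFORE, **{  # plus the two annotations from the reply
    "cert-manager.io/issuer-kind": "GoogleCASClusterIssuer",
    "cert-manager.io/issuer-group": "cas-issuer.jetstack.io",
})

if __name__ == "__main__":
    print(check_ingress(BEFORE, INSTALLED))
    print(check_ingress(AFTER, INSTALLED))
```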

@Humbertda
Author

After adding this, and fixing an IAM issue, it seems to work!

@hamzabll5858

@Humbertda what IAM permissions did you solve?
