Log error 'missing content for CA bundle' #4
Hi @cmacrae, I waited a lot for this plug-in as well until it got to a point where we needed it so desperately in a project that I was willing to just give it a shot. The code needed was actually not complicated at all - sometimes you just need the proper motivation to write it 😉 The log line you attached is one I usually see in the plugin's log first until the client ca is seemingly injected after a few moments. Then everything works fine. Can you check that the
and if it does: can you elaborate on the environment (say GKE, AKS et al.) and the Kubernetes and cert-manager versions?
Thanks for the prompt reply @arnediekmann 👋 Yep, the role binding does exist :) Here's some info on my environment:
cert-manager chart values

```yaml
cert-manager:
  installCRDs: true
```

cert-manager-webhook-dnsimple chart values

```yaml
cert-manager-webhook-dnsimple:
  image:
    repository: neoskop/cert-manager-webhook-dnsimple
    tag: 0.0.3
  replicaCount: 1
  dnsimple:
    account: < REDACTED >
    token: < REDACTED >
  clusterIssuer:
    staging:
      enabled: true
      email: < REDACTED >
```

Let me know if there's anything else I can provide to help debug :)
Not sure if these are any help, but here's an excerpt from cert-manager's
So, it does look like it's doing its job
Hmm this does seem to look like the logs I receive. Take these for example:
However I always found the numerous errors a little concerning even though they don't seem to prevent the web hook from working properly. I think they emerge from the library provided by Jetstack, however. I will create a follow-up issue on their end and link the issue here.
Ahh I'm sorry, I just realized that you meant the CA injector was working properly, not the web hook. Nevertheless your setup looks very sound and shouldn't have any problems. I'm therefore not really sure where to start looking and will still create an issue in jetstack/cert-manager-webhook-example to enquire further and will get back to you!
No worries! Thanks very much 🙇 I'll be digging into the cert-manager-webhook-example code in the meantime to try and determine what the error means 😄
As far as I understand it, initially the plug-in will read the
Ahh, interesting. I was having a dig around and I can see that the Nevertheless, here's the info you requested:

Role binding output

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"rbac.authorization.k8s.io/v1beta1","kind":"RoleBinding","metadata":{"annotations":{},"labels":{"app":"cert-manager-webhook-dnsimple","app.kubernetes.io/instance":"cert-manager-webhook-dnsimple","chart":"cert-manager-webhook-dnsimple-0.0.4","heritage":"Tiller","release":"cert-manager-webhook-dnsimple"},"name":"cert-manager-webhook-dnsimple:webhook-authentication-reader","namespace":"kube-system"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"Role","name":"extension-apiserver-authentication-reader"},"subjects":[{"apiGroup":"","kind":"ServiceAccount","name":"cert-manager-webhook-dnsimple","namespace":"cert-manager"}]}
  creationTimestamp: "2020-08-16T15:43:03Z"
  labels:
    app: cert-manager-webhook-dnsimple
    app.kubernetes.io/instance: cert-manager-webhook-dnsimple
    chart: cert-manager-webhook-dnsimple-0.0.4
    heritage: Tiller
    release: cert-manager-webhook-dnsimple
  managedFields:
  - apiVersion: rbac.authorization.k8s.io/v1beta1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .: {}
          f:kubectl.kubernetes.io/last-applied-configuration: {}
        f:labels:
          .: {}
          f:app: {}
          f:app.kubernetes.io/instance: {}
          f:chart: {}
          f:heritage: {}
          f:release: {}
      f:roleRef:
        f:apiGroup: {}
        f:kind: {}
        f:name: {}
      f:subjects: {}
    manager: argocd-application-controller
    operation: Update
    time: "2020-08-25T09:27:17Z"
  name: cert-manager-webhook-dnsimple:webhook-authentication-reader
  namespace: kube-system
  resourceVersion: "4566455"
  selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/kube-system/rolebindings/cert-manager-webhook-dnsimple:webhook-authentication-reader
  uid: ede03b14-62b1-4021-af65-e1561c114241
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: extension-apiserver-authentication-reader
subjects:
- kind: ServiceAccount
  name: cert-manager-webhook-dnsimple
  namespace: cert-manager
```

Helm major version

Namespace info
Our clusters (Tested MetaKube, AKS, EKS, GKE) do:
This might be the root cause. According to cert-manager/cert-manager#1149 which in turn references voyagermesh/voyager#888 (comment) you might have to enable the aggregation layer of the kube-apiserver component. The k8s documentation provides some insights into the flags needed, but maybe there is an easier way to enable that in your cluster depending on your way of setting the cluster up. Can you check whether the kube-apiserver is missing the flags mentioned in the docs and see if there is a way to provide those?
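The check suggested above can be done mechanically against the kube-apiserver command line. The script below is an added example, not code from this project or from anyone in the thread; the flag list is the aggregation-layer (front-proxy) set from the Kubernetes docs, and the apiserver command line it inspects is constructed for illustration.

```shell
#!/bin/sh
# Added example: report which aggregation-layer flags a kube-apiserver
# command line is missing. Without these the extension-apiserver
# authentication data the webhook reads stays empty.

# Flags kube-apiserver needs for the aggregation layer / front-proxy client.
AGG_FLAGS="--requestheader-client-ca-file \
--requestheader-allowed-names \
--requestheader-extra-headers-prefix \
--requestheader-group-headers \
--requestheader-username-headers \
--proxy-client-cert-file \
--proxy-client-key-file"

# missing_agg_flags CMDLINE
# Prints, one per line, each required flag absent from CMDLINE.
# Accepts both "--flag=value" and "--flag value" forms.
missing_agg_flags() {
  cmdline=$1
  for f in $AGG_FLAGS; do
    case " $cmdline " in
      *" $f="*|*" $f "*) ;;   # present
      *) echo "$f" ;;        # absent
    esac
  done
}

# agg_flags_ok CMDLINE -> exit 0 if nothing is missing, 1 otherwise
agg_flags_ok() {
  [ -z "$(missing_agg_flags "$1")" ]
}

# Constructed sample: an apiserver started with the requestheader flags
# but without the front-proxy client certificate pair.
SAMPLE_CMDLINE="kube-apiserver --advertise-address=10.0.0.1 \
--requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt \
--requestheader-allowed-names=front-proxy-client \
--requestheader-extra-headers-prefix=X-Remote-Extra- \
--requestheader-group-headers=X-Remote-Group \
--requestheader-username-headers=X-Remote-User"

# Run against the constructed sample when executed directly.
if [ "${0##*/}" != "sh" ]; then
  echo "Missing aggregation-layer flags:"
  missing_agg_flags "$SAMPLE_CMDLINE"
fi
```

On a live control-plane node the same function can be fed the real command line, for example from `ps -o args= -C kube-apiserver`.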
Thanks so much for the thorough research! The links really helped 🙌 I managed to get the API aggregation turned on, and the So, one step further! Here's where I am now:
I'm not really sure what the error is indicating there. I couldn't really find anything while searching for it. Maybe the certificates for the front-proxy are not configured properly or the cert-manager pods that rely on the aggregated API server need to be restarted. If that does not fix the problem, maybe you can share the kube-apiserver flags you are using.
Got it working! I just needed to configure my cluster's auth settings I can now see records being created in dnsimple! 🎉 Now I just have to figure out forwarding any Thanks so much for this project and all your help @arnediekmann 🙏
Very cool! 🎊 I'm glad you got it working!
I found it easiest to just exclusively rely on DNSimple. But we are usually setting up clusters with Pulumi which allows me to grab the load balancer IPs from the cluster and create records in DNSimple programmatically.
Gotcha, that sounds like a nice setup 👍 All my stuff is on-prem (DNSimple is the first external service I'll be relying upon), so I'm doing self-hosted PowerDNS with external-dns handling record creation, which makes it the authoritative NS for my subdomain. But, I'm pretty sure I could get a setup with CoreDNS to match requests for We'll see! I'll be blogging about this stuff at some point, and of course I'll be mentioning this project 😁
Very interesting setup - haven't made much use of CoreDNS in Kubernetes / other DNS servers yet. Might be something worth considering. Will keep an eye out for that blog post 🙂
Hey people 👋 Thank you so much for this project!
I had been trying to implement this myself a while back but gave up - so I was delighted to come across this when I decided to check recently if anyone had tackled it ❤️
After deploying via the chart, I'm seeing this message being constantly spat out in the logs:
Any ideas?