Permissions issue #12

Closed
WebSpider opened this issue Dec 7, 2021 · 2 comments

WebSpider commented Dec 7, 2021

Hi!

I have cert-manager installed via helm with default settings. When installing this chart, I get the following permissions error:

rook-ceph     23m         Warning   PresentError         challenge/ceph-tls-55tl8-3331809567-906918078          Error presenting challenge: hetzner.acme.example.org is forbidden: User "system:serviceaccount:cert-manager:certbot-cert-manager" cannot create resource "hetzner" in API group "acme.example.org" at the cluster scope

In my cert-manager deploy I have the following helm values set:

(jetstack certbot v1.6.1, pasting the terraform options as they directly translate to chart values)

  set {
    name  = "global.rbac.create"
    value = "true"
  }

  set {
    name  = "serviceAccount.create"
    value = "true"
  }

  set {
    name  = "prometheus.enabled"
    value = "false"
  }

  set {
    name  = "webhook.enabled"
    value = "true"
  }

  set {
    name  = "cainjector.enabled"
    value = "true"
  }

  set {
    name  = "installCRDs"
    value = "true"
  }

What's going on here?

Collaborator

dnlsndr commented Dec 7, 2021

This issue arises if your configured API group in the helm chart does not match the groupName in your Issuer. Make sure to configure the --set groupName=acme.yourdomain.tld setting when installing the helm chart and set the groupName in your issuer to the exact same value. This should fix the issue.

Author

WebSpider commented Dec 7, 2021

Thanks. It turns out that when using helm to deploy cert-manager, the cert-manager service account actually isn't called "cert-manager", but "{deploy-name}-cert-manager". In my case, I had to set the certManager serviceAccountName accordingly.
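
An offline check for the two causes named in this thread, added here as an example and not code from the project or from either commenter: it parses the forbidden message quoted in the issue and compares it with the API group and service-account subjects that an RBAC role and binding grant. The function names and the `GROUPS` and `SUBJECTS` values are constructed for illustration.

```python
import re

# Shape of the API server's "forbidden" message quoted in the issue.
FORBIDDEN_RE = re.compile(
    r'User "system:serviceaccount:(?P<ns>[^:"]+):(?P<sa>[^"]+)" cannot '
    r'(?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)"'
)

def parse_forbidden(message):
    """Extract the denied identity and request from a forbidden message."""
    m = FORBIDDEN_RE.search(message)
    if m is None:
        raise ValueError("not a service-account 'forbidden' message")
    return m.groupdict()

def diagnose(message, granted_groups, bound_subjects):
    """Return (code, detail) findings explaining why RBAC denied the request.

    granted_groups: apiGroups listed in the webhook's ClusterRole rule.
    bound_subjects: (namespace, name) ServiceAccount subjects of its binding.
    """
    req = parse_forbidden(message)
    findings = []
    if req["group"] not in granted_groups and "*" not in granted_groups:
        findings.append(("group", "request used API group %r, role grants %s"
                         % (req["group"], sorted(granted_groups))))
    if (req["ns"], req["sa"]) not in bound_subjects:
        findings.append(("service-account", "binding lacks %s/%s, has %s"
                         % (req["ns"], req["sa"], sorted(bound_subjects))))
    return findings

# Error text as reported in the issue.
ERROR = ('Error presenting challenge: hetzner.acme.example.org is forbidden: '
         'User "system:serviceaccount:cert-manager:certbot-cert-manager" '
         'cannot create resource "hetzner" in API group "acme.example.org" '
         'at the cluster scope')

# Constructed RBAC state: group matches, but the binding names "cert-manager"
# instead of the release-prefixed account that Helm actually created.
GROUPS = {"acme.example.org"}
SUBJECTS = {("cert-manager", "cert-manager")}

if __name__ == "__main__":
    for code, detail in diagnose(ERROR, GROUPS, SUBJECTS):
        print(code + ": " + detail)
```

On a live cluster the two inputs would come from the `rules[].apiGroups` of the ClusterRole and the `subjects` of the ClusterRoleBinding.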
