Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Reflector error inside logs for cert-manager-webhook-civo pod #14

Open
posinautinc opened this issue May 20, 2022 · 2 comments
Open

Reflector error inside logs for cert-manager-webhook-civo pod #14

posinautinc opened this issue May 20, 2022 · 2 comments

Comments

@posinautinc
Copy link

posinautinc commented May 20, 2022

Hello,

I am trying to get Cert Manager (with Let's Encrypt) to issue a wild card cert using DNS01 and the Civo webhook on my K8S cluster on Civo. I have Istio installed and the secret containing the cert was successfully generated in the istio-system namespace.

My website is in a different namespace so I am using https://github.com/emberstack/kubernetes-reflector to copy the cert (secret) to the namespace of my website.

On initial setup, things somehow worked and I could find the replicated secret in my website's namespace. However when I changed some certificate parameter to cause the certificate to re-issue I see that the certificate remains stuck in a pending state. Looking into the logs of the civo-webhook pod I see this:

W0520 16:34:00.041392 1 reflector.go:324] pkg/mod/k8s.io/client-go@v0.23.5/tools/cache/reflector.go:167: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:cert-manager-webhook-civo" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0520 16:34:00.041685 1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.23.5/tools/cache/reflector.go:167: Failed to watch *v1beta2.PriorityLevelConfiguration: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:cert-manager-webhook-civo" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope

I am still quite green with respect to Kubernetes/Istio so wondering if you could shed light on whether:

  1. this is the wrong approach?
  2. I need to configure permissions/roles somehow?
  3. this is not supported by the Civo-webhook?
  4. some other problem?

This is my ClusterIssuer yaml:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-staging-cluster
namespace: istio-system
spec:
acme:
email: someone@gmail.com
server: https://acme-staging-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: letsencrypt-staging-cluster
solvers:
- dns01:
webhook:
solverName: "civo"
groupName: civo.webhook.okteto.com
config:
secretName: civo-secret

And my Certificate.yaml:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: mydomain-cert-staging
namespace: istio-system
spec:
secretName: mydomain-cert-staging
duration: 2160h # 90d
renewBefore: 360h # 15d
isCA: false
privateKey:
algorithm: RSA
encoding: PKCS1
size: 2048
usages:
- server auth
- client auth
commonName: "whoami.mydomain.com"
dnsNames:
- "whoami.mydomain.com"
issuerRef:
name: letsencrypt-staging-cluster
kind: ClusterIssuer
group: cert-manager.io
secretTemplate:
annotations:
reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "ns-twb-staging" # Control destination namespaces.
reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true" # Auto create reflection for matching namespaces.
reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "ns-twb-staging" # Control auto-reflection namespace.

Thanks!

@malwatt
Copy link

malwatt commented Sep 6, 2022

I have exactly the same errors, but without using emberstack/kubernetes-reflector. Was a solution found?

@rberrelleza
Copy link
Member

Can you provide a sample? My guess is that the permissions that the chart have are not enough for what you need. We could include an option for you to bring your serviceAccount or your role to give the permission model more flexibility.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants