Failed to get the DNS challenge working
zerr0s opened this issue
Hi,
I'm trying to use this webhook to get wildcard certificates from LE and the OVH DNS API. But it gets stuck with these errors:
```
I0110 19:30:38.311687 1 dns.go:88] cert-manager/challenges/Present "msg"="presenting DNS01 challenge for domain" "dnsName"="xxxx.com" "domain"="xxxx.com" "resource_kind"="Challenge" "resource_name"="xxxx.com-tls-bllzj-3833872274-269418431" "resource_namespace"="ns" "resource_version"="v1" "type"="DNS-01"
E0110 19:30:38.317566 1 controller.go:167] cert-manager/challenges "msg"="re-queuing item due to error processing" "error"="ovh.xxxx.com is forbidden: User \"system:serviceaccount:cert-manager-system:tf-certmanager-cert-manager-controller\" cannot create resource \"ovh\" in API group \"xxx.com\" at the cluster scope" "key"="ns/xxxx.com-tls-bllzj-3833872274-269418431"
```
It seems to be a simple RBAC issue, but I don't understand what to do, because RBAC has already been set up by the chart.
The values (xxxx is the domain in OVH):
```yaml
groupName: xxx.com
certManager:
  namespace: cert-manager-system
  serviceAccountName: cert-manager
issuers:
  # Name of this issuer
  - name: le-ovh-staging
    create: true
    kind: ClusterIssuer
    namespace: cert-manager-system
    cnameStrategy: None
    acmeServerUrl: https://acme-staging-v02.api.letsencrypt.org/directory
    email: xxxxxxxx@gmail.com
    ovhEndpointName: ovh-eu
    ovhAuthenticationRef:
      applicationKeyRef:
        name: ovh-credentials
        key: applicationKey
      applicationSecretRef:
        name: ovh-credentials
        key: applicationSecret
      consumerKeyRef:
        name: ovh-credentials
        key: consumerKey
securityContext:
  enabled: true
  runAsUser: 1000
  runAsGroup: 1000
  allowPrivilegeEscalation: false
image:
  repository: ghcr.io/aureq/cert-manager-webhook-ovh
  tag: v0.4.1
  pullPolicy: IfNotPresent
  pullSecrets: []
nameOverride: ""
fullnameOverride: ""
# Use this field to add environment variables relevant to this webhook.
# These fields will be passed on to the container when Chart is deployed.
environment:
  # Use these variables to configure the HTTP_PROXY environment variables
  # HTTP_PROXY: "http://proxy:8080"
  # HTTPS_PROXY: "http://proxy:8080"
  # NO_PROXY: "127.0.0.1,localhost,10.0.0.0/8"
# number of replicas in this deployment
replicas: 1
service:
  type: ClusterIP
  port: 443
resources: {}
nodeSelector: {}
tolerations: []
affinity: {}
```
Any idea, please?
Hello,
I have uninstalled everything and reinstalled from scratch, and it is still not working. What am I doing wrong???
```
Error presenting challenge: ovh.mydomain.com is forbidden: User "system:serviceaccount:cert-manager-system:tf-certmanager-cert-manager-controller" cannot create resource "ovh" in API group "youshopia.com" at the cluster scope
```
It seems to be an RBAC problem...
Are you sure the OVH credentials are correct? And correctly set in the ovh-credentials secret?
OK, found it. The cert-manager controller was already installed with custom values, and the serviceAccountName used by this component was different.
I set the correct serviceAccountName (tf-certmanager-cert-manager-controller) and everything is working now!
Maybe an indication in the documentation could help :)
Could you please explain further?
My cert-manager controller was deployed using custom values from Terraform and ArgoCD. The serviceAccountName used by the controller (not the webhook) was "tf-certmanager-cert-manager-controller".
But in the chart values of the webhook I had put "cert-manager-system". So the controller wasn't able to create any resource in the groupName because there wasn't any binding for "tf-certmanager-cert-manager-controller".
The serviceAccountName of the webhook needs to be the same as the serviceAccountName used by the controller.
Thanks @zerr0s That makes more sense now. I'll update the doc to make it clear that the 2 values need to match.
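The root cause in this thread is that the webhook chart renders its RBAC binding subject from `certManager.namespace` and `certManager.serviceAccountName`, while the apiserver's `forbidden` message names the identity the controller actually runs as. The following is an added example (not code from this issue, the webhook, or the chart): a small Python helper that parses such a `forbidden` line into its parts, compares them against the chart values, and produces the `kubectl auth can-i` command that reproduces the authorization decision for that ServiceAccount. The chart values and the log line in the block are constructed samples modelled on the ones posted above; the message format is the standard Kubernetes RBAC denial.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the keys from the webhook chart values that feed the RBAC binding.
CHART_VALUES: Dict = {
    "groupName": "xxx.com",
    "certManager": {
        "namespace": "cert-manager-system",
        "serviceAccountName": "cert-manager",
    },
}

# Constructed sample log line, modelled on the controller error quoted in the issue.
SAMPLE_ERROR = (
    'ovh.xxxx.com is forbidden: User '
    '"system:serviceaccount:cert-manager-system:tf-certmanager-cert-manager-controller" '
    'cannot create resource "ovh" in API group "xxx.com" at the cluster scope'
)

# Shape of the apiserver's RBAC denial: which ServiceAccount, verb, resource, API group.
_FORBIDDEN_RE = re.compile(
    r'User "system:serviceaccount:(?P<ns>[^:"]+):(?P<sa>[^"]+)" '
    r'cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)"'
)


@dataclass(frozen=True)
class ForbiddenError:
    namespace: str        # namespace of the denied ServiceAccount
    service_account: str  # name of the denied ServiceAccount
    verb: str
    resource: str
    api_group: str


def parse_forbidden(line: str) -> Optional[ForbiddenError]:
    """Extract the denied identity and request from a 'forbidden' log line."""
    m = _FORBIDDEN_RE.search(line)
    if m is None:
        return None
    return ForbiddenError(m["ns"], m["sa"], m["verb"], m["resource"], m["group"])


def diagnose(values: Dict, err: ForbiddenError) -> List[str]:
    """Compare the chart's certManager settings with the identity that was denied.

    The binding subject is rendered from certManager.namespace and
    certManager.serviceAccountName, so any mismatch here means the
    controller's real identity has no binding for the groupName API group.
    """
    cm = values["certManager"]
    problems: List[str] = []
    if cm["namespace"] != err.namespace:
        problems.append(
            f'certManager.namespace is "{cm["namespace"]}" but the denied '
            f'ServiceAccount lives in "{err.namespace}"'
        )
    if cm["serviceAccountName"] != err.service_account:
        problems.append(
            f'certManager.serviceAccountName is "{cm["serviceAccountName"]}" but the '
            f'controller runs as "{err.service_account}"'
        )
    if values["groupName"] != err.api_group:
        problems.append(
            f'groupName is "{values["groupName"]}" but the request targeted API group '
            f'"{err.api_group}"'
        )
    return problems


def corrected_values(values: Dict, err: ForbiddenError) -> Dict:
    """Return a copy of the values with certManager pointed at the denied identity."""
    fixed = {**values, "certManager": dict(values["certManager"])}
    fixed["certManager"]["namespace"] = err.namespace
    fixed["certManager"]["serviceAccountName"] = err.service_account
    return fixed


def can_i_command(err: ForbiddenError) -> str:
    """kubectl command that reproduces the apiserver's authorization decision."""
    return (
        f"kubectl auth can-i {err.verb} {err.resource}.{err.api_group} "
        f"--as=system:serviceaccount:{err.namespace}:{err.service_account}"
    )


if __name__ == "__main__":
    err = parse_forbidden(SAMPLE_ERROR)
    assert err is not None
    for problem in diagnose(CHART_VALUES, err):
        print("mismatch:", problem)
    print("verify with:", can_i_command(err))
    print("after fix:", diagnose(corrected_values(CHART_VALUES, err), err))
```

Run against the sample, `diagnose` reports exactly one mismatch (the serviceAccountName), which is the situation described in the thread; after `corrected_values` the report is empty, and the printed `kubectl auth can-i ... --as=system:serviceaccount:<ns>:<sa>` command is the quickest way to confirm on a live cluster that the binding now covers the controller's identity before re-issuing the certificate.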