
Cert-manager account cannot create resource regru-dns at the cluster scope #9

Open
Voldemat opened this issue Feb 16, 2023 · 7 comments

Comments

@Voldemat

The cluster was obtained using the Yandex.Cloud Managed Kubernetes solution.
No modifications of the RBAC roles worked.

kubectl get challenge letsencrypt-jvzb2-2152256332-2670382356 -o yaml

apiVersion: acme.cert-manager.io/v1
kind: Challenge
metadata:
  creationTimestamp: "2023-02-16T06:07:51Z"
  finalizers:
  - finalizer.acme.cert-manager.io
  generation: 1
  name: letsencrypt-jvzb2-2152256332-2670382356
  namespace: quickclick-prod
  ownerReferences:
  - apiVersion: acme.cert-manager.io/v1
    blockOwnerDeletion: true
    controller: true
    kind: Order
    name: letsencrypt-jvzb2-2152256332
    uid: f5b3b927-e3ff-4f09-b92a-cb7521949d21
  resourceVersion: "1634916"
  uid: 6182c5bc-8c09-4d26-be53-60c45578b3b8
spec:
  authorizationURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/203731144196
  dnsName: quickclick.online
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: letsencrypt
  key: dDlzkoMWZo5NLYFs8-XpPvEmEGdikSbIOfVu3WNJW84
  solver:
    dns01:
      webhook:
        config:
          regruPasswordSecretRef:
            key: REGRU_PASSWORD
            name: regru-password
        groupName: acme.regru.ru
        solverName: regru-dns
  token: O8lRYSJ9eiWHWXUT0DR00EQxRt8RRmvsT5QbznbKqTc
  type: DNS-01
  url: https://acme-v02.api.letsencrypt.org/acme/chall-v3/203731144196/Y_IJnA
  wildcard: true
status:
  presented: false
  processing: true
  reason: 'regru-dns.acme.regru.ru is forbidden: User "system:serviceaccount:cert-manager:cert-manager"
    cannot create resource "regru-dns" in API group "acme.regru.ru" at the cluster
    scope'
  state: pending

Chunk of webhook pod logs:

W0216 14:36:52.248111       1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0216 14:36:52.248146       1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta2.FlowSchema: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
W0216 14:37:12.841566       1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0216 14:37:12.841599       1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta2.PriorityLevelConfiguration: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
@TFK70

TFK70 commented Feb 20, 2023

I've faced the same issue on a k3s cluster running inside a multipass VM (Ubuntu 22.04).
I was able to fix it by editing the secrets-reader ClusterRole resource in rbac.yaml like this:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "cert-manager-webhook-regru.fullname" . }}:secrets-reader
  labels:
    app: {{ include "cert-manager-webhook-regru.name" . }}
    chart: {{ include "cert-manager-webhook-regru.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
rules:
  - apiGroups:
      - ''
      - 'flowcontrol.apiserver.k8s.io'
    resources:
      - '*'
    verbs:
      - 'get'
      - 'list'
      - 'watch'

So I've just added the flowcontrol.apiserver.k8s.io item inside apiGroups here.

I'm not sure if it is supposed to work like this, so I prefer to consider it a temporary workaround; it would be cool if someone could explain this incident.

@Voldemat
Author

Voldemat commented Feb 21, 2023

Thank you for your advice. After editing this cluster role, the error logs from the pod were gone. But the problem with creating the resource regru-dns still remains.

Pod logs

I0221 15:18:09.976204       1 requestheader_controller.go:169] Starting RequestHeaderAuthRequestController
I0221 15:18:09.976345       1 shared_informer.go:240] Waiting for caches to sync for RequestHeaderAuthRequestController
I0221 15:18:09.976209       1 configmap_cafile_content.go:201] "Starting controller" name="client-ca::kube-system::extension-apiserver-authentication::client-ca-file"
I0221 15:18:09.976397       1 shared_informer.go:240] Waiting for caches to sync for client-ca::kube-system::extension-apiserver-authentication::client-ca-file
I0221 15:18:09.976580       1 dynamic_serving_content.go:131] "Starting controller" name="serving-cert::/tls/tls.crt::/tls/tls.key"
I0221 15:18:09.976611       1 secure_serving.go:266] Serving securely on [::]:443
I0221 15:18:09.976654       1 tlsconfig.go:240] "Starting DynamicServingCertificateController"
I0221 15:18:09.976253       1 configmap_cafile_content.go:201] "Starting controller" name="client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file"
I0221 15:18:09.976690       1 shared_informer.go:240] Waiting for caches to sync for client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file
I0221 15:18:09.976727       1 main.go:86] call function Initialize
I0221 15:18:09.977160       1 apf_controller.go:317] Starting API Priority and Fairness config controller
I0221 15:18:10.077433       1 shared_informer.go:247] Caches are synced for client-ca::kube-system::extension-apiserver-authentication::client-ca-file
I0221 15:18:10.077479       1 apf_controller.go:322] Running API Priority and Fairness config worker
I0221 15:18:10.077453       1 shared_informer.go:247] Caches are synced for RequestHeaderAuthRequestController
I0221 15:18:10.077609       1 shared_informer.go:247] Caches are synced for client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file

@TFK70

TFK70 commented Feb 21, 2023

I can't see any error logs here. Also, I'm not sure what you meant by the regru-dns resource; I don't remember any resource with that name, tbh.

Personally, I've faced some errors after editing the RBAC rules as well; I've had errors like this:

Failed to watch *v1beta3.PriorityLevelConfiguration: failed to list *v1beta3.PriorityLevelConfiguration: the server could not find the requested resource

But these errors didn't affect anything; my certificate was successfully created after some time. (Also, perhaps these errors may be caused by the k3s distribution in my case, as I'm not using "vanilla k8s".)

Also, I may advise you to check the spec.acme.server field in the ClusterIssuer resource you're creating. Personally, I was using the staging URL for tests (https://acme-v02-staging.api.letsencrypt.org/directory), and with that URL your ACME challenge won't complete. You should try it on the production URL (https://acme-v02.api.letsencrypt.org/directory) if you want to see your flow fully completed.

@Voldemat
Author

I think my error may be related to the cluster issuer solverName. What solverName did you set?

ClusterIssuer.yaml

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: qk-issuer
  namespace: cert-manager
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: [email protected]
    privateKeySecretRef:
      name: quickclick.online.cert
    solvers:
    - http01:
        ingress:
          class: nginx
    - dns01:
        webhook:
          config:
            regruPasswordSecretRef:
              name: regru-password
              key: REGRU_PASSWORD
          solverName: regru-dns
          groupName: acme.regru.ru

@TFK70

TFK70 commented Feb 22, 2023

Same as you did:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  creationTimestamp: "2023-02-19T21:17:10Z"
  generation: 1
  name: regru-dns
  resourceVersion: "933"
  uid: 8654a09f-8ce0-4cdb-a419-92f10e463de5
spec:
  acme:
    email: [email protected]
    preferredChain: ""
    privateKeySecretRef:
      name: cert-manager-letsencrypt-private-key
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
    - dns01:
        webhook:
          config:
            regruPasswordSecretRef:
              key: REGRU_PASSWORD
              name: regru-password
          groupName: acme.regru.ru
          solverName: regru-dns

But I can see that we have different values for privateKeySecretRef.

@wildGecko
Contributor

@Voldemat, hello! What is quickclick.online.cert? You need to set the value cert-manager-letsencrypt-private-key.

@melazyk

melazyk commented May 18, 2023

The following RBAC configuration resolved these permission issues.

# I have found the same problem in cert-manager issuer
# https://github.com/vadimkim/cert-manager-webhook-hetzner/pull/37/files

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: regru-webhook-regru-cluster-issuer:flowcontrol-solver
  labels:
    app: regru-cluster-issuer
rules:
  - apiGroups:
      - "flowcontrol.apiserver.k8s.io"
    resources:
      - 'prioritylevelconfigurations'
      - 'flowschemas'
    verbs:
      - 'list'
      - 'watch'

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: regru-webhook-regru-cluster-issuer:flowcontrol-solver
  labels:
    app: regru-cluster-issuer
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: regru-webhook-regru-cluster-issuer:flowcontrol-solver
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: regru-webhook-regru-cluster-issuer
    namespace: cert-manager
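As an added example (not code from this issue or from the cert-manager-webhook-regru project), the script below parses the "is forbidden" denials quoted in the original report and in the webhook logs above and derives the narrowest ClusterRole rules that would satisfy them, one explicit resource per rule instead of the '*' wildcard. Run over the messages from this thread it yields the same list/watch grants on flowschemas and prioritylevelconfigurations as the flowcontrol-solver role above, and separately shows that the cert-manager service account (not the webhook's) is the one denied create on regru-dns in acme.regru.ru; the sample log is constructed from the messages quoted here, and the role name suffix ":from-denials" is my own.

```python
import re
from collections import defaultdict

# Kubernetes RBAC denial text as the apiserver phrases it (seen verbatim in
# the challenge status and webhook logs quoted in this issue).
FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)"'
    r' in API group "(?P<group>[^"]*)"'
    r' (?:at the cluster scope|in the namespace "(?P<ns>[^"]+)")'
)

# Constructed sample: two webhook reflector lines and the challenge status
# message from this thread, each joined onto a single line for the parser.
SAMPLE_LOG = """\
E0216 14:36:52.248146 1 reflector.go:138] Failed to watch *v1beta2.FlowSchema: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0216 14:37:12.841599 1 reflector.go:138] Failed to watch *v1beta2.PriorityLevelConfiguration: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:regru-webhook-regru-cluster-issuer" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
regru-dns.acme.regru.ru is forbidden: User "system:serviceaccount:cert-manager:cert-manager" cannot create resource "regru-dns" in API group "acme.regru.ru" at the cluster scope
"""


def parse_denials(log_text):
    """Return a set of (user, verb, resource, api_group, namespace) tuples.

    namespace is None for cluster-scope denials. A reflector that reports
    'Failed to watch ... failed to list' needs both verbs, but the apiserver
    only names the first verb it denied, so 'watch' is added for those lines.
    """
    found = set()
    for line in log_text.splitlines():
        m = FORBIDDEN_RE.search(line)
        if not m:
            continue
        verbs = {m.group("verb")}
        if "Failed to watch" in line:
            verbs.add("watch")
        for verb in verbs:
            found.add((m.group("user"), verb, m.group("resource"),
                       m.group("group"), m.group("ns")))
    return found


def rules_for(denials, user):
    """Cluster-scope verbs one service account was denied, keyed by (group, resource)."""
    rules = defaultdict(set)
    for u, verb, resource, group, ns in denials:
        if u == user and ns is None:  # namespaced denials would belong in a Role
            rules[(group, resource)].add(verb)
    return {key: sorted(verbs) for key, verbs in rules.items()}


def render_cluster_role(name, rules):
    """Render a ClusterRole with one explicit rule per resource and no wildcards."""
    out = ["apiVersion: rbac.authorization.k8s.io/v1", "kind: ClusterRole",
           "metadata:", "  name: " + name, "rules:"]
    for (group, resource), verbs in sorted(rules.items()):
        out.append('  - apiGroups: ["%s"]' % group)
        out.append('    resources: ["%s"]' % resource)
        out.append('    verbs: [%s]' % ", ".join('"%s"' % v for v in verbs))
    return "\n".join(out)


if __name__ == "__main__":
    denials = parse_denials(SAMPLE_LOG)
    for user in sorted({d[0] for d in denials}):
        print("# grants missing for", user)
        # role name suffix is a placeholder of my own, not from the chart
        print(render_cluster_role(user.rsplit(":", 1)[-1] + ":from-denials",
                                  rules_for(denials, user)))
```

Feed it the real pod logs with `kubectl logs` output instead of SAMPLE_LOG; each distinct service account that appears gets its own role, so a grant never ends up on the wrong account.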
