Webhook does not work for kubernetes 1.26+ #9

Open
Pentusha opened this issue Feb 6, 2024 · 3 comments

Pentusha commented Feb 6, 2024

Hello, I'm trying to complete a DNS-01 challenge on k3s version v1.28.5+k3s1.

It looks like the webhook is not working correctly if you look at the logs:

pentusha at arco in ~ 
$ kubectl logs yandex-webhook-cert-manager-webhook-yandex-5cd9d96999-k49nf -n cert-manager --tail 2
E0206 11:33:52.928712       1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta1.PriorityLevelConfiguration: failed to list *v1beta1.PriorityLevelConfiguration: the server could not find the requested resource
E0206 11:34:15.513545       1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta1.FlowSchema: failed to list *v1beta1.FlowSchema: the server could not find the requested resource

I did some googling and found that this scheme was deprecated and has actually been removed since 1.26.

al-cheb commented Feb 15, 2024

I observe these errors in the output, but it does not affect the process of obtaining certificates.

My environment:

$ kubectl get nodes
NAME                    STATUS   ROLES           AGE   VERSION
kind-control-plane      Ready    control-plane   87s  v1.28.7

Logs:

$ kubectl logs cert-manager-6c69f9f796-tcpp9 -n cert-manager --timestamps

2024-02-15T13:53:06.282364162Z I0215 13:53:06.282209       1 conditions.go:252] Found status change for CertificateRequest "echo-tls-1" condition "Ready": "False" -> "True"; setting lastTransitionTime to 2024-02-15 13:53:06.282195989 +0000 UTC m=+105.660101412
2024-02-15T13:53:06.314906133Z I0215 13:53:06.314833       1 conditions.go:192] Found status change for Certificate "echo-tls" condition "Ready": "False" -> "True"; setting lastTransitionTime to 2024-02-15 13:53:06.314821962 +0000 UTC m=+105.692727381
2024-02-15T13:53:06.331386073Z I0215 13:53:06.331312       1 controller.go:162] "re-queuing item due to optimistic locking on resource" logger="cert-manager.certificates-readiness" key="echo/echo-tls" error="Operation cannot be fulfilled on certificates.cert-manager.io \"echo-tls\": the object has been modified; please apply your changes to the latest version and try again"
2024-02-15T13:53:06.332676000Z I0215 13:53:06.332639       1 conditions.go:192] Found status change for Certificate "echo-tls" condition "Ready": "False" -> "True"; setting lastTransitionTime to 2024-02-15 13:53:06.332633012 +0000 UTC m=+105.710538420

TLS:

$ kubectl -n echo get secrets
NAME                         TYPE                 DATA   AGE
echo-tls                     kubernetes.io/tls    2      56m

$ kubectl -n echo get secret/echo-tls -o jsonpath='{.data}' | jq -r '."tls.crt"' | base64 -d | openssl x509 -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            04:b7:c1:9c:c4:da:87:16:7b:bb:cd:0d:9b:d4:30:80:a6:f3
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = R3
        Validity
            Not Before: Feb 15 12:53:04 2024 GMT
            Not After : May 15 12:53:03 2024 GMT

cyxou commented Jun 14, 2024

Should be reopened according to this: cert-manager/webhook-example#27

kolesaev commented Sep 11, 2024

Try to build a new container image from the following fork:

https://github.com/dokerplp/cert-manager-webhook-yandex/tree/master

Then publish the built image to your preferred container registry (it would be nice if the repo has public access), and finally use the repo and tag you created with this chart.
