
cert-manager-webhook-dnspod's People

Contributors

imroc, ktlcove, moechs

cert-manager-webhook-dnspod's Issues

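How can issuance for .top domains be supported?

In my use so far, with domains provided by dnspod, .cn domains are issued normally but .top domains cannot be issued.
Is there a good way to support .top domains?

Also, is there a list of supported top-level domains?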

Error presenting challenge

I specified my clusterIssuer in values.yaml and deployed it by

$ helm install dnspod-hooker roc/cert-manager-webhook-dnspod --namespace cert-manager -f values.yaml
$ cat values.yaml
....
clusterIssuer:
  enabled: true
  name: dnspod
  ttl: 600
  staging: false
  secretId: <A Number>
  secretKey: <My Secret Key>
  email: <My Email>
....

But when I tried to issue a certificate with the following, it failed.

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-cert
  namespace: prod
spec:
  secretName: wildcard-cert
  issuerRef:
    name: dnspod
    kind: ClusterIssuer
  dnsNames:
  - "*.jerrita.cn"

Here are the details for this challenge.

Spec:
  Authorization URL:  https://acme-v02.api.letsencrypt.org/acme/authz-v3/53147134200
  Dns Name:           jerrita.cn
  Issuer Ref:
    Kind:  ClusterIssuer
    Name:  dnspod
  Key:     C70GxiBffL7og1f9NkP0SpcMRW4UJHoxxRvPXXHOoPA
  Solver:
    dns01:
      Webhook:
        Config:
          Secret Id:  257754
          Secret Key Ref:
            Key:      secret-key
            Name:     dnspod-hooker-cert-manager-webhook-dnspod-secret
          Ttl:        600
        Group Name:   acme.jerrita.cn
        Solver Name:  dnspod
  Token:              ITuoHBla960WGR6lWMSONGEJpZtZhWRQhPr1a7auEb0
  Type:               DNS-01
  URL:                https://acme-v02.api.letsencrypt.org/acme/chall-v3/53147134200/m88caQ
  Wildcard:           true
Status:
  Presented:   false
  Processing:  true
  Reason:      error decoding solver config: json: cannot unmarshal number into Go struct field customDNSProviderConfig.secretId of type string
  State:       pending
Events:
  Type     Reason        Age                    From          Message
  ----     ------        ----                   ----          -------
  Normal   Started       7m54s                  cert-manager  Challenge scheduled for processing
  Warning  PresentError  2m45s (x7 over 7m53s)  cert-manager  Error presenting challenge: error decoding solver config: json: cannot unmarshal number into Go struct field customDNSProviderConfig.secretId of type string

How to solve it?
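
The `Reason` in the Challenge status above is Go's encoding/json refusing a bare JSON number for a string field. The Go program below is an added example, not code from the post or from the webhook project: `strictConfig` is an assumed reconstruction of `customDNSProviderConfig` (only the `secretId` string field is known from the error), and `flexString`, `tolerantConfig`, `decodeStrict` and `decodeTolerant` are hypothetical names.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// strictConfig: assumed shape; only the secretId string field is known from the error.
type strictConfig struct {
	SecretID string `json:"secretId"`
	TTL      int    `json:"ttl"`
}

// flexString (hypothetical) accepts a JSON string or a bare JSON number.
type flexString string

func (f *flexString) UnmarshalJSON(b []byte) error {
	var s string
	if err := json.Unmarshal(b, &s); err == nil {
		*f = flexString(s)
		return nil
	}
	// json.Number keeps the digits verbatim instead of going through float64.
	var n json.Number
	if err := json.Unmarshal(b, &n); err != nil {
		return fmt.Errorf("secretId must be a string or a number: %w", err)
	}
	*f = flexString(n.String())
	return nil
}

type tolerantConfig struct {
	SecretID flexString `json:"secretId"`
	TTL      int        `json:"ttl"`
}

func decodeStrict(raw []byte) (c strictConfig, err error) {
	err = json.Unmarshal(raw, &c)
	return
}

func decodeTolerant(raw []byte) (c tolerantConfig, err error) {
	err = json.Unmarshal(raw, &c)
	return
}

func main() {
	// Constructed inputs: the same solver config with secretId as a number and as a string.
	for _, raw := range []string{`{"secretId":257754,"ttl":600}`, `{"secretId":"257754","ttl":600}`} {
		_, strictErr := decodeStrict([]byte(raw))
		c, tolErr := decodeTolerant([]byte(raw))
		fmt.Println(raw, "| strict:", strictErr, "| tolerant:", c.SecretID, tolErr)
	}
}
```

With the strict struct, the solver config that reaches the webhook has to carry `secretId` as a quoted string such as `"257754"`.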

error cleaning up challenge

It always tries to clean up the DNS challenge after the certs are generated, even if the DNS record has been successfully removed.

Logs are filled up with the following error message:
E0826 09:36:38.149573 1 sync.go:282] cert-manager/challenges/finalizer "msg"="error cleaning up challenge" "error"="dnspod API call has failed: [TencentCloudSDKError] Code=ResourceNotFound.NoDataOfRecord, Message=记录列表为空。, RequestId=2781a7f8-3d0c-43e5-8b09-e07f7547b847" "dnsName"="chiyuki.studio" "resource_kind"="Challenge" "resource_name"="cert-chiyuki-studio-msfcc-3859969589-3025972435" "resource_namespace"="traefik" "resource_version"="v1" "type"="DNS-01"

Issuing certificate as Secret does not exist

k8s v1.26.0
cert-manager v1.10.1


kubectl describe certificates
Name:         apisix-crt
Namespace:    default
Labels:       <none>
Annotations:  <none>
API Version:  cert-manager.io/v1
Kind:         Certificate
Metadata:
  Creation Timestamp:  2023-01-03T07:02:49Z
  Generation:          1
  Managed Fields:
    API Version:  cert-manager.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:status:
        .:
        f:conditions:
          .:
          k:{"type":"Ready"}:
            .:
            f:lastTransitionTime:
            f:message:
            f:observedGeneration:
            f:reason:
            f:status:
            f:type:
    Manager:      cert-manager-certificates-readiness
    Operation:    Update
    Subresource:  status
    Time:         2023-01-03T07:02:49Z
    API Version:  cert-manager.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:status:
        f:conditions:
          k:{"type":"Issuing"}:
            .:
            f:lastTransitionTime:
            f:message:
            f:observedGeneration:
            f:reason:
            f:status:
            f:type:
    Manager:      cert-manager-certificates-trigger
    Operation:    Update
    Subresource:  status
    Time:         2023-01-03T07:02:49Z
    API Version:  cert-manager.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .:
          f:kubectl.kubernetes.io/last-applied-configuration:
      f:spec:
        .:
        f:dnsNames:
        f:issuerRef:
          .:
          f:group:
          f:kind:
          f:name:
        f:secretName:
    Manager:      kubectl-client-side-apply
    Operation:    Update
    Time:         2023-01-03T07:02:49Z
    API Version:  cert-manager.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:status:
        f:nextPrivateKeySecretName:
    Manager:         cert-manager-certificates-key-manager
    Operation:       Update
    Subresource:     status
    Time:            2023-01-03T07:02:50Z
  Resource Version:  3913908
  UID:               5d17353e-f1af-48cb-9398-02da4c05038b
Spec:
  Dns Names:
    apisix.yappam.com
    *.apisix.yappam.com
  Issuer Ref:
    Group:      cert-manager.io
    Kind:       ClusterIssuer
    Name:       dnspod
  Secret Name:  apisix-crt
Status:
  Conditions:
    Last Transition Time:        2023-01-03T07:02:49Z
    Message:                     Issuing certificate as Secret does not exist
    Observed Generation:         1
    Reason:                      DoesNotExist
    Status:                      False
    Type:                        Ready
    Last Transition Time:        2023-01-03T07:02:49Z
    Message:                     Issuing certificate as Secret does not exist
    Observed Generation:         1
    Reason:                      DoesNotExist
    Status:                      True
    Type:                        Issuing
  Next Private Key Secret Name:  apisix-crt-l4fvj
Events:
  Type    Reason     Age   From                                       Message
  ----    ------     ----  ----                                       -------
  Normal  Issuing    8s    cert-manager-certificates-trigger          Issuing certificate as Secret does not exist
  Normal  Generated  7s    cert-manager-certificates-key-manager      Stored new private key in temporary Secret resource "apisix-crt-l4fvj"
  Normal  Requested  6s    cert-manager-certificates-request-manager  Created new CertificateRequest resource "apisix-crt-2xqvn"

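Could a cnameStrategy=None configuration be supported?

This is to prevent the wildcard record *.domain.com, when it is set to ddns.domain.com, from interfering with resolution during certificate issuance.
By default, the CNAME record of _acme-challenge.domain.com is fetched. As a result, the TXT record of _acme-challenge.domain.com is not read, and the TXT record of ddns.domain.com is read instead.
I looked at the cert-manager documentation; does cnameStrategy=None need to be added to configure this?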

User cert-manager-controller cannot create resource "dnspod" in API group

Hi, thank you for supplying an updated version. But when I use cert-manager v1.12.4, I get the following error when applying a certificate:

E0913 06:09:16.070831 1 controller.go:167] "cert-manager/challenges: re-queuing item due to error processing" err="dnspod.acme.mydomain.com is forbidden: User "system:serviceaccount:cert-manager:cert-manager-controller" cannot create resource "dnspod" in API group "acme.mydomain.com" at the cluster scope" key="default/crdev.mydomain.com-crt-mbdgz-418508954-627544746"

So I have to create a ClusterRole with the permission and bind it to the serviceaccount "cert-manager-controller". I don't know whether this helm chart forgot to create the ClusterRole, or whether this is a bug?

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-controller:dnspod
rules:
- apiGroups:
  - acme.mydomain.com
  resources:
  - dnspod
  verbs:
  - create
  - get
  - list
  - watch
  - delete

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-controller-dnspod
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller:dnspod
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: cert-manager-controller
    namespace: cert-manager

Error presenting challenge: the server is currently unable to handle the request (post dnspod.acme.imroc.cc)

Status:
  Presented:   false
  Processing:  true
  Reason:      the server is currently unable to handle the request (post dnspod.acme.imroc.cc)
  State:       pending
Events:
  Type     Reason        Age                 From                     Message
  ----     ------        ----                ----                     -------
  Normal   Started       2m36s               cert-manager-challenges  Challenge scheduled for processing
  Warning  PresentError  5s (x6 over 2m30s)  cert-manager-challenges  Error presenting challenge: the server is currently unable to handle the request (post dnspod.acme.imroc.cc)

failed with: OpenAPI spec does not exist

Versions

  • Kubernetes: v1.26.10+k3s2
  • Cert-manager: v1.13.2

Logs

controller.go:129] OpenAPI AggregationController: action for item v1alpha1.acme.imroc.cc: Rate Limited Requeue.
controller.go:116] loading OpenAPI spec for "v1alpha1.acme.imroc.cc" failed with: OpenAPI spec does not exist
controller.go:129] OpenAPI AggregationController: action for item v1alpha1.acme.imroc.cc: Rate Limited Requeue.
controller.go:116] loading OpenAPI spec for "v1alpha1.acme.imroc.cc" failed with: OpenAPI spec does not exist
controller.go:129] OpenAPI AggregationController: action for item v1alpha1.acme.imroc.cc: Rate Limited Requeue.
controller.go:116] loading OpenAPI spec for "v1alpha1.acme.imroc.cc" failed with: OpenAPI spec does not exist
controller.go:129] OpenAPI AggregationController: action for item v1alpha1.acme.imroc.cc: Rate Limited Requeue.
controller.go:116] loading OpenAPI spec for "v1alpha1.acme.imroc.cc" failed with: OpenAPI spec does not exist
controller.go:129] OpenAPI AggregationController: action for item v1alpha1.acme.imroc.cc: Rate Limited Requeue.
controller.go:116] loading OpenAPI spec for "v1alpha1.acme.imroc.cc" failed with: OpenAPI spec does not exist
controller.go:129] OpenAPI AggregationController: action for item v1alpha1.acme.imroc.cc: Rate Limited Requeue.
controller.go:116] loading OpenAPI spec for "v1alpha1.acme.imroc.cc" failed with: OpenAPI spec does not exist
controller.go:129] OpenAPI AggregationController: action for item v1alpha1.acme.imroc.cc: Rate Limited Requeue.

Other community discussions about this issue:

Thank you for all your work on this repository, and the blog https://imroc.cc/ is very nice ^^

"v1alpha1.acme.imroc.cc" failed with: OpenAPI spec does not exist

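After a successful installation, certificates are issued normally, but the k8s server service log keeps reporting this kind of error in a loop. Is there a solution?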

10月 19 02:05:58 k3s-master k3s[203492]: I1019 02:05:58.411724  203492 alloc.go:327] "allocated clusterIPs" service="cert-manager/cert-manager-webhook-dnspod" clusterIPs=map[IPv4:10.43.239.218]
10月 19 02:05:58 k3s-master k3s[203492]: I1019 02:05:58.469074  203492 event.go:294] "Event occurred" object="cert-manager/cert-manager-webhook-dnspod" fieldPath="" kind="Deployment" apiVersion="apps/v1" type="Normal" reason="ScalingReplicaSet" message="Scaled up replica set cert-mana>
10月 19 02:05:58 k3s-master k3s[203492]: E1019 02:05:58.515048  203492 available_controller.go:524] v1alpha1.acme.imroc.cc failed with: Operation cannot be fulfilled on apiservices.apiregistration.k8s.io "v1alpha1.acme.imroc.cc": the object has been modified; please apply your changes>
10月 19 02:05:58 k3s-master k3s[203492]: I1019 02:05:58.517278  203492 event.go:294] "Event occurred" object="cert-manager/cert-manager-webhook-dnspod-77586fdc8f" fieldPath="" kind="ReplicaSet" apiVersion="apps/v1" type="Normal" reason="SuccessfulCreate" message="Created pod: cert-man>
10月 19 02:05:58 k3s-master k3s[203492]: I1019 02:05:58.569516  203492 controller.go:611] quota admission added evaluator for: issuers.cert-manager.io
10月 19 02:05:59 k3s-master k3s[203492]: W1019 02:05:59.491333  203492 handler_proxy.go:105] no RequestInfo found in the context
10月 19 02:05:59 k3s-master k3s[203492]: E1019 02:05:59.491417  203492 controller.go:116] loading OpenAPI spec for "v1alpha1.acme.imroc.cc" failed with: failed to retrieve openAPI spec, http error: ResponseCode: 503, Body: service unavailable
10月 19 02:05:59 k3s-master k3s[203492]: , Header: map[Content-Type:[text/plain; charset=utf-8] X-Content-Type-Options:[nosniff]]
10月 19 02:05:59 k3s-master k3s[203492]: I1019 02:05:59.491443  203492 controller.go:129] OpenAPI AggregationController: action for item v1alpha1.acme.imroc.cc: Rate Limited Requeue.
10月 19 02:05:59 k3s-master k3s[203492]: W1019 02:05:59.491337  203492 handler_proxy.go:105] no RequestInfo found in the context
10月 19 02:05:59 k3s-master k3s[203492]: E1019 02:05:59.491493  203492 controller.go:113] loading OpenAPI spec for "v1alpha1.acme.imroc.cc" failed with: Error, could not get list of group versions for APIService
10月 19 02:05:59 k3s-master k3s[203492]: I1019 02:05:59.492968  203492 controller.go:126] OpenAPI AggregationController: action for item v1alpha1.acme.imroc.cc: Rate Limited Requeue.
10月 19 02:06:01 k3s-master systemd[97538]: run-containerd-runc-k8s.io-da508401a9e63fd060813899b0108af1f976c609aa5914c31042957391251ff1-runc.KlEPgj.mount: Succeeded.
-- Subject: Unit succeeded
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- The unit UNIT has successfully entered the 'dead' state.
10月 19 02:06:01 k3s-master systemd[1]: run-containerd-runc-k8s.io-da508401a9e63fd060813899b0108af1f976c609aa5914c31042957391251ff1-runc.KlEPgj.mount: Succeeded.
-- Subject: Unit succeeded
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- The unit run-containerd-runc-k8s.io-da508401a9e63fd060813899b0108af1f976c609aa5914c31042957391251ff1-runc.KlEPgj.mount has successfully entered the 'dead' state.
10月 19 02:06:02 k3s-master k3s[203492]: E1019 02:06:02.144646  203492 available_controller.go:524] v1alpha1.acme.imroc.cc failed with: failing or missing response from https://10.42.2.27:443/apis/acme.imroc.cc/v1alpha1: bad status from https://10.42.2.27:443/apis/acme.imroc.cc/v1alph>
10月 19 02:06:02 k3s-master k3s[203492]: E1019 02:06:02.149630  203492 available_controller.go:524] v1alpha1.acme.imroc.cc failed with: failing or missing response from https://10.42.2.27:443/apis/acme.imroc.cc/v1alpha1: bad status from https://10.42.2.27:443/apis/acme.imroc.cc/v1alph>
10月 19 02:06:02 k3s-master k3s[203492]: E1019 02:06:02.155627  203492 available_controller.go:524] v1alpha1.acme.imroc.cc failed with: failing or missing response from https://10.42.2.27:443/apis/acme.imroc.cc/v1alpha1: bad status from https://10.42.2.27:443/apis/acme.imroc.cc/v1alph>
10月 19 02:06:03 k3s-master k3s[203492]: E1019 02:06:03.164646  203492 controller.go:116] loading OpenAPI spec for "v1alpha1.acme.imroc.cc" failed with: OpenAPI spec does not exist
10月 19 02:06:03 k3s-master k3s[203492]: I1019 02:06:03.164696  203492 controller.go:129] OpenAPI AggregationController: action for item v1alpha1.acme.imroc.cc: Rate Limited Requeue.

arm64 image

Could an arm64 version of the imroc/cert-manager-webhook-dnspod:latest image be provided? Thanks~

Error on renew

Hello, I renewed a certificate today and got the following errors. Please help me see how to solve this, thanks!
cert-manager error:

"reason": "PresentError",
 "message": "Error presenting challenge: the server is currently unable to handle the request (post dnspod.acme.imroc.cc)",

cert-manager-webhook-dnspod error:

I0430 12:46:46.670500       1 main.go:123] create dnspod client successfully
E0430 12:46:47.333874       1 main.go:204] Failed to get domain id cn.: no domain found in zone cn.

The versions are as follows:

image
