
cm-webhook-ovh-cert-manager-webhook-ovh pod logs "missing content for CA bundle" error #53

Open
githubixx opened this issue Feb 18, 2025 · 0 comments
Labels
bug Something isn't working

Comments

@githubixx

What happened?

First: Thanks for providing this webhook! 😺

I basically followed this installation guide: https://aureq.github.io/cert-manager-webhook-ovh/ . After adjusting the values.yaml file accordingly, I installed the Helm chart with helm upgrade --install --namespace cert-manager -f values.yaml cm-webhook-ovh cert-manager-webhook-ovh-charts/cert-manager-webhook-ovh

After the pod/container got launched the log of cm-webhook-ovh-cert-manager-webhook-ovh pod/container looks like this:

I0218 20:40:32.721479       1 main.go:28] "Webhook starting..." logger="cert-manager"
I0218 20:40:34.914357       1 handler.go:286] Adding GroupVersion somedomain.net v1alpha1 to ResourceManager
I0218 20:40:34.942942       1 secure_serving.go:213] Serving securely on [::]:8443
I0218 20:40:34.943048       1 requestheader_controller.go:172] Starting RequestHeaderAuthRequestController
I0218 20:40:34.943068       1 shared_informer.go:313] Waiting for caches to sync for RequestHeaderAuthRequestController
I0218 20:40:34.943119       1 dynamic_serving_content.go:135] "Starting controller" name="serving-cert::/tls/tls.crt::/tls/tls.key"
I0218 20:40:34.943252       1 tlsconfig.go:243] "Starting DynamicServingCertificateController"
I0218 20:40:34.945372       1 configmap_cafile_content.go:205] "Starting controller" name="client-ca::kube-system::extension-apiserver-authentication::client-ca-file"
I0218 20:40:34.945389       1 shared_informer.go:313] Waiting for caches to sync for client-ca::kube-system::extension-apiserver-authentication::client-ca-file
I0218 20:40:34.945443       1 configmap_cafile_content.go:205] "Starting controller" name="client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file"
I0218 20:40:34.945462       1 shared_informer.go:313] Waiting for caches to sync for client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file
I0218 20:40:35.043287       1 shared_informer.go:320] Caches are synced for RequestHeaderAuthRequestController
I0218 20:40:35.045811       1 shared_informer.go:320] Caches are synced for client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file
I0218 20:40:35.045844       1 shared_informer.go:320] Caches are synced for client-ca::kube-system::extension-apiserver-authentication::client-ca-file
E0218 20:40:35.045947       1 configmap_cafile_content.go:246] "Unhandled Error" err="kube-system/extension-apiserver-authentication failed with : missing content for CA bundle \"client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file\"" logger="UnhandledError"
E0218 20:40:35.047217       1 configmap_cafile_content.go:246] "Unhandled Error" err="key failed with : missing content for CA bundle \"client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file\"" logger="UnhandledError"
E0218 20:40:35.052759       1 configmap_cafile_content.go:246] "Unhandled Error" err="kube-system/extension-apiserver-authentication failed with : missing content for CA bundle \"client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file\"" logger="UnhandledError"
...

I've been using cert-manager for years on that cluster, but only with the HTTP01 challenge so far, which works fine in general. But using DNS01 would have some real advantages. So I wanted to give this webhook a try.

As you can see in the log above, some errors get issued (last three lines). This sounds a bit like it tries to load the ca.crt file mounted into the container, but I'm not sure about that. I entered the container, and all files /tls/tls.crt, /tls/tls.key and /tls/ca.crt are available there. The last three lines continuously get repeated every few seconds. Also, trying to generate a certificate using the created issuer doesn't work (which is expected because of the error messages).

Expected Behavior

The errors below should not appear in the log, and the certificate should get issued:

E0218 20:40:35.045947       1 configmap_cafile_content.go:246] "Unhandled Error" err="kube-system/extension-apiserver-authentication failed with : missing content for CA bundle \"client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file\"" logger="UnhandledError"
E0218 20:40:35.047217       1 configmap_cafile_content.go:246] "Unhandled Error" err="key failed with : missing content for CA bundle \"client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file\"" logger="UnhandledError"
E0218 20:40:35.052759       1 configmap_cafile_content.go:246] "Unhandled Error" err="kube-system/extension-apiserver-authentication failed with : missing content for CA bundle \"client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file\"" logger="UnhandledError"

Steps to reproduce

configVersion: 0.0.1
groupName: somedomain.net
certManager:
  namespace: cert-manager
  serviceAccountName: cert-manager
issuers:
  - name: letsencrypt-prod-ovh
    create: true
    kind: ClusterIssuer
    namespace: cert-manager
    cnameStrategy: None
    acmeServerUrl: https://acme-v02.api.letsencrypt.org/directory
    email: [email protected]
    ovhEndpointName: ovh-eu
    ovhAuthenticationRef:
      applicationKeyRef:
        name: ovh-credentials
        key: applicationKey
      applicationSecretRef:
        name: ovh-credentials
        key: applicationSecret
      consumerKeyRef:
        name: ovh-credentials
        key: consumerKey
rbac:
  roleType: ClusterRole

• The K8s secret with the OVH keys is the same as the example described here: https://aureq.github.io/cert-manager-webhook-ovh/#secret-vs-secret-references (of course with different values and base64 encoded). Using kubectl to fetch the K8s secret and base64 decode the three values works fine. So the secrets should work as expected.

• Install Helm chart with helm upgrade --install --namespace cert-manager -f values.yaml cm-webhook-ovh cert-manager-webhook-ovh-charts/cert-manager-webhook-ovh

Versions in use

Chart: 0.7.3
cert-manager: 1.16
Kubernetes: 1.31

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

@githubixx githubixx added the bug Something isn't working label Feb 18, 2025
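The error in the log names the ConfigMap key client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file, not the mounted /tls/ca.crt, so a useful first check is whether that ConfigMap actually carries CA content under requestheader-client-ca-file (the kube-apiserver populates it from its --requestheader-client-ca-file flag). The diagnostic below is an added example, not code from this issue or from the cert-manager-webhook-ovh project; it assumes kubectl access for the live check and constructs its sample bundle inline.

```python
# Added diagnostic, not part of cert-manager-webhook-ovh or cert-manager: inspect the
# ConfigMap named in the log line and say why a CA bundle key would lack content.
import base64, binascii, json, subprocess

# Keys kube-apiserver publishes in kube-system/extension-apiserver-authentication for
# aggregated API servers; the webhook's error names the second one.
CA_KEYS = ("client-ca-file", "requestheader-client-ca-file")
BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
# Constructed sample bundle for offline use; the body is not a real certificate.
SAMPLE_OK = f"{BEGIN}\n{base64.b64encode(b'constructed, not a real cert').decode()}\n{END}\n"

def pem_cert_count(bundle: str) -> int:
    """Count PEM certificate blocks whose body is non-empty, well-formed base64."""
    count, body, inside = 0, [], False
    for line in bundle.splitlines():
        line = line.strip()
        if line == BEGIN:
            inside, body = True, []
        elif line == END and inside:
            inside = False
            try:
                count += bool(base64.b64decode("".join(body), validate=True))
            except binascii.Error:
                pass
        elif inside:
            body.append(line)
    return count

def check_ca_bundle(configmap: dict) -> dict:
    """Map each CA key to 'ok', 'missing', 'empty' or 'invalid'. A missing or empty
    key leaves the dynamic CA controller with no bundle content to load."""
    data = configmap.get("data") or {}
    status = {}
    for key in CA_KEYS:
        value = data.get(key)
        if value is None:
            status[key] = "missing"
        elif not value.strip():
            status[key] = "empty"
        elif pem_cert_count(value) == 0:
            status[key] = "invalid"
        else:
            status[key] = "ok"
    return status

if __name__ == "__main__":  # live check against the cluster; needs kubectl access
    raw = subprocess.check_output(["kubectl", "-n", "kube-system", "get", "configmap",
                                   "extension-apiserver-authentication", "-o", "json"])
    print(json.dumps(check_ca_bundle(json.loads(raw)), indent=2))
```

If the script reports requestheader-client-ca-file as missing or empty, the webhook's error is coming from the cluster's aggregation-layer configuration rather than from the chart's TLS secret.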