Hello! I try to get certificate from cert-manager for linkerd use and have problem.
I create vault issuer, and certificate. Certificate creates, but Certificate has False status
and I see many certificates in vault, for each iteration of create certificate with cert-manager.
$ kubectl get issuers.cert-manager.io -n linkerd
NAME READY AGE
linkerd-trust-anchor True 54m
$ kubectl get certificates.cert-manager.io -n linkerd
NAME READY SECRET AGE
linkerd-identity-issuer False linkerd-identity-issuer 54m
$ kubectl describe certificate -n linkerd linkerd-identity-issuer
...
Status:
Conditions:
Last Transition Time: 2021-06-25T13:49:26Z
Message: Issuing certificate as Secret does not exist
Observed Generation: 1
Reason: DoesNotExist
Status: False
Type: Ready
Last Transition Time: 2021-06-25T13:49:27Z
Message: The certificate request has failed to complete and will be retried: Failed to decode returned certificate: error decoding certificate PEM block
Observed Generation: 1
Reason: Failed
Status: False
Type: Issuing
Last Failure Time: 2021-06-25T13:49:27Z
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Issuing 55m cert-manager Issuing certificate as Secret does not exist
Normal Generated 55m cert-manager Stored new private key in temporary Secret resource "linkerd-identity-issuer-rdsss"
Normal Requested 54m cert-manager Created new CertificateRequest resource "linkerd-identity-issuer-bvzfm"
Warning Failed 54m cert-manager The certificate request has failed to complete and will be retried: Failed to decode returned certificate: error decoding certificate PEM block
# Source: linkerd-issuers/templates/issuers.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: linkerd-trust-anchor
namespace: linkerd
---
# Source: linkerd-issuers/templates/issuers.yaml
apiVersion: v1
kind: Secret
metadata:
name: linkerd-trust-anchor-secret
namespace: linkerd
annotations:
kubernetes.io/service-account.name: linkerd-trust-anchor
type: kubernetes.io/service-account-token
---
# Source: linkerd-issuers/templates/certificate.yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: linkerd-identity-issuer
namespace: linkerd
spec:
secretName: linkerd-identity-issuer
duration: 48h
renewBefore: 25h
issuerRef:
name: linkerd-trust-anchor
kind: Issuer
commonName: identity.linkerd.cluster.local
dnsNames:
- identity.linkerd.cluster.local
isCA: true
privateKey:
algorithm: ECDSA
size: 256
usages:
- cert sign
- crl sign
- server auth
- client auth
---
# Source: linkerd-issuers/templates/issuers.yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: linkerd-trust-anchor
namespace: linkerd
spec:
vault:
path: linkerd/sign/linkerd-trust-anchor
server: https://myvaultaddr/
auth:
kubernetes:
role: linkerd-trust-anchor
mountPath: /v1/auth/kubernetes-new
secretRef:
name: linkerd-trust-anchor-secret
key: token
Expected behaviour:
I must see linkerd-identity-issuer secret in linkerd namespace and READY status of Certificate true
Steps to reproduce the bug:
I use this guides for setup vault issuer and this commands:
https://cert-manager.io/docs/configuration/vault/
https://linkerd.io/2.10/tasks/automatically-rotating-control-plane-tls-credentials/#
https://learn.hashicorp.com/tutorials/vault/kubernetes-cert-manager?in=vault/kubernetes#configure-pki-secrets-engine
$ vault secrets enable -path linkerd pki
$ vault secrets tune -max-lease-ttl=175200h linkerd
$ vault write linkerd/root/generate/internal common_name=identity.linkerd.cluster.local key_type=ec key_bits=256 ttl=175200h
$ vault write linkerd/config/urls issuing_certificates="https://myvaultaddr/v1/linkerd/ca" url_distribution_points="https://myvaultaddr/v1/linkerd/crl"
$ vault write linkerd/roles/linkerd-trust-anchor allowed_domains=cluster.local allow_subdomains=true max_ttl=48h key_type=ec key_bits=256
$ vault policy write linkerd-trust-anchor - <<EOF
path "linkerd*" { capabilities = ["read", "list"] }
path "linkerd/roles/linkerd-trust-anchor" { capabilities = ["create", "update"] }
path "linkerd/sign/linkerd-trust-anchor" { capabilities = ["create", "update"] }
path "linkerd/issue/linkerd-trust-anchor" { capabilities = ["create"] }
EOF
$ vault write auth/kubernetes-new/role/linkerd-trust-anchor bound_service_account_names=linkerd-trust-anchor bound_service_account_namespaces=linkerd policies=linkerd-trust-anchor ttl=20m
Anything else we need to know?:
Environment details::
- Kubernetes version: v1.21.0
- cert-manager version: v1.4.0
- Install method: helm
/kind bug
Hello! I try to get certificate from cert-manager for linkerd use and have problem.
I create vault issuer, and certificate. Certificate creates, but Certificate has False status
and I see many certificates in vault, for each iteration of create certificate with cert-manager.
Expected behaviour:
I must see linkerd-identity-issuer secret in linkerd namespace and READY status of Certificate true
Steps to reproduce the bug:
I use this guides for setup vault issuer and this commands:
https://cert-manager.io/docs/configuration/vault/
https://linkerd.io/2.10/tasks/automatically-rotating-control-plane-tls-credentials/#
https://learn.hashicorp.com/tutorials/vault/kubernetes-cert-manager?in=vault/kubernetes#configure-pki-secrets-engine
Anything else we need to know?:
Environment details::
/kind bug