Addon: cert-manager

From 1.25

This addon installs Cert-Manager, the de-facto standard solution for certificate management in Kubernetes clusters. It supports X.509 certificate management for Kubernetes and OpenShift clusters, retrieves certificates from private (internal) or public issuers, and ensures they are properly rotated and kept up to date.

Install this addon with:

microk8s enable cert-manager

Automatically generating Let’s Encrypt certificates for Ingress

One of the common use-cases of Cert-Manager is to configure Kubernetes Ingress resources with automatic TLS certificates from Let’s Encrypt.

Requirements

  1. A MicroK8s cluster with a public IP address. This is required to complete the HTTP-01 challenges of Let’s Encrypt.

  2. A hostname that resolves to your public IP address, e.g. my-service.example.com.

  3. A properly configured ingress class for your MicroK8s cluster. The simplest way to do this is to use the ingress addon:

microk8s enable ingress dns

Create a ClusterIssuer

A ClusterIssuer resource is used to configure an account with Let’s Encrypt. All you need is an email address (make sure to use a valid email address).

Create a ClusterIssuer called lets-encrypt with the command below. Make sure to replace microk8s@example.com with your own email address. Note that Let’s Encrypt will refuse to register accounts that use the example.com domain.

microk8s kubectl apply -f - <<EOF
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
 name: lets-encrypt
spec:
 acme:
   email: microk8s@example.com
   server: https://acme-v02.api.letsencrypt.org/directory
   privateKeySecretRef:
     # Secret resource that will be used to store the account's private key.
     name: lets-encrypt-priviate-key
   # Add a single challenge solver, HTTP01 using nginx
   solvers:
   - http01:
       ingress:
         class: public
EOF

Verify that the ClusterIssuer was created successfully with microk8s kubectl get clusterissuer -o wide, which should produce output similar to:

NAME           READY   STATUS                                                 AGE
lets-encrypt   True    The ACME account was registered with the ACME server   2m19s

Deploy a service

For this example, we will deploy a simple microbot deployment:

microk8s kubectl create deploy --image cdkbot/microbot:1 --replicas 3 microbot
microk8s kubectl expose deploy microbot --port 80 --type ClusterIP

Ensure the service is up and running with microk8s kubectl get pod,svc:

NAME                          READY   STATUS    RESTARTS   AGE
pod/microbot-b6996696-sbp76   1/1     Running   0          11s
pod/microbot-b6996696-xmplm   1/1     Running   0          11s
pod/microbot-b6996696-8b82c   1/1     Running   0          11s

NAME                 TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)   AGE
service/kubernetes   ClusterIP   10.152.183.1     <none>        443/TCP   16m
service/microbot     ClusterIP   10.152.183.134   <none>        80/TCP    3s

Configure ingress

Next, create a Kubernetes ingress resource that forwards requests made to https://my-service.example.com to our microbot service.

Note that the cert-manager.io/cluster-issuer: lets-encrypt annotation tells Cert-Manager to automatically retrieve TLS certificates for our domain. The following example needs to reference the correct hostnames for your deployment - please substitute appropriately before running this command:

microk8s kubectl apply -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
 name: microbot-ingress
 annotations:
   cert-manager.io/cluster-issuer: lets-encrypt
spec:
 tls:
 - hosts:
   - my-service.example.com
   secretName: microbot-ingress-tls
 rules:
 - host: my-service.example.com
   http:
     paths:
     - backend:
         service:
           name: microbot
           port:
             number: 80
       path: /
       pathType: Exact
EOF

After a while, Cert-Manager will automatically request a certificate from Let’s Encrypt, store it in the microbot-ingress-tls secret and configure the ingress to use it. Finally, you should be able to access your service at its fully qualified domain name.

Hi, @evilnick
Is there any way to use it under microk8s 1.22?
I look forward to your reply.
Thanks.

@amo.mycena thanks for the message. Unfortunately no, this relies on features which were added in 1.25

Thanks for your reply.

Hi this worked great. I presume I don’t need to keep the microbot deployment running?

Will cert manager get a new TLS cert for any ingress configured with that annotation, or do I have to keep this ingress and just reconfigure the backend service for my ‘real’ website?

@bramo That’s great! No, the microbot service is just a simple test to verify that it is working, you can kill it.

Been trying to get this to work for days without success.

Today I reset my microk8s-cluster with snap remove microk8s --purge, then started with a fresh

sudo snap install microk8s --classic --channel=1.26/stable

and went on with the following commands:

sudo usermod -a -G microk8s $USER
sudo chown -f -R $USER ~/.kube
su - $USER
microk8s status --wait-ready
sudo snap alias microk8s.kubectl kubectl
sudo snap alias microk8s.helm3 helm
helm repo add stable https://charts.helm.sh/stable
helm repo update
microk8s add-node 
    #then add the 2 other nodes with
microk8s join ....
microk8s enable dns:192.168.1.1,5.1.66.255          # CoreDNS
microk8s enable host-access                         # Allow Pods connecting to Host services smoothly
microk8s enable ingress                             # Ingress controller for external access
microk8s enable dashboard                           # The Kubernetes dashboard
microk8s enable metallb:'192.168.1.10-192.168.1.10,192.168.1.240-192.168.1.253'
microk8s enable cert-manager
kubectl apply -f clusterissuer.yml

Now, after a few unsuccessful trials with my own clusterissuer and kuard as app, I tried your microbot example from the top with the same result:

default     1s          Normal    ScalingReplicaSet   deployment/microbot                                  Scaled up replica set microbot-b778687f9 to 3
default     1s          Normal    SuccessfulCreate    replicaset/microbot-b778687f9                        Created pod: microbot-b778687f9-5jnvm
default     1s          Normal    SuccessfulCreate    replicaset/microbot-b778687f9                        Created pod: microbot-b778687f9-g68kh
default     1s          Normal    SuccessfulCreate    replicaset/microbot-b778687f9                        Created pod: microbot-b778687f9-dslhz
default     0s          Normal    Scheduled           pod/microbot-b778687f9-g68kh                         Successfully assigned default/microbot-b778687f9-g68kh to cluster-wf-technik01
default     0s          Normal    Scheduled           pod/microbot-b778687f9-5jnvm                         Successfully assigned default/microbot-b778687f9-5jnvm to cluster-wf-essen01
default     0s          Normal    Scheduled           pod/microbot-b778687f9-dslhz                         Successfully assigned default/microbot-b778687f9-dslhz to cluster-bs-dg01
default     0s          Normal    Pulling             pod/microbot-b778687f9-g68kh                         Pulling image "cdkbot/microbot:1"
default     0s          Normal    Pulling             pod/microbot-b778687f9-5jnvm                         Pulling image "cdkbot/microbot:1"
default     0s          Normal    Pulling             pod/microbot-b778687f9-dslhz                         Pulling image "cdkbot/microbot:1"
default     0s          Normal    Pulled              pod/microbot-b778687f9-g68kh                         Successfully pulled image "cdkbot/microbot:1" in 6.928614238s (6.928619642s including waiting)
default     0s          Normal    Created             pod/microbot-b778687f9-g68kh                         Created container microbot
default     1s          Normal    Started             pod/microbot-b778687f9-g68kh                         Started container microbot
default     0s          Normal    Pulled              pod/microbot-b778687f9-dslhz                         Successfully pulled image "cdkbot/microbot:1" in 45.021152957s (45.021157699s including waiting)
default     0s          Normal    Created             pod/microbot-b778687f9-dslhz                         Created container microbot
default     0s          Normal    Started             pod/microbot-b778687f9-dslhz                         Started container microbot
default     0s          Normal    Pulled              pod/microbot-b778687f9-5jnvm                         Successfully pulled image "cdkbot/microbot:1" in 47.301921331s (47.301925255s including waiting)
default     0s          Normal    Created             pod/microbot-b778687f9-5jnvm                         Created container microbot
default     0s          Normal    Started             pod/microbot-b778687f9-5jnvm                         Started container microbot
ingress     0s          Normal    RELOAD              pod/nginx-ingress-microk8s-controller-l46t4          NGINX reload triggered due to a change in configuration
ingress     0s          Normal    RELOAD              pod/nginx-ingress-microk8s-controller-pxtlb          NGINX reload triggered due to a change in configuration
ingress     1s          Normal    RELOAD              pod/nginx-ingress-microk8s-controller-dnqkv          NGINX reload triggered due to a change in configuration
default     0s          Normal    Sync                ingress/microbot-ingress                             Scheduled for sync
default     0s          Normal    Sync                ingress/microbot-ingress                             Scheduled for sync
ingress     0s          Normal    RELOAD              pod/nginx-ingress-microk8s-controller-pxtlb          NGINX reload triggered due to a change in configuration
ingress     0s          Normal    RELOAD              pod/nginx-ingress-microk8s-controller-l46t4          NGINX reload triggered due to a change in configuration
default     0s          Normal    CreateCertificate   ingress/microbot-ingress                             Successfully created Certificate "microbot-ingress-tls"
default     0s          Normal    Sync                ingress/microbot-ingress                             Scheduled for sync
ingress     0s          Normal    RELOAD              pod/nginx-ingress-microk8s-controller-dnqkv          NGINX reload triggered due to a change in configuration
default     0s          Normal    Issuing             certificate/microbot-ingress-tls                     Issuing certificate as Secret does not exist
default     0s          Normal    Generated           certificate/microbot-ingress-tls                     Stored new private key in temporary Secret resource "microbot-ingress-tls-p9j5v"
default     0s          Normal    Requested           certificate/microbot-ingress-tls                     Created new CertificateRequest resource "microbot-ingress-tls-tsmj9"
default     0s          Normal    cert-manager.io     certificaterequest/microbot-ingress-tls-tsmj9        Certificate request has been approved by cert-manager.io
default     1s          Normal    OrderCreated        certificaterequest/microbot-ingress-tls-tsmj9        Created Order resource default/microbot-ingress-tls-tsmj9-3484024173
default     1s          Normal    OrderPending        certificaterequest/microbot-ingress-tls-tsmj9        Waiting on certificate issuance from order default/microbot-ingress-tls-tsmj9-3484024173: ""
default     0s          Normal    Sync                ingress/microbot-ingress                             Scheduled for sync
default     0s          Normal    Sync                ingress/microbot-ingress                             Scheduled for sync
default     0s          Normal    Sync                ingress/microbot-ingress                             Scheduled for sync
default     1s          Normal    Created             order/microbot-ingress-tls-tsmj9-3484024173          Created Challenge resource "microbot-ingress-tls-tsmj9-3484024173-1852125348" for domain "dahoam.13mail.de"
default     0s          Normal    Started             challenge/microbot-ingress-tls-tsmj9-3484024173-1852125348   Challenge scheduled for processing
default     0s          Normal    Sync                ingress/cm-acme-http-solver-4c9x2                            Scheduled for sync
default     0s          Normal    Presented           challenge/microbot-ingress-tls-tsmj9-3484024173-1852125348   Presented challenge using HTTP-01 challenge mechanism
default     0s          Normal    Sync                ingress/cm-acme-http-solver-4c9x2                            Scheduled for sync
default     0s          Normal    Sync                ingress/cm-acme-http-solver-5tk2v                            Scheduled for sync
default     0s          Normal    Sync                ingress/cm-acme-http-solver-5tk2v                            Scheduled for sync
default     0s          Normal    Scheduled           pod/cm-acme-http-solver-9df5d                                Successfully assigned default/cm-acme-http-solver-9df5d to cluster-bs-dg01
default     0s          Normal    Sync                ingress/cm-acme-http-solver-4c9x2                            Scheduled for sync
default     0s          Normal    Sync                ingress/cm-acme-http-solver-5tk2v                            Scheduled for sync
default     0s          Normal    Sync                ingress/cm-acme-http-solver-hg7j9                            Scheduled for sync
default     0s          Normal    Sync                ingress/cm-acme-http-solver-hg7j9                            Scheduled for sync
default     0s          Normal    Sync                ingress/cm-acme-http-solver-hg7j9                            Scheduled for sync
default     0s          Normal    Pulling             pod/cm-acme-http-solver-9df5d                                Pulling image "quay.io/jetstack/cert-manager-acmesolver:v1.8.0"
ingress     1s          Normal    RELOAD              pod/nginx-ingress-microk8s-controller-pxtlb                  NGINX reload triggered due to a change in configuration
ingress     1s          Normal    RELOAD              pod/nginx-ingress-microk8s-controller-l46t4                  NGINX reload triggered due to a change in configuration
ingress     1s          Normal    RELOAD              pod/nginx-ingress-microk8s-controller-dnqkv                  NGINX reload triggered due to a change in configuration
default     0s          Normal    Pulled              pod/cm-acme-http-solver-9df5d                                Successfully pulled image "quay.io/jetstack/cert-manager-acmesolver:v1.8.0" in 18.433090934s (18.433100365s including waiting)
default     0s          Normal    Created             pod/cm-acme-http-solver-9df5d                                Created container acmesolver
default     0s          Normal    Started             pod/cm-acme-http-solver-9df5d                                Started container acmesolver
default     0s          Normal    Sync                ingress/cm-acme-http-solver-hg7j9                            Scheduled for sync
default     0s          Normal    Sync                ingress/cm-acme-http-solver-hg7j9                            Scheduled for sync
default     0s          Normal    Sync                ingress/cm-acme-http-solver-hg7j9                            Scheduled for sync
default     0s          Normal    Killing             pod/cm-acme-http-solver-9df5d                                Stopping container acmesolver
ingress     0s          Normal    RELOAD              pod/nginx-ingress-microk8s-controller-l46t4                  NGINX reload triggered due to a change in configuration
ingress     0s          Normal    RELOAD              pod/nginx-ingress-microk8s-controller-pxtlb                  NGINX reload triggered due to a change in configuration
default     0s          Warning   OrderFailed         certificaterequest/microbot-ingress-tls-tsmj9                Failed to wait for order resource "microbot-ingress-tls-tsmj9-3484024173" to become ready: order is in "invalid" state:
default     1s          Warning   Failed              certificate/microbot-ingress-tls                             The certificate request has failed to complete and will be retried: Failed to wait for order resource "microbot-ingress-tls-tsmj9-3484024173" to become ready: order is in "invalid" state:
ingress     1s          Normal    RELOAD              pod/nginx-ingress-microk8s-controller-dnqkv                  NGINX reload triggered due to a change in configuration
ingress     1s          Normal    RELOAD              pod/nginx-ingress-microk8s-controller-pxtlb                  NGINX reload triggered due to a change in configuration
ingress     1s          Normal    RELOAD              pod/nginx-ingress-microk8s-controller-l46t4                  NGINX reload triggered due to a change in configuration

kubectl describe certificaterequest microbot-ingress-tls-tsmj9
Name:         microbot-ingress-tls-tsmj9
Namespace:    default
Labels:       <none>
Annotations:  cert-manager.io/certificate-name: microbot-ingress-tls
              cert-manager.io/certificate-revision: 1
              cert-manager.io/private-key-secret-name: microbot-ingress-tls-p9j5v
API Version:  cert-manager.io/v1
Kind:         CertificateRequest
Metadata:
  Creation Timestamp:  2022-12-21T18:52:59Z
  Generate Name:       microbot-ingress-tls-
  Generation:          1
  Managed Fields:
    API Version:  cert-manager.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:status:
        .:
        f:conditions:
          .:
          k:{"type":"Approved"}:
            .:
            f:lastTransitionTime:
            f:message:
            f:reason:
            f:status:
            f:type:
    Manager:      cert-manager-certificaterequests-approver
    Operation:    Update
    Subresource:  status
    Time:         2022-12-21T18:52:59Z
    API Version:  cert-manager.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .:
          f:cert-manager.io/certificate-name:
          f:cert-manager.io/certificate-revision:
          f:cert-manager.io/private-key-secret-name:
        f:generateName:
        f:ownerReferences:
          .:
          k:{"uid":"64aa8ec9-ce23-4a26-9637-d400783d1c3b"}:
      f:spec:
        .:
        f:issuerRef:
          .:
          f:group:
          f:kind:
          f:name:
        f:request:
        f:usages:
    Manager:      cert-manager-certificates-request-manager
    Operation:    Update
    Time:         2022-12-21T18:52:59Z
    API Version:  cert-manager.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:status:
        f:conditions:
          k:{"type":"Ready"}:
            .:
            f:lastTransitionTime:
            f:message:
            f:reason:
            f:status:
            f:type:
        f:failureTime:
    Manager:      cert-manager-certificaterequests-issuer-acme
    Operation:    Update
    Subresource:  status
    Time:         2022-12-21T18:54:09Z
  Owner References:
    API Version:           cert-manager.io/v1
    Block Owner Deletion:  true
    Controller:            true
    Kind:                  Certificate
    Name:                  microbot-ingress-tls
    UID:                   64aa8ec9-ce23-4a26-9637-d400783d1c3b
  Resource Version:        27090
  UID:                     783f9bab-b1bf-4a59-8ce4-fcd5c4ccb88d
Spec:
  Extra:
    authentication.kubernetes.io/pod-name:
      cert-manager-69c6cb69f9-mwldw
    authentication.kubernetes.io/pod-uid:
      945ccb41-a5ae-4aaf-9535-f16dcb751809
  Groups:
    system:serviceaccounts
    system:serviceaccounts:cert-manager
    system:authenticated
  Issuer Ref:
    Group:  cert-manager.io
    Kind:   ClusterIssuer
    Name:   lets-encrypt
  UID:      1e592ac4-61ca-435f-a6bf-b46b5389156a
  Usages:
    digital signature
    key encipherment
  Username:  system:serviceaccount:cert-manager:cert-manager
Status:
  Conditions:
    Last Transition Time:  2022-12-21T18:52:59Z
    Message:               Certificate request has been approved by cert-manager.io
    Reason:                cert-manager.io
    Status:                True
    Type:                  Approved
    Last Transition Time:  2022-12-21T18:52:59Z
    Message:               Failed to wait for order resource "microbot-ingress-tls-tsmj9-3484024173" to become ready: order is in "invalid" state: 
    Reason:                Failed
    Status:                False
    Type:                  Ready
  Failure Time:            2022-12-21T18:54:09Z
Events:
  Type     Reason           Age    From                                          Message
  ----     ------           ----   ----                                          -------
  Normal   cert-manager.io  4m16s  cert-manager-certificaterequests-approver     Certificate request has been approved by cert-manager.io
  Normal   OrderCreated     4m16s  cert-manager-certificaterequests-issuer-acme  Created Order resource default/microbot-ingress-tls-tsmj9-3484024173
  Normal   OrderPending     4m16s  cert-manager-certificaterequests-issuer-acme  Waiting on certificate issuance from order default/microbot-ingress-tls-tsmj9-3484024173: ""
  Warning  OrderFailed      3m6s   cert-manager-certificaterequests-issuer-acme  Failed to wait for order resource "microbot-ingress-tls-tsmj9-3484024173" to become ready: order is in "invalid" state:

kubectl describe certificate microbot-ingress-tls
Name:         microbot-ingress-tls
Namespace:    default
Labels:       <none>
Annotations:  <none>
API Version:  cert-manager.io/v1
Kind:         Certificate
Metadata:
  Creation Timestamp:  2022-12-21T18:52:58Z
  Generation:          1
  Managed Fields:
    API Version:  cert-manager.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:status:
        f:conditions:
          k:{"type":"Ready"}:
            .:
            f:lastTransitionTime:
            f:message:
            f:observedGeneration:
            f:reason:
            f:status:
            f:type:
    Manager:      cert-manager-certificates-readiness
    Operation:    Update
    Subresource:  status
    Time:         2022-12-21T18:52:58Z
    API Version:  cert-manager.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:status:
        .:
        f:conditions:
          .:
          k:{"type":"Issuing"}:
            .:
            f:observedGeneration:
            f:type:
    Manager:      cert-manager-certificates-trigger
    Operation:    Update
    Subresource:  status
    Time:         2022-12-21T18:52:58Z
    API Version:  cert-manager.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:ownerReferences:
          .:
          k:{"uid":"18e12242-3f02-4277-9814-3450face7ba8"}:
      f:spec:
        .:
        f:dnsNames:
        f:issuerRef:
          .:
          f:group:
          f:kind:
          f:name:
        f:secretName:
        f:usages:
    Manager:      cert-manager-ingress-shim
    Operation:    Update
    Time:         2022-12-21T18:52:58Z
    API Version:  cert-manager.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:status:
        f:conditions:
          k:{"type":"Issuing"}:
            f:lastTransitionTime:
            f:message:
            f:reason:
            f:status:
        f:failedIssuanceAttempts:
        f:lastFailureTime:
    Manager:      cert-manager-certificates-issuing
    Operation:    Update
    Subresource:  status
    Time:         2022-12-21T18:54:09Z
  Owner References:
    API Version:           networking.k8s.io/v1
    Block Owner Deletion:  true
    Controller:            true
    Kind:                  Ingress
    Name:                  microbot-ingress
    UID:                   18e12242-3f02-4277-9814-3450face7ba8
  Resource Version:        27100
  UID:                     64aa8ec9-ce23-4a26-9637-d400783d1c3b
Spec:
  Dns Names:
    something.mydomain.com
  Issuer Ref:
    Group:      cert-manager.io
    Kind:       ClusterIssuer
    Name:       lets-encrypt
  Secret Name:  microbot-ingress-tls
  Usages:
    digital signature
    key encipherment
Status:
  Conditions:
    Last Transition Time:    2022-12-21T18:54:09Z
    Message:                 The certificate request has failed to complete and will be retried: Failed to wait for order resource "microbot-ingress-tls-tsmj9-3484024173" to become ready: order is in "invalid" state: 
    Observed Generation:     1
    Reason:                  Failed
    Status:                  False
    Type:                    Issuing
    Last Transition Time:    2022-12-21T18:52:58Z
    Message:                 Issuing certificate as Secret does not exist
    Observed Generation:     1
    Reason:                  DoesNotExist
    Status:                  False
    Type:                    Ready
  Failed Issuance Attempts:  1
  Last Failure Time:         2022-12-21T18:54:09Z
Events:
  Type     Reason     Age    From                                       Message
  ----     ------     ----   ----                                       -------
  Normal   Issuing    4m53s  cert-manager-certificates-trigger          Issuing certificate as Secret does not exist
  Normal   Generated  4m52s  cert-manager-certificates-key-manager      Stored new private key in temporary Secret resource "microbot-ingress-tls-p9j5v"
  Normal   Requested  4m52s  cert-manager-certificates-request-manager  Created new CertificateRequest resource "microbot-ingress-tls-tsmj9"
  Warning  Failed     3m42s  cert-manager-certificates-issuing          The certificate request has failed to complete and will be retried: Failed to wait for order resource "microbot-ingress-tls-tsmj9-3484024173" to become ready: order is in "invalid" state:

I am at my wit’s end and am grateful for any help
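
Added example, not part of the original post or of the MicroK8s documentation: the issuance flow the guide describes runs Certificate, CertificateRequest, Order, Challenge, and when an order ends up "invalid" the Certificate and CertificateRequest events only repeat that summary, while the Order and Challenge status carry the state and reason. The sketch below rebuilds that chain from `kubectl get events -A` output and lists the objects to describe next. The function names and the sample rows are constructed for illustration, and the sample uses the guide's placeholder hostname.

```python
import re

# Constructed sample in the `kubectl get events -A` column layout
# (NAMESPACE, LAST SEEN, TYPE, REASON, OBJECT, MESSAGE), modelled on the
# failed issuance in the post above; the hostname is the guide's placeholder.
SAMPLE_EVENTS = """\
NAMESPACE   LAST SEEN   TYPE      REASON              OBJECT                                          MESSAGE
default     0s          Normal    Created             pod/microbot-b778687f9-g68kh                    Created container microbot
default     0s          Normal    CreateCertificate   ingress/microbot-ingress                        Successfully created Certificate "microbot-ingress-tls"
default     0s          Normal    Requested           certificate/microbot-ingress-tls                Created new CertificateRequest resource "microbot-ingress-tls-tsmj9"
default     1s          Normal    OrderCreated        certificaterequest/microbot-ingress-tls-tsmj9   Created Order resource default/microbot-ingress-tls-tsmj9-3484024173
default     1s          Normal    Created             order/microbot-ingress-tls-tsmj9-3484024173     Created Challenge resource "microbot-ingress-tls-tsmj9-3484024173-1852125348" for domain "my-service.example.com"
default     0s          Normal    Presented           challenge/microbot-ingress-tls-tsmj9-3484024173-1852125348   Presented challenge using HTTP-01 challenge mechanism
default     0s          Warning   OrderFailed         certificaterequest/microbot-ingress-tls-tsmj9   Failed to wait for order resource "microbot-ingress-tls-tsmj9-3484024173" to become ready: order is in "invalid" state:
default     1s          Warning   Failed              certificate/microbot-ingress-tls                The certificate request has failed to complete and will be retried: Failed to wait for order resource "microbot-ingress-tls-tsmj9-3484024173" to become ready: order is in "invalid" state:
"""

CERT_KINDS = ("certificate", "certificaterequest", "order", "challenge")
# cert-manager names each child it creates in the parent's event message.
CREATED = re.compile(
    r'[Cc]reated (?:new )?(CertificateRequest|Certificate|Order|Challenge)'
    r'(?: resource)? "?(?:[\w.-]+/)?([\w.-]+)'
)


def parse_events(text):
    """Yield (namespace, type, object, message) for each event row."""
    for line in text.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 5 or "/" not in parts[4]:
            continue  # header row, blank line or wrapped text
        message = parts[5] if len(parts) == 6 else ""
        yield parts[0], parts[2], parts[4].lower(), message


def trace_issuance(text):
    """Rebuild the Certificate -> CertificateRequest -> Order -> Challenge
    chain from event messages and list what to inspect after a failure."""
    children, warned, namespace = {}, [], {}
    for ns, etype, obj, message in parse_events(text):
        match = CREATED.search(message)
        if match:
            child = f"{match.group(1).lower()}/{match.group(2)}"
            namespace[child] = ns  # children live in the parent's namespace
            if child not in children.setdefault(obj, []):
                children[obj].append(child)
        if etype == "Warning" and obj.split("/")[0] in CERT_KINDS:
            namespace[obj] = ns
            if obj not in warned:
                warned.append(obj)

    def descendants(obj):
        for child in children.get(obj, []):
            yield child
            yield from descendants(child)

    # Objects below a warned resource that did not raise a Warning themselves:
    # their status holds the detail the parent events only summarise.
    inspect = []
    for obj in warned:
        for item in descendants(obj):
            if item not in warned and item not in inspect:
                inspect.append(item)
    commands = [
        "microk8s kubectl -n {} describe {} {}".format(namespace[i], *i.split("/", 1))
        for i in inspect
    ]
    return {"warned": warned, "inspect": inspect, "commands": commands}


if __name__ == "__main__":
    result = trace_issuance(SAMPLE_EVENTS)
    print("Resources with Warning events:", ", ".join(result["warned"]))
    for command in result["commands"]:
        print(command)
```
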

During the

getting the next error:
Error from server (InternalError): error when creating "STDIN": Internal error occurred: failed calling webhook "webhook.cert-manager.io": failed to call webhook: Post "https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=10s": context deadline exceeded

@Stanislav_Trifan sorry it isn’t working for you. That error indicates the pod isn’t being created in the expected timeframe, which could be for a number of reasons. Could you paste here the exact YAML of the resource you tried to create?

@evilnick this is the command I run (on microk8s 1.27.2 rev 5372):


stanislav@dev:~/workspace/homelab/kubecluster$ kubectl apply -f - <<EOF
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
 name: lets-encrypt
spec:
 acme:
   email: _edited_@gmail.com
   server: https://acme-v02.api.letsencrypt.org/directory
   privateKeySecretRef:
     # Secret resource that will be used to store the account's private key.
     name: lets-encrypt-priviate-key
   # Add a single challenge solver, HTTP01 using nginx
   solvers:
   - http01:
       ingress:
         class: public
EOF

Error from server (InternalError): error when creating "STDIN": Internal error occurred: failed calling webhook "webhook.cert-manager.io": failed to call webhook: Post "https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=10s": context deadline exceeded

@Stanislav_Trifan since I cannot reproduce the issue, could you please file an issue at canonical/microk8s on GitHub and attach a microk8s inspect tarball?
