Cert-manager: Can't create issuer when running in aws eks fargate

Created on 30 Aug 2020 · 6 Comments · Source: jetstack/cert-manager

Describe the bug:
Internal error occurred: failed calling webhook "webhook.cert-manager.io": Post https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=30s: x509: certificate is valid for ip-192-168-xxx-xxx.xxx.compute.internal, not cert-manager-webhook.cert-manager.svc

Expected behaviour:
Should create issuer

Steps to reproduce the bug:
Set up a cluster on AWS EKS Fargate.

Add fargate profile

eksctl create fargateprofile \
  --cluster "demo" \
  --name "cert-manager" \
  --namespace "cert-manager"

Create namespace
kubectl create namespace "cert-manager"

Install cert-manager with helm

helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --version v0.16.1 \
  --set installCRDs=true

Request certificate
Add fargate profile

eksctl create fargateprofile \
  --cluster "demo" \
  --name "appspace" \
  --namespace "appspace"

kubectl create namespace "appspace"

cat <<EOF | kubectl apply -f -
apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
  name: selfsigned-issuer
  namespace: appspace
spec:
  selfSigned: {}
EOF

Environment details:

  • Kubernetes version (e.g. v1.10.2): v1.17.9-eks-4c6976
  • Cloud-provider/provisioner (e.g. GKE, kops AWS, etc): AWS
  • cert-manager version (e.g. v0.4.0): v0.16.1
  • Install method (e.g. helm or static manifests): helm

/kind bug
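The error in the report is Go's x509 hostname-verification failure: the TLS client (here kube-apiserver calling the mutating webhook) dialed cert-manager-webhook.cert-manager.svc, but the certificate it received only carried a node-style name in its SAN list. The following added example, written for this page and not part of cert-manager or the reporter's setup, reproduces that check offline with the Go standard library: it builds a constructed self-signed serving certificate whose only SAN is a placeholder node hostname modelled on the one in the report, then runs the same VerifyHostname check the apiserver's TLS client performs. The constants, newServingCert and CheckWebhookSAN are this example's own names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const (
	// Placeholder node-style name, modelled on the redacted one in the report (constructed).
	nodeStyleName = "ip-192-168-xxx-xxx.xxx.compute.internal"
	// The Service DNS name the API server actually dials for the webhook.
	webhookSvcName = "cert-manager-webhook.cert-manager.svc"
)

// newServingCert builds a throwaway self-signed serving certificate carrying
// exactly the given DNS SANs, so we can test hostname verification without a cluster.
func newServingCert(dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames, // only the SAN list matters for hostname checks
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CheckWebhookSAN returns the SANs the certificate carries and the result of
// verifying it against the host that was dialed. On mismatch the error is the
// x509.HostnameError whose text matches the "certificate is valid for X, not Y"
// line seen in the report.
func CheckWebhookSAN(cert *x509.Certificate, dialedHost string) ([]string, error) {
	return cert.DNSNames, cert.VerifyHostname(dialedHost)
}

func main() {
	// Case 1: the certificate only names the node-style host (the failure in the report).
	bad, err := newServingCert([]string{nodeStyleName})
	if err != nil {
		panic(err)
	}
	sans, err := CheckWebhookSAN(bad, webhookSvcName)
	fmt.Printf("SANs=%v dialed=%s -> %v\n", sans, webhookSvcName, err)

	// Case 2: a certificate that names the Service DNS name passes the same check.
	good, err := newServingCert([]string{webhookSvcName})
	if err != nil {
		panic(err)
	}
	sans, err = CheckWebhookSAN(good, webhookSvcName)
	fmt.Printf("SANs=%v dialed=%s -> %v\n", sans, webhookSvcName, err)
}
```

The first case prints an error of the form `x509: certificate is valid for ip-192-168-xxx-xxx.xxx.compute.internal, not cert-manager-webhook.cert-manager.svc`, i.e. the exact shape of the message in the report. The practical takeaway for triage is that this error is purely about the names in the served certificate's SAN list versus the name dialed: whichever endpoint answered on port 443 of the Service presented a certificate that was not issued for the webhook's Service DNS name, so the thing to inspect is which endpoint actually received the connection and what certificate it serves.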

All 6 comments

Just had the exact same issue ... x509: certificate is valid for ip-172-31-176-102.eu-west-1.compute.internal, not cert-manager-webhook.cert-manager.svc - I'm guessing this might be related to how fargate works? I'll have to move cert manager to normal nodes for the moment I guess.

I have no experience with fargate but the traffic from the Kubernetes controller to the cert-manager-webhook service somehow hits an HTTPS endpoint that isn't correct...

Yes, ran into this also. Ended up moving cert-manager to a nodegroup for the time being.

Going to close this as we cannot do much about it.
If somebody can make a documentation PR that would be great!

/close

@meyskens: Closing this issue.

In response to this:

Going to close this as we cannot do much about it.
If somebody can make a documentation PR that would be great!

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

I think just accepting that cert-manager doesn't work on fargate isn't the best of approaches...

It's a tool with growing users, AWS being the biggest cloud hoster and fargate being their preferred deployment option. Is there maybe a way to call these webhooks with HTTP instead, circumventing all domain name issues? @meyskens
