Can't create issuer when running in AWS EKS Fargate

Describe the bug: Internal error occurred: failed calling webhook "webhook.cert-manager.io": Post https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=30s: x509: certificate is valid for ip-192-168-xxx-xxx.xxx.compute.internal, not cert-manager-webhook.cert-manager.svc

Expected behaviour: Should create issuer

Steps to reproduce the bug: Set up a cluster on AWS EKS Fargate.

Add Fargate profile

eksctl create fargateprofile \
  --cluster "demo" \
  --name "cert-manager" \
  --namespace "cert-manager"

Create namespace kubectl create namespace "cert-manager"

Install cert-manager with helm

helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --version v0.16.1 \
  --set installCRDs=true

Request certificate

Add Fargate profile

eksctl create fargateprofile \
  --cluster "demo" \
  --name "appspace" \
  --namespace "appspace"

kubectl create namespace "appspace"

cat <<EOF | kubectl apply -f -
apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
  name: selfsigned-issuer
  namespace: appspace
spec:
  selfSigned: {}
EOF

Environment details:

  • Kubernetes version (e.g. v1.10.2): v1.17.9-eks-4c6976
  • Cloud-provider/provisioner (e.g. GKE, kops AWS, etc): AWS
  • cert-manager version (e.g. v0.4.0): v0.16.1
  • Install method (e.g. helm or static manifests): helm

/kind bug

jetstack/cert-manager

Answer from liamawhite:

Hi all,

I raised a support ticket with AWS and this was the response I got. I haven't got time to verify this works but let me know if it does!


From their investigation, the issue mentioned is more related to the cert-manager setup. The cert-manager-webhook deployment uses port 10250, which is also used by the kubelet on the Fargate pods. Therefore, when the connection was made to the cert-manager-webhook service, it reported the error with the IP address corresponding to the cert-manager-webhook pod.

Here are the steps to address the error:

• Updated the deployment and changed port references from 10250 to 10260 at --secure-port and containerPort.

  kubectl edit deployment -n cert-manager cert-manager-webhook

• Updated the service and changed the port reference from 10250 to 10260 at targetPort.

  kubectl edit svc -n cert-manager cert-manager-webhook

• Wait for the new pod to appear for the updated deployment.

• Create an issuer now with the same command:

  cat <<EOF | kubectl apply -f -
  apiVersion: cert-manager.io/v1alpha2
  kind: Issuer
  metadata:
    name: selfsigned-issuer
    namespace: appspace
  spec:
    selfSigned: {}
  EOF
  issuer.cert-manager.io/selfsigned-issuer created
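The three manual edits from the AWS response (deployment --secure-port, deployment containerPort, service targetPort) are easy to get out of step with each other. The following is an added example, not code from the issue or from cert-manager: it detects containers that collide with the kubelet's port 10250 and rewrites all three references consistently. The manifests are constructed to mirror the shape of the cert-manager-webhook Deployment and Service, with example values only; in practice the input would come from `kubectl get deployment/svc -o json`.

```python
import copy

# Constructed sample manifests (not the project's real ones); only the fields
# relevant to the port edits are included.
DEPLOYMENT = {
    "kind": "Deployment",
    "spec": {"template": {"spec": {"containers": [{
        "name": "cert-manager",
        "args": ["--v=2", "--secure-port=10250",
                 "--dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE)"],
        "ports": [{"name": "https", "containerPort": 10250}],
    }]}}},
}
SERVICE = {
    "kind": "Service",
    "spec": {"ports": [{"name": "https", "port": 443, "targetPort": 10250}]},
}

KUBELET_PORT = 10250  # the kubelet listens on this port inside each Fargate pod


def containers_on_port(deployment, port=KUBELET_PORT):
    """Names of containers whose --secure-port or containerPort collide with `port`."""
    hits = []
    for c in deployment["spec"]["template"]["spec"]["containers"]:
        args = set(c.get("args", []))
        ports = {p.get("containerPort") for p in c.get("ports", [])}
        if f"--secure-port={port}" in args or port in ports:
            hits.append(c["name"])
    return hits


def relocate_webhook_port(deployment, service, old=KUBELET_PORT, new=10260):
    """Return patched copies with every reference to `old` moved to `new`,
    then verify the Service still targets a port some container exposes."""
    dep, svc = copy.deepcopy(deployment), copy.deepcopy(service)
    containers = dep["spec"]["template"]["spec"]["containers"]
    for c in containers:
        c["args"] = [f"--secure-port={new}" if a == f"--secure-port={old}" else a
                     for a in c.get("args", [])]
        for p in c.get("ports", []):
            if p.get("containerPort") == old:
                p["containerPort"] = new
    for p in svc["spec"]["ports"]:
        if p.get("targetPort") == old:
            p["targetPort"] = new
    exposed = {p["containerPort"] for c in containers for p in c.get("ports", [])}
    for p in svc["spec"]["ports"]:
        if p["targetPort"] not in exposed:  # catches a half-applied edit
            raise ValueError(f"targetPort {p['targetPort']} matches no containerPort")
    return dep, svc
```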

source:https://uonfu.com/
Answerer: Liam White (liamawhite), Software Engineer @tetrateio, Istio maintainer.