Keyfactor/ejbca-cert-manager-issuer

Permission Error on creating Certificate using ClusterIssuer ejbca-issuer.keyfactor.com

Opened this issue · 1 comment

Hi

The ClusterIssuer is in the Ready state and the health checks are successful, but while issuing a certificate I get a permission error when cert-manager tries to update the status to Approved.

Any idea why the Helm installation is not setting the correct permissions?

Cert-manager pod logs:

I0505 21:18:08.575328       1 trigger_controller.go:215] "Certificate must be re-issued" logger="cert-manager.certificates-trigger" key="infra/kcr.cloud.homelab.example.com" reason="DoesNotExist" message="Issuing certificate as Secret does not exist"

I0505 21:18:08.575418       1 conditions.go:203] Setting lastTransitionTime for Certificate "kcr.cloud.homelab.example.com" condition "Issuing" to 2024-05-05 21:18:08.575412812 +0000 UTC m=+8572.458685784

I0505 21:18:08.575325       1 conditions.go:203] Setting lastTransitionTime for Certificate "kcr.cloud.homelab.example.com" condition "Ready" to 2024-05-05 21:18:08.575301405 +0000 UTC m=+8572.458574367

I0505 21:18:08.592130       1 controller.go:162] "re-queuing item due to optimistic locking on resource" logger="cert-manager.certificates-trigger" key="infra/kcr.cloud.homelab.example.com" error="Operation cannot be fulfilled on certificates.cert-manager.io \"kcr.cloud.homelab.example.com\": the object has been modified; please apply your changes to the latest version and try again"

I0505 21:18:08.592194       1 trigger_controller.go:215] "Certificate must be re-issued" logger="cert-manager.certificates-trigger" key="infra/kcr.cloud.homelab.example.com" reason="DoesNotExist" message="Issuing certificate as Secret does not exist"

I0505 21:18:08.592210       1 conditions.go:203] Setting lastTransitionTime for Certificate "kcr.cloud.homelab.example.com" condition "Issuing" to 2024-05-05 21:18:08.592206112 +0000 UTC m=+8572.475479083

I0505 21:18:08.824230       1 conditions.go:263] Setting lastTransitionTime for CertificateRequest "kcr.cloud.homelab.example.com-1" condition "Approved" to 2024-05-05 21:18:08.824219898 +0000 UTC m=+8572.707492860

I0505 21:18:08.838315       1 controller.go:162] "re-queuing item due to optimistic locking on resource" logger="cert-manager.certificaterequests-approver" key="infra/kcr.cloud.homelab.example.com-1" error="Operation cannot be fulfilled on certificaterequests.cert-manager.io \"kcr.cloud.homelab.example.com-1\": the object has been modified; please apply your changes to the latest version and try again"

I0505 21:18:08.838389       1 conditions.go:263] Setting lastTransitionTime for CertificateRequest "kcr.cloud.homelab.example.com-1" condition "Approved" to 2024-05-05 21:18:08.838384071 +0000 UTC m=+8572.721657044

E0505 21:18:08.845794       1 controller.go:167] "re-queuing item due to error processing" err="admission webhook \"webhook.cert-manager.io\" denied the request: status.conditions: Forbidden: user \"system:serviceaccount:cert-manager:cert-manager\" does not have permissions to set approved/denied conditions for issuer {corp-pki-cluster-issuer ClusterIssuer ejbca-issuer.keyfactor.com}" logger="cert-manager.certificaterequests-approver" key="infra/kcr.cloud.homelab.example.com-1"

I0505 21:18:13.838941       1 conditions.go:263] Setting lastTransitionTime for CertificateRequest "kcr.cloud.homelab.example.com-1" condition "Approved" to 2024-05-05 21:18:13.838917797 +0000 UTC m=+8577.722190832

E0505 21:18:13.851696       1 controller.go:167] "re-queuing item due to error processing" err="admission webhook \"webhook.cert-manager.io\" denied the request: status.conditions: Forbidden: user \"system:serviceaccount:cert-manager:cert-manager\" does not have permissions to set approved/denied conditions for issuer {corp-pki-cluster-issuer ClusterIssuer ejbca-issuer.keyfactor.com}" logger="cert-manager.certificaterequests-approver" key="infra/kcr.cloud.homelab.example.com-1"

ejbca-cert-manager-issuer pod logs:

2024-05-05T21:18:08Z	INFO	CertificateRequest has not been approved yet. Ignoring.	{"controller": "certificaterequest", "controllerGroup": "cert-manager.io", "controllerKind": "CertificateRequest", "CertificateRequest": {"name":"kcr.cloud.homelab.example.com-1","namespace":"infra"}, "namespace": "infra", "name": "kcr.cloud.homelab.example.com-1", "reconcileID": "be9044e9-a5f5-474c-8538-79544cf608fc"}

2024-05-05T21:18:08Z	INFO	CertificateRequest has not been approved yet. Ignoring.	{"controller": "certificaterequest", "controllerGroup": "cert-manager.io", "controllerKind": "CertificateRequest", "CertificateRequest": {"name":"kcr.cloud.homelab.example.com-1","namespace":"infra"}, "namespace": "infra", "name": "kcr.cloud.homelab.example.com-1", "reconcileID": "490218ce-44e4-4fc0-885e-3dfcd6d3ade1"}

Hi @ashishsinghdev

By default, ejbca-cert-manager-issuer will not sign CertificateRequests that aren't approved as demonstrated by the log messages in the reconciler pod.

The errors you're encountering suggest that cert-manager itself does not have permission to set the approved condition on CertificateRequest resources. Have you taken a look at the cert-manager approver-policy documentation?
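One way to grant the missing permission, shown here as an added example that is not part of the issue or of the project's Helm chart: a ClusterRole on cert-manager's `signers` resource with the `approve` verb, scoped to the ClusterIssuer named in the webhook denial (`corp-pki-cluster-issuer`), bound to the `cert-manager` service account the webhook rejected. The ClusterRole and ClusterRoleBinding names are assumptions.

```yaml
# Added example (not from the issue or the project's Helm chart).
# Lets cert-manager's controller set the Approved/Denied conditions on
# CertificateRequests that reference the ejbca-issuer.keyfactor.com ClusterIssuer.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-controller-approve:ejbca-issuer-keyfactor-com   # assumed name
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["signers"]
    verbs: ["approve"]
    # Least privilege: only the ClusterIssuer from the log, not every issuer in
    # the group. "clusterissuers.ejbca-issuer.keyfactor.com/*" would cover all
    # ClusterIssuers of this kind; namespaced Issuers use
    # "issuers.ejbca-issuer.keyfactor.com/<namespace>.<name>".
    resourceNames:
      - clusterissuers.ejbca-issuer.keyfactor.com/corp-pki-cluster-issuer
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-controller-approve:ejbca-issuer-keyfactor-com   # assumed name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-controller-approve:ejbca-issuer-keyfactor-com
subjects:
  - kind: ServiceAccount
    name: cert-manager          # the account named in the webhook denial above
    namespace: cert-manager
```

Once the grant is in place the `Forbidden` webhook denial stops, the CertificateRequest gets its Approved condition, and the ejbca-cert-manager-issuer reconciler proceeds past "CertificateRequest has not been approved yet". If approvals are delegated to approver-policy instead, the same `signers`/`approve` rule must be bound to approver-policy's service account rather than to cert-manager's.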