cert-manager: Cannot create Vault ClusterIssuer, Service Unavailable

Bugs should be filed for issues encountered whilst operating cert-manager. You should first attempt to resolve your issues through the community support channels, e.g. Slack, in order to rule out individual configuration errors. Please provide as much detail as possible.

Describe the bug: I’m able to create Vault Issuers but not Vault ClusterIssuers, with the exact same YAML config except for the issuer name (vault-issuer or vault-cluster-issuer) and issuer kind (Issuer or ClusterIssuer).

Expected behaviour: If I’m able to create a vault Issuer I should also be able to create a vault ClusterIssuer

Steps to reproduce the bug: Steps to reproduce the bug should be clear and easily reproducible to help people gain an understanding of the problem.

```
kubectl apply -f vault-issuer.yaml -n cert-manager
issuer.certmanager.k8s.io/vault-issuer created

kubectl apply -f vault-cluster-issuer.yaml
Error from server (InternalError): error when creating "vault-cluster-issuer.yaml": Internal error occurred: failed calling webhook "clusterissuers.admission.certmanager.k8s.io": Post https://kubernetes.default.svc:443/apis/admission.certmanager.k8s.io/v1beta1/clusterissuers?timeout=30s: Service Unavailable
```

Or:

```
kubectl apply -f vault-cluster-issuer.yaml -n cert-manager
Error from server (InternalError): error when creating "vault-cluster-issuer.yaml": Internal error occurred: failed calling webhook "clusterissuers.admission.certmanager.k8s.io": Post https://kubernetes.default.svc:443/apis/admission.certmanager.k8s.io/v1beta1/clusterissuers?timeout=30s: Service Unavailable
```

Anything else we need to know?: I also tried to create ClusterIssuer in kube-system with no luck

```
diff vault-issuer.yaml vault-cluster-issuer.yaml
2c2
< kind: Issuer
---
> kind: ClusterIssuer
4c4
<   name: vault-issuer
---
>   name: vault-cluster-issuer
kubectl get ns cert-manager --show-labels
NAME           STATUS   AGE   LABELS
cert-manager   Active   16h   certmanager.k8s.io/disable-validation=true,name=cert-manager
```

**Environment details:**
- Kubernetes version (e.g. v1.10.2): v1.14.1 Kubespray
- Cloud-provider/provisioner (e.g. GKE, kops AWS, etc): Baremetal
- cert-manager version (e.g. v0.4.0): v0.7.2
- Install method (e.g. helm or static manifests): helm

/kind bug

About this issue

  • State: closed
  • Created 5 years ago
  • Comments: 17 (3 by maintainers)

Most upvoted comments

@artpar cert-manager-webhook deployment.

Temporarily “fixed” my issue by setting hostNetwork: true in my spec. I’m almost positive the behavior I’m seeing is a DO issue. Sorry to hijack the thread.

I had the same problem, and I also checked the troubleshooting pages and tested everything I could.

I found this error in the webhook logs, which may also be something:

```
k logs cert-manager-webhook-64999fc84c-7wgdj
flag provided but not defined: -v
Usage of tls:
  -tls-cert-file string

W0523 16:38:11.476643       1 authentication.go:296] Cluster doesn't provide requestheader-client-ca-file in configmap/extension-apiserver-authentication in kube-system, so request-header client certificate authentication won't work.
I0523 16:38:11.483511       1 secure_serving.go:116] Serving securely on [::]:6443
```

What’s weird is that I can create issuers only in the cert-manager namespace, not outside it. That may also be why I cannot create clusterIssuers at all.
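
The pattern reported in this thread (Issuers accepted only in the cert-manager namespace, ClusterIssuers rejected everywhere) is what a webhook `namespaceSelector` produces when the webhook backend is unreachable. The sketch below is an added example, not code from the thread or from cert-manager; the selector contents are an assumption modelled on the `certmanager.k8s.io/disable-validation=true` label in the issue, and the `default` namespace labels are constructed.

```python
# Added illustration: evaluates a validating webhook's namespaceSelector
# the way the Kubernetes API server does before calling the webhook.

# ASSUMPTION: the webhook excludes namespaces carrying the label shown in the issue.
WEBHOOK_NAMESPACE_SELECTOR = [
    {"key": "certmanager.k8s.io/disable-validation", "operator": "NotIn", "values": ["true"]},
]

def expression_matches(expr, labels):
    """Evaluate one matchExpressions entry against a namespace's labels."""
    key, op = expr["key"], expr["operator"]
    values = expr.get("values", [])
    if op == "In":
        return key in labels and labels[key] in values
    if op == "NotIn":
        # Kubernetes semantics: a namespace without the key also satisfies NotIn.
        return key not in labels or labels[key] not in values
    if op == "Exists":
        return key in labels
    if op == "DoesNotExist":
        return key not in labels
    raise ValueError(f"unsupported operator: {op}")

def webhook_is_called(namespace_labels, selector=WEBHOOK_NAMESPACE_SELECTOR):
    """Return True if the API server sends the request to the webhook.

    namespace_labels is None for a cluster-scoped object such as a ClusterIssuer.
    """
    if namespace_labels is None:
        # Cluster-scoped objects (other than Namespaces) never skip the webhook,
        # so a -n flag or a namespace label cannot exempt them.
        return True
    return all(expression_matches(e, namespace_labels) for e in selector)

# Labels of the cert-manager namespace as shown in the issue.
CERT_MANAGER_NS = {"certmanager.k8s.io/disable-validation": "true", "name": "cert-manager"}
# Constructed sample: a namespace without the disable-validation label.
OTHER_NS = {"name": "default"}

def explain():
    """Map each object from the thread to whether the webhook is consulted."""
    return {
        "Issuer in cert-manager": webhook_is_called(CERT_MANAGER_NS),
        "Issuer in default": webhook_is_called(OTHER_NS),
        "ClusterIssuer": webhook_is_called(None),
    }

if __name__ == "__main__":
    for obj, called in explain().items():
        print(f"{obj}: webhook {'called' if called else 'skipped'}")
```

Every object for which the webhook is called fails with the same `Service Unavailable` error while the webhook service cannot be reached, so the namespace label hides the outage only for namespaced resources in the labelled namespace.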