K
Q

Kubernetes: cert-manager certificate is keep in pending state

2/3/2020

I have installed cert-manager 0.12.0 for SSL certificate.

My Issuer file is

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: my@email.com
    privateKeySecretRef:
      name: letsencrypt-prod
    http01: {}

My certificate file

apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: tls-secret
spec:
  secretName: tls-secret-prod
  dnsNames:
  - mydomain.com
  acme:
    config:
    - http01:
        ingressClass: nginx
      domains:
      - mydomain.com
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer

Ingress configuration is

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: cms
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: letsencrypt-prod
    kubernetes.io/tls-acme: "true"
spec:
  tls:
  - hosts:
    - mydomain.com
    secretName: tls-secret-prod
  rules:
  - host: mydomain.com
    http:
      paths:
      - backend:
          serviceName: apostrophe
          servicePort: 80
        path: /

But still, SSL certificated is not valid. And Common name is “Kubernetes Ingress Controller Fake Certificate”.

The following result to show orders and challenges

kubectl get orders, challenges -o wide
NAME                                                  STATE     DOMAIN            REASON                                                                                                        AGE
challenge.certmanager.k8s.io/tls-secret-155743219-0   pending   mydomain.com   pods "cm-acme-http-solver-gk2zx" is forbidden: minimum cpu usage per Container is 100m, but request is 10m.   26m

I have updated the resources limit the range and reinstalled cert-manager with helm. I am still getting this error. I am not sure what goes wrong or show how to fix this.

Please let me know if you need anything. Thanks in advance!

-- Ramesh Murugesan
cert-manager
kubernetes
kubernetes-helm
lets-encrypt
ssl

Similar Questions

need to apply the prometheus rules from alertmanager repo in k8s
First item in a template range
kubernetes DNS does not work in react app
Kubernetes kerberos and kafka secret setup using helm

1 Answer

2/3/2020

The problem lays in cpu limits defined for specific pod. You have to change minimum CPU limit in deployment configuration file. As you can see pod (cm-acme-http-solver) is requesting 100m CPU usage while minimum CPU usage defined for specific pod is *10m**. So change CPU limits in deployment configuration file from 100m to 10m or less or you can also increase CPU requests.

Take a look here: cert-manager-kubernetes, pod-min-cpu-request.

Useful article: resources-limits-kubernetes.

-- MaggieO
Source: StackOverflow