Kubernetes - cert-manager - Hashicorp Vault - Ready status of certificate is blank

4/22/2020

I have created a ClusterIssuer that uses Vault and then issued a certificate through it, but the Ready status of the certificate is blank. Nothing appears in the events or the cert-manager pod logs. It has not created a secret either.

kubectl get cert
NAMESPACE             NAME                 READY                          SECRET                                             AGE
default               example-com                                         example-com                                      139m

clusterissuer.yaml

apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: vault-clusterissuer
spec:
  vault:
    path: pki_int/sign/<role name>
    server: https://vault-cluster.example.com:8200
    caBundle: <base64 encoded cabundle pem>
    auth:
      appRole:
        path: approle
        roleId: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" 
        secretRef:
          name: cert-manager-vault-approle
          key: secretId

The role name mentioned in the path is the same as the role created in Vault under pki_int.

certificate.yaml

apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: example-com
spec:
  secretName: example-com 
  issuerRef:
    name: vault-clusterissuer
    kind: ClusterIssuer
  commonName: abc.example.com
  dnsNames:
  - abc.example.com

Since it is not generating any messages or logs, I am not sure where to start troubleshooting.

Does the value of path in clusterissuer.yaml look right to you?

Thank you in advance

-- Devesh mehta
cert-manager
hashicorp-vault
kubernetes

1 Answer

4/28/2020

CertificateConditionReady indicates that a certificate is ready for use.

This is defined as:

  • The target secret exists

  • The target secret contains a certificate that has not expired

  • The target secret contains a private key valid for the certificate

  • The commonName and dnsNames attributes match those specified on the Certificate

I think the issue is the wrong dnsNames defined in the certificate.yaml file:

Your certificate configuration file:

apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: example-com
spec:
  secretName: example-com 
  issuerRef:
    name: vault-clusterissuer
    kind: ClusterIssuer
  commonName: abc.example.com
  dnsNames:
  - abc.example.com

The dnsNames field should have the value www.abc.example.com, not abc.example.com.

The final version should look like:

apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: example-com
spec:
  secretName: example-com 
  issuerRef:
    name: vault-clusterissuer
    kind: ClusterIssuer
  commonName: abc.example.com
  dnsNames:
  - www.abc.example.com

Also remember that the path field is the Vault role path of the PKI backend and server is the Vault server base URL. The path MUST USE the Vault sign endpoint.

Please take a look at: issuer-vault-setup, cert-clusterissuer.

-- MaggieO
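A static pre-flight check over the two manifests from the question, as an added example that is not code from the question, the answer or the cert-manager project. It transcribes the posted clusterissuer.yaml and certificate.yaml into Python dicts (so it runs without PyYAML or a cluster), flags the issuer-side problems the answer points at (path must be the Vault sign endpoint; the AppRole secret for a ClusterIssuer must live in the cluster resource namespace, `cert-manager` by default), and also flags the API group: `certmanager.k8s.io` is the pre-0.11 group, and a cert-manager 0.11 or newer controller only watches `cert-manager.io`, which is one explanation consistent with a blank Ready column, no events and no log lines. The version boundary and the default namespace are cert-manager facts; the function names, finding texts and the sample "good" values in the comments are this example's own assumptions.

```python
"""Static checks for a cert-manager Vault ClusterIssuer and Certificate pair.

Added example, not code from the page or from cert-manager. The manifests
below are the question's YAML transcribed into dicts, placeholders included.
"""
import re
from urllib.parse import urlparse

# Transcribed from the question's clusterissuer.yaml (constructed input).
CLUSTER_ISSUER = {
    "apiVersion": "certmanager.k8s.io/v1alpha1",
    "kind": "ClusterIssuer",
    "metadata": {"name": "vault-clusterissuer"},
    "spec": {"vault": {
        "path": "pki_int/sign/<role name>",
        "server": "https://vault-cluster.example.com:8200",
        "caBundle": "<base64 encoded cabundle pem>",
        "auth": {"appRole": {
            "path": "approle",
            "roleId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
            "secretRef": {"name": "cert-manager-vault-approle", "key": "secretId"},
        }},
    }},
}

# Transcribed from the question's certificate.yaml (constructed input).
CERTIFICATE = {
    "apiVersion": "certmanager.k8s.io/v1alpha1",
    "kind": "Certificate",
    "metadata": {"name": "example-com"},
    "spec": {
        "secretName": "example-com",
        "issuerRef": {"name": "vault-clusterissuer", "kind": "ClusterIssuer"},
        "commonName": "abc.example.com",
        "dnsNames": ["abc.example.com"],
    },
}

LEGACY_GROUP = "certmanager.k8s.io"            # API group of cert-manager < 0.11
CURRENT_GROUP = "cert-manager.io"              # API group of cert-manager >= 0.11
SIGN_PATH = re.compile(r"^[^/]+/sign/[^/]+$")  # <pki mount>/sign/<role>
UUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
CLUSTER_RESOURCE_NS = "cert-manager"           # default --cluster-resource-namespace


def placeholder(value):
    """True for '<...>' or 'xxxx-xxxx' values copied straight from docs."""
    return "<" in value or ">" in value or set(value.replace("-", "")) == {"x"}


def check_api_group(obj):
    """A controller >= 0.11 never reconciles objects in the legacy group."""
    if obj["apiVersion"].split("/")[0] != LEGACY_GROUP:
        return []
    return [f"{obj['kind']} {obj['metadata']['name']}: apiVersion {obj['apiVersion']} "
            f"is the pre-0.11 API group; a cert-manager >= 0.11 controller watches "
            f"{CURRENT_GROUP} and ignores these objects (no status, events or logs)"]


def check_cluster_issuer(issuer):
    findings = check_api_group(issuer)
    vault = issuer["spec"].get("vault")
    if vault is None:
        return findings + ["spec.vault is missing"]
    path = vault.get("path", "")
    if not SIGN_PATH.match(path):
        findings.append(f"vault.path {path!r} must be '<mount>/sign/<role>': "
                        "cert-manager calls the Vault sign endpoint")
    elif placeholder(path):
        findings.append(f"vault.path {path!r} still contains a placeholder")
    url = urlparse(vault.get("server", ""))
    if url.scheme not in ("http", "https") or not url.netloc:
        findings.append(f"vault.server {vault.get('server')!r} is not a base URL")
    elif url.scheme == "https" and placeholder(vault.get("caBundle", "")):
        findings.append("caBundle is a placeholder; it must be the base64 PEM of the CA "
                        "that signed the Vault server certificate")
    app_role = vault.get("auth", {}).get("appRole")
    if app_role is None:
        return findings + ["auth.appRole is missing (this example only checks AppRole)"]
    role_id = app_role.get("roleId", "")
    if placeholder(role_id) or not UUID.match(role_id):
        findings.append("appRole.roleId is not a Vault-generated UUID (placeholder left in?)")
    ref = app_role.get("secretRef", {})
    if not ref.get("name") or not ref.get("key"):
        findings.append("appRole.secretRef needs both name and key")
    else:  # informational: the most common reason a working-looking issuer never authenticates
        findings.append(f"note: for a ClusterIssuer the Secret {ref['name']!r} must live in the "
                        f"cluster resource namespace ({CLUSTER_RESOURCE_NS} by default), "
                        f"with the secret ID under key {ref['key']!r}")
    return findings


def check_certificate(cert, issuer):
    findings = check_api_group(cert)
    spec = cert["spec"]
    ref = spec.get("issuerRef", {})
    if (ref.get("kind"), ref.get("name")) != (issuer["kind"], issuer["metadata"]["name"]):
        findings.append(f"issuerRef {ref} does not point at {issuer['kind']} "
                        f"{issuer['metadata']['name']}")
    if cert["apiVersion"] != issuer["apiVersion"]:
        findings.append("Certificate and issuer use different apiVersions")
    cn, names = spec.get("commonName"), spec.get("dnsNames", [])
    if cn and cn not in names:  # Vault checks CN and every SAN against allowed_domains
        findings.append(f"commonName {cn!r} is not in dnsNames {names}")
    if not spec.get("secretName"):
        findings.append("secretName is missing")
    return findings


def next_steps(cert, issuer, namespace="default"):
    """kubectl commands that surface the state the page reports as blank."""
    name, iname = cert["metadata"]["name"], issuer["metadata"]["name"]
    secret = issuer["spec"]["vault"]["auth"]["appRole"]["secretRef"]["name"]
    return [
        "kubectl get crd | grep -E 'certmanager.k8s.io|cert-manager.io'",
        f"kubectl -n {CLUSTER_RESOURCE_NS} get pods -o jsonpath='{{.items[*].spec.containers[*].image}}'",
        f"kubectl describe clusterissuer {iname}",
        f"kubectl -n {CLUSTER_RESOURCE_NS} get secret {secret} -o jsonpath='{{.data}}'",
        f"kubectl -n {namespace} describe certificate {name}",
        f"kubectl -n {namespace} get certificaterequest -o wide",
    ]


if __name__ == "__main__":
    for line in check_cluster_issuer(CLUSTER_ISSUER) + check_certificate(CERTIFICATE, CLUSTER_ISSUER):
        print("-", line)
    print("\n".join(next_steps(CERTIFICATE, CLUSTER_ISSUER)))
```

The first two `next_steps` commands answer the question the checker can only guess at offline: which API groups are actually installed as CRDs, and which controller image (hence version) is running; if the controller is 0.11 or newer and the manifests still say `certmanager.k8s.io`, nothing will ever reconcile them, and the fix is to reinstall the CRDs and re-apply the manifests under `cert-manager.io`.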
Source: StackOverflow