maelvls

Investigation: cert-manager ACME solver uses the jwk field instead of kid in neworder call for non-letsencrypt calls

In the Stackover question 70897574, user1563721 suggests that cert-manager's ACME solver is not behaving as it should with non-let's encrypt servers. More specifically, that new-order is called using kid instead of jwk. In the remainder of this page, I detail how to reproduce this issue using Pebble (a smaller version of Boulder, which is the ACME server Let's Encrypt uses).

Related:

• Erratic No Key ID in JWS header

Install cert-manager but turn off the deployment:

maelvls

Tutorial: Cilium ingress controller with cert-manager

👉 This tutorial is also visible in the Cilium Service Mesh official documentation here.

With this tutorial, you will install Cilium Service Mesh on Kind with TLS with certificates created by cert-manager. It is inspired by the TLS example on the Cilium website.

This was written on 18 Feb 2022 during the beta of the Cilium Service Mesh. A lot probably changed since then.

Prerequisites:

• helm v3.7 and above,

maelvls

Testing ingress controllers

We want to use Kubernetes 1.20 or lower since we need both the v1 and v1beta1 of the Ingress resource.

• ingress-gce
  • v1beta1 Ingress with just annotation
  • v1 Ingress with spec.IngressClassName but no IngressClass object
  • v1 Ingress with spec.ingressClassName and IngressClass object
• v1 Ingress with just annotation and no IngressClass object

maelvls

Understanding cert-manager upgrade issues to 1.7

When upgrading from 0.16.1 to v1.6.1

Users will start seeing errors whenever a client tries to apply or create a v1alpha2 resource:

TODO paste the error here

maelvls

diff --git a/GObjectIntrospection.xs b/GObjectIntrospection.xs
index 58fe26f..4a56855 100644
--- a/GObjectIntrospection.xs
+++ b/GObjectIntrospection.xs
@@ -928,7 +928,7 @@ _use_generic_signal_marshaller_for (class, const gchar *package, const gchar *si
 	                                                   "ClosureMarshal");
 	g_assert (closure_marshal_info);
 	cif = g_new0 (ffi_cif, 1);
-	closure = g_callable_info_prepare_closure (closure_marshal_info,
+	closure = g_callable_info_create_closure (closure_marshal_info,

maelvls

CodeReady Containers (local openshift) tips

Use Grafana with CodeReady Containers

https://grafana.com/orgs/maelvls/api-keys

 kubectl create secret generic kubepromsecret \
  --from-literal=username=maelvls\
  --from-literal=password= \

maelvls

Getting started using cert-manager with the sig-network Gateway API

This gist was published at https://www.jetstack.io/blog/cert-manager-gateway-api-traefik-guide/

Contents:

• Getting started
  • Prerequisites
  • Getting started with Traefik
• Known bugs in implementations

maelvls

Debug a broken cert-manager-webhook

https://kubernetes.slack.com/archives/C4NV3DWUC/p1618579222346800 https://kubernetes.slack.com/archives/C4NV3DWUC/p1612299155160000

kubectl get validatingwebhookconfigurations cert-manager-webhook -ojsonpath='{.webhooks[0].clientConfig.caBundle}' | base64 -d | openssl x509 -noout -text

maelvls

Minimal working example for the hot-looping issue with Vault

Following Irbe's instructions cert-manager/cert-manager#3897 (comment):

Same issue here on Slack, I was not able to reproduce this then, but seem to be able to reproduce it now with cert-manager v1.3.1.

To reproduce follow steps here except for:

1. Deploy a newer version of cert-manager and use v1 not v1alpha2 api when creating cert-manager resources
2. Set max_ttl to 720h (30d) when creating the Vault role that `cert-manager will use

maelvls

#! /usr/bin/env bash
set -ueo pipefail

FROM=
TO=
MODE=helm-without-crds

help() {
  cat <<EOF
The cert-manager teams does upgrade tests with various upgrade modes.