I want to learn about cluster computing, and it so happens that I have 3 x Raspberry Pi lying around.
I also want to learn about Kubernetes, so an excellent way to do this is by installing K3S because it is a lightweight certified Kubernetes installation that can run on a Raspberry Pi.
I have done the Quick Start guide to set up the nodes.
I have also done the Installation guide for cert-manager.
And now I need to create a staging ClusterIssuer, so I can get certificates from Let's Encrypt.
Since I do not have a public IP for my internet connection, I have to resort to using the dns01 webhook in order to issue certificates for my applications running in my cluster server.
I am using Simply.com as my DNS provider and therefore I need to use the simply-dns-webhook in order to issue certificates.
I am using the Issuer/ClusterIssuer examples almost verbatim with only a few changes to variable names.
I have stored my version in the file letsencrypt-staging.yaml with the following content (slightly anonymized):
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # You must replace this email address with your own.
    # Let's Encrypt will use this to contact you about expiring
    # certificates, and issues related to your account.
    email: mail@example.com
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # Secret resource that will be used to store the account's private key.
      name: letsencrypt-staging-private-key
    # Add a single challenge solver, HTTP01 using nginx
    solvers:
    - dns01:
        webhook:
          groupName: com.github.runnerm.cert-manager-simply-webhook
          solverName: simply-dns-solver
          config:
            secretName: simply-credentials
      selector:
        dnsZones:
        - 'example.com'
And my request for a certificate is stored in the file: app-certificate.yaml with the following content:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: app-example-com
  namespace: default
spec:
  secretName: app-example-com-tls
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
  commonName: app.example.com
  dnsNames:
  - app.example.com
However, after I run the commands:
kubectl apply -f letsencrypt-staging.yaml
kubectl apply -f app-certificate.yaml
I get the following error from kubectl describe Challenges app-example-com-X-XXXXXXX-XXXXXX:
Status:
  Presented: false
  Processing: true
  Reason: simply-dns-solver.com.github.runnerm.cert-manager-simply-webhook is forbidden:
    User "system:serviceaccount:cert-manager:cert-manager" cannot create resource
    "simply-dns-solver" in API group "com.github.runnerm.cert-manager-simply-webhook"
    at the cluster scope
Is there anybody who knows what that is about and how to solve it?