amazon-eks-pod-identity-webhook
no ClusterIssuer and Certificate cert-manager.io/v1
If I run
make cluster-up IMAGE=amazon/amazon-eks-pod-identity-webhook:latest
after deploying cert-manager, I get an error:
unable to recognize "deploy/deployment.yaml": no matches for kind "ClusterIssuer" in version "cert-manager.io/v1"
unable to recognize "deploy/deployment.yaml": no matches for kind "Certificate" in version "cert-manager.io/v1"
I have the same error.
Here is the detail of the version I'm using:
> git rev-parse --abbrev-ref HEAD
master
> git rev-parse --short HEAD
b19c295
> kubectl version --short
Client Version: v1.21.0
Server Version: v1.21.5-eks-bc4871b
And here is the full output:
> make cluster-up IMAGE=amazon/amazon-eks-pod-identity-webhook:latest
Generating certs and deploying into active cluster...
cat deploy/deployment-base.yaml | sed -e "s|IMAGE|amazon/amazon-eks-pod-identity-webhook:latest|g" | tee deploy/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: pod-identity-webhook
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: pod-identity-webhook
  template:
    metadata:
      labels:
        app: pod-identity-webhook
    spec:
      serviceAccountName: pod-identity-webhook
      containers:
      - name: pod-identity-webhook
        image: amazon/amazon-eks-pod-identity-webhook:latest
        imagePullPolicy: Always
        command:
        - /webhook
        - --in-cluster=false
        - --namespace=default
        - --service-name=pod-identity-webhook
        - --annotation-prefix=eks.amazonaws.com
        - --token-audience=sts.amazonaws.com
        - --logtostderr
        volumeMounts:
        - name: cert
          mountPath: "/etc/webhook/certs"
          readOnly: true
      volumes:
      - name: cert
        secret:
          secretName: pod-identity-webhook-cert
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: pod-identity-webhook
  namespace: default
spec:
  secretName: pod-identity-webhook-cert
  commonName: "pod-identity-webhook.default.svc"
  dnsNames:
  - "pod-identity-webhook"
  - "pod-identity-webhook.default"
  - "pod-identity-webhook.default.svc"
  - "pod-identity-webhook.default.svc.local"
  isCA: true
  duration: 2160h # 90d
  renewBefore: 360h # 15d
  issuerRef:
    name: selfsigned
    kind: ClusterIssuer
cat deploy/mutatingwebhook.yaml | hack/webhook-patch-ca-bundle.sh > deploy/mutatingwebhook-ca-bundle.yaml
Applying configuration to active cluster...
kubectl apply -f deploy/auth.yaml
serviceaccount/pod-identity-webhook unchanged
role.rbac.authorization.k8s.io/pod-identity-webhook unchanged
rolebinding.rbac.authorization.k8s.io/pod-identity-webhook unchanged
clusterrole.rbac.authorization.k8s.io/pod-identity-webhook unchanged
clusterrolebinding.rbac.authorization.k8s.io/pod-identity-webhook unchanged
kubectl apply -f deploy/deployment.yaml
deployment.apps/pod-identity-webhook configured
unable to recognize "deploy/deployment.yaml": no matches for kind "ClusterIssuer" in version "cert-manager.io/v1"
unable to recognize "deploy/deployment.yaml": no matches for kind "Certificate" in version "cert-manager.io/v1"
make: *** [deploy-config] Error 1
It seems like this problem is due to cert-manager not being installed on my cluster.
So far I was using the older version of the amazon-eks-pod-identity-webhook, which was not using cert-manager.
But since the latest version is using cert-manager, I need to install it first.
Correct, there is a new note at the top of the readme which addresses this:
Note
After version v0.3.0, --in-cluster=true no longer works and is deprecated. Please use --in-cluster=false and manage the cluster certificate with cert-manager or some other external certificate provisioning system. This is because certificates using the legacy-unknown signer are no longer signed when using the v1 certificates API.
@gijsdpg The first error is probably an issue of CRDs not being installed though. What instructions did you follow to install cert-manager?
Yes, the problem seems to be missing CRDs. I've followed the cert-manager Helm documentation:
https://cert-manager.io/docs/installation/helm/
which has --set installCRDs=true commented out; if I enable that flag, the ClusterIssuer and Certificate resources are created.
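The diagnosis reached in this thread (deploy/deployment.yaml references cert-manager.io/v1 kinds that the API server does not serve until the cert-manager CRDs are installed) can be checked before make cluster-up ever calls kubectl apply. The script below is an added example, not code from the amazon-eks-pod-identity-webhook project or from anyone in this thread. It reads the top-level apiVersion/kind pairs out of a multi-document manifest, parses the padded table that `kubectl api-resources -o wide` prints (the sample tables here are constructed and trimmed to the columns the check uses; the parser is keyed on the APIVERSION and KIND header names and tolerates a blank SHORTNAMES cell), and reports every document the cluster would reject, using the same wording as the error in the thread. kubectl is not invoked; the manifest and both tables are embedded so the script runs offline.

```python
"""Preflight for the 'no matches for kind' failure: list every document in a
multi-document manifest whose apiVersion/kind the cluster does not serve.
Added example, not part of amazon-eks-pod-identity-webhook; all inputs are
constructed for the demonstration."""
import re
from typing import Dict, List, Set, Tuple

# Constructed: the three documents of deploy/deployment.yaml from the thread,
# trimmed to the fields this check reads. The indented issuerRef.kind in the
# Certificate document must not be mistaken for a top-level kind.
SAMPLE_MANIFEST = """\
apiVersion: apps/v1
kind: Deployment
metadata:
  name: pod-identity-webhook
  namespace: default
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: pod-identity-webhook
  namespace: default
spec:
  secretName: pod-identity-webhook-cert
  issuerRef:
    name: selfsigned
    kind: ClusterIssuer
"""

# Constructed: `kubectl api-resources -o wide` output reduced to the columns
# used here, for a cluster without and then with the cert-manager CRDs.
API_RESOURCES_NO_CRDS = """\
NAME             SHORTNAMES   APIVERSION           NAMESPACED   KIND
deployments      deploy       apps/v1              true         Deployment
"""
API_RESOURCES_WITH_CRDS = API_RESOURCES_NO_CRDS + """\
certificates     cert,certs   cert-manager.io/v1   true         Certificate
clusterissuers                cert-manager.io/v1   false        ClusterIssuer
"""

_DOC_SEP = re.compile(r"^---\s*$", re.MULTILINE)
_API_VERSION = re.compile(r"^apiVersion:\s*(\S+)", re.MULTILINE)
_KIND = re.compile(r"^kind:\s*(\S+)", re.MULTILINE)   # column 0 only: top-level kind
_TOKEN = re.compile(r"\S+")


def manifest_kinds(manifest: str) -> List[Tuple[str, str]]:
    """(apiVersion, kind) of each document, read without a YAML library."""
    pairs = []
    for doc in _DOC_SEP.split(manifest):
        version, kind = _API_VERSION.search(doc), _KIND.search(doc)
        if version and kind:
            pairs.append((version.group(1), kind.group(1)))
    return pairs


def parse_api_resources(table: str) -> Dict[str, Set[str]]:
    """Map apiVersion -> kinds the cluster serves, from the padded kubectl table.
    kubectl aligns cells under the header, so each token goes to the header
    column whose start offset is nearest; a blank SHORTNAMES cell is harmless."""
    lines = [ln for ln in table.splitlines() if ln.strip()]
    header = [(m.group(), m.start()) for m in _TOKEN.finditer(lines[0])]
    served: Dict[str, Set[str]] = {}
    for row in lines[1:]:
        fields: Dict[str, str] = {}
        for tok in _TOKEN.finditer(row):
            name, _ = min(header, key=lambda h: abs(h[1] - tok.start()))
            fields[name] = tok.group()
        served.setdefault(fields["APIVERSION"], set()).add(fields["KIND"])
    return served


def missing_kinds(manifest: str, served: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Documents whose apiVersion/kind is absent from the served set."""
    return [(v, k) for v, k in manifest_kinds(manifest) if k not in served.get(v, set())]


def preflight(manifest: str, api_resources_table: str,
              path: str = "deploy/deployment.yaml") -> List[str]:
    """Render the misses in the wording kubectl apply uses for this failure."""
    served = parse_api_resources(api_resources_table)
    return [f'unable to recognize "{path}": no matches for kind "{k}" in version "{v}"'
            for v, k in missing_kinds(manifest, served)]


if __name__ == "__main__":
    for label, table in (("without CRDs", API_RESOURCES_NO_CRDS),
                         ("with CRDs", API_RESOURCES_WITH_CRDS)):
        print(f"cluster {label}: {preflight(SAMPLE_MANIFEST, table) or 'ok'}")
```

Against a real cluster, save `kubectl api-resources -o wide` to a file and pass its contents together with the generated deploy/deployment.yaml; an empty result means every kind in the manifest is served, which is the state the thread reaches after installing cert-manager with `--set installCRDs=true`.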