
Reflector error inside logs for cert-manager-webhook-civo pod

Open posinautinc opened this issue 2 years ago • 2 comments

Hello,

I am trying to get Cert Manager (with Let's Encrypt) to issue a wildcard cert using DNS01 and the Civo webhook on my K8S cluster on Civo. I have Istio installed and the secret containing the cert was successfully generated in the istio-system namespace.

My website is in a different namespace so I am using https://github.com/emberstack/kubernetes-reflector to copy the cert (secret) to the namespace of my website.

On initial setup, things somehow worked and I could find the replicated secret in my website's namespace. However when I changed some certificate parameter to cause the certificate to re-issue I see that the certificate remains stuck in a pending state. Looking into the logs of the civo-webhook pod I see this:

```
W0520 16:34:00.041392 1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:cert-manager-webhook-civo" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0520 16:34:00.041685 1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta2.PriorityLevelConfiguration: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:cert-manager-webhook-civo" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
```

I am still quite green with respect to Kubernetes/Istio, so I am wondering if you could shed light on whether:

  1. this is the wrong approach?
  2. I need to configure permissions/roles somehow?
  3. this is not supported by the Civo-webhook?
  4. some other problem?

This is my ClusterIssuer yaml:

```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging-cluster
  namespace: istio-system
spec:
  acme:
    email: [email protected]
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-staging-cluster
    solvers:
      - dns01:
          webhook:
            solverName: "civo"
            groupName: civo.webhook.okteto.com
            config:
              secretName: civo-secret
```

And my Certificate.yaml:

```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: mydomain-cert-staging
  namespace: istio-system
spec:
  secretName: mydomain-cert-staging
  duration: 2160h # 90d
  renewBefore: 360h # 15d
  isCA: false
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048
  usages:
    - server auth
    - client auth
  commonName: "whoami.mydomain.com"
  dnsNames:
    - "whoami.mydomain.com"
  issuerRef:
    name: letsencrypt-staging-cluster
    kind: ClusterIssuer
    group: cert-manager.io
  secretTemplate:
    annotations:
      reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
      reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "ns-twb-staging" # Control destination namespaces.
      reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true" # Auto create reflection for matching namespaces.
      reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "ns-twb-staging" # Control auto-reflection namespace.
```

Thanks!

posinautinc, May 20 '22 17:05
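The two log lines quoted above are the API server's standard RBAC denial message: the webhook's service account (`system:serviceaccount:cert-manager:cert-manager-webhook-civo`) has no cluster-scoped `list`/`watch` permission on `prioritylevelconfigurations` in the `flowcontrol.apiserver.k8s.io` group, which a client-go reflector needs to keep its informer cache up to date. The added script below (example code, not part of the issue or of the cert-manager-webhook-civo project) parses such denials out of a pod log and emits the minimal RBAC objects that would satisfy exactly those requests. The sample log is constructed from the quoted lines; the client-go module version is left as a placeholder, the FlowSchema line is an added variant, and the role name and the decision to pair `watch` with a denied `list` are this example's own choices. Whether a missing flowcontrol permission is actually what keeps the Certificate pending is a separate question to settle with `kubectl describe certificate` and the associated Challenge resources.

```python
import json
import re

# Constructed sample log lines, modelled on the reflector warnings quoted in the
# issue. The client-go module version is a placeholder, the FlowSchema line is
# an added variant of the same denial, and the last line is unrelated noise.
SAMPLE_LOG = """\
W0520 16:34:00.041392 1 reflector.go:324] pkg/mod/k8s.io/client-go@<VERSION>/tools/cache/reflector.go:167: failed to list *v1beta2.PriorityLevelConfiguration: prioritylevelconfigurations.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:cert-manager-webhook-civo" cannot list resource "prioritylevelconfigurations" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
E0520 16:34:00.041685 1 reflector.go:138] pkg/mod/k8s.io/client-go@<VERSION>/tools/cache/reflector.go:167: Failed to watch *v1beta2.FlowSchema: failed to list *v1beta2.FlowSchema: flowschemas.flowcontrol.apiserver.k8s.io is forbidden: User "system:serviceaccount:cert-manager:cert-manager-webhook-civo" cannot list resource "flowschemas" in API group "flowcontrol.apiserver.k8s.io" at the cluster scope
I0520 16:34:01.000000 1 main.go:42] webhook listening on :443
"""

# The API server's RBAC denial text, for cluster-scoped and namespaced resources.
FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>[a-z]+) resource "(?P<resource>[^"]+)"'
    r' in API group "(?P<group>[^"]*)"'
    r' (?:at the cluster scope|in the namespace "(?P<namespace>[^"]+)")'
)


def parse_forbidden(line):
    """Return the denied user/verb/resource/group/namespace, or None."""
    m = FORBIDDEN_RE.search(line)
    return m.groupdict() if m else None


def collect_denials(log_text):
    """Deduplicate denials across a log, keeping first-seen order."""
    seen = {}
    for line in log_text.splitlines():
        d = parse_forbidden(line)
        if d:
            key = (d["user"], d["verb"], d["resource"], d["group"], d["namespace"])
            seen.setdefault(key, d)
    return list(seen.values())


def service_account_parts(user):
    """Split 'system:serviceaccount:<ns>:<name>' into (ns, name)."""
    parts = user.split(":")
    if len(parts) != 4 or parts[:2] != ["system", "serviceaccount"]:
        raise ValueError(f"not a service account username: {user}")
    return parts[2], parts[3]


def rbac_manifest(denials, role_name="generated-from-denials"):
    """Build a manifest (as a dict; kubectl apply accepts JSON) granting only
    the denied verbs. A denied 'list' is paired with 'watch' because a
    reflector always lists first and then watches the same resource."""
    users = {d["user"] for d in denials}
    if len(users) != 1:
        raise ValueError("expected denials for exactly one subject")
    sa_ns, sa_name = service_account_parts(users.pop())
    subject = {"kind": "ServiceAccount", "name": sa_name, "namespace": sa_ns}

    # namespace (None = cluster scope) -> {(group, resource): {verbs}}
    rules_by_scope = {}
    for d in denials:
        verbs = rules_by_scope.setdefault(d["namespace"], {}).setdefault(
            (d["group"], d["resource"]), set())
        verbs.add(d["verb"])
        if d["verb"] == "list":
            verbs.add("watch")

    items = []
    for ns, rules in rules_by_scope.items():
        kind = "ClusterRole" if ns is None else "Role"
        meta = {"name": role_name} if ns is None else {"name": role_name, "namespace": ns}
        items.append({
            "apiVersion": "rbac.authorization.k8s.io/v1", "kind": kind, "metadata": meta,
            "rules": [{"apiGroups": [g], "resources": [r], "verbs": sorted(v)}
                      for (g, r), v in sorted(rules.items())],
        })
        items.append({
            "apiVersion": "rbac.authorization.k8s.io/v1", "kind": kind + "Binding",
            "metadata": meta,
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": kind, "name": role_name},
            "subjects": [subject],
        })
    return {"apiVersion": "v1", "kind": "List", "items": items}


if __name__ == "__main__":
    found = collect_denials(SAMPLE_LOG)
    print(json.dumps(rbac_manifest(found, "webhook-flowcontrol-reader"), indent=2))
```

Feed it the real pod log (`kubectl logs -n cert-manager <webhook-pod>`), review the generated rules, and confirm the result with `kubectl auth can-i list prioritylevelconfigurations.flowcontrol.apiserver.k8s.io --as=system:serviceaccount:cert-manager:cert-manager-webhook-civo` before and after applying; because the rules are derived only from observed denials, nothing broader than what the pod actually asked for is granted.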