kubernetes : cert-manager/secret-for-certificate-mapper "msg"="unable to fetch certificate that owns the secret
Question
Cert-manager/secret-for-certificate-mapper "msg"="unable to fetch certificate that owns the secret" "error"="Certificate.cert-manager.io "grafanaps-tls" not found"
So, from the investigation, I'm not able to find the grafanaps-tls.
> kubectl get certificates
> NAME                 READY   SECRET               AGE
> alertmanagerdf-tls   False   alertmanagerdf-tls   1y61d
> prometheusps-tls     False   prometheusps-tls     1y58
We have done the following: The nginx ingress and cert-manager were outdated and not compatible with the Kubernetes version of 1.22 anymore. As a result, an upgrade of those components was initiated in order to restore pod operation.
The cmctl check api -n cert-manager command now returns: The cert-manager API has been upgraded to version 1.7 and orphaned secrets have been cleaned up
Cert-manager/webhook "msg"="Detected root CA rotation - regenerating serving certificates"
After a restart the logs looked mainly clean.
From my findings, the issue is the integration of cert-manager with the Kubernetes ingress controller.
So I was interested in the cert-manager configuration, mostly the ingressshim configuration and the args section.
It appears that the SSL certificate for several servers has expired, and it looks like the issue is with the certificate resources or the integration of cert-manager with the Kubernetes ingress controller.
Config:
C:\Windows\system32>kubectl describe deployment cert-manager-cabictor -n cert-manager
Name:                   cert-manager-cabictor
Namespace:              cert-manager
CreationTimestamp:      Thu, 01 Dec 2022 18:31:02 +0530
Labels:                 app=cabictor
                        app.kubernetes.io/component=cabictor
                        app.kubernetes.io/instance=cert-manager
                        app.kubernetes.io/managed-by=Helm
                        app.kubernetes.io/name=cabictor
                        app.kubernetes.io/version=v1.7.3
                        helm.sh/chart=cert-manager-v1.7.3
Annotations:            deployment.kubernetes.io/revision: 2
                        meta.helm.sh/release-name: cert-manager
                        meta.helm.sh/release-namespace: cert-manager
Selector:               app.kubernetes.io/component=cabictor,app.kubernetes.io/instance=cert-manager,app.kubernetes.io/name=cabictor
Replicas:               1 desired | 1 updated | 1 total | 1 available | 0 unavailable
StrategyType:           RollingUpdate
MinReadySeconds:        0
RollingUpdateStrategy:  25% max unavailable, 25% max surge
Pod Template:
  Labels:           app=cabictor
                    app.kubernetes.io/component=cabictor
                    app.kubernetes.io/instance=cert-manager
                    app.kubernetes.io/managed-by=Helm
                    app.kubernetes.io/name=cabictor
                    app.kubernetes.io/version=v1.7.3
                    helm.sh/chart=cert-manager-v1.7.3
  Service Account:  cert-manager-cabictor
  Containers:
   cert-manager:
    Image:      quay.io/jetstack/cert-manager-cabictor:v1.7.3
    Port:       <none>
    Host Port:  <none>
    Args:
      --v=2
      --leader-election-namespace=kube-system
    Environment:
      POD_NAMESPACE:   (v1:metadata.namespace)
    Mounts:           <none>
  Volumes:            <none>
Conditions:
  Type           Status  Reason
  ----           ------  ------
  Progressing    True    NewReplicaSetAvailable
  Available      True    MinimumReplicasAvailable
OldReplicaSets:  <none>
NewReplicaSet:   cert-manager-cabictor-5b65bcdbbd (1/1 replicas created)
Events:          <none>
I was not able to identify and fix the root cause here.
What is the problem here, and how can it be resolved? Any help would be greatly appreciated.
Answer 1
Score: 2
Error message:
Cert-manager/secret-for-certificate-mapper "msg"="unable to fetch certificate that owns the secret" "error"="Certificate.cert-manager.io "grafanaps-tls" not found"
The above error message says that the certificate corresponding to the certificate file cannot be found in some namespaces.
To view the secrets and certificates, execute the commands below:
kubectl get secrets -n monitoring
kubectl get certificate -n monitoring
The output will show the missing secret and certificate.
As per the GitHub link you can also use the solution.
https://github.com/cert-manager/cert-manager/issues/1944
> Script to clean up/fix this issue
>
> "unable to fetch a certificate that owns the secret"
>
> This script will find TLS secrets in a given namespace which have no
> matching certificate resource and delete them.
>
> Usage
>
> ./clean-orphans.sh <namespace>
>
> Specifying no namespace will check the default. You will be prompted
> before anything is deleted.
For more information, refer to the cert-manager documentation. You can also refer to the blog by Alex Ellis on Grafana dashboard with TLS.
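
The check the answer describes (TLS secrets in a namespace with no matching Certificate resource), as an added report-only example in Python; it is not the clean-orphans.sh script from the GitHub issue and it deletes nothing. It assumes the `cert-manager.io/certificate-name` annotation that cert-manager sets on Secrets it issues, and the sample objects and the `_secret` helper are constructed for illustration.

```python
import json
import sys

# Annotation cert-manager writes on Secrets it issues; names the owning Certificate.
OWNER_ANNOTATION = "cert-manager.io/certificate-name"


def orphaned_tls_secrets(secrets, certificates):
    """Return sorted (secret, missing_certificate) pairs from two parsed kubectl Lists."""
    known = {c["metadata"]["name"] for c in certificates.get("items", [])}
    orphans = []
    for secret in secrets.get("items", []):
        if secret.get("type") != "kubernetes.io/tls":
            continue
        meta = secret["metadata"]
        owner = (meta.get("annotations") or {}).get(OWNER_ANNOTATION)
        # No annotation: not issued by cert-manager, so never a candidate.
        if owner is not None and owner not in known:
            orphans.append((meta["name"], owner))
    return sorted(orphans)


def _secret(name, owner=None, type_="kubernetes.io/tls"):
    # Hypothetical helper that builds a minimal Secret object for the sample.
    meta = {"name": name}
    if owner:
        meta["annotations"] = {OWNER_ANNOTATION: owner}
    return {"type": type_, "metadata": meta}


# Constructed sample mirroring the question: two Certificates exist,
# grafanaps-tls does not.
SAMPLE_CERTS = {"items": [{"metadata": {"name": n}}
                          for n in ("alertmanagerdf-tls", "prometheusps-tls")]}
SAMPLE_SECRETS = {"items": [
    _secret("grafanaps-tls", owner="grafanaps-tls"),
    _secret("alertmanagerdf-tls", owner="alertmanagerdf-tls"),
    _secret("prometheusps-tls", owner="prometheusps-tls"),
    _secret("manual-wildcard-tls"),            # hand-made TLS secret, no annotation
    _secret("grafana-admin", type_="Opaque"),  # not a TLS secret
]}

if __name__ == "__main__":
    # With two arguments, read saved `kubectl get ... -o json` files instead.
    data = [json.load(open(p)) for p in sys.argv[1:3]]
    secrets, certs = data if len(data) == 2 else (SAMPLE_SECRETS, SAMPLE_CERTS)
    for name, owner in orphaned_tls_secrets(secrets, certs):
        print(f"secret/{name}: Certificate {owner!r} not found")
```

To run it against a cluster, save `kubectl get secrets -n monitoring -o json` and `kubectl get certificate -n monitoring -o json` to files and pass the two paths, secrets first.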