Hello -
I'm using terraform to create a GKE cluster & deploy Strimzi Kafka (v0.38). The script uses the ACME protocol to get a certificate from LetsEncrypt,
and I'm running into issues wherein the secret being created (when deploying certificate.yaml) is created with a random string attached to the secret name.
The script does the following:
- creates a GKE cluster (version 1.30.5-gke.1355000)
- installs cert-manager in namespace cert-manager (cert-manager version v1.13.2), with the command:
  kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.2/cert-manager.yaml
- installs External-DNS (in namespace kafka)
- creates ClusterIssuers for prod & staging
- creates a Certificate (in namespace kafka)
- finally, deploys Strimzi Kafka (v0.38)
Here is the certificate.yaml & values.yaml for the helm chart.

certificate.yaml:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: {{ .Values.cluster.name }}-lets-encrypt
spec:
  secretName: {{ .Values.cluster.name }}-lets-encrypt
  issuerRef:
    name: {{ .Values.cluster.name }}-letsencrypt-staging
    kind: ClusterIssuer
    group: cert-manager.io
  subject:
    organizations:
      - {{ .Values.acme.organizations }}
  dnsNames:
    - bootstrap.{{ .Values.acme.dns_name }}
    - broker-0.{{ .Values.acme.dns_name }}
    - broker-1.{{ .Values.acme.dns_name }}
    - broker-2.{{ .Values.acme.dns_name }}
values.yaml:

cluster:
  name: "versa-kafka-poc-tf2"
project:
  id: "versa-kafka-poc"
acme:
  zone_name: "vkp2-versa-vani" # org - vkp-versa-vani
  dns_name: "vkp2.versa-vani.com" # vkp-versa-vani.com
  email: "karan@versa-networks.com"
  organizations: "vkp2-versa-vani" # vkp2-versa-vani
(base) Karans-MacBook-Pro:~ karanalang$ kc get secrets -n kafka | grep encrypt
versa-kafka-poc-tf2-lets-encrypt-rgjht                 Opaque   1   2d4h
versa-kafka-poc-tf2-letsencrypt-prod-account-key       Opaque   1   2d4h
versa-kafka-poc-tf2-letsencrypt-staging-account-key    Opaque   1   2d4h

(base) Karans-MacBook-Pro:~ karanalang$ kc get cert versa-kafka-poc-tf2-lets-encrypt -n kafka -o yaml
status:
  conditions:
  - lastTransitionTime: "2024-11-02T01:01:26Z"
    message: Issuing certificate as Secret does not exist
    observedGeneration: 1
    reason: DoesNotExist
    status: "True"
    type: Issuing
  - lastTransitionTime: "2024-11-02T01:01:26Z"
    message: Issuing certificate as Secret does not exist
    observedGeneration: 1
    reason: DoesNotExist
    status: "False"
    type: Ready
  nextPrivateKeySecretName: versa-kafka-poc-tf2-lets-encrypt-rgjht
The question is: why is the secret getting created with a random string added to the secret name?
How do I debug/fix this?
tia!
Describing the cert shows an error that the Cert is not ready, since the required secret (versa-kafka-poc-tf2-lets-encrypt) is not available; instead the secret is created with a random string attached to the name.
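An added diagnostic helper, not from the question and not part of cert-manager or Strimzi, that reads the pasted Certificate status and Secret listing above and reports which Secret plays which role. It relies on one documented cert-manager behaviour: while a Certificate is in the Issuing state, the controller keeps the freshly generated private key in a temporary Secret whose name is the target secretName plus a generated suffix, and records that name under status.nextPrivateKeySecretName; the Secret named by spec.secretName is only written once the issuer returns a signed certificate. The input dict is constructed by hand from the question's output (no cluster access, no PyYAML), and the function names and dict shape are assumptions of this example.

```python
from typing import Optional

# Constructed from the `kc get cert ... -o yaml` output in the question.
CERT_FROM_QUESTION = {
    "spec": {"secretName": "versa-kafka-poc-tf2-lets-encrypt"},
    "status": {
        "conditions": [
            {"type": "Issuing", "status": "True", "reason": "DoesNotExist",
             "message": "Issuing certificate as Secret does not exist"},
            {"type": "Ready", "status": "False", "reason": "DoesNotExist",
             "message": "Issuing certificate as Secret does not exist"},
        ],
        "nextPrivateKeySecretName": "versa-kafka-poc-tf2-lets-encrypt-rgjht",
    },
}

# Copied from the `kc get secrets -n kafka | grep encrypt` output in the question.
SECRET_LINES = """\
versa-kafka-poc-tf2-lets-encrypt-rgjht Opaque 1 2d4h
versa-kafka-poc-tf2-letsencrypt-prod-account-key Opaque 1 2d4h
versa-kafka-poc-tf2-letsencrypt-staging-account-key Opaque 1 2d4h
"""


def classify_secret(name: str, target: str, temp_key: Optional[str]) -> str:
    """Role of one Secret relative to a single Certificate resource."""
    if name == target:
        return "target"                  # the Secret Strimzi should mount
    if temp_key is not None and name == temp_key:
        return "temporary-private-key"   # next key, kept only while issuing
    return "unrelated"                   # e.g. an issuer's ACME account key


def diagnose(cert: dict, secret_listing: str) -> dict:
    """Summarise Certificate conditions and map listed Secrets to roles."""
    spec = cert.get("spec", {})
    status = cert.get("status", {})
    conds = {c.get("type"): c for c in status.get("conditions", [])}
    target = spec.get("secretName", "")
    temp_key = status.get("nextPrivateKeySecretName")
    ready = conds.get("Ready", {}).get("status") == "True"
    issuing = conds.get("Issuing", {}).get("status") == "True"

    # First column of each `kubectl get secrets` line is the Secret name.
    names = [ln.split()[0] for ln in secret_listing.splitlines() if ln.strip()]
    roles = {n: classify_secret(n, target, temp_key) for n in names}

    if ready:
        verdict = "issued: the target Secret should be present"
    elif issuing:
        verdict = ("issuance in progress: the suffixed Secret is the temporary "
                   "private-key holder; the target Secret appears only after the "
                   "issuer returns a certificate, so inspect the CertificateRequest, "
                   "Order and Challenge resources for the real blocker")
    else:
        verdict = "stalled: neither Ready nor Issuing"

    return {
        "ready": ready,
        "issuing": issuing,
        "target_secret": target,
        "temporary_key_secret": temp_key,
        "target_present": target in names,
        "secret_roles": roles,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in diagnose(CERT_FROM_QUESTION, SECRET_LINES).items():
        print(f"{key}: {value}")
```

Run against the question's own output, the helper reports the Certificate as Issuing but not Ready, flags versa-kafka-poc-tf2-lets-encrypt-rgjht as the temporary key Secret rather than a misnamed target, and marks the two account-key Secrets as belonging to the ClusterIssuers, not the Certificate. The random suffix is therefore a symptom of issuance not having completed, and the place to look next is the Order/Challenge chain (DNS-01 or HTTP-01 validation) rather than the Secret naming.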