failed reading secret "cert-manager": resource name may not be empty

[luckyzachary]

pod/alidns-webhook-68f86c46c4-jw72j 每 2 分钟报这个 E1230

E1230 14:13:42.301460       1 alidns.go:51] Failed to load alidns cause by "failed reading secret \"cert-manager/\": resource name may not be empty"

---

目标是在 kube-prometheus-stack namespace 中创建 ingress-nginx。

k8s 版本 v1.27.8

执行代码如下：

helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --set installCRDs=true

helm install alidns-webhook alidns-webhook/alidns-webhook \
    --namespace cert-manager --create-namespace \
    --set groupName=xxxxxx

在 kube-prometheus-stack、cert-manager 两个namespace 均有创建 secret

apiVersion: v1
kind: Secret
metadata:
  name:  alidns
stringData:
  access-key-id: xxxxxx
  access-key-secret: xxxxxx

ClusterIssuer 如下：

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: ali-letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: xxxxxx
    privateKeySecretRef:
      name: ali-letsencrypt-staging
    solvers:
    - dns01:
        webhook:
          groupName: xxxxxx
          solverName: alidns
          config:
            region: "cn-beijing"
            accessKeySecretRef:
              name: alidns
              key: access-key-id
            secretKeySecretRef:
              name: alidns
              key: access-key-secret

在 kube-prometheus-stack namespace 创建 ingress

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ali-grafana
  annotations:
    cert-manager.io/cluster-issuer: ali-letsencrypt-staging
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - xxxxxx
    secretName: grafana-ali-letsencrypt-staging
  rules:
  - host: xxxxxx
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: grafana-service
            port:
              number: 80

在创建 ingress 的同时，会自动创建名字为 grafana-ali-letsencrypt-staging 的 Certificate。
Certificate 的 SECRET 是 grafana-ali-letsencrypt-staging。
但 READY 状态是 False。
kube-prometheus-stack namespace 下也自动创建了名字为 grafana-ali-letsencrypt-staging-2ddsj 的 secret。

不知道为何 pod 要读 cert-manager 这个 secret，这个 secret 名字是如何传进去的。
我曾把 Secret 的名字由 alidns 改为了 cert-manager，但还是会报相同的错误。

[wjiec]

晚上好，我检查了你的 ClusterIssuer 的配置，应该是 spec.acme.solvers.dns01.webhook.config.accessKeyIdRef 配置错误导致的：

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: ali-letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: xxxxxx
    privateKeySecretRef:
      name: ali-letsencrypt-staging
    solvers:
    - dns01:
        webhook:
          groupName: xxxxxx
          solverName: alidns
          config:
            region: "cn-beijing"
            accessKeySecretRef: # ** 这里应该是 accessKeyIdRef **
              name: alidns
              key: access-key-id
            secretKeySecretRef:
              name: alidns
              key: access-key-secret

[jiansizhong]

遇到了同样的问题把 accessKeySecretRef换成accessKeyIdRef， secretKeySecretRef换成accessKeySecretRef之后解决了