The issuer crashes when cert resources are created without durations #3

Open
LadySerena opened this issue Oct 20, 2020 · 0 comments

LadySerena commented Oct 20, 2020

Within the cert-manager documentation the certificate spec states that the duration field is optional. When I was testing the pca issuer I noticed the controller crashed when I didn't specify a duration.

Sample manifest to cause the crash:

apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: bug-test
  namespace: awspca-issuer-system
spec:
  issuerRef:
    group: certmanager.awspca
    kind: AWSPCAIssuer
    name: awspca-issuer
  secretName: bug-test
  commonName: foo.com
  # DNS SAN
  dnsNames:
    - localhost
    - foo.com
  # IP Address SAN
  ipAddresses:
    - "127.0.0.1"
  # Duration of the certificate
  #   Renew 1 hour before the certificate expiration
  #  renewBefore: 1h
  isCA: false

I think this line is the cause of the crash. Would it be possible to slip in a default duration of 24 hours to prevent crashes for future users?

cparams := acmpca.IssueCertificateInput{
	CertificateAuthorityArn: aws.String(p.arn),
	SigningAlgorithm:        aws.String(acmpca.SigningAlgorithmSha256withrsa),
	Csr:                     cr.Spec.CSRPEM,
	Validity: &acmpca.Validity{
		Type:  aws.String(acmpca.ValidityPeriodTypeDays),
		Value: aws.Int64(int64(cr.Spec.Duration.Hours() / 24)),
	},
	IdempotencyToken: aws.String("awspca"),
}

Edited to add:

I left out the stack trace so I added it. I apologize for the log being partially cut off.

2020-10-09T20:14:42.809Z    INFO    controller-runtime.metrics    metrics server is starting to listen    {"addr": "127.0.0.1:8080"}
2020-10-09T20:14:42.893Z    INFO    setup    starting manager
I1009 20:14:42.894315       1 leaderelection.go:242] attempting to acquire leader lease  awspca-issuer-system/controller-leader-election-helper...
2020-10-09T20:14:42.894Z    INFO    controller-runtime.manager    starting metrics server    {"path": "/metrics"}
I1009 20:15:00.299854       1 leaderelection.go:252] successfully acquired lease awspca-issuer-system/controller-leader-election-helper
2020-10-09T20:15:00.299Z    DEBUG    controller-runtime.manager.events    Normal    {"object": {"kind":"ConfigMap","namespace":"awspca-issuer-system","name":"controller-leader-election-helper","uid":"2a543a93-bd67-42e1-b809-ccaf2ffa394c","apiVersion":"v1","resourceVersion":"1311092"}, "reason": "LeaderElection", "message": "awspca-issuer-controller-manager-6b58d94657-nqxcb_3693e870-ac71-493e-9eaa-41afe7c555dc became leader"}
2020-10-09T20:15:00.300Z    INFO    controller-runtime.controller    Starting EventSource    {"controller": "certificaterequest", "source": "kind source: /, Kind="}
2020-10-09T20:15:00.300Z    INFO    controller-runtime.controller    Starting EventSource    {"controller": "awspcaissuer", "source": "kind source: /, Kind="}
2020-10-09T20:15:00.400Z    INFO    controller-runtime.controller    Starting Controller    {"controller": "certificaterequest"}
2020-10-09T20:15:00.400Z    INFO    controller-runtime.controller    Starting Controller    {"controller": "awspcaissuer"}
2020-10-09T20:15:00.400Z    INFO    controller-runtime.controller    Starting workers    {"controller": "awspcaissuer", "worker count": 1}
2020-10-09T20:15:00.400Z    INFO    controller-runtime.controller    Starting workers    {"controller": "certificaterequest", "worker count": 1}
2020-10-09T20:15:00.401Z    ERROR    controllers.CertificateRequest    failed to provisioner for AWSPCAIssuer resource    {"certificaterequest": "awspca-issuer-system/serena-jks-test-dw84n", "error": "provisioner awspca-issuer-system/awspca-issuer not found"}
github.com/go-logr/zapr.(*zapLogger).Error
    /Users/[redacted]/go/pkg/mod/github.com/go-logr/[email protected]/zapr.go:128
github.com/awspca-issuer/controllers.(*CertificateRequestReconciler).Reconcile
    /Users/[redacted]/repos/awspca-issuer/controllers/certificaterequest_controller.go:108
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler
    /Users/[redacted]/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:256
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
    /Users/[redacted]/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:232
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).worker
    /Users/[redacted]/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:211
k8s.io/apimachinery/pkg/util/wait.JitterUntil.func1
    /Users/[redacted]/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:152
k8s.io/apimachinery/pkg/util/wait.JitterUntil
    /Users/[redacted]/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:153
k8s.io/apimachinery/pkg/util/wait.Until
    /Users/[redacted]/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:88
I1009 20:15:00.401315       1 conditions.go:200] Setting lastTransitionTime for CertificateRequest "serena-jks-test-dw84n" condition "Ready" to 2020-10-09 20:15:00.4013063 +0000 UTC m=+18.716761101
2020-10-09T20:15:00.402Z    DEBUG    controller-runtime.manager.events    Warning    {"object": {"kind":"CertificateRequest","namespace":"awspca-issuer-system","name":"serena-jks-test-dw84n","uid":"f124c674-17bf-4828-9565-e36234fd3caf","apiVersion":"cert-manager.io/v1alpha2","resourceVersion":"1311018"}, "reason": "Pending", "message": "Failed to load provisioner for AWSPCAIssuer resource awspca-issuer-system/awspca-issuer"}
2020-10-09T20:15:00.595Z    ERROR    controller-runtime.controller    Reconciler error    {"controller": "certificaterequest", "request": "awspca-issuer-system/serena-jks-test-dw84n", "error": "provisioner awspca-issuer-system/awspca-issuer not found"}
github.com/go-logr/zapr.(*zapLogger).Error
    /Users/[redacted]/go/pkg/mod/github.com/go-logr/[email protected]/zapr.go:128
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler
    /Users/[redacted]/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:258
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
    /Users/[redacted]/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:232
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).worker
    /Users/[redacted]/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:211
k8s.io/apimachinery/pkg/util/wait.JitterUntil.func1
    /Users/[redacted]/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:152
k8s.io/apimachinery/pkg/util/wait.JitterUntil
    /Users/[redacted]/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:153
k8s.io/apimachinery/pkg/util/wait.Until
    /Users/[redacted]/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:88
2020-10-09T20:15:01.001Z    DEBUG    controller-runtime.manager.events    Normal    {"object": {"kind":"AWSPCAIssuer","namespace":"awspca-issuer-system","name":"awspca-issuer","uid":"989c4d9e-4206-4bc2-af0b-8483dd6c5c32","apiVersion":"certmanager.awspca/v1alpha2","resourceVersion":"586343"}, "reason": "Verified", "message": "AWSPCAIssuer verified and ready to sign certificates"}
2020-10-09T20:15:01.014Z    DEBUG    controller-runtime.controller    Successfully Reconciled    {"controller": "awspcaissuer", "request": "awspca-issuer-system/awspca-issuer"}
I1009 20:15:05.464122       1 conditions.go:189] Found status change for CertificateRequest "serena-jks-test-dw84n" condition "Ready": "False" -> "True"; setting lastTransitionTime to 2020-10-09 20:15:05.4641086 +0000 UTC m=+23.779563401
2020-10-09T20:15:05.464Z    DEBUG    controller-runtime.manager.events    Normal    {"object": {"kind":"CertificateRequest","namespace":"awspca-issuer-system","name":"serena-jks-test-dw84n","uid":"f124c674-17bf-4828-9565-e36234fd3caf","apiVersion":"cert-manager.io/v1alpha2","resourceVersion":"1311097"}, "reason": "Issued", "message": "Certificate issued"}
2020-10-09T20:15:05.599Z    DEBUG    controller-runtime.controller    Successfully Reconciled    {"controller": "certificaterequest", "request": "awspca-issuer-system/serena-jks-test-dw84n"}
2020-10-09T20:15:05.614Z    DEBUG    controller-runtime.controller    Successfully Reconciled    {"controller": "certificaterequest", "request": "awspca-issuer-system/serena-jks-test-dw84n"}
2020-10-09T20:19:00.651Z    DEBUG    controller-runtime.controller    Successfully Reconciled    {"controller": "certificaterequest", "request": "awspca-issuer-system/serena-jks-test-dw84n"}
I1009 20:19:12.906657       1 conditions.go:200] Setting lastTransitionTime for CertificateRequest "serena-jks-test-vkcmc" condition "Ready" to 2020-10-09 20:19:12.9066441 +0000 UTC m=+271.222098901
2020-10-09T20:19:12.907Z    DEBUG    controller-runtime.manager.events    Normal    {"object": {"kind":"CertificateRequest","namespace":"awspca-issuer-system","name":"serena-jks-test-vkcmc","uid":"c4222d26-66aa-43e7-b410-daeeed4a9b03","apiVersion":"cert-manager.io/v1alpha2","resourceVersion":"1312140"}, "reason": "Issued", "message": "Certificate issued"}
2020-10-09T20:19:13.026Z    DEBUG    controller-runtime.controller    Successfully Reconciled    {"controller": "certificaterequest", "request": "awspca-issuer-system/serena-jks-test-vkcmc"}
2020-10-09T20:19:13.031Z    DEBUG    controller-runtime.controller    Successfully Reconciled    {"controller": "certificaterequest", "request": "aw
E1009 20:20:42.687084       1 runtime.go:78] Observed a panic: "invalid memory address or nil pointer dereference" (runtime error: invalid memory address or nil pointer dereference)
goroutine 274 [running]:
k8s.io/apimachinery/pkg/util/runtime.logPanic(0x1572e60, 0x220f470)
    /Users/[redacted]/go/pkg/mod/k8s.io/[email protected]/pkg/util/runtime/runtime.go:74 +0xa6
k8s.io/apimachinery/pkg/util/runtime.HandleCrash(0x0, 0x0, 0x0)
    /Users/[redacted]/go/pkg/mod/k8s.io/[email protected]/pkg/util/runtime/runtime.go:48 +0x89
panic(0x1572e60, 0x220f470)
    /usr/local/Cellar/go/1.15/libexec/src/runtime/panic.go:969 +0x175
github.com/awspca-issuer/provisioners.(*AWSPCAProvisioner).Sign(0xc00065cb00, 0x1926440, 0xc000048210, 0xc00038c5a0, 0xc00065cb00, 0x1, 0x0, 0x0, 0xc000386da0, 0x14, ...)
    /Users/[redacted]/repos/awspca-issuer/provisioners/awspca.go:107 +0x569
github.com/awspca-issuer/controllers.(*CertificateRequestReconciler).Reconcile(0xc00045fe90, 0xc000af50a0, 0x14, 0xc000af5080, 0x15, 0x540d64c179, 0xc00013d8c0, 0xc000678248, 0xc000678240)
    /Users/[redacted]/repos/awspca-issuer/controllers/certificaterequest_controller.go:114 +0x70e
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler(0xc0002749c0, 0x15c3e40, 0xc000cd74c0, 0x0)
    /Users/[redacted]/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:256 +0x166
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem(0xc0002749c0, 0xc000624400)
    /Users/[redacted]/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:232 +0xb0
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).worker(0xc0002749c0)
    /Users/[redacted]/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:211 +0x2b
k8s.io/apimachinery/pkg/util/wait.JitterUntil.func1(0xc0003d0750)
    /Users/[redacted]/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:152 +0x5f
k8s.io/apimachinery/pkg/util/wait.JitterUntil(0xc0003d0750, 0x3b9aca00, 0x0, 0x1, 0xc0000461e0)
    /Users/[redacted]/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:153 +0x105
k8s.io/apimachinery/pkg/util/wait.Until(0xc0003d0750, 0x3b9aca00, 0xc0000461e0)
    /Users/[redacted]/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:88 +0x4d
created by sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func1
    /Users/[redacted]/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:193 +0x32d
panic: runtime error: invalid memory address or nil pointer dereference [recovered]
    panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0xcabe89]
goroutine 274 [running]:
k8s.io/apimachinery/pkg/util/runtime.HandleCrash(0x0, 0x0, 0x0)
    /Users/[redacted]/go/pkg/mod/k8s.io/[email protected]/pkg/util/runtime/runtime.go:55 +0x10c
panic(0x1572e60, 0x220f470)
    /usr/local/Cellar/go/1.15/libexec/src/runtime/panic.go:969 +0x175
github.com/awspca-issuer/provisioners.(*AWSPCAProvisioner).Sign(0xc00065cb00, 0x1926440, 0xc000048210, 0xc00038c5a0, 0xc00065cb00, 0x1, 0x0, 0x0, 0xc000386da0, 0x14, ...)
    /Users/[redacted]/repos/awspca-issuer/provisioners/awspca.go:107 +0x569
github.com/awspca-issuer/controllers.(*CertificateRequestReconciler).Reconcile(0xc00045fe90, 0xc000af50a0, 0x14, 0xc000af5080, 0x15, 0x540d64c179, 0xc00013d8c0, 0xc000678248, 0xc000678240)
    /Users/[redacted]/repos/awspca-issuer/controllers/certificaterequest_controller.go:114 +0x70e
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler(0xc0002749c0, 0x15c3e40, 0xc000cd74c0, 0x0)
    /Users/[redacted]/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:256 +0x166
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem(0xc0002749c0, 0xc000624400)
    /Users/[redacted]/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:232 +0xb0
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).worker(0xc0002749c0)
    /Users/[redacted]/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:211 +0x2b
k8s.io/apimachinery/pkg/util/wait.JitterUntil.func1(0xc0003d0750)
    /Users/[redacted]/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:152 +0x5f
k8s.io/apimachinery/pkg/util/wait.JitterUntil(0xc0003d0750, 0x3b9aca00, 0x0, 0x1, 0xc0000461e0)
    /Users/[redacted]/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:153 +0x105
k8s.io/apimachinery/pkg/util/wait.Until(0xc0003d0750, 0x3b9aca00, 0xc0000461e0)
    /Users/[redacted]/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:88 +0x4d
created by sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func1
    /Users/[redacted]/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:193 +0x32d
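
A nil-safe form of the validity calculation quoted in the issue, as an added example that is not part of the original issue or the awspca-issuer code base. The `validityDays` function, the local `Duration` stand-in for `metav1.Duration` and the one-day minimum are assumptions; the 24-hour default is the value suggested in the issue.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Duration is a local stand-in for metav1.Duration (a struct wrapping
// time.Duration) so this example builds with the standard library only.
type Duration struct{ time.Duration }

// defaultDuration is the 24-hour fallback suggested in the issue.
const defaultDuration = 24 * time.Hour

// validityDays converts an optional duration into whole days.
// A nil pointer (the field was omitted from the manifest) falls back to the
// default instead of being dereferenced, which is what panics in the snippet.
func validityDays(d *Duration) (int64, error) {
	dur := defaultDuration
	if d != nil {
		dur = d.Duration
	}
	if dur <= 0 {
		return 0, errors.New("duration must be positive")
	}
	days := int64(dur / (24 * time.Hour)) // truncates, like Hours()/24
	if days < 1 {
		// Assumption: clamp sub-day requests to one day rather than
		// sending a zero-day validity to the CA.
		days = 1
	}
	return days, nil
}

func main() {
	// Constructed inputs: omitted field, 90 days, 1 hour, negative value.
	inputs := []*Duration{nil, {90 * 24 * time.Hour}, {time.Hour}, {-time.Hour}}
	for _, d := range inputs {
		days, err := validityDays(d)
		fmt.Println(days, err)
	}
}
```
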