Comments (6)
Hello @inteon,
thank you for the prompt response. However, I respectfully disagree with your statement. The issue is entirely reproducible on OpenShift when I manually install cert-manager using the following command:
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.1/cert-manager.yaml
So it doesn't have anything to do with OpenShift Cert-Manager Operator
from cert-manager.
@hawksight yes, that's correct. My concern is that it could potentially lead to a disaster if someone mistakenly uses the same secret name in the certificate resource.
@inteon, @hawksight
I have deployed OpenShift Service CA to Kubernetes and have been able to reproduce the issue. You can access all the steps in the Jupyter notebook available in the repository linked below. I hope this clarifies the issue.
https://github.com/ykoer/kubernetes-service-ca
from cert-manager.
cert-manager Operator for Red Hat OpenShift is not officially distributed by the cert-manager team.
I think you will get better support by reaching out to Red Hat with this issue.
The cert-manager team publishes this OLM module instead: https://cert-manager.io/docs/installation/operator-lifecycle-manager/
from cert-manager.
Hello @inteon,
thank you for the prompt response. However, I respectfully disagree with your statement. The issue is entirely reproducible on OpenShift when I manually install cert-manager using the following command:
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.1/cert-manager.yaml
So it doesn't have anything to do with OpenShift Cert-Manager Operator
Thank you for that extra information. Do you have a minimal example that we can use to reproduce the issue (preferably one on a non-openshift cluster).
from cert-manager.
@ykoer it appears from the OpenShift docs that Openshift has another controller somewhere that creates the certificate key pair for you and injects it into a secret you specify in the service annotation.
What you are doing on top of this is to then apply a Certificate
resource which points to the same Secret
resource?
If that is the case this probably isn't a good pattern. Just as it is not good to have two Certificates
with different spec fields pointed at the same backend Secret
resource.
Please let me know if I am missing something there.
Also to @inteon's point, is the Openshift controller doing the initial creation installer available to install in vanilla k8s clusters. Just running OpenShift environments can be difficult and time consuming to replicate issues.
from cert-manager.
Hey @ykoer, thanks for the super detailed instructions for reproducing the issue!
The OpenShift team seems to be investigating something close to this in CM-121: "Investigate how to replace Serving certificates generated internally to those generated by cert-manager, which is a Day 2 Operator".
@TrilokGeer Does this issue relate to what you are working on? Thanks!
from cert-manager.
Related Issues (20)
- Securing Gateway in GKE is failing
- Preselection in field Server not accepted on save. Manual selection required
- add template for creating cluster issuer and issuer HOT 3
- Certificate resource not updated after ingress annotation is changed HOT 1
- Should upgrade status managed fields from CSA to SSA when ServerSideApply feature gate enabled HOT 1
- Missing `cmctl` and `kubectl-cert_manager` binaries in GitHub releases HOT 5
- Incomplete regular expression for hostnames HOT 3
- cert manager not issuing certs for one ingress (in work queue no longer exists) HOT 1
- Gateway: Combining HTTPS listener with TLS-termination and TLS listener with TLS-passthrough HOT 4
- Web Hook in cert-manager is not working properly. Can anyone please me out. HOT 8
- Solver pod returns 404 error during http01 challenge HOT 5
- v1.12.X release Infinite loop with 2 certs with different keystore settings HOT 4
- Report the use of components with vulnerabilities in cert-manager HOT 3
- I don't understand the purpose of the new tests.
- Confusing messaging when certificate secret name already exist HOT 1
- Optionally write ca.crt to ConfigMap
- Support testing on Kubernetes v1.30 HOT 1
- Feature Request: Add support to set future date as notBefore when requesting for certificate HOT 5
- Regular expression file missing HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from cert-manager.