Comments (4)
Thanks @SgtCoDFish for correcting / improving the documentation on this.
I spent some time today figuring out the Kyverno solution to this as well.
If you absolutely want to avoid referencing the same secretName from two Certificates, here is an example ClusterPolicy that can do that. I have done some simple tests, but do your own testing to validate.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: limits
spec:
  validationFailureAction: Enforce
  rules:
  - name: limit-secretname-refs
    match:
      any:
      - resources:
          kinds:
          - Certificate
          operations:
          - CREATE
          - UPDATE
    context:
    # Every spec.secretName referenced by the *other* Certificates in the
    # namespace. The object being admitted is excluded by name: on UPDATE the
    # stored copy of the same Certificate is already in the list with the same
    # secretName, so without the filter every UPDATE would deny itself.
    - name: secretNames
      apiCall:
        urlPath: "/apis/cert-manager.io/v1/namespaces/{{request.namespace}}/certificates"
        jmesPath: "items[?metadata.name != '{{request.object.metadata.name}}'].spec.secretName"
    validate:
      message: "Only one Certificate is allowed to reference Secret: {{ request.object.spec.secretName }}"
      deny:
        conditions:
          any:
          # Deny when the incoming secretName is already in use elsewhere.
          - key: "{{ request.object.spec.secretName }}"
            operator: AnyIn
            value: "{{ secretNames }}"
Example usage:
> k apply -f ts-cert-1.yaml
certificate.cert-manager.io/ts-cert-1 created
> k apply -f ts-cert-2.yaml
Error from server: error when creating "ts-cert-2.yaml": admission webhook "validate.kyverno.svc-fail" denied the request:
resource Certificate/kyverno-secretname/ts-cert-2 was blocked due to the following policies
limits:
limit-secretname-refs: 'Only one Certificate is allowed to reference Secret: another-secret-cert'
I will close this out as resolved on the assumptions:
- There will be no baked in solution to v1.12.X
- You can avoid conflicts in templating / usage
- There is another workaround above ^
from cert-manager.
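As an added example that is not part of the original comment, nor of the Kyverno or cert-manager projects: the Python below emulates the deny rule of a policy like the one above against a constructed list of Certificates, so the logic can be checked offline before enforcing it on a cluster. The API list shape (items[].metadata.name / items[].spec.secretName) mirrors what the apiCall context receives; the Certificate and Secret names are constructed, and admission_verdict / find_collisions are hypothetical helper names. It shows the edge case a practitioner will hit first, an UPDATE of an existing Certificate colliding with its own stored copy unless that object is excluded from the comparison, and adds an audit for collisions that already exist, which an admission policy can never retroactively block.

```python
"""Offline emulation of a "one Certificate per secretName" admission rule.

Hypothetical helper code, not Kyverno or cert-manager code. Sample data is
constructed to resemble a reduced GET
/apis/cert-manager.io/v1/namespaces/<ns>/certificates response.
"""
from collections import defaultdict

# Constructed sample: existing Certificates in one namespace. Secrets are
# namespaced, so a secretName can only collide within a single namespace,
# which is why a per-namespace apiCall is sufficient.
SAMPLE_CERTIFICATES = [
    {"metadata": {"name": "ts-cert-1"}, "spec": {"secretName": "another-secret-cert"}},
    {"metadata": {"name": "web-cert"}, "spec": {"secretName": "web-tls"}},
    {"metadata": {"name": "web-cert-legacy"}, "spec": {"secretName": "web-tls"}},
]


def secret_names_referenced_by_others(items, current_name, exclude_self=True):
    """Equivalent of the JMESPath
    items[?metadata.name != '<current>'].spec.secretName (or plain
    items[].spec.secretName when exclude_self is False)."""
    return [
        c["spec"]["secretName"]
        for c in items
        if not exclude_self or c["metadata"]["name"] != current_name
    ]


def admission_verdict(request_object, operation, items, exclude_self=True):
    """Return (allowed, message) the way the deny rule would decide.

    operation is the admission operation ("CREATE", "UPDATE", ...); the rule
    only matches CREATE and UPDATE. On UPDATE, `items` already contains the
    stored version of request_object, so it must be excluded by name.
    """
    if operation not in ("CREATE", "UPDATE"):
        return True, "operation not matched by the rule"
    name = request_object["metadata"]["name"]
    secret = request_object["spec"]["secretName"]
    taken = secret_names_referenced_by_others(items, name, exclude_self)
    if secret in taken:  # AnyIn with a scalar key
        return False, f"Only one Certificate is allowed to reference Secret: {secret}"
    return True, "ok"


def find_collisions(items):
    """Audit helper: secretNames shared by more than one Certificate.

    An admission policy only stops *new* collisions; pre-existing ones have
    to be found and untangled separately, e.g. before switching the policy
    from Audit to Enforce.
    """
    by_secret = defaultdict(list)
    for c in items:
        by_secret[c["spec"]["secretName"]].append(c["metadata"]["name"])
    return {s: sorted(names) for s, names in by_secret.items() if len(names) > 1}


if __name__ == "__main__":
    new_cert = {"metadata": {"name": "ts-cert-2"},
                "spec": {"secretName": "another-secret-cert"}}
    print(admission_verdict(new_cert, "CREATE", SAMPLE_CERTIFICATES))
    # Re-applying ts-cert-1 must be allowed: its own stored copy is in the list.
    print(admission_verdict(SAMPLE_CERTIFICATES[0], "UPDATE", SAMPLE_CERTIFICATES))
    # Without self-exclusion the same UPDATE is wrongly denied.
    print(admission_verdict(SAMPLE_CERTIFICATES[0], "UPDATE", SAMPLE_CERTIFICATES,
                            exclude_self=False))
    print(find_collisions(SAMPLE_CERTIFICATES))
```

Run it as a script to see the three verdicts and the audit result; in practice you would feed find_collisions the real `kubectl get certificates -A -o json` items, then roll the policy out in Audit mode before Enforce.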
I think we documented this as a known issue for https://github.com/cert-manager/cert-manager/releases/tag/v1.12.6 and then it's not documented further - maybe we should add a note about this to all future 1.12.x versions.
If I remember correctly backporting was going to take a lot of effort because of architectural changes between 1.12 and 1.13.
Thanks @SgtCoDFish for the info. I was looking purely on the website for changes around this but did not see it.
I can see it in GitHub as you linked.
But there is nothing about the issue on the releases page for v1.12 here: https://cert-manager.io/docs/releases/release-notes/release-notes-1.12#v1126
This raises another concern about what Long Term Support (LTS) means, but perhaps that's for an in-person call / discussion. To take action here, a PR to the cert-manager website referring to the bug would help others.
Strategies for avoiding spec.secretName collisions outside of cert-manager?
- Perhaps a Kyverno policy might have the option to introspect the environment?
- Default the value based on the certificate name so you would end up copying over a cert instead, which might highlight the problem more quickly?
I've raised cert-manager/website#1477 to rework these docs, because I agree they weren't super clear! I'm not really sure on what might be the best way to handle this outside of cert-manager - if it's possible to do a kyverno thing that sounds great but I don't have a lot of bandwidth atm!